VMExtensionNotFound
Azure returns `VMExtensionNotFound` when a VM operation references an extension resource name that does not exist on the target VM.
Last reviewed: February 12, 2026|Editorial standard: source-backed technical guidance
What Does VM Extension Not Found Mean?
Extension update, remove, or query workflows fail for the target VM, leaving configuration drift unresolved until extension identity is corrected.
Common Causes
- -Deployment references an extension name that is not installed on the VM.
- -Automation targets the wrong VM or scale-set instance for extension operations.
- -Extension was removed manually or by another pipeline between plan and apply steps.
- -Publisher/type/version mismatch caused previous extension install to fail or roll back.
How to Fix VM Extension Not Found
- 1List extensions on the target VM and use the exact extension resource name returned by Azure.
- 2Validate VM resource ID and scope before invoking extension update/remove calls.
- 3Install or re-install the extension with correct publisher, type, and handler version when missing.
- 4Rerun operation and confirm extension provisioning state transitions to `Succeeded`.
Step-by-Step Diagnosis for VM Extension Not Found
- 1Inspect ARM deployment or API failure details to identify the exact extension name Azure cannot find.
- 2Compare desired extension name in IaC/state files against `az vm extension list` output.
- 3Review extension instance view and agent logs for prior failed installs that left partial state.
- 4Audit parallel automation jobs for remove/redeploy actions touching the same extension.
Extension Identity and Handler Validation
- -Verify extension resource naming and handler metadata (example: template calls `IaaSAntimalware` while VM has `MicrosoftMonitoringAgent`).
- -Inspect publisher/type/version compatibility (example: unsupported handler version requested for the VM OS image).
VM Scope and Orchestration Checks
- -Audit VM or VMSS instance targeting in automation (example: extension update sent to old instance ID after scale set replacement).
- -Trace concurrent deployment jobs that may remove extensions mid-rollout (example: security baseline pipeline deletes custom extension before app pipeline update).
How to Verify the Fix
- -Run extension list/get and confirm the expected extension resource now exists on the target VM.
- -Re-execute the failing extension action and verify no `VMExtensionNotFound` response is returned.
- -Confirm dependent provisioning steps complete successfully after extension state is corrected.
How to Prevent Recurrence
- -Manage VM extensions declaratively with a single source of truth and drift detection.
- -Serialize extension lifecycle actions to avoid concurrent remove/update conflicts.
- -Pin tested extension publisher/type/version combinations per VM image baseline.
Pro Tip
- -capture and diff `az vm extension list --query "[].{name:name,publisher:publisher,type:typeHandlerVersion}"` in CI to detect unexpected extension drift before rollout.
Decision Support
Compare Guide
403 Forbidden vs 404 Not Found: When to Hide Resources
Use 403 for explicit access denial, or 404 to conceal resource existence when security policy requires reducing endpoint and object enumeration risk.
Compare Guide
404 Not Found vs 410 Gone: Missing vs Permanent Removal
Learn when to return 404 (missing or temporary absence) versus 410 (intentional permanent removal), including redirect and cache implications.
Playbook
Resource State Playbook (404 / 410 / ResourceNotFound)
Use this playbook to separate temporary missing-resource lookups from permanent removals, then fix scope, lifecycle, and identifier drift safely.
Official References
Provider Context
This guidance is specific to Azure services. Always validate implementation details against official provider documentation before deploying to production.