Microsoft

Apr 15, 2026

Running Commands Across VM Scale Set Instances Without RDP/SSH Using Azure CLI Run Command

If you’ve ever managed an Azure Virtual Machine Scale Set (VMSS), you’ve likely run into this situation:

You need to validate something across all nodes, such as:

Checking a configuration value
Retrieving logs
Applying a registry change
Confirming runtime settings
Running a quick diagnostic command

And then you realize:

You’re not dealing with two or three machines you’re dealing with 40… 80… or even hundreds of instances.

The Traditional Approach (and Its Limitations)

Historically, administrators would:

Open RDP connections to Windows nodes
SSH into Linux nodes
Execute commands manually on each instance

While this may work for a small number of machines, in real‑world environments such as:

Azure Batch (user‑managed pools)
Azure Service Fabric (classic clusters)
VMSS‑based application tiers

This approach quickly becomes:

Operationally inefficient
Time‑consuming
Sometimes impossible

Especially when:

RDP or SSH ports are blocked
Network Security Groups restrict inbound connectivity
Administrative credentials are unavailable
Network configuration issues prevent guest access

Azure Run Command

To address this, Azure provides a built‑in capability to execute commands inside virtual machines through the Azure control plane, without requiring direct guest OS connectivity. This feature is called Run Command.

You can review the official documentation here:
Run scripts in a Linux VM in Azure using action Run Commands - Azure Virtual Machines | Microsoft Learn
Run scripts in a Windows VM in Azure using action Run Commands - Azure Virtual Machines | Microsoft Learn

Run Command uses the Azure VM Agent installed on the virtual machine to execute PowerShell or shell scripts directly inside the guest OS.

Because execution happens via the Azure control plane, you can run commands even when:

RDP or SSH ports are blocked
NSGs restrict inbound access
Administrative user configuration is broken

In fact, Run Command is specifically designed to troubleshoot and remediate virtual machines that cannot be accessed through standard remote access methods.

Prerequisites & Restrictions.

Before using Run Command, ensure the following:

VM Agent installed and in Ready state
Outbound connectivity from the VM to Azure public IPs over TCP 443 to return execution results.

If outbound connectivity is blocked, scripts may run successfully but no output will be returned to the caller.

Additional limitations include:

Output limited to the last 4,096 bytes
One script execution at a time per VM
Interactive scripts are not supported
Maximum execution time of 90 minutes

Full list of restrictions and limitations are available here:
https://learn.microsoft.com/en-us/azure/virtual-machines/windows/run-command?tabs=portal%2Cpowershellremove#restrictions

Required Permissions (RBAC)

Executing Run Command requires appropriate Azure RBAC permissions.

Action	Permission
List available Run Commands	Microsoft.Compute/locations/runCommands/read
Execute Run Command	Microsoft.Compute/virtualMachines/runCommand/action

The execution permission is included in:

Virtual Machine Contributor role (or higher)

Users without this permission will be unable to execute remote scripts through Run Command.

Azure CLI: az vm vs az vmss

When using Azure CLI, you’ll encounter two similar‑looking commands that behave very differently.

az vm run-command invoke

Used for standalone VMs
Also used for Flexible VM Scale Sets
Targets VMs by name

az vmss run-command invoke

Used only for Uniform VM Scale Sets
Targets instances by numeric instanceId (0, 1, 2, …)

Example: az vmss run-command invoke --instance-id <id>

Unlike standalone VM execution, VMSS instances must be referenced using the parameter "--instance-id" to identify which scale set instance will run the script.

Important: Uniform vs Flexible VM Scale Sets

This distinction is critical when automating Run Command execution.

Uniform VM Scale Sets

Instances are managed as identical replicas
Each instance has a numeric instanceId
Supported by az vmss run-command invoke

Flexible VM Scale Sets

Each instance is a first‑class Azure VM resource
Instance identifiers are VM names, not numbers
az vmss run-command invoke is not supported
Must use az vm run-command invoke per VM

To determine which orchestration mode your VMSS uses:

az vmss show -g "${RG}" -n "${VMSS}" --query "orchestrationMode" -o tsv

Windows vs Linux Targets

Choose the appropriate command ID based on the guest OS:

Windows VMs → RunPowerShellScript
Linux VMs → RunShellScript

Example Scenario - Retrieve Hostname From All VMSS Instances

The following examples demonstrate how to retrieve the hostname from all VMSS instances using Azure CLI and Bash.

Flexible VMSS, Bash (Azure CLI)

RG="<ResourceGroup>"
VMSS="<VMSSName>"
SUBSCRIPTION_ID="<SubscriptionID>"

az account set --subscription "${SUBSCRIPTION_ID}"

VM_NAMES=$(az vmss list-instances \
  -g "${RG}" \
  -n "${VMSS}" \
  --query "[].name" \
  -o tsv)

for VM in $VM_NAMES; do
  echo "Running on VM: $VM"

  az vm run-command invoke \
    -g "${RG}" \
    -n "$VM" \
    --command-id RunShellScript \
    --scripts "hostname" \
    --query "value[0].message" \
    -o tsv
done

Uniform VMSS, Bash (Azure CLI)

RG="<ResourceGroup>"
VMSS="<VMSSName>"
SUBSCRIPTION_ID="<SubscriptionID>"

az account set --subscription "${SUBSCRIPTION_ID}"

INSTANCE_IDS=$(az vmss list-instances -g "${RG}" -n "${VMSS}" --query "[].instanceId" -o tsv)

for ID in $INSTANCE_IDS; do
  echo "Running on instanceId: $ID"

  az vmss run-command invoke \
    -g "${RG}" \
    -n "${VMSS}" \
    --instance-id "$ID" \
    --command-id RunShellScript \
    --scripts "hostname" \
    --query "value[0].message" \
    -o tsv
done