In a direct follow on from the last post here are the steps to add two further extensions - listing here for my own benefit......(all run from cloud shell)
First up AntiMalware extension (shamelessly borrowed from here http://www.techkb.onl/azure-installing-the-microsoft-antimalware-and-log-analytics-extensions-on-vm-scale-sets/)
In this case loaded using powershell (make sure to have correct subscription set before you run this)
$rgname = 'yourrgname'
$vmssname = 'yourvmssname'
$location = 'yourlocation'
# Retrieve the most recent version number of the extension.
$allVersions= (Get-AzVMExtensionImage -Location $location -PublisherName "Microsoft.Azure.Security" -Type "IaaSAntimalware").Version
$versionString = $allVersions[($allVersions.count)-1].Split(".")[0] + "." + $allVersions[($allVersions.count)-1].Split(".")[1]
$VMSS = Get-AzVmss -ResourceGroupName $rgname -VMScaleSetName $vmssname
echo $VMSS
Add-AzVmssExtension -VirtualMachineScaleSet $VMSS -Name "IaaSAntimalware" -Publisher "Microsoft.Azure.Security" -Type "IaaSAntimalware" -TypeHandlerVersion $versionString
Update-AzVmss -ResourceGroupName $rgname -Name $vmssname -VirtualMachineScaleSet $VMSS
And secondly the diagnostics extension - in this case done via azcli - and in my case for windows platform - change point 2 if you have linux
1) az account set -s yoursubscriptionname
2) az vmss diagnostics get-default-config --is-windows-os> vmssconfig.json
3) create vmssprotected.json file - some of the output from step 2 will be to the screen and this explains what you need to do - basically you need a storage account and a sas key to get access to that and this has to be stored in the file.
4) az vmss diagnostics set --resource-group yourrgname --vmss-name yourvmssname --settings vmssconfig.json --protected-settings vmssprotected.json
Note that for point 2 you are just extracted some predefined definitions that Microsoft created - i think it is possible to add your own if you require that but then you would need to change the json file manually.