Should there be a requirement to block general internet access out an Azure virtual machine but you still require the virtual machine to apply windows updates / security patches the following network security groups are required to be applied to the VM.

The following Service tags applied to the NSG:
AzureUpdateDelivery – port 443
AzureFrontDoor.FirstParty – port 80
Block internet to Any