How to use New-AzConfigurationAssignment Powershell cmdlet for Dynamic Scope for different subscriptions -Azure update manager

Question

I'm failing to set up Dynamic Scopes for my Maintenance Configuration related to VMs (InGuestPatching) with Powershell. I have created a maintenance configuration. Now I want to do the configuration assignment on number of virtual machines at scale using powershell over subscription level dynamic scope. But powershell cmdlet is failing to do so.

Import-Module Az.Accounts
Import-Module Az.Resources
Import-Module Az.Compute
Import-Module Az.Automation
Import-Module Az.Storage
Import-Module Az.KeyVault
Import-Module Az.Maintenance
Import-Module Az.Compute  

Set-AzContext -Subscription ""

$maintenanceconfig =  New-AzMaintenanceConfiguration -ResourceGroup $RGName -Name $configName -MaintenanceScope $scope -Location $location -StartDateTime $startDateTime -TimeZone $timeZone -Duration $duration -RecurEvery $recurEvery -WindowParameterClassificationToInclude $WindowsParameterClassificationToInclude -InstallPatchRebootSetting $RebootOption -ExtensionProperty @{"InGuestPatchMode"="User"}     

New-AzConfigurationAssignment -ConfigurationAssignmentName $maintenanceconfig.Name -MaintenanceConfigurationId $maintenanceconfig.Id -ProviderName Microsoft.Compute -ResourceType virtualMachines -FilterLocation eastus2 -FilterOsType Windows -FilterOperator "Any" -FilterTag '{"network_environment" : ["sb"]}'

The above code is failing to create dynamic scope assignment and below is the error I am getting.

Error:

I don't know what exactly am I missing but this cmdlet is not working for me and MS documentation is lacking the information. Please suggest a solution for this

Answer 1

Just remember there is 30 sub dynamic scope limit https://learn.microsoft.com/en-us/azure/virtual-machines/maintenance-configurations

Answer 2

How to use New-AzConfigurationAssignment Powershell cmdlet for Dynamic Scope for different subscriptions -Azure update manager.

Here is the updated PowerShell script for creating a maintenance configuration for a VM.

    $RGName           = "RG-Name"
    $configName        = "workervmscentralus"
    $scope            = "InGuestPatch"
    $location         = "eastus2euap"
    $startDateTime    = "2024-03-09 12:30"
    $timeZone         = "UTC"
    $duration         = "3:00"
    $recurEvery       = "Day"
    $WindowsParameterClassificationToInclud = "apt","httpd"
    $RebootOption = "IfRequired"
    $Flocation  =  "eastus2euap,centraluseuap"
    $maintenanceconfig = New-AzMaintenanceConfiguration -ResourceGroupName v-nehrujir-Mindtree `
    -Name workervmseastus `
    -MaintenanceScope "InGuestPatch" `
    -Location eastus2 `
    -Timezone "UTC" `
    -StartDateTime "2025-10-09 12:30" `
    -Duration "3:00" `
    -RecurEvery "Day" `
    -LinuxParameterPackageNameMaskToInclude "apt","httpd" `
    -ExtensionProperty @{inGuestPatchMode="User"} `
    -InstallPatchRebootSetting "IfRequired" `
    
    
  $assignment = New-AzConfigurationAssignment -ResourceGroup $RGName -ResourceName "testvm" -ConfigurationAssignmentName $maintenanceconfig.Name -MaintenanceConfigurationId $maintenanceconfig.Id -ProviderName Microsoft.Compute -ResourceType virtualMachines -FilterLocation eastus2  -FilterOsType Windows -FilterOperator "Any" -FilterTag '{"network_environment" : ["sb"]}' -Location centralus
    
 $assignment = New-AzConfigurationAssignment -ResourceGroup $RGName -ResourceName testvm -ConfigurationAssignmentName $maintenanceconfig.Name -MaintenanceConfigurationId $maintenanceconfig.Id -ProviderName Microsoft.Compute -ResourceType virtualMachines -FilterLocation eastus2 -FilterOsType Windows -FilterOperator "Any" -FilterTag '{"network_environment" : ["sb"]}' -Location centralus

To add dynamic scope into multiple subscription based filters, you can use the following code.

    $subscriptionnames = Get-AzSubscription | Select-Object -ExpandProperty Name
    foreach ($subscriptionname in $subscriptionnames) {
        Set-AzContext -Subscription $subscriptionname
        az maintenance assignment create-or-update-subscription --maintenance-configuration-id $maintenanceconfig.Id --subscription $subscriptionname --name $maintenanceconfig.Name --filter-locations centralus westus2 --filter-os-types windows linux --filter-tags '{"azsecpack":["nonprod"], "Department":["IT"]}' --filter-tags-operator All
    }

Output:

After executing the script, the dynamic scope has been created in Maintenance configuration.

Reference: az maintenance assignment create-or-update-subscription