Error faced when deploy azure update manager dynamic scopes across multiple subscriptions

Question

I'm facing multiple anomolies when deploying azure update manager dynamic scopes linked to maintenance configurations across multiple subscriptions; with the below script (personal details removed) :

# Define a hashtable of subscriptions with their names as keys and IDs as values
$subscriptions = @{
    "subscription A" = "00000000-0000-0000-0000-000000000000"
    "subscription B" = "00000000-0000-0000-0000-000000000000"
    # Additional subscriptions......
}

# Ensures you do not inherit an AzContext in your runbook
Disable-AzContextAutosave -Scope Process

# Authenticate with the sys-mi linked to this automation account 
az login --identity 
az account show

# Install the maintenance azure clie extension without prompting for confirmation (now mentioned in the ADO pipeline)
az extension add --name maintenance --allow-preview true --yes 
az extension show --name maintenance
az config set extension.dynamic_install_allow_preview=true

# Mapping between maintenance configurations and their dynamic scope tags
$dynamic_scope_tag_to_mc = @{
    mc_ne_dev_arc = @{
        mc_config_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-mc-ne-aum/providers/Microsoft.Maintenance/maintenanceConfigurations/mc_ne_dev_arc"
        dynamic_scope_tag_value = "dev-arc"       
    }
    mc_ne_stage_platform = @{
        mc_config_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-mc-ne-aum/providers/Microsoft.Maintenance/maintenanceConfigurations/mc_ne_stage_platform"
        dynamic_scope_tag_value = "stage-platform"       
    }
    # Additional maintenance configurations..... 
}

# Iterate over each maintenance configuration and its dynamic scope tag
foreach ($scope in $dynamic_scope_tag_to_mc.Keys) {
    # Get the maintenance configuration details
    $mc_config_id = $dynamic_scope_tag_to_mc[$scope]["mc_config_id"]
    $scope_tag_value = $dynamic_scope_tag_to_mc[$scope]["dynamic_scope_tag_value"]

    # Iterate over each subscriptions for this maintenance configuration
    foreach ($sub in $subscriptions.Keys) {
        $subscription_name = $sub
        $subscription_id = $subscriptions[$sub]

        Write-Output "Subscription name - $($subscription_name)"
        Write-Output "" 
        Write-Output "Subscription - $($subscription_id)"
        Write-Output ""
        Write-Output "Applying dynamic scope tag '$($scope_tag_value)' to MC >>> $($mc_config_id)"
        Write-Output ""

        # Deploy the dynamic scope to the maintenance configuration for this subscription
        az maintenance assignment create-or-update-subscription `
            --maintenance-configuration-id $mc_config_id `
            --name "assignment-$($scope_tag_value)" `
            --filter-os-types windows linux `
            --filter-resource-types "Microsoft.Compute/VirtualMachines" "Microsoft.HybridCompute/machines" `
            --filter-tags "{zimcanit-mc-config:[$($scope_tag_value)]}" `
            --filter-tags-operator All `
            --subscription $subscription_id 
    }
}

az logout

The script is triggered via a runbook within an automation account and does the following:

• Store a list of all subscriptions in my tenant: $subscriptions
• Define the dynamic scope tag values to assign per maintenance configuration in a nested hash table object $dynamic_scope_tag_mc
• Iteration logic:
  • Iterate over every dynamic scope tag value per maintenance configuration id; whilst extracting key attributes for maintenance configuration ID and associated dynamic scope tag value.
  • Iterate over every subscription ID per dynamic scope tag value and leverage az cli cmd az maintenance assignment create-or-update-subscription to assign cross-subscription dynamic scopes

Architecture of what I want to acheive:

Anomolies faced:

• Some dynamic scope assignments align with my architectural requirements
• Some dynamic scope assignments are duplicated, but the difference is the casing for the os type filter
• Some maintenance configurations have no dynamic scopes assigned to them at all

Questions

• Is there a way I can dynamically reference my subscriptions within the PowerShell runbook without hardcoding them?
• Is there anything with the iteration logic that needs to be revised given how it currently partially works?
• I refrenced an existing stackoverflow question for inspiration when setting up the original script How to use New-AzConfigurationAssignment Powershell cmdlet for Dynamic Scope for different subscriptions -Azure update manager

Answer 1

Instead of hardcoded $subscriptions hashtable, dynamically retrieve all subscriptions using Azure PowerShell.

• The script which given in the question iterates over $subscriptions.Keys, but Azure CLI commands needs subscription context for each iteration.

Create Azure Update Manager Maintenance Configurations and assign Dynamic Scopes across multiple subscriptions using the New-AzConfigurationAssignment cmdlet.

Script:

# Define subscriptions
$subscriptions = @{
    "subscription A" = "00000000-0000-0000-0000-000000000000"
    "subscription B" = "00000000-0000-0000-0000-000000000000"
}

# Disable AzContext autosave
Disable-AzContextAutosave -Scope Process

# Authenticate with the system-assigned managed identity
az login --identity 
az account show

# Ensure the maintenance extension is installed and updated
az extension add --name maintenance --allow-preview true --yes
az extension update --name maintenance
az config set extension.dynamic_install_allow_preview=true

# Define dynamic scope tag mappings
$dynamic_scope_tag_to_mc = @{
    mc_ne_dev_arc = @{
        mc_config_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-mc-ne-aum/providers/Microsoft.Maintenance/maintenanceConfigurations/mc_ne_dev_arc"
        dynamic_scope_tag_value = "dev-arc"       
    }
    mc_ne_stage_platform = @{
        mc_config_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-mc-ne-aum/providers/Microsoft.Maintenance/maintenanceConfigurations/mc_ne_stage_platform"
        dynamic_scope_tag_value = "stage-platform"       
    }
}

# Iterate over maintenance configurations and subscriptions
foreach ($scope in $dynamic_scope_tag_to_mc.Keys) {
    $mc_config_id = $dynamic_scope_tag_to_mc[$scope]["mc_config_id"]
    $scope_tag_value = $dynamic_scope_tag_to_mc[$scope]["dynamic_scope_tag_value"]

    foreach ($sub in $subscriptions.Keys) {
        $subscription_name = $sub
        $subscription_id = $subscriptions[$sub]

        Write-Output "Processing: $subscription_name ($subscription_id) with tag $scope_tag_value"

        # Switch subscription context
        az account set --subscription $subscription_id

        # Try to create or update the maintenance assignment
        try {
            az maintenance assignment create-or-update-subscription `
                --maintenance-configuration-id $mc_config_id `
                --name "assignment-$scope_tag_value" `
                --filter-os-types windows linux `
                --filter-resource-types "Microsoft.Compute/VirtualMachines" "Microsoft.HybridCompute/machines" `
                --filter-tags "{\"zimcanit-mc-config\":[\"$scope_tag_value\"]}" `
                --filter-tags-operator All `
                --subscription $subscription_id

            Write-Output "Successfully applied scope $scope_tag_value to subscription $subscription_name"
        } catch {
            Write-Error "Failed to apply scope $scope_tag_value to subscription $subscription_name. Error: $_"
        }
    }
}

# Logout after operations
az logout