powershell - Error faced when deploy azure update manager dynamic scopes across multiple subscriptions - Stack Overflow

I'm facing multiple anomalies when deploying Azure Update Manager dynamic scopes linked to maintenance configurations across multiple subscriptions, with the below script (personal details removed):

# Define a hashtable of subscriptions with their names as keys and IDs as values
$subscriptions = @{
    "subscription A" = "00000000-0000-0000-0000-000000000000"
    "subscription B" = "00000000-0000-0000-0000-000000000000"
    # Additional subscriptions......
}

# Ensures you do not inherit an AzContext in your runbook
Disable-AzContextAutosave -Scope Process

# Authenticate with the sys-mi linked to this automation account 
az login --identity 
az account show

# Install the maintenance Azure CLI extension without prompting for confirmation (now mentioned in the ADO pipeline)
az extension add --name maintenance --allow-preview true --yes 
az extension show --name maintenance
az config set extension.dynamic_install_allow_preview=true

# Mapping between maintenance configurations and their dynamic scope tags
$dynamic_scope_tag_to_mc = @{
    mc_ne_dev_arc = @{
        mc_config_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-mc-ne-aum/providers/Microsoft.Maintenance/maintenanceConfigurations/mc_ne_dev_arc"
        dynamic_scope_tag_value = "dev-arc"       
    }
    mc_ne_stage_platform = @{
        mc_config_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-mc-ne-aum/providers/Microsoft.Maintenance/maintenanceConfigurations/mc_ne_stage_platform"
        dynamic_scope_tag_value = "stage-platform"       
    }
    # Additional maintenance configurations..... 
}

# Iterate over each maintenance configuration and its dynamic scope tag
foreach ($scope in $dynamic_scope_tag_to_mc.Keys) {
    # Get the maintenance configuration details
    $mc_config_id = $dynamic_scope_tag_to_mc[$scope]["mc_config_id"]
    $scope_tag_value = $dynamic_scope_tag_to_mc[$scope]["dynamic_scope_tag_value"]

    # Iterate over each subscriptions for this maintenance configuration
    foreach ($sub in $subscriptions.Keys) {
        $subscription_name = $sub
        $subscription_id = $subscriptions[$sub]

        Write-Output "Subscription name - $($subscription_name)"
        Write-Output "" 
        Write-Output "Subscription - $($subscription_id)"
        Write-Output ""
        Write-Output "Applying dynamic scope tag '$($scope_tag_value)' to MC >>> $($mc_config_id)"
        Write-Output ""

        # Deploy the dynamic scope to the maintenance configuration for this subscription
        az maintenance assignment create-or-update-subscription `
            --maintenance-configuration-id $mc_config_id `
            --name "assignment-$($scope_tag_value)" `
            --filter-os-types windows linux `
            --filter-resource-types "Microsoft.Compute/VirtualMachines" "Microsoft.HybridCompute/machines" `
            --filter-tags "{zimcanit-mc-config:[$($scope_tag_value)]}" `
            --filter-tags-operator All `
            --subscription $subscription_id 
    }
}

az logout

The script is triggered via a runbook within an automation account and does the following:

  • Store a list of all subscriptions in my tenant: $subscriptions
  • Define the dynamic scope tag values to assign per maintenance configuration in a nested hash table object $dynamic_scope_tag_mc
  • Iteration logic:
    • Iterate over every dynamic scope tag value per maintenance configuration id; whilst extracting key attributes for maintenance configuration ID and associated dynamic scope tag value.
    • Iterate over every subscription ID per dynamic scope tag value and leverage az cli cmd az maintenance assignment create-or-update-subscription to assign cross-subscription dynamic scopes

Architecture of what I want to achieve:

Anomalies faced:

  • Some dynamic scope assignments align with my architectural requirements
  • Some dynamic scope assignments are duplicated, but the difference is the casing for the os type filter
  • Some maintenance configurations have no dynamic scopes assigned to them at all

Questions

  • Is there a way I can dynamically reference my subscriptions within the PowerShell runbook without hardcoding them?
  • Is there anything with the iteration logic that needs to be revised given how it currently partially works?
  • I referenced an existing Stack Overflow question for inspiration when setting up the original script: How to use New-AzConfigurationAssignment Powershell cmdlet for Dynamic Scope for different subscriptions -Azure update manager

asked Jan 18 at 15:00 by ZimCanIT
  • Try using Get-AzSubscription | ForEach-Object { $subscriptions[$_.Name] = $_.Id } command for dynamic subscriptions and normalize OS filter casing to prevent duplication @ZimcanIT – Vinay B Commented Feb 3 at 11:54
1 Answer

Instead of a hardcoded $subscriptions hashtable, dynamically retrieve all subscriptions using Azure PowerShell.

  • The script given in the question iterates over $subscriptions.Keys, but Azure CLI commands need a subscription context for each iteration.

Create Azure Update Manager Maintenance Configurations and assign Dynamic Scopes across multiple subscriptions using the New-AzConfigurationAssignment cmdlet.

Script:

# Define subscriptions
$subscriptions = @{
    "subscription A" = "00000000-0000-0000-0000-000000000000"
    "subscription B" = "00000000-0000-0000-0000-000000000000"
}

# Disable AzContext autosave
Disable-AzContextAutosave -Scope Process

# Authenticate with the system-assigned managed identity
az login --identity 
az account show

# Ensure the maintenance extension is installed and updated
az extension add --name maintenance --allow-preview true --yes
az extension update --name maintenance
az config set extension.dynamic_install_allow_preview=true

# Define dynamic scope tag mappings
$dynamic_scope_tag_to_mc = @{
    mc_ne_dev_arc = @{
        mc_config_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-mc-ne-aum/providers/Microsoft.Maintenance/maintenanceConfigurations/mc_ne_dev_arc"
        dynamic_scope_tag_value = "dev-arc"       
    }
    mc_ne_stage_platform = @{
        mc_config_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-mc-ne-aum/providers/Microsoft.Maintenance/maintenanceConfigurations/mc_ne_stage_platform"
        dynamic_scope_tag_value = "stage-platform"       
    }
}

# Iterate over maintenance configurations and subscriptions
foreach ($scope in $dynamic_scope_tag_to_mc.Keys) {
    $mc_config_id = $dynamic_scope_tag_to_mc[$scope]["mc_config_id"]
    $scope_tag_value = $dynamic_scope_tag_to_mc[$scope]["dynamic_scope_tag_value"]

    foreach ($sub in $subscriptions.Keys) {
        $subscription_name = $sub
        $subscription_id = $subscriptions[$sub]

        Write-Output "Processing: $subscription_name ($subscription_id) with tag $scope_tag_value"

        # Switch subscription context
        az account set --subscription $subscription_id

        # Create or update the maintenance assignment.
        # The tag filter uses the same shorthand form as the question; a backslash
        # does not escape quotes inside a PowerShell double-quoted string.
        az maintenance assignment create-or-update-subscription `
            --maintenance-configuration-id $mc_config_id `
            --name "assignment-$scope_tag_value" `
            --filter-os-types windows linux `
            --filter-resource-types "Microsoft.Compute/VirtualMachines" "Microsoft.HybridCompute/machines" `
            --filter-tags "{zimcanit-mc-config:[$scope_tag_value]}" `
            --filter-tags-operator All `
            --subscription $subscription_id

        # az is a native command: a failure sets $LASTEXITCODE and does not throw,
        # so a try/catch block around it would never reach catch.
        if ($LASTEXITCODE -eq 0) {
            Write-Output "Successfully applied scope $scope_tag_value to subscription $subscription_name"
        } else {
            Write-Error "Failed to apply scope $scope_tag_value to subscription $subscription_name. Exit code: $LASTEXITCODE"
        }
    }
}

# Logout after operations
az logout
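
An added example, not part of the answer or the question's script: it discovers subscriptions with `az account list` instead of a hardcoded hashtable, keeps the OS type casing in one place, and records every (tag, subscription) result so that a maintenance configuration left without a dynamic scope shows up as a failure instead of a silent patching gap. The variable names, the `Windows`/`Linux` casing, and the report layout are assumptions; the IDs are the placeholders from the question.

```powershell
# Added example: variable names and report layout are illustrative.
az login --identity --output none
if ($LASTEXITCODE -ne 0) { throw "az login with the managed identity failed" }

# Discover subscriptions instead of hardcoding them: every enabled
# subscription that the managed identity can see.
$subscriptions = az account list --query "[?state=='Enabled'].{name:name, id:id}" --output json |
    ConvertFrom-Json
if (-not $subscriptions) { throw "The identity cannot see any enabled subscription" }

# Single source of truth for OS type casing, so every run sends the same
# filter values (the casing chosen here is an assumption).
$osTypes = @('Windows', 'Linux')

# Tag value -> maintenance configuration ID (placeholder IDs from the question).
$configs = [ordered]@{
    'dev-arc'        = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-mc-ne-aum/providers/Microsoft.Maintenance/maintenanceConfigurations/mc_ne_dev_arc'
    'stage-platform' = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-mc-ne-aum/providers/Microsoft.Maintenance/maintenanceConfigurations/mc_ne_stage_platform'
}

$results = foreach ($tag in $configs.Keys) {
    foreach ($sub in $subscriptions) {
        az maintenance assignment create-or-update-subscription `
            --maintenance-configuration-id $configs[$tag] `
            --name "assignment-$tag" `
            --filter-os-types $osTypes `
            --filter-resource-types "Microsoft.Compute/VirtualMachines" "Microsoft.HybridCompute/machines" `
            --filter-tags "{zimcanit-mc-config:[$tag]}" `
            --filter-tags-operator All `
            --subscription $sub.id `
            --output none
        # Native commands report failure through $LASTEXITCODE, not exceptions.
        [pscustomobject]@{
            Tag          = $tag
            Subscription = $sub.name
            Succeeded    = ($LASTEXITCODE -eq 0)
        }
    }
}
az logout

# Surface coverage gaps: a failed pair means machines carrying that tag in that
# subscription are not attached to the patch schedule.
$results | Sort-Object Tag, Subscription | Format-Table -AutoSize | Out-String | Write-Output
$failed = @($results | Where-Object { -not $_.Succeeded })
if ($failed.Count -gt 0) { throw "$($failed.Count) assignment(s) failed; see the table above" }
```

The managed identity needs rights to create configuration assignments in every subscription it enumerates; a subscription it cannot write to appears in the table with `Succeeded = False`.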
