Encountering anomalies when deploying Azure Update Manager dynamic scopes across multiple subscriptions
I'm facing multiple anomalies when deploying Azure Update Manager dynamic scopes linked to maintenance configurations across multiple subscriptions, with the below script (personal details removed):
# Define a hashtable of subscriptions with their names as keys and IDs as values
$subscriptions = @{
    "subscription A" = "00000000-0000-0000-0000-000000000000"
    "subscription B" = "00000000-0000-0000-0000-000000000000"
    # Additional subscriptions......
}

# Ensures you do not inherit an AzContext in your runbook
# (Az PowerShell cmdlet; everything below uses the Azure CLI instead)
Disable-AzContextAutosave -Scope Process

# Authenticate with the system-assigned managed identity linked to this automation account
az login --identity
az account show

# Install the maintenance Azure CLI extension without prompting for confirmation (now mentioned in the ADO pipeline)
az extension add --name maintenance --allow-preview true --yes
az extension show --name maintenance
az config set extension.dynamic_install_allow_preview=true

# Mapping between maintenance configurations and their dynamic scope tags
$dynamic_scope_tag_to_mc = @{
    mc_ne_dev_arc = @{
        mc_config_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-mc-ne-aum/providers/Microsoft.Maintenance/maintenanceConfigurations/mc_ne_dev_arc"
        dynamic_scope_tag_value = "dev-arc"
    }
    mc_ne_stage_platform = @{
        mc_config_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-mc-ne-aum/providers/Microsoft.Maintenance/maintenanceConfigurations/mc_ne_stage_platform"
        dynamic_scope_tag_value = "stage-platform"
    }
    # Additional maintenance configurations.....
}

# Iterate over each maintenance configuration and its dynamic scope tag
foreach ($scope in $dynamic_scope_tag_to_mc.Keys) {
    # Get the maintenance configuration details
    $mc_config_id = $dynamic_scope_tag_to_mc[$scope]["mc_config_id"]
    $scope_tag_value = $dynamic_scope_tag_to_mc[$scope]["dynamic_scope_tag_value"]

    # Iterate over each subscription for this maintenance configuration
    foreach ($sub in $subscriptions.Keys) {
        $subscription_name = $sub
        $subscription_id = $subscriptions[$sub]
        Write-Output "Subscription name - $($subscription_name)"
        Write-Output ""
        Write-Output "Subscription - $($subscription_id)"
        Write-Output ""
        Write-Output "Applying dynamic scope tag '$($scope_tag_value)' to MC >>> $($mc_config_id)"
        Write-Output ""

        # Deploy the dynamic scope to the maintenance configuration for this subscription
        # (--filter-tags uses the CLI shorthand syntax {key:[value1,value2]})
        az maintenance assignment create-or-update-subscription `
            --maintenance-configuration-id $mc_config_id `
            --name "assignment-$($scope_tag_value)" `
            --filter-os-types windows linux `
            --filter-resource-types "Microsoft.Compute/VirtualMachines" "Microsoft.HybridCompute/machines" `
            --filter-tags "{zimcanit-mc-config:[$($scope_tag_value)]}" `
            --filter-tags-operator All `
            --subscription $subscription_id

        # az does not throw inside PowerShell; check the exit code so a failed
        # assignment stops the runbook instead of being skipped silently
        if ($LASTEXITCODE -ne 0) {
            throw "Dynamic scope assignment failed for subscription '$subscription_name' (MC: $mc_config_id)"
        }
    }
}

az logout
The script is triggered via a runbook within an automation account and does the following:
- Store a list of all subscriptions in my tenant: $subscriptions
- Define the dynamic scope tag values to assign per maintenance configuration in a nested hash table object $dynamic_scope_tag_to_mc
- Iteration logic:
- Iterate over every dynamic scope tag value per maintenance configuration id; whilst extracting key attributes for maintenance configuration ID and associated dynamic scope tag value.
- Iterate over every subscription ID per dynamic scope tag value and leverage the az CLI command az maintenance assignment create-or-update-subscription to assign cross-subscription dynamic scopes
Architecture of what I want to achieve:
Anomalies faced:
- Some dynamic scope assignments align with my architectural requirements
- Some dynamic scope assignments are duplicated, but the difference is the casing for the os type filter
- Some maintenance configurations have no dynamic scopes assigned to them at all
Questions
- Is there a way I can dynamically reference my subscriptions within the PowerShell runbook without hardcoding them?
- Is there anything with the iteration logic that needs to be revised given how it currently partially works?
- I referenced an existing Stack Overflow question for inspiration when setting up the original script: How to use New-AzConfigurationAssignment Powershell cmdlet for Dynamic Scope for different subscriptions -Azure update manager
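The following is an added example, not code from the question author: it shows one way to enumerate the subscriptions the managed identity can see at run time instead of hardcoding them, and then drive the same create-or-update loop from that list. It assumes the Azure CLI with the maintenance extension is available on the worker, that the identity used by `az login --identity` has rights on every target subscription, and that the tag key `zimcanit-mc-config` from the question is the one the dynamic scopes filter on. The maintenance configuration IDs and the `$DryRun` switch are placeholders for illustration.

```powershell
# Added example (not from the original question). Assumes: az CLI + 'maintenance'
# extension installed; the runbook identity has rights on all target subscriptions.
param(
    # Hypothetical switch: when set, log what would be created without calling az.
    [switch]$DryRun
)

$ErrorActionPreference = 'Stop'
$tagKey = 'zimcanit-mc-config'   # tag key from the question; assumption that it is the only key used

az login --identity --output none
if ($LASTEXITCODE -ne 0) { throw 'az login --identity failed' }

# Enumerate enabled subscriptions visible to this identity, restricted to the
# identity's home tenant so guest subscriptions in other tenants are not picked up.
$tenantId = (az account show --query tenantId --output tsv).Trim()
$subscriptions = az account list `
    --query "[?state=='Enabled' && tenantId=='$tenantId'].{name:name,id:id}" `
    --output json | Out-String | ConvertFrom-Json
if ($LASTEXITCODE -ne 0 -or -not $subscriptions) { throw 'No enabled subscriptions returned by az account list' }
$subscriptions = $subscriptions | Sort-Object name

# Placeholder maintenance configuration IDs; replace with the real resource IDs.
# [ordered] keeps the iteration (and therefore the log) in a predictable order.
$mcPrefix = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-mc-ne-aum/providers/Microsoft.Maintenance/maintenanceConfigurations'
$dynamicScopes = [ordered]@{
    mc_ne_dev_arc        = @{ ConfigId = "$mcPrefix/mc_ne_dev_arc";        TagValue = 'dev-arc' }
    mc_ne_stage_platform = @{ ConfigId = "$mcPrefix/mc_ne_stage_platform"; TagValue = 'stage-platform' }
}

$failures = @()
foreach ($mcName in $dynamicScopes.Keys) {
    $mc = $dynamicScopes[$mcName]
    # CLI shorthand syntax for --filter-tags: {key:[value1,value2]}
    $tagFilter = "{$($tagKey):[$($mc.TagValue)]}"

    foreach ($sub in $subscriptions) {
        Write-Output ("{0} | {1} -> tag {2}={3}" -f $sub.name, $mcName, $tagKey, $mc.TagValue)
        if ($DryRun) { continue }

        az maintenance assignment create-or-update-subscription `
            --subscription $sub.id `
            --maintenance-configuration-id $mc.ConfigId `
            --name "assignment-$($mc.TagValue)" `
            --filter-os-types windows linux `
            --filter-resource-types 'Microsoft.Compute/virtualMachines' 'Microsoft.HybridCompute/machines' `
            --filter-tags $tagFilter `
            --filter-tags-operator All `
            --output none

        # az returns a non-zero exit code on failure but does not throw in PowerShell;
        # record the failure and keep going so one subscription does not mask the rest.
        if ($LASTEXITCODE -ne 0) {
            $failures += "$($sub.name) / $mcName"
        }
    }
}

az logout --output none

if ($failures.Count -gt 0) {
    throw "Dynamic scope assignment failed for: $($failures -join ', ')"
}
```

Running the runbook once with `-DryRun` prints the full subscription-by-configuration matrix the loop will create, which makes it easy to confirm the enumerated subscription list matches what you expect before any assignments are written. Collecting failures and throwing at the end, rather than on the first error, gives one run a complete picture of which subscription and configuration pairs did not get an assignment.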