Dev/bhbrahma/gallery managed identity

[D1v38om83r]

Adds managed identity support to New-AzGallery and Update-AzGallery, and exposes Identity in the Get-AzGallery output object.

Changes

• PSGallery.cs — Added Identity property (GalleryIdentity); AutoMapper picks it up automatically from the SDK model
• GalleryCreateOrUpdateMethod.cs
  • New-AzGallery: new parameters -EnableSystemAssignedIdentity (SwitchParameter) and -UserAssignedIdentity (string[])
  • Update-AzGallery: same two parameters plus -DisableSystemAssignedIdentity (SwitchParameter) and -RemoveAllUserAssignedIdentity (SwitchParameter) for removing identities
  • Identity type is derived from which parameters are provided: SystemAssigned, UserAssigned, or SystemAssigned, UserAssigned
  • Update-AzGallery merges with the existing identity state on the resource — adding -EnableSystemAssignedIdentity preserves existing user-assigned identities and vice versa
  • Mutual exclusivity validation: -EnableSystemAssignedIdentity / -DisableSystemAssignedIdentity and -UserAssignedIdentity / -RemoveAllUserAssignedIdentity cannot be used together
• Help docs (New-AzGallery.md, Update-AzGallery.md) — Updated syntax blocks and added identity examples
• Tests — Added 7 scenario tests covering identity create, update, and disable workflows
  • TestGalleryWithSystemAssignedIdentity
  • TestGalleryWithUserAssignedIdentity
  • TestGalleryWithSystemAndUserAssignedIdentity
  • TestUpdateGalleryWithSystemAssignedIdentity
  • TestUpdateGalleryWithUserAssignedIdentity
  • TestUpdateGalleryWithSystemAndUserAssignedIdentity
  • TestDisableGalleryIdentities

Usage

# New gallery with system-assigned identity
New-AzGallery -ResourceGroupName $rg -Name $galleryName -Location $loc -EnableSystemAssignedIdentity

# New gallery with user-assigned identity
$uid = Get-AzUserAssignedIdentity -ResourceGroupName $rg -Name $identityName
New-AzGallery -ResourceGroupName $rg -Name $galleryName -Location $loc -UserAssignedIdentity $uid.Id

# Update gallery to add both identity types
Get-AzGallery -ResourceGroupName $rg -Name $galleryName |
    Update-AzGallery -EnableSystemAssignedIdentity -UserAssignedIdentity $uid.Id

# Replace user-assigned identities (removes old, adds new in one call)
$newUid = Get-AzUserAssignedIdentity -ResourceGroupName $rg -Name $newIdentityName
Update-AzGallery -ResourceGroupName $rg -Name $galleryName -UserAssignedIdentity $newUid.Id

# Disable system-assigned identity (preserves user-assigned)
Update-AzGallery -ResourceGroupName $rg -Name $galleryName -DisableSystemAssignedIdentity

# Remove all user-assigned identities (preserves system-assigned)
Update-AzGallery -ResourceGroupName $rg -Name $galleryName -RemoveAllUserAssignedIdentity

# Remove all identities at once
Update-AzGallery -ResourceGroupName $rg -Name $galleryName -DisableSystemAssignedIdentity -RemoveAllUserAssignedIdentity

# Identity is now included in Get-AzGallery output
(Get-AzGallery -ResourceGroupName $rg -Name $galleryName).Identity

Parameter naming follows the repo's managed identity best practices.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• 1n8vsblobprodwus2184.vsblob.vsassets.io
  • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute.sln (dns block)
• 6yfvsblobprodwus2121.vsblob.vsassets.io
  • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute.sln (dns block)
• 7t8vsblobprodwus2168.vsblob.vsassets.io
  • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute.sln (dns block)
• 84hvsblobprodwus2148.vsblob.vsassets.io
  • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute.sln (dns block)
• 8wdvsblobprodwus2137.vsblob.vsassets.io
  • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute.sln (dns block)
• 9yyvsblobprodwus2157.vsblob.vsassets.io
  • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute.sln (dns block)
• b53vsblobprodwus2154.vsblob.vsassets.io
  • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute.sln (dns block)
• ba0vsblobprodwus2130.vsblob.vsassets.io
  • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute.sln (dns block)
• balvsblobprodwus2129.vsblob.vsassets.io
  • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute.sln (dns block)
• cbvvsblobprodwus2131.vsblob.vsassets.io
  • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute.sln (dns block)
• cffvsblobprodwus218.vsblob.vsassets.io
  • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute.sln (dns block)
• d94vsblobprodwus2119.vsblob.vsassets.io
  • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute.sln (dns block)
• ezcvsblobprodwus2170.vsblob.vsassets.io
  • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute.sln (dns block)
• faxvsblobprodwus2122.vsblob.vsassets.io
  • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute.sln (dns block)
• g3xvsblobprodwus2151.vsblob.vsassets.io
  • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute.sln (dns block)
• i01vsblobprodwus216.vsblob.vsassets.io
  • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute.sln (dns block)
• isvvsblobprodwus2147.vsblob.vsassets.io
  • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute.sln (dns block)
• jhgvsblobprodwus2167.vsblob.vsassets.io
  • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute.sln (dns block)
• k4pvsblobprodwus2140.vsblob.vsassets.io
  • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute.sln (dns block)
• mt2vsblobprodwus2110.vsblob.vsassets.io
  • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute.sln (dns block)
• nudvsblobprodwus214.vsblob.vsassets.io
  • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute.sln (dns block)
• p2tvsblobprodwus2189.vsblob.vsassets.io
  • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute.sln (dns block)
• tn2vsblobprodwus2124.vsblob.vsassets.io
  • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute.sln (dns block)
• wlnvsblobprodwus2188.vsblob.vsassets.io
  • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute.sln (dns block)
• x0dvsblobprodwus2111.vsblob.vsassets.io
  • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute.sln (dns block)
• y5lvsblobprodwus2179.vsblob.vsassets.io
  • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute.sln (dns block)
• zt8vsblobprodwus2176.vsblob.vsassets.io
  • Triggering command: /usr/bin/dotnet dotnet build src/Compute/Compute.sln (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Az.Compute - Create, Update, Get, Az Compute Gallery with Managed Identity</issue_title>
<issue_description>

Guidelines

The purpose of the Azure PowerShell design review is to ensure that the cmdlets follow the same pattern across the Azure modules. An early design review reduces the risk of unnecessary implementation changes caused by a cmdlet syntax design change.

Please ensure your cmdlets comply with the design guidelines outlined in the PowerShell Design Guidelines document.

Please generate cmdlets syntax using GenerateCmdletDesignMarkdown.ps1 for review if your cmdlet is generated from API spec directly by Autorest.PowerShell.

If you just add parameter to existing cmdlets and parameter definition complies with guideline, the design review is not expected.

• Have you read above statement?

  • YES

Service Release Details

• Is this an Embargoed Preview, A Public Preview, or a General Release?

  • General Release

• What is the expected service release date?

  • 2026-03-15

• Which Powershell module are these changes being made in?

  • Az.Compute

Contact Information

• Main developer contacts (emails + github aliases)

  • bhbrahma@microsoft.com @D1v38om83r

• PM contact (email + github alias)

  • Tanmay.Gore@microsoft.com @tanmaygore

• Other people who should attend a design review (email)

  • Joseph.Calev@microsoft.com

High Level Scenarios

• Describe how your feature is intended to be used by customers.

  • New-AzGallery command should allow user to specify managed identities when creating an Azure Compute Gallery
  • Update-AzGallery should accept the updated PSObject of type Microsoft.Compute/galleries with Managed Identity information and also allow user to specify managed identities.
  • Get-AzGallery command should be able to fetch updated PSObject of type Microsoft.Compute/galleries with Managed Identity information

• Piping scenarios / how these cmdlets are used with existing cmdlets

      $uid1 = Get-AzUserAssignedIdentity -ResourceGroupName azure-rg-test -Name uai-pwsh01
      $uid2 = Get-AzUserAssignedIdentity -ResourceGroupName azure-rg-test -Name uai-pwsh02
      New-AzGallery -ResourceGroupName $rgname -Name $galleryName -Location $location -UserAssginedIdentities $uid1 $uid2 -SystemAssignedIdentity

     $uid1 = Get-AzUserAssignedIdentity -ResourceGroupName azure-rg-test -Name uai-pwsh01
     $uid2 = Get-AzUserAssignedIdentity -ResourceGroupName azure-rg-test -Name uai-pwsh02
     Get-AzGallery -ResourceGroupName $rgname -Name $galleryName | Update-AzGallery -UserAssginedIdentities $uid1 $uid2 -SystemAssignedIdentity

• Sample of end-to-end usage

  • Please provide comprehensive examples that don't assume additional setup. It helps the audience understand your feature.

  • New-AzGallery -ResourceGroupName $rgname -Name $galleryName -Location $location -SystemAssignedIdentity

  • $uid1 = Get-AzUserAssignedIdentity -ResourceGroupName azure-rg-test -Name uai-pwsh01; New-AzGallery -ResourceGroupName $rgname -Name $galleryName -Location $location -UserAssignedIdentities $uid1

  • $gallery = Get-AzGallery -ResourceGroupName $rgname -Name $galleryName; Update-AzGallery -inputObject gallery SystemAssignedIdentity

  • $uid1 = Get-AzUserAssignedIdentity -ResourceGroupName azure-rg-test -Name uai-pwsh01; $gallery = Get-AzGallery -ResourceGroupName $rgname -Name $galleryName; Update-AzGallery -inputObject $gallery -UserAssginedIdentities $uid1

Syntax changes

Indicate if you are requesting an edit to existing cmdlets, adding new cmdlets, or both. Then edit the corresponding section below.

• Update parameters to existing cmdlets

Changed cmdlet

List the names of the cmdlets that are being edited.

• New-AzGallery, Get-AzGallery, Update-AzGallery

List the new parameters for the cmdlet, the parameter types, and their allowed values if applicable.

• New-AzGallery [-SystemAssignedIdentity]
• New-AzGallery [-UserAssginedIdentities] <Microsoft.ManagedIdentity/userAssignedIdentities[]>
• Get-AzGallery no change in parameters, update to output object
• Update-AzGallery [-SystemAssignedIdentity]
• Update-AzGallery [-UserAssginedIdentities] <Microsoft.ManagedIdentity/userAssignedIdentities[]>

Please describe the new business logic of the cmdlet and paramet...

Custom agent used: Compute PowerShell Pull Request Agent
Specialized agent for creating PowerShell pull requests based on a design request

• Fixes Azure/azure-powershell-cmdlet-review-pr#1540

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[azure-client-tools-bot-prd]

Thanks for your contribution! The pull request validation has started. Please revisit this comment for updated status.

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds managed identity support to Azure Compute Gallery cmdlets by introducing new identity-related parameters and surfacing identity in output models.

Changes:

• Added -EnableSystemAssignedIdentity and -UserAssignedIdentity to New-AzGallery and Update-AzGallery.
• Exposed Identity on PSGallery and updated help docs with new syntax/examples.
• Added scenario tests for system-assigned identity and fixed Update-AzGallery to return the updated gallery result.

Reviewed changes

Copilot reviewed 5 out of 9 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
src/Compute/Compute/Generated/Gallery/GalleryCreateOrUpdateMethod.cs	Implements new identity parameters, sets gallery identity, and fixes Update cmdlet result handling
src/Compute/Compute/Generated/Models/PSGallery.cs	Adds Identity to the PowerShell output model
src/Compute/Compute/help/New-AzGallery.md	Documents new identity parameters and examples for gallery creation
src/Compute/Compute/help/Update-AzGallery.md	Documents new identity parameters and update examples
src/Compute/Compute.Test/ScenarioTests/GalleryTests.ps1	Adds scenario scripts validating system-assigned identity create/update flows
src/Compute/Compute.Test/ScenarioTests/GalleryTests.cs	Wires new scenario scripts into test runner
src/Compute/Compute/ChangeLog.md	Notes the new parameters and output model changes for the upcoming release

[VeryEarly]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 3 pipeline(s).

[Copilot]

Pull request overview

Copilot reviewed 5 out of 12 changed files in this pull request and generated 3 comments.

[VeryEarly]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 3 pipeline(s).

[VeryEarly]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 3 pipeline(s).

[Copilot]

Pull request overview

Copilot reviewed 5 out of 14 changed files in this pull request and generated 3 comments.

[Copilot]

Pull request overview

Copilot reviewed 5 out of 14 changed files in this pull request and generated 2 comments.

[D1v38om83r]

@copilot apply changes based on this feedback

[Copilot]

Pull request overview

Copilot reviewed 5 out of 14 changed files in this pull request and generated 2 comments.

[Copilot]

newIdentityIds is case-insensitive, but galleryUpdate.Identity.UserAssignedIdentities is created with the default (case-sensitive) comparer. If an existing identity key differs only by casing from a newly provided ID, the PATCH payload can end up retaining the old key (not nulled) and adding the new key, effectively duplicating the same identity. Use a case-insensitive dictionary for UserAssignedIdentities and normalize/resolve casing consistently when comparing existing vs requested IDs.

[Copilot]

Pull request overview

Copilot reviewed 5 out of 14 changed files in this pull request and generated 3 comments.

[Copilot]

The replace-user-assigned logic compares existing keys case-insensitively, but then adds desired IDs using whatever casing the user passed. If the same identity is already present with different casing, it won’t be nulled out and may end up duplicated in the PATCH payload/resource. Normalize keys against existing identities (or use a case-insensitive dictionary and canonicalize to existing keys) so replacement is deterministic.

[VeryEarly]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 3 pipeline(s).

[VeryEarly]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 3 pipeline(s).

[audreyttt]

LGTM other than two comments

[audreyttt]

Can you move this to ensure alphabetical ordering of the parameters

[VeryEarly]

Hi @D1v38om83r ,

Please fix failed test cases, you can verify test results locally before pushing

[audreyttt]

Because update is now a patch not a put, there is also an existing test failing that needs to be updated and re-recorded.

[audreyttt]

A logic error is introduced here now. When Update-AzGallery -InputObject $gallery is used, the InputObject is mapped into the local Gallery variable, but the PATCH payload (GalleryUpdate) is only populated from explicitly-bound cmdlet parameters (via IsParameterBound checks). Since the user modified the PSGallery object directly rather than passing individual -Description, -Tag, etc. parameters, those checks all return False and GalleryUpdate is sent nearly empty.

[Copilot]

Pull request overview

Copilot reviewed 5 out of 16 changed files in this pull request and generated 2 comments.

[Copilot]

When -Share, -Community, or -Reset is present, the cmdlet only calls GallerySharingProfileClient.Update(...) and then does a GET, skipping GalleriesClient.Update(...). That means identity changes (and other non-sharing updates in galleryUpdate, like tags/description) will be silently ignored if a user combines them with sharing-related switches. Consider either (1) validating and throwing a clear error when sharing switches are combined with identity/other update parameters, or (2) applying both updates (sharing update + GalleriesClient.Update) in a deterministic order so the cmdlet honors all provided parameters.