feature: Feature/azure compute/enablemachinemanagement#2069
feature: Feature/azure compute/enablemachinemanagement#2069rakal-dyh wants to merge 16 commits intomicrosoft:mainfrom
Conversation
- Add 'Should Trigger - Essential Machine Management' section with 7 EMM prompts - Add 'Essential Machine Management Workflow' unit tests (sections, routing, API, errors) - Add 'EMM Reference Files' unit tests (all 4 refs exist, content assertions) - Update router test to verify EMM description keywords and routing - Add 2 EMM integration test cases (enable flow, enrollment status) - Update snapshot with new EMM keywords Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…r-Azure into feature/azure-compute/enablemachinemanagement
|
verify the integration test now |
|
Update the PR title to start with "feature:" to have this automatically included in the CHANGELOG.md. |
rakal-dyh
changed the title
jongio
left a comment
jongio
left a comment
There was a problem hiding this comment.
Two things to address in this EMM sub-workflow addition:
1. Contradictory "Portal-only" statement (emm-overview.md, Key Characteristics section)
The overview states:
Portal-only during preview: No CLI/API-only enrollment flow is officially supported yet
But emm-enable-flow.md documents a complete 8-step Copilot-guided flow using REST API calls (PUT to Microsoft.ManagedOps/managedOps/default). If the agent reads the overview first, it'll tell users EMM is portal-only and skip the API flow - which is the whole point of this skill.
Suggestion: rephrase to clarify that the REST API exists and the Copilot-guided flow uses it, even if Microsoft's official docs focus on the portal experience.
2. Offboard instructions split with different approaches
essential-machine-management.md says offboard via portal UI (navigate, select, click Offboard). emm-enable-flow.md documents a DELETE API call for the same action. The parent workflow's routing doesn't point to the API-based offboard path. Consider consolidating - either add the API path to the parent routing tree, or remove the duplicate from the enable-flow reference.
| - **Subscription-level scope:** Enables for all VMs in a subscription at once | ||
| - **No VM exclusion:** Currently no ability to exclude individual VMs | ||
| - **Existing services preserved:** If a VM already has Update Manager with a maintenance schedule, it keeps that schedule | ||
| - **Portal-only during preview:** No CLI/API-only enrollment flow is officially supported yet |
There was a problem hiding this comment.
This contradicts emm-enable-flow.md which documents a full REST API enrollment flow. The agent might read this first and tell users EMM is portal-only, refusing to guide them through the Copilot flow.
Consider rephrasing to something like: "Official docs focus on the portal experience, but a REST API (Microsoft.ManagedOps) is available and used by the Copilot-guided flow."
There was a problem hiding this comment.
for 1, update based on the suggestion, saying 'a REST API (Microsoft.ManagedOps) is available and used by the Copilot-guided flow'
for 2, update the essential-machine-management.md, saying unless customer explicitly mention portal, the emm-enable-flow-portal-guidance.md (renamed from emm-enable-flow-portal.md) will be used. Otherwise in other place no portal related info is mentioned
…lability The 'portal-only' statement contradicted emm-enable-flow.md which documents a full Copilot-guided REST API enrollment flow via Microsoft.ManagedOps. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Remove 'Via Portal' sub-section from Browse (keep Copilot-guided API approach) - Point Offboard to emm-enable-flow.md#disable-emm-offboard instead of portal steps - Keep portal routing entry for users who explicitly mention portal Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Update all references in SKILL.md, essential-machine-management.md, and unit tests. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The #disable-emm-offboard anchor doesn't work when the agent reads files. Reference the file directly and mention the section name in text. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
jongio
left a comment
jongio
left a comment
There was a problem hiding this comment.
Addresses my previous feedback - the "portal-only" contradiction is fixed and offboard instructions are consolidated. Clean changes.
Two new issues in the latest commits:
-
integration.test.ts: The describe block was renamed from"skill-invocation"to"11skill-invocation11". This looks like accidental debug characters left in. It'll affect test output/filtering. -
.playwright-mcp/page-2026-04-20T21-13-59-247Z.ymlwas committed - looks like an accidental Playwright MCP artifact. Should be removed and probably added to.gitignore.
| } | ||
|
|
||
| describe("skill-invocation", () => { | ||
| describe("11skill-invocation11", () => { |
There was a problem hiding this comment.
This renames the test suite from "skill-invocation" to "11skill-invocation11" - looks like accidental debug characters. Should be reverted to "skill-invocation".
There was a problem hiding this comment.
revert the change
|
.playwright-mcp/page-2026-04-20T21-13-59-247Z.yml was committed - looks like an accidental Playwright MCP artifact. Should be removed and |
|
adress the latest comment, remove the mistakenly committed file |
jongio
left a comment
jongio
left a comment
There was a problem hiding this comment.
Addresses my previous feedback. Both items fixed:
"11skill-invocation11"reverted to"skill-invocation".playwright-mcp/artifact removed
No new issues found in the incremental diff. All CI green.
…r-Azure into feature/azure-compute/enablemachinemanagement
There was a problem hiding this comment.
Pull request overview
Adds Essential Machine Management (EMM) coverage to the azure-compute skill by introducing a new EMM workflow + reference docs and extending unit/trigger/integration tests to validate routing and keyword matching.
Changes:
- Added an EMM workflow (
essential-machine-management.md) with routing, browse/offboard guidance, and error handling. - Added EMM reference docs (overview, prerequisites, enable flow, portal enable flow).
- Updated
azure-computeskill metadata/routing and extended tests + snapshots to cover EMM prompts and routing.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/azure-compute/unit.test.ts | Adds unit assertions for EMM description keywords, routing link presence, and validates new workflow/reference file content. |
| tests/azure-compute/triggers.test.ts | Adds trigger prompts ensuring EMM queries trigger the azure-compute skill. |
| tests/azure-compute/integration.test.ts | Adds integration prompts to verify EMM queries route to the new workflow at/above the invocation threshold. |
| tests/azure-compute/snapshots/triggers.test.ts.snap | Updates snapshot to include EMM in description and extracted keywords. |
| plugin/skills/azure-compute/workflows/essential-machine-management/essential-machine-management.md | New workflow router for EMM intents (enable/portal/overview/prereqs/browse/offboard/troubleshoot). |
| plugin/skills/azure-compute/workflows/essential-machine-management/references/emm-enable-flow.md | New Copilot-guided enablement flow and API/CLI guidance for enrolling/offboarding EMM. |
| plugin/skills/azure-compute/workflows/essential-machine-management/references/emm-enable-flow-portal-guidance.md | New portal-specific enablement walkthrough for users explicitly requesting portal steps. |
| plugin/skills/azure-compute/workflows/essential-machine-management/references/emm-overview.md | New EMM feature/tier/pricing overview reference. |
| plugin/skills/azure-compute/workflows/essential-machine-management/references/emm-prerequisites.md | New prerequisites (resources, roles, RPs) reference. |
| plugin/skills/azure-compute/SKILL.md | Extends skill description + routing to include EMM and link to the new workflow and references. |
| - **Workspaces** — Log Analytics and Azure Monitor workspace resource IDs | ||
| - **Created by / date** — who enrolled and when (in `systemData`) | ||
|
|
||
| To scan multiple subscriptions, use `azure-subscription_list` to list available subscriptions, then query each one. Report results as a table: |
There was a problem hiding this comment.
azure-subscription_list here doesn’t match the repo’s established Azure MCP tool naming pattern (e.g., mcp_azure_mcp_subscription_list). Please update to the correct tool name for consistency and to keep the workflow executable.
| To scan multiple subscriptions, use `azure-subscription_list` to list available subscriptions, then query each one. Report results as a table: | |
| To scan multiple subscriptions, use `mcp_azure_mcp_subscription_list` to list available subscriptions, then query each one. Report results as a table: |
|
|
||
| | MCP Tool | Purpose | | ||
| | -------- | ------- | | ||
| | `azure-subscription_list` | List available subscriptions | |
There was a problem hiding this comment.
The MCP tool name azure-subscription_list doesn’t match the repo’s established Azure MCP naming pattern (e.g., mcp_azure_mcp_subscription_list used in other skills like plugin/skills/azure-deploy/SKILL.md). Please align this to the correct Azure MCP tool name so agents can actually invoke it.
| | `azure-subscription_list` | List available subscriptions | | |
| | `mcp_azure_mcp_subscription_list` | List available subscriptions | |
| | Log Analytics workspace | `azure-monitor` | List existing workspaces or create new | | ||
| | Azure Monitor workspace | `azure-monitor` | List existing workspaces or create new | | ||
|
|
There was a problem hiding this comment.
azure-monitor is referenced here as an MCP tool, but this tool name doesn’t appear elsewhere in the repo’s Azure MCP usage (which generally uses mcp_azure_mcp_<service> tools or explicit CLI generation). Please update this to the correct Azure MCP tool(s) for listing/creating Log Analytics + Azure Monitor workspaces (or document the CLI fallback) to avoid non-runnable guidance.
| | Log Analytics workspace | `azure-monitor` | List existing workspaces or create new | | |
| | Azure Monitor workspace | `azure-monitor` | List existing workspaces or create new | | |
| | Log Analytics workspace | `N/A - use Azure CLI fallback` | List with `az monitor log-analytics workspace list` or create with `az monitor log-analytics workspace create` | | |
| | Azure Monitor workspace | `N/A - use Azure CLI fallback` | List with `az monitor account list` or create with `az monitor account create` | | |
| > 💡 **Tip:** Do not invoke `azure-monitor` as an MCP tool here unless a verified repo-supported Azure MCP command is available. For this workflow, prefer Azure CLI generation/execution for workspace discovery and creation. |
There was a problem hiding this comment.
update and remove the mcp and using cli now
| GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01&$filter=assignedTo('{objectId}') | ||
| ``` | ||
|
|
||
| > 💡 **Tip:** The `assignedTo` filter scopes results to the current user's assignments — this works even without `Microsoft.Authorization/roleAssignments/read` permission at subscription level. |
There was a problem hiding this comment.
There’s an internal inconsistency about role-assignment read permissions: the Tip says the assignedTo filter works even without Microsoft.Authorization/roleAssignments/read, but the Error Handling table says a 403 can occur because the user can’t read role assignments. Please reconcile these statements (either adjust the tip, or clarify exactly when 403 can still happen).
| > 💡 **Tip:** The `assignedTo` filter scopes results to the current user's assignments — this works even without `Microsoft.Authorization/roleAssignments/read` permission at subscription level. | |
| > 💡 **Tip:** The `assignedTo` filter scopes results to the current user's assignments and may work in cases where the caller does not have broad permission to list all role assignments. However, it does **not** guarantee access: a `403 Forbidden` can still occur if the caller is not allowed to read role assignments at the requested scope, or if the API enforces `Microsoft.Authorization/roleAssignments/read` for that request. |
There was a problem hiding this comment.
update the error handling
jongio
left a comment
jongio
left a comment
There was a problem hiding this comment.
Latest commits address the Copilot bot findings:
- MCP tool names fixed to
mcp_azure_mcp_subscription_list(both router and enable-flow) azure-monitorMCP tool refs replaced with explicit CLI commands for Log Analytics and Azure Monitor workspaces- Role check tip and 403 error handling now consistent - both correctly explain that
assignedTois self-scoped but requires at least one role on the subscription
All prior review items resolved. CI green. No new issues.
…r-Azure into feature/azure-compute/enablemachinemanagement
Description
Checklist
cd tests && npm test)npm run test:skills:integration -- <skill>)USE FOR/DO NOT USE FOR/PREFER OVERclauses: confirmed no routing regressions for competing skillsRelated Issues