Should exclude storageProfile on VMSS update command request

az feedback auto-generates most of the information requested below, as of CLI version 2.0.62

Describe the bug

When a VMSS is created using Shared Image Gallery image from a different tenant, any VMSS update operation like az vmss update or az vmss extension add will fail at ARM linked access check. This is because the client CLI use won’t have permission in the SIG tenant.

The error message you see will be:

The client has permission to perform action 'Microsoft.Compute/galleries/images/versions/read' on scope '{VMSS or VM resource ID}', 
however the current tenant '{customer tenant ID}' is not authorized to access linked subscription '109a5e88-712a-48ae-9078-9ca8b3c81345'.

AKS recently rolled out a change to subset of customers to pilot using SIG image and discovered this issue.

To Reproduce

Create an AKS cluster in Australia / Canada region, in the node resource group (named MC_xxx) there will be a VMSS using SIG image. Try do any az vmss update operation on it, or on the VM instance.

Expected behavior

VMSS update should succeed.

In order to make this scenario work, the update request body should only contain the relevant property changes (not the full VMSS properties body), or at least remove property “properties.virtualMachineProfile.storageProfile”.

Environment summary

Additional context