deploy subscriptions to tenant root group - move to a specific MG using the newly created SubId programmatically

Josh Martin 5 Reputation points
2023-09-05T07:06:15.7033333+00:00

Hey Community,

Tricky one. I am going through the Learn documents (specifically https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/programmatically-create-subscription-microsoft-customer-agreement?tabs=rest)

and I am using a Bicep template in Azure DevOps which creates an array of subscriptions that get created at the tenant root group (commented out for testing purposes).

targetScope = 'managementGroup'
param subscriptionNames array = [
  'Identity Subscription'
  'Management Subscription'
  //'Connectivity Subscription'
  //'Landing Zone A1 Subscription'
  //'Landing Zone A2 Subscription'
  //'Decommissioned Subscription'
  //'Sandbox Subscription'
  //'Quarantine Subscription'
]

param billingScope string = '/providers/Microsoft.Billing/billingAccounts/********1-6408-902411ce107a:494bd0f6-2661-4e1e-817b-8f31a616958b_2019-05-31/billingProfiles/*********/invoiceSections/*******'
// Resource definitions
// Subscription aliases are tenant-scoped, so the new subscriptions land in the
// tenant root group regardless of the management group this template is deployed to.
resource subscriptionAlias 'Microsoft.Subscription/aliases@2021-10-01' = [for name in subscriptionNames: {
  scope: tenant()
  name: name
  properties: {
    workload: 'Production'
    displayName: name
    billingScope: billingScope
  }
}]

// Outputs for individual subscription IDs.
// Note: .id would return the alias resource ID (/providers/Microsoft.Subscription/aliases/<name>),
// not the subscription; the GUID of the created subscription is exposed as properties.subscriptionId.
//output createdSubscriptionIds array = [for sub in subscriptionAlias: sub.properties.subscriptionId]
output identitySubscriptionId string = subscriptionAlias[0].properties.subscriptionId
output managementSubscriptionId string = subscriptionAlias[1].properties.subscriptionId
//output connectivitySubscriptionId string = subscriptionAlias[2].properties.subscriptionId
//output landingZoneA1SubscriptionId string = subscriptionAlias[3].properties.subscriptionId
//output landingZoneA2SubscriptionId string = subscriptionAlias[4].properties.subscriptionId
//output decommissionedSubscriptionId string = subscriptionAlias[5].properties.subscriptionId
//output sandboxSubscriptionId string = subscriptionAlias[6].properties.subscriptionId
//output quarantineSubscriptionId string = subscriptionAlias[7].properties.subscriptionId
 

And I have a YAML pipeline that deploys the above-mentioned Bicep template:

#Deploy the Subscription Loop and also extract the subscription Id's. ----> deploys to tenant root group anyway but might need to change MG to Tenant for clarification

trigger:
- none

pool:
  vmImage: 'ubuntu-latest'

steps:
- task: AzureCLI@2
  inputs:
    azureSubscription: 'JoshuaMartin'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      echo "Checking the Bicep CLI version"
      az bicep version
      echo "Deploying Bicep template to Management Group JoshLZ-Quarantine"
      # Name the deployment explicitly so the next step can look it up by the same name
      # (without --name the default would be the template file name, idSubLoop).
      az deployment mg create --name idSubLoop --location australiaeast --management-group-id JoshLZ**** --template-file ./AZLHead/LZSubscriptionDeployment/idSubLoop.bicep

# Task to capture the outputs for subscriptions.
# This also has to be an AzureCLI@2 task: a plain script step has no Azure login, so az would fail.
- task: AzureCLI@2
  displayName: 'Capture Outputs'
  inputs:
    azureSubscription: 'JoshuaMartin'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      # 'az deployment mg show' takes no --location; the --name must match the create step above
      identityOutput=$(az deployment mg show --management-group-id JoshLZ**** --name idSubLoop --query "properties.outputs.identitySubscriptionId.value" -o tsv)
      echo "##vso[task.setvariable variable=identitySubId]$identityOutput"

      managementOutput=$(az deployment mg show --management-group-id JoshLZ***** --name idSubLoop --query "properties.outputs.managementSubscriptionId.value" -o tsv)
      echo "##vso[task.setvariable variable=managementSubId]$managementOutput"

      # Commented out as they are commented in your Bicep file
      # connectivityOutput=$(az deployment mg show --management-group-id JoshLZ**** --name idSubLoop --query "properties.outputs.connectivitySubscriptionId.value" -o tsv)
      # echo "##vso[task.setvariable variable=connectivitySubId]$connectivityOutput"

      # landingZoneA1Output=$(az deployment mg show --management-group-id JoshLZ***** --name idSubLoop --query "properties.outputs.landingZoneA1SubscriptionId.value" -o tsv)
      # echo "##vso[task.setvariable variable=landingZoneA1SubId]$landingZoneA1Output"

      # landingZoneA2Output=$(az deployment mg show --management-group-id JoshLZ***** --name idSubLoop --query "properties.outputs.landingZoneA2SubscriptionId.value" -o tsv)
      # echo "##vso[task.setvariable variable=landingZoneA2SubId]$landingZoneA2Output"

      # decommissionedOutput=$(az deployment mg show --management-group-id JoshLZ***** --name idSubLoop --query "properties.outputs.decommissionedSubscriptionId.value" -o tsv)
      # echo "##vso[task.setvariable variable=decommissionedSubId]$decommissionedOutput"

      # sandboxOutput=$(az deployment mg show --management-group-id JoshLZ-Quarantine --name idSubLoop --query "properties.outputs.sandboxSubscriptionId.value" -o tsv)
      # echo "##vso[task.setvariable variable=sandboxSubId]$sandboxOutput"

      # quarantineOutput=$(az deployment mg show --management-group-id JoshLZ***** --name idSubLoop --query "properties.outputs.quarantineSubscriptionId.value" -o tsv)
      # echo "##vso[task.setvariable variable=quarantineSubId]$quarantineOutput"

Now the question is: this deploys to the tenant root group, so how do I, for testing purposes, use the identity subscription that I have just deployed in my account, extract the subscription ID that was created, and then just use that in the code below so there is no manual intervention when moving these newly created subscriptions to a specified MG?

targetScope = 'managementGroup'

@description('Provide the ID of the management group that you want to move the subscription to.')
param targetMgId string = 'JoshLZ****'

// What goes here to define Identity SubId and get extracted from portal?
// Declared without a default so the value has to be supplied at deployment time
// (for example via --parameters subscriptionId=<value> in the pipeline).
@description('Provide the ID of the existing subscription to move.')
param subscriptionId string

// Moving a subscription is modelled as a child resource of the target management group.
resource subToMG 'Microsoft.Management/managementGroups/subscriptions@2020-05-01' = {
  scope: tenant()
  name: '${targetMgId}/${subscriptionId}'
}
Azure Cost Management