Commit
Updating domain name and GUID settings for EntraID + FSLogixDomain info (#736)

* updates

* updates

* updates

* updates

* updates

* updates

* updates

* updates

* updates

* updates

* updates

* updates

* updates

* updates

* updates

* updates

* updates

* updates

* updates

* updates

* updates

* updates

* updates

* updates

* updates

* updates

* updates

---------

Co-authored-by: Dany Contreras <[email protected]>
danycontre and Dany Contreras authored Jan 25, 2025
1 parent d3dc421 commit 3f54139
Showing 25 changed files with 969 additions and 683 deletions.
4 changes: 2 additions & 2 deletions workload/arm/brownfield/deployAppAttachToolsVM.json
Expand Up @@ -96,13 +96,13 @@
"subscriptionName": ""
},
"metadata": {
"description": "Virtual Network to attach MSIX Tools VM to."
"description": "Virtual Network to attach App Attach Tools VM to."
}
},
"SubnetName": {
"type": "string",
"metadata": {
"description": "Subnet to use for MSIX VM Tools VM."
"description": "Subnet to use for App Attach VM Tools VM."
}
}
},
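Review bot: the new SubnetName description "Subnet to use for App Attach VM Tools VM." repeats "VM". The VirtualNetwork description just above uses "App Attach Tools VM", so the same phrasing here ("Subnet to use for the App Attach Tools VM.") keeps the two parameters consistent.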
759 changes: 322 additions & 437 deletions workload/arm/deploy-baseline.json

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion workload/bicep/brownfield/appAttachToolsVM/Readme.md
@@ -1,4 +1,4 @@
# Deploy Azure VM with MSIX App Attach Tools
# Deploy Azure VM with App Attach Tools
This deployment will create a VM from the Microsoft Gallery and configure and install software for use when creating MSIX App attach images.
- MSIX App Attach Store App
- MSIX Manager command line tool
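Review bot: only the heading was renamed; the body in this hunk still reads "for use when creating MSIX App attach images", which now conflicts with the heading. The bullets "MSIX App Attach Store App" and "MSIX Manager command line tool" can reasonably stay as they are, since those tools operate on the MSIX package format, but the sentence should follow the heading ("for use when creating App Attach images") if the intent of this commit is to drop the MSIX naming across the repository.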
227 changes: 72 additions & 155 deletions workload/bicep/deploy-baseline.bicep

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion workload/bicep/modules/identity/deploy.bicep
Expand Up @@ -91,7 +91,7 @@ var storageRoleAssignments = [
// Deployments //
// =========== //

// Managed identity for fslogix/msix app attach
// Managed identity for fslogix/App Attach
module managedIdentityStorage '../../../../avm/1.0.0/res/managed-identity/user-assigned-identity/main.bicep' = if (createStorageDeployment) {
scope: resourceGroup('${subscriptionId}', '${storageObjectsRgName}')
name: 'MI-Storage-${time}'
15 changes: 14 additions & 1 deletion workload/bicep/modules/storageAzureFiles/deploy.bicep
Expand Up @@ -29,6 +29,9 @@ param fileShareName string
@sys.description('Private endpoint subnet ID.')
param privateEndpointSubnetId string

@sys.description('VMs subnet ID.')
param vmsSubnetId string

@sys.description('Location where to deploy resources.')
param location string
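Review bot: `vmsSubnetId` is declared without a default, so every caller of this module must now pass it or the deployment fails at template validation; the change to deploy-baseline.bicep that would supply it sits in the large diff that is not rendered here, so that wiring should be checked. The description would also help callers more if it said what the subnet is used for (a storage account virtual network rule) and that the subnet therefore needs the Microsoft.Storage service endpoint enabled, since the storage resource provider rejects a virtual network rule for a subnet that does not have that endpoint.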

Expand Down Expand Up @@ -152,7 +155,17 @@ module storageAndFile '../../../../avm/1.0.0/res/storage/storage-account/main.bi
defaultAction: 'Deny'
virtualNetworkRules: []
ipRules: []
} : {}
}: {
bypass: 'AzureServices'
defaultAction: 'Deny'
virtualNetworkRules: [
{
id: vmsSubnetId
action: 'Allow'
}
]
ipRules: []
}
fileServices: {
shares: [
{
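Review bot: the new else-branch is a behaviour change, not a formatting one. Where the previous code set no network ACLs (`{}`, leaving the account open to all networks), it now sets `defaultAction: 'Deny'` with `bypass: 'AzureServices'` and allows only `vmsSubnetId`. That is the right default for a share holding profile containers and app packages, but it means anything that configures the share after creation (domain join or RBAC scripts, a management host, an operator in the portal) must run from that subnet or be added as its own rule; otherwise those steps fail with a 403 from the storage endpoint. Minor: `}: {` on the first line of the new branch should be `} : {` to match the formatting of the removed line.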
Original file line number Diff line number Diff line change
Expand Up @@ -38,16 +38,16 @@ param avdVnetPrivateDnsZoneFilesId = '<<PrivateDnsZoneFilesId>>' // Not a mandat
param avdVnetPrivateDnsZoneKeyvaultId = '<<PrivateDnsZoneKeyvaultId>>' // Not a mandatory parameter
param vNetworkGatewayOnHub = false
param createAvdFslogixDeployment = true
param createMsixDeployment = false
param createAppAttachDeployment = false
param fslogixFileShareQuotaSize = 1
param msixFileShareQuotaSize = 1
param appAttachFileShareQuotaSize = 1
param avdDeploySessionHosts = true
param avdDeploySessionHostsCount = 1
param avdSessionHostCountIndex = 0
param availabilityZonesCompute = true
param zoneRedundantStorage = false
param fslogixStoragePerformance = 'Premium'
param msixStoragePerformance = 'Premium'
param appAttachStoragePerformance = 'Premium'
param avdSessionHostsSize = 'Standard_D2s_v3'
param avdSessionHostDiskType = 'Premium_LRS'
param avdOsImage = 'win11_23h2'
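Review bot: renaming `createMsixDeployment`, `msixFileShareQuotaSize` and `msixStoragePerformance` is a breaking change for anyone who maintains their own parameter file, because a parameter that no longer exists in the template is rejected at validation. Worth calling out in the release notes; if the old names must keep working for a while, deploy-baseline.bicep could keep them as deprecated parameters that feed the new ones.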
Original file line number Diff line number Diff line change
Expand Up @@ -116,13 +116,13 @@
"createAvdFslogixDeployment": {
"value": true
},
"createMsixDeployment": {
"createAppAttachDeployment": {
"value": false
},
"fslogixFileShareQuotaSize": {
"value": 1
},
"msixFileShareQuotaSize": {
"appAttachFileShareQuotaSize": {
"value": 1
},
"avdDeploySessionHosts": {
Expand All @@ -149,7 +149,7 @@
"fslogixStoragePerformance": {
"value": "Premium"
},
"msixStoragePerformance": {
"appAttachStoragePerformance": {
"value": "Premium"
},
"avdSessionHostsSize": {
40 changes: 20 additions & 20 deletions workload/docs/autoGenerated/deploy-baseline.bicep.md.md
Expand Up @@ -46,9 +46,9 @@ avdVnetPrivateDnsZoneFilesId | No | Use existing Azure private DNS zone fo
avdVnetPrivateDnsZoneKeyvaultId | No | Use existing Azure private DNS zone for key vault privatelink.vaultcore.azure.net or privatelink.vaultcore.usgovcloudapi.net. (Default: "")
vNetworkGatewayOnHub | No | Does the hub contains a virtual network gateway. (Default: false)
createAvdFslogixDeployment | No | Deploy Fslogix setup. (Default: true)
createMsixDeployment | No | Deploy MSIX App Attach setup. (Default: false)
createAppAttachDeployment | No | Deploy App Attach setup. (Default: false)
fslogixFileShareQuotaSize | No | Fslogix file share size. (Default: 1)
msixFileShareQuotaSize | No | MSIX file share size. (Default: 1)
appAttachFileShareQuotaSize | No | App Attach file share size. (Default: 1)
avdDeploySessionHosts | No | Deploy new session hosts. (Default: true)
deployGpuPolicies | No | Deploy VM GPU extension policies. (Default: false)
avdDeployMonitoring | No | Deploy AVD monitoring resources and setings. (Default: false)
Expand All @@ -63,7 +63,7 @@ zoneRedundantStorage | No | When true, Zone Redundant Storage (ZRS) is use
avsetFaultDomainCount | No | Sets the number of fault domains for the availability set. (Default: 2)
avsetUpdateDomainCount | No | Sets the number of update domains for the availability set. (Default: 5)
fslogixStoragePerformance | No | Storage account SKU for FSLogix storage. Recommended tier is Premium (Default: Premium)
msixStoragePerformance | No | Storage account SKU for MSIX storage. Recommended tier is Premium. (Default: Premium)
appAttachStoragePerformance | No | Storage account SKU for App Attach storage. Recommended tier is Premium. (Default: Premium)
diskZeroTrust | No | Enables a zero trust configuration on the session host disks. (Default: false)
avdSessionHostsSize | No | Session host VM size. (Default: Standard_D4ads_v5)
avdSessionHostDiskType | No | OS disk type for session host. (Default: Premium_LRS)
Expand Down Expand Up @@ -100,9 +100,9 @@ avdApplicationGroupCustomName | No | AVD desktop application group custom
avdApplicationGroupCustomFriendlyName | No | AVD desktop application group custom friendly (Display) name. (Default: Desktops - App1 - East US - Dev - 001)
avdSessionHostCustomNamePrefix | No | AVD session host prefix custom name. (Default: vmapp1duse2)
avsetCustomNamePrefix | No | AVD availability set custom name. (Default: avail)
storageAccountPrefixCustomName | No | AVD FSLogix and MSIX app attach storage account prefix custom name. (Default: st)
storageAccountPrefixCustomName | No | AVD FSLogix and App Attach storage account prefix custom name. (Default: st)
fslogixFileShareCustomName | No | FSLogix file share name. (Default: fslogix-pc-app1-dev-001)
msixFileShareCustomName | No | MSIX file share name. (Default: msix-app1-dev-001)
appAttach | No | App Attach file share name. (Default: appa-app1-dev-001)
avdWrklKvPrefixCustomName | No | AVD keyvault prefix custom name (with Zero Trust to store credentials to domain join and local admin). (Default: kv-sec)
ztDiskEncryptionSetCustomNamePrefix | No | AVD disk encryption set custom name. (Default: des-zt)
ztManagedIdentityCustomName | No | AVD managed identity for zero trust to encrypt managed disks using a customer managed key. (Default: id-zt)
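Review bot: in the table row that replaces `msixFileShareCustomName`, the parameter name has been cut down to `appAttach`, while the section heading further down in this same file uses `appAttachFileShareCustomName`; the table needs the full name. Since this file lives under docs/autoGenerated, regenerating it from deploy-baseline.bicep rather than hand-editing would avoid this kind of drift.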
Expand Down Expand Up @@ -427,11 +427,11 @@ Deploy Fslogix setup. (Default: true)

- Default value: `True`

### createMsixDeployment
### createAppAttachDeployment

![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)

Deploy MSIX App Attach setup. (Default: false)
Deploy App Attach setup. (Default: false)

- Default value: `False`

Expand All @@ -443,11 +443,11 @@ Fslogix file share size. (Default: 1)

- Default value: `1`

### msixFileShareQuotaSize
### appAttachFileShareQuotaSize

![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)

MSIX file share size. (Default: 1)
App Attach file share size. (Default: 1)

- Default value: `1`

Expand Down Expand Up @@ -563,11 +563,11 @@ Storage account SKU for FSLogix storage. Recommended tier is Premium (Default: P

- Allowed values: `Standard`, `Premium`

### msixStoragePerformance
### appAttachStoragePerformance

![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)

Storage account SKU for MSIX storage. Recommended tier is Premium. (Default: Premium)
Storage account SKU for App Attach storage. Recommended tier is Premium. (Default: Premium)

- Default value: `Premium`

Expand Down Expand Up @@ -868,7 +868,7 @@ AVD availability set custom name. (Default: avail)

![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)

AVD FSLogix and MSIX app attach storage account prefix custom name. (Default: st)
AVD FSLogix and App Attach storage account prefix custom name. (Default: st)

- Default value: `st`

Expand All @@ -880,13 +880,13 @@ FSLogix file share name. (Default: fslogix-pc-app1-dev-001)

- Default value: `fslogix-pc-app1-dev-use2-001`

### msixFileShareCustomName
### appAttachFileShareCustomName

![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)

MSIX file share name. (Default: msix-app1-dev-001)
App Attach file share name. (Default: appa-app1-dev-001)

- Default value: `msix-app1-dev-use2-001`
- Default value: `appa-app1-dev-use2-001`

### avdWrklKvPrefixCustomName

Expand Down Expand Up @@ -1188,13 +1188,13 @@ Enable purge protection for the keyvaults. (Default: true)
"createAvdFslogixDeployment": {
"value": true
},
"createMsixDeployment": {
"createAppAttachDeployment": {
"value": false
},
"fslogixFileShareQuotaSize": {
"value": 1
},
"msixFileShareQuotaSize": {
"appAttachFileShareQuotaSize": {
"value": 1
},
"avdDeploySessionHosts": {
Expand Down Expand Up @@ -1239,7 +1239,7 @@ Enable purge protection for the keyvaults. (Default: true)
"fslogixStoragePerformance": {
"value": "Premium"
},
"msixStoragePerformance": {
"appAttachStoragePerformance": {
"value": "Premium"
},
"diskZeroTrust": {
Expand Down Expand Up @@ -1356,8 +1356,8 @@ Enable purge protection for the keyvaults. (Default: true)
"fslogixFileShareCustomName": {
"value": "fslogix-pc-app1-dev-use2-001"
},
"msixFileShareCustomName": {
"value": "msix-app1-dev-use2-001"
"appAttachFileShareCustomName": {
"value": "appa-app1-dev-use2-001"
},
"avdWrklKvPrefixCustomName": {
"value": "kv-sec"
2 changes: 1 addition & 1 deletion workload/docs/cost-estimate.md
Expand Up @@ -18,7 +18,7 @@ Azure Virtual Desktop resources and dependent services for establishing the base
- Associated Desktop Application Group for personal
- Associated Desktop Application Group and Remote Application Group for pooled
- Azure Files Storage with FSLogix share, RBAC role assignment and private endpoint **
- Azure Files Storage with MSIX App Attach share, RBAC role assignment and private endpoint **
- Azure Files Storage with App Attach share, RBAC role assignment and private endpoint **
- Application Security group
- Key Vault and private endpoint

21 changes: 12 additions & 9 deletions workload/docs/deploy-baseline.md
Expand Up @@ -10,11 +10,15 @@
- **Prefix** – A prefix of maximum 4 characters that will be appended to the names of Resource Groups and Azure resources within the Resource Groups.
- **Environment** – Deployment Environment type (Development/Test/Production), will be used for naming and tagging purposes.
- **Identity provider** blade
- **Identity Service Provider** - Identity service provider (AD DS, Entra DS, Microsoft Entra ID) that already exists and will be used for Azure Virtual Desktop.
- Microsoft Entra ID.
- Active Directory (AD DS).
- Microsoft Entra Domain Services.
- **Azure Virtual Desktop access assignment** - These identities will be granted access to Azure Virtual Desktop application groups (role "Desktop Virtualization User").
- **Domain to join**
- **Identity Service Provider** - Identity service provider (AD DS, Entra DS, Microsoft Entra ID) that already exists and will be used for Azure Virtual Desktop.
- Microsoft Entra ID.
- Active Directory (AD DS).
- Microsoft Entra Domain Services.
- **Intune enrollment** - If Intune is configured in your Microsoft Entra ID tenant, you can choose to have the VM automatically enrolled during the deployment by selecting this box.
- **Domain name** - The full qualified domain name of the on-premises domain where the hybrid identities originated from. This requirement also applies to Entra ID + FSLogix deployments, because identities need to be hybrid for storage authenctication to be supported.
- **Domain GUID** - GUID for the on-premises domain controller.
- **Azure Virtual Desktop access assignment** - These identities will be granted access to Azure Virtual Desktop application groups (role "Desktop Virtualization User").
- Groups - select from the drop down the groups to be granted access to Azure Virtual Desktop published items and to create sessions on VMs and single sign-on (SSO) when using Microsoft Entra ID as the identity provider.
- Note: when using Microsoft Entra ID as the identity service provider, an additional role (virtual machine user login) will be granted to compute resource group during deployment.
- **When selecting AD DS or Microsoft Entra DS:**
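Review bot: the new Domain GUID bullet describes the value as the GUID "for the on-premises domain controller", but the value Azure Files needs for Kerberos authentication of hybrid identities is the GUID of the Active Directory domain itself (the domain object's GUID), not of any domain controller; the commit title also calls these domain settings. Suggest "GUID of the on-premises Active Directory domain the hybrid identities originate from." The new Domain name bullet also has two typos: "full qualified" should be "fully qualified" and "authenctication" should be "authentication".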
Expand Down Expand Up @@ -49,15 +53,14 @@
- **OS version or image** - Choose the OS version or desired image from the Azure compute gallery.
- **Storage** blade
- **General Settings**:
- **AD Domain name**: The full qualified domain name of the on-premises domain where the hybrid identities originated from, this information is used for Azure files authentication setup, Example: contoso.com.
- **Custom OU Path (Optional)**: specify an OU path to create domain storage objects.
- **Zone redundant storage**: Select to replicate storage across availability zones or only use local redundancy.
- **FSLogix profile management**: Deploys FSLogix containers and session host setup for user's profiles.
- **FSLogix Azure Files share Performance** - Select the desired performance.
- **FSLogix file share size** Choose the desired size in 100GB increments. Minimum size is 100GB.
- **MSIX App Attach**: Deploys MSIX App Attach container for MSIX app packages.
- **MSIX App Attach Azure Files share Performance** - Select the desired performance.
- **MSIX App Attach file share size** Choose the desired size in 100GB increments. Minimum size is 100GB.
- **App Attach**: Deploys App Attach container for App Attach app packages.
- **App Attach Azure Files share Performance** - Select the desired performance.
- **App Attach file share size** Choose the desired size in 100GB increments. Minimum size is 100GB.
- **Network connectivity** blade
- **Virtual Network** - Select if creating "New"" or use "Existing" virtual network.
- **New** - Select if you want to create a new VNet to be used for Azure Virtual Desktop.
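Review bot: with Domain name now collected on the Identity provider blade, the context line "AD Domain name: The full qualified domain name of the on-premises domain ..." under Storage > General Settings reads as a second copy of the same input. If the portal UI still asks twice, the doc should say which value is used; if it no longer does, the bullet should be removed in this commit. In the renamed bullets, "Deploys App Attach container for App Attach app packages" is redundant; "Deploys the App Attach file share for application packages" says the same thing more clearly.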
8 changes: 4 additions & 4 deletions workload/docs/getting-started-baseline.md
Expand Up @@ -55,16 +55,16 @@ Prior to deploying the Baseline solution, you need to ensure you have met the fo
- [x] Private endpoint considerations for Azure Files and Key Vault private endpoints name resolution:
- Scenario 1:
- Specs: creating a new Azure Virtual Desktop vNet, using custom DNS servers and existing Azure private DNS Zones.
- Existing private DNS zones MUST be linked to the vNet where the custom DNS servers are connected, this is needed for the end-to-end setup of FSLogix and MSIX App Attach file shares to be successful. The DNS resolution requests will be sent to the custom DNS servers and its vNet is the one that needs to resolve private endpoint DNS records.
- Existing private DNS zones MUST be linked to the vNet where the custom DNS servers are connected, this is needed for the end-to-end setup of FSLogix and App Attach file shares to be successful. The DNS resolution requests will be sent to the custom DNS servers and its vNet is the one that needs to resolve private endpoint DNS records.
- Scenario 2:
- Specs: using private endpoints, creating a new Azure Virtual Desktop vNet and new private DNS zones.
- Custom DNS servers may NOT be used in the new vNet as this will cause FSLogix and/or MSIX App Attach file shares deployments to fail. This happens because the private DNS zones will be linked to the newly created vNet and only this vNet will be able to resolve the private endpoints DNS records. When using custom DNS servers, existing Private DNS zones link to the vNet wher custom DNS server are connected will need to be used.
- Custom DNS servers may NOT be used in the new vNet as this will cause FSLogix and/or App Attach file shares deployments to fail. This happens because the private DNS zones will be linked to the newly created vNet and only this vNet will be able to resolve the private endpoints DNS records. When using custom DNS servers, existing Private DNS zones link to the vNet wher custom DNS server are connected will need to be used.
- Scenario 3:
- Specs: using existing Azure Virtual Desktop vNet, and creating new private DNS zones.
- Custom DNS servers may NOT be used (unless they are connected to the same vNet used for the Azure Virtual Desktop deployment) in order for FSlogix/MSIX App Attach deployment to be successful, given that the private DNS zone will be linked to the existing vNet and this will be the only network able to resolve private endpoint DNS records. This scenario is only recommended when using Microsoft Entra ID as identity service provider.
- Custom DNS servers may NOT be used (unless they are connected to the same vNet used for the Azure Virtual Desktop deployment) in order for FSlogix/App Attach deployment to be successful, given that the private DNS zone will be linked to the existing vNet and this will be the only network able to resolve private endpoint DNS records. This scenario is only recommended when using Microsoft Entra ID as identity service provider.
- Scenario 4:
- Specs: using private endpoints and an existing Azure Virtual Desktop vNet with custom DNS servers configured.
- Existing private DNS zones MUST be linked to the vNet containing the custom DNS servers for FSLogix and/or MSIX App Attach file shares deployments to be successful, given DNS name resolution requests will go to custom DNS servers and their vNet will need to resolve private endpoints DNS records.
- Existing private DNS zones MUST be linked to the vNet containing the custom DNS servers for FSLogix and/or App Attach file shares deployments to be successful, given DNS name resolution requests will go to custom DNS servers and their vNet will need to resolve private endpoints DNS records.

**Important**: for all scenatios that use custom DNS servers, conditional forwarding rules MUST be configured to send to Azure (168.63.129.16) the DNS requests targeting file.core.windows.net and vaultcore.azure.net name spaces.
- [x] Required private DNS zone name spaces:
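Review bot: the rewritten Scenario 2 line still carries the typos "existing Private DNS zones link to the vNet wher custom DNS server are connected" (should be "linked to the vNet where the custom DNS servers are connected"), Scenario 3 uses "FSlogix" where the rest of the file uses "FSLogix", and the Important note in the trailing context has "scenatios". Since these lines are being touched anyway, fixing them here avoids another pass over the same file.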