diff --git a/workload/arm/deploy-baseline.json b/workload/arm/deploy-baseline.json index dc367dca8..a31ad0b69 100644 --- a/workload/arm/deploy-baseline.json +++ b/workload/arm/deploy-baseline.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "16059823249270768996" + "version": "0.17.1.54307", + "templateHash": "15051264158868187229" }, "name": "AVD Accelerator - Baseline Deployment", "description": "AVD Accelerator - Deployment Baseline" @@ -100,24 +100,19 @@ "description": "Required, Eronll session hosts on Intune. (Default: false)" } }, - "avdApplicationGroupIdentitiesIds": { - "type": "array", - "defaultValue": [], + "securityPrincipalId": { + "type": "string", + "defaultValue": "", "metadata": { - "description": "Optional, Identity ID array to grant RBAC role to access AVD application group. (Default: \"\")" + "description": "Optional, Identity ID to grant RBAC role to access AVD application group and NTFS permissions. (Default: \"\")" } }, - "avdApplicationGroupIdentityType": { + "securityPrincipalName": { "type": "string", - "defaultValue": "Group", + "defaultValue": "", "metadata": { - "description": "Optional, Identity type to grant RBAC role to access AVD application group. (Default: Group)" - }, - "allowedValues": [ - "Group", - "ServicePrincipal", - "User" - ] + "description": "Optional, Identity name to grant RBAC role to access AVD application group and NTFS permissions. (Default: \"\")" + } }, "avdIdentityDomainName": { "type": "string", @@ -125,6 +120,13 @@ "description": "AD domain name." } }, + "netBios": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Netbios name, will be used to set NTFS file share permissions. (Default: \"\")" + } + }, "identityDomainGuid": { "type": "string", "defaultValue": "", 
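Review bot: The second hunk narrows `avdApplicationGroupIdentitiesIds` (an array, formerly paired with an `allowedValues` list of Group/ServicePrincipal/User) to a single `securityPrincipalId` string whose description does not say what kind of principal is accepted, while the nested templates later in this diff (L13) fix the role assignment's principalType to 'Group'. A caller who passes a user or service-principal object ID gets no validation at the parameter level and, as far as I can tell, a role assignment whose declared type does not match. Either keep the type parameterized or make the contract explicit in the description, e.g. `"description": "Optional, Object ID of the AAD group to grant the Desktop Virtualization User role and NTFS permissions. Only a single group is supported. (Default: \"\")"`. The same applies to `securityPrincipalName` and `netBios`, which default to "" but are documented as inputs to NTFS permission scripts; it would help to state what happens when they are left empty.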
@@ -323,6 +325,17 @@ "description": "Deploy Fslogix setup. (Default: true)" } }, + "fslogixStorageSolution": { + "type": "string", + "defaultValue": "AzureStorageAccount", + "metadata": { + "description": "Fslogix Storage Solution. Default is Azure Storage Account." + }, + "allowedValues": [ + "AzureStorageAccount", + "AzureNetappFiles" + ] + }, "createMsixDeployment": { "type": "bool", "defaultValue": false, @@ -330,6 +343,17 @@ "description": "Deploy MSIX App Attach setup. (Default: false)" } }, + "appAttachStorageSolution": { + "type": "string", + "defaultValue": "AzureStorageAccount", + "metadata": { + "description": "App attach Storage Solution. Default is Azure Storage Account." + }, + "allowedValues": [ + "AzureStorageAccount", + "AzureNetappFiles" + ] + }, "fslogixFileShareQuotaSize": { "type": "int", "defaultValue": 1, @@ -344,6 +368,17 @@ "description": "MSIX file share size. (Default: 1)" } }, + "kerberosEncryption": { + "type": "string", + "defaultValue": "AES256", + "metadata": { + "description": "Kerberos Encryption. Default is AES256." + }, + "allowedValues": [ + "AES256", + "RC4" + ] + }, "avdDeploySessionHosts": { "type": "bool", "defaultValue": true, @@ -558,13 +593,6 @@ "description": "OU name for Azure Storage Account. It is recommended to create a new AD Organizational Unit (OU) in AD and disable password expiration policy on computer accounts or service logon accounts accordingly. (Default: \"\")" } }, - "createOuForStorage": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "If OU for Azure Storage needs to be created - set to true and ensure the domain join credentials have priviledge to create OU and create computer objects or join to domain. (Default: false)" - } - }, "avdUseCustomNaming": { "type": "bool", "defaultValue": false, 
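Review bot: The new `kerberosEncryption` parameter offers `RC4` alongside `AES256` with a description that only names the default, so nothing tells the operator that RC4 is a legacy cipher and that choosing it weakens the AD identity used for the Azure Files share. The description should carry that guidance, e.g. `"description": "Kerberos encryption type for the storage account's AD identity. AES256 is the recommended value; RC4 is a legacy cipher and should only be selected for domains that cannot use AES. (Default: AES256)"`. The hunk also drops `createOuForStorage`; the context line above it still tells the operator to create an OU manually, which is consistent, but the README for this template presumably needs the same update.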
@@ -1259,7 +1287,7 @@ "varZtKvPrivateEndpointName": "[format('pe-{0}-vault', variables('varZtKvName'))]", "varFsLogixScriptArguments": "[if(equals(parameters('avdIdentityServiceProvider'), 'AAD'), format('-volumeshare {0} -storageAccountName {1} -identityDomainName {2}', variables('varFslogixSharePath'), variables('varFslogixStorageName'), parameters('avdIdentityDomainName')), format('-volumeshare {0}', variables('varFslogixSharePath')))]", "varFslogixSharePath": "[format('\\\\{0}.file.{1}\\{2}', variables('varFslogixStorageName'), environment().suffixes.storage, variables('varFslogixFileShareName'))]", - "varBaseScriptUri": "https://raw.githubusercontent.com/Azure/avdaccelerator/main/workload/", + "varBaseScriptUri": "https://raw.githubusercontent.com/Azure/avdaccelerator/ntfs-update/workload/", "varFslogixScriptUri": "[if(equals(parameters('avdIdentityServiceProvider'), 'AAD'), format('{0}scripts/Set-FSLogixRegKeysAAD.ps1', variables('varBaseScriptUri')), format('{0}scripts/Set-FSLogixRegKeys.ps1', variables('varBaseScriptUri')))]", "varFsLogixScript": "[if(equals(parameters('avdIdentityServiceProvider'), 'AAD'), './Set-FSLogixRegKeysAad.ps1', './Set-FSLogixRegKeys.ps1')]", "varAvdAgentPackageLocation": "[format('https://wvdportalstorageblob.blob.{0}/galleryartifacts/Configuration_09-08-2022.zip', environment().suffixes.storage)]", 
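Review bot: `varBaseScriptUri` now points at the `ntfs-update` branch instead of `main`, and L4 does the same for the new `varArtifactsLocation` (`.../raw/ntfs-update/workload/scripts`). These URIs are resolved at deployment time and the scripts they fetch are executed on session hosts and storage resources, so a mutable feature branch that may be rebased, force-pushed or deleted after merge becomes the source of what runs in customer environments. If this is a temporary testing change it should be reverted to `main` before merge; longer term, pinning to an immutable ref (tag or commit SHA) and verifying a known hash of the downloaded archive would remove the dependency on branch state entirely.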
@@ -1467,13 +1495,10 @@ "version": "latest" } }, - "varStorageAzureFilesDscAgentPackageLocation": "https://github.com/Azure/avdaccelerator/raw/main/workload/scripts/DSCStorageScripts.zip", - "varStorageToDomainScriptUri": "[format('{0}scripts/Manual-DSC-Storage-Scripts.ps1', variables('varBaseScriptUri'))]", - "varStorageToDomainScript": "./Manual-DSC-Storage-Scripts.ps1", + "varArtifactsLocation": "https://github.com/Azure/avdaccelerator/raw/ntfs-update/workload/scripts", "varOuStgPath": "[if(not(empty(parameters('storageOuPath'))), format('\"{0}\"', parameters('storageOuPath')), format('\"{0}\"', variables('varDefaultStorageOuPath')))]", "varDefaultStorageOuPath": "[if(equals(parameters('avdIdentityServiceProvider'), 'AADDS'), 'AADDC Computers', 'Computers')]", "varStorageCustomOuPath": "[if(not(empty(parameters('storageOuPath'))), 'true', 'false')]", - "varCreateOuForStorageString": "[string(parameters('createOuForStorage'))]", "varAllDnsServers": "[format('{0},168.63.129.16', parameters('customDnsIps'))]", "varDnsServers": "[if(empty(parameters('customDnsIps')), createArray(), split(variables('varAllDnsServers'), ','))]", "varCreateVnetPeering": "[if(not(empty(parameters('existingHubVnetResourceId'))), true(), false())]", @@ -1558,8 +1583,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "8823794279696588123" + "version": "0.17.1.54307", + "templateHash": "16670742080494531396" } }, "parameters": { @@ -1667,8 +1692,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "10196623923433376428" + "version": "0.17.1.54307", + "templateHash": "6601448312481874939" } }, "parameters": { @@ -1797,8 +1822,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "12106659644963784818" + "version": "0.17.1.54307", + "templateHash": "10998474410748060366" } }, "parameters": { 
@@ -2158,8 +2183,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "8823794279696588123" + "version": "0.17.1.54307", + "templateHash": "16670742080494531396" } }, "parameters": { @@ -2267,8 +2292,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "10196623923433376428" + "version": "0.17.1.54307", + "templateHash": "6601448312481874939" } }, "parameters": { @@ -2397,8 +2422,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "12106659644963784818" + "version": "0.17.1.54307", + "templateHash": "10998474410748060366" } }, "parameters": { @@ -2753,8 +2778,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "8823794279696588123" + "version": "0.17.1.54307", + "templateHash": "16670742080494531396" } }, "parameters": { @@ -2862,8 +2887,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "10196623923433376428" + "version": "0.17.1.54307", + "templateHash": "6601448312481874939" } }, "parameters": { @@ -2992,8 +3017,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "12106659644963784818" + "version": "0.17.1.54307", + "templateHash": "10998474410748060366" } }, "parameters": { @@ -3366,8 +3391,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "13997721719566643375" + "version": "0.17.1.54307", + "templateHash": "3035548163754880904" } }, "parameters": { @@ -3490,8 +3515,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "8823794279696588123" + "version": "0.17.1.54307", + "templateHash": "16670742080494531396" } }, "parameters": { 
@@ -3599,8 +3624,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "10196623923433376428" + "version": "0.17.1.54307", + "templateHash": "6601448312481874939" } }, "parameters": { @@ -3729,8 +3754,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "12106659644963784818" + "version": "0.17.1.54307", + "templateHash": "10998474410748060366" } }, "parameters": { @@ -4090,8 +4115,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "8596842132721557367" + "version": "0.17.1.54307", + "templateHash": "9723296804992458231" } }, "parameters": { @@ -4484,8 +4509,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "16114201815220186510" + "version": "0.17.1.54307", + "templateHash": "1015616738226483875" } }, "parameters": { @@ -4628,8 +4653,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "9475182064400951000" + "version": "0.17.1.54307", + "templateHash": "9976669288431551452" } }, "parameters": { @@ -4762,8 +4787,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "4737981453812272169" + "version": "0.17.1.54307", + "templateHash": "3402933947779868845" } }, "parameters": { @@ -4897,8 +4922,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "3112143349780297195" + "version": "0.17.1.54307", + "templateHash": "12988075953101096314" } }, "parameters": { @@ -5069,8 +5094,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "123582376075481853" + "version": "0.17.1.54307", + "templateHash": "3289166297924789550" } }, "parameters": { 
@@ -5216,8 +5241,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "16949430988646737619" + "version": "0.17.1.54307", + "templateHash": "18044483929875331860" } }, "parameters": { @@ -5443,8 +5468,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "16367350850509170627" + "version": "0.17.1.54307", + "templateHash": "1145398762062008037" } }, "parameters": { @@ -5612,8 +5637,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "4259405973831985687" + "version": "0.17.1.54307", + "templateHash": "15503229472224280826" } }, "parameters": { @@ -5763,8 +5788,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "8241310064803100775" + "version": "0.17.1.54307", + "templateHash": "7352784420507326330" } }, "parameters": { @@ -5977,8 +6002,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "14509232230386518393" + "version": "0.17.1.54307", + "templateHash": "6119857452463366145" } }, "parameters": { @@ -6286,8 +6311,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "18140433925264498395" + "version": "0.17.1.54307", + "templateHash": "16579532157576436548" } }, "parameters": { @@ -6618,8 +6643,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "2291336375760157964" + "version": "0.17.1.54307", + "templateHash": "5657647834665443119" } }, "parameters": { @@ -6801,8 +6826,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "16175402431461753105" + "version": "0.17.1.54307", + "templateHash": "5539435599928560626" } }, "parameters": { 
@@ -6980,8 +7005,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "12228099095722756446" + "version": "0.17.1.54307", + "templateHash": "17165573628970783202" } }, "parameters": { @@ -7249,8 +7274,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "7109016207306775504" + "version": "0.17.1.54307", + "templateHash": "13416191842446717007" } }, "parameters": { @@ -7330,8 +7355,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "1941283932562101832" + "version": "0.17.1.54307", + "templateHash": "7759814680098607558" } }, "parameters": { @@ -7802,8 +7827,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "16949430988646737619" + "version": "0.17.1.54307", + "templateHash": "18044483929875331860" } }, "parameters": { @@ -8035,8 +8060,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "16949430988646737619" + "version": "0.17.1.54307", + "templateHash": "18044483929875331860" } }, "parameters": { @@ -8351,8 +8376,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "16161040747925174642" + "version": "0.17.1.54307", + "templateHash": "16941034630457330238" } }, "parameters": { @@ -8702,8 +8727,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "16587720134751287236" + "version": "0.17.1.54307", + "templateHash": "8833698864456650616" } }, "parameters": { @@ -8979,8 +9004,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "12788403587110473233" + "version": "0.17.1.54307", + "templateHash": "2452007385443009245" } }, "parameters": { 
@@ -9224,8 +9249,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "7097336330611846796" + "version": "0.17.1.54307", + "templateHash": "175852501961116138" } }, "parameters": { @@ -9442,8 +9467,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "16587720134751287236" + "version": "0.17.1.54307", + "templateHash": "8833698864456650616" } }, "parameters": { @@ -9719,8 +9744,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "12788403587110473233" + "version": "0.17.1.54307", + "templateHash": "2452007385443009245" } }, "parameters": { @@ -9964,8 +9989,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "7097336330611846796" + "version": "0.17.1.54307", + "templateHash": "175852501961116138" } }, "parameters": { @@ -10170,8 +10195,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "1026634425206978147" + "version": "0.17.1.54307", + "templateHash": "4126277245845030634" } }, "parameters": { @@ -10293,8 +10318,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "17311918279735735244" + "version": "0.17.1.54307", + "templateHash": "9764104744913843180" } }, "parameters": { @@ -10500,8 +10525,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "16308363173981707308" + "version": "0.17.1.54307", + "templateHash": "3459157471784143501" } }, "parameters": { @@ -10640,8 +10665,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "5826842078108214123" + "version": "0.17.1.54307", + "templateHash": "17826830289819287737" } }, "parameters": { 
@@ -10849,8 +10874,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "16308363173981707308" + "version": "0.17.1.54307", + "templateHash": "3459157471784143501" } }, "parameters": { @@ -10989,8 +11014,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "5826842078108214123" + "version": "0.17.1.54307", + "templateHash": "17826830289819287737" } }, "parameters": { @@ -11215,8 +11240,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "9596720600329001052" + "version": "0.17.1.54307", + "templateHash": "10811539921072000941" } }, "parameters": { @@ -11566,8 +11591,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "15295044205283590639" + "version": "0.17.1.54307", + "templateHash": "12913964363513527115" } }, "parameters": { @@ -11759,8 +11784,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "15804363095104832975" + "version": "0.17.1.54307", + "templateHash": "1508597549221173835" } }, "parameters": { @@ -11982,8 +12007,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "14113542671107167377" + "version": "0.17.1.54307", + "templateHash": "12896423701864490964" } }, "parameters": { @@ -12148,8 +12173,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "14113542671107167377" + "version": "0.17.1.54307", + "templateHash": "12896423701864490964" } }, "parameters": { @@ -12309,8 +12334,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "18431427062084145620" + "version": "0.17.1.54307", + "templateHash": "7449417204208520653" } }, "parameters": { 
@@ -12546,8 +12571,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "10793736702090211494" + "version": "0.17.1.54307", + "templateHash": "9421903776734870810" } }, "parameters": { @@ -12634,8 +12659,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "10793736702090211494" + "version": "0.17.1.54307", + "templateHash": "9421903776734870810" } }, "parameters": { @@ -12722,8 +12747,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "10793736702090211494" + "version": "0.17.1.54307", + "templateHash": "9421903776734870810" } }, "parameters": { @@ -12810,8 +12835,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "10793736702090211494" + "version": "0.17.1.54307", + "templateHash": "9421903776734870810" } }, "parameters": { @@ -12974,11 +12999,8 @@ "identityServiceProvider": { "value": "[parameters('avdIdentityServiceProvider')]" }, - "applicationGroupIdentitiesIds": { - "value": "[parameters('avdApplicationGroupIdentitiesIds')]" - }, - "applicationGroupIdentityType": { - "value": "[parameters('avdApplicationGroupIdentityType')]" + "securityPrincipalIds": { + "value": "[array(parameters('securityPrincipalId'))]" }, "tags": "[if(parameters('createResourceTags'), createObject('value', union(variables('varCustomResourceTags'), variables('varAvdDefaultTags'))), createObject('value', variables('varAvdDefaultTags')))]", "alaWorkspaceResourceId": "[if(parameters('avdDeployMonitoring'), if(parameters('deployAlaWorkspace'), createObject('value', reference(subscriptionResourceId('Microsoft.Resources/deployments', format('Monitoring-{0}', parameters('time'))), '2022-09-01').outputs.avdAlaWorkspaceResourceId.value), createObject('value', parameters('alaExistingWorkspaceResourceId'))), createObject('value', ''))]", 
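Review bot: `"value": "[array(parameters('securityPrincipalId'))]"` in the last hunk wraps the parameter's empty default into a one-element array `['']`, so the `not(empty(parameters('securityPrincipalIds')))` guards on the consuming side (the roleAssignments expression at L13 and the copy `count`/`condition` at L16) no longer short-circuit when no principal is supplied and a role assignment with an empty principalId is attempted. The same wrapping is repeated at L14 for the storage module. Building the array conditionally keeps the old "optional" semantics: `"value": "[if(empty(parameters('securityPrincipalId')), createArray(), array(parameters('securityPrincipalId')))]"`.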
@@ -12995,8 +13017,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "15982398525226753115" + "version": "0.17.1.54307", + "templateHash": "91889314871995986" } }, "parameters": { @@ -13024,18 +13046,12 @@ "description": "The service providing domain services for Azure Virtual Desktop." } }, - "applicationGroupIdentitiesIds": { + "securityPrincipalIds": { "type": "array", "metadata": { "description": "Identity ID to grant RBAC role to access AVD application group." } }, - "applicationGroupIdentityType": { - "type": "string", - "metadata": { - "description": "Identity type to grant RBAC role to access AVD application group." - } - }, "osImage": { "type": "string", "metadata": { @@ -13289,8 +13305,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "649450619186273171" + "version": "0.17.1.54307", + "templateHash": "8991300973535712331" } }, "parameters": { @@ -13694,8 +13710,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "14279396732857224845" + "version": "0.17.1.54307", + "templateHash": "2314964423044495570" } }, "parameters": { 
@@ -13898,7 +13914,7 @@ "value": "[parameters('tags')]" }, "applications": "[if(equals(variables('varApplicaitonGroups')[copyIndex()].applicationGroupType, 'RemoteApp'), createObject('value', variables('varRAppApplicationGroupsApps')), createObject('value', createArray()))]", - "roleAssignments": "[if(not(empty(parameters('applicationGroupIdentitiesIds'))), createObject('value', createArray(createObject('roleDefinitionIdOrName', 'Desktop Virtualization User', 'principalIds', parameters('applicationGroupIdentitiesIds'), 'principalType', parameters('applicationGroupIdentityType')))), createObject('value', createArray()))]", + "roleAssignments": "[if(not(empty(parameters('securityPrincipalIds'))), createObject('value', createArray(createObject('roleDefinitionIdOrName', 'Desktop Virtualization User', 'principalIds', parameters('securityPrincipalIds'), 'principalType', 'Group'))), createObject('value', createArray()))]", "diagnosticWorkspaceId": { "value": "[parameters('alaWorkspaceResourceId')]" }, @@ -13915,8 +13931,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "16629665836116638883" + "version": "0.17.1.54307", + "templateHash": "16831976717101820384" } }, "parameters": { @@ -14181,8 +14197,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "6664287599840054041" + "version": "0.17.1.54307", + "templateHash": "7203259033747042619" } }, "parameters": { @@ -14359,8 +14375,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "3347591711902057245" + "version": "0.17.1.54307", + "templateHash": "1752140700494840741" } }, "parameters": { @@ -14569,8 +14585,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "12860422037075423458" + "version": "0.17.1.54307", + "templateHash": "8658432020113435364" } }, "parameters": { 
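Review bot: The rewritten `roleAssignments` expression hard-codes `'principalType', 'Group'` where the removed `applicationGroupIdentityType` parameter previously carried the caller's choice, yet the nested `securityPrincipalIds` parameter (L12) is still described only as "Identity ID". If a non-group object ID is passed, the assignment is submitted with a principalType that does not match the principal, which I believe Azure rejects rather than corrects. Either restore a `principalType` input on this nested template or state in the L12 description that only AAD group object IDs are accepted; the enclosing nested deployment continues outside the hunk.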
@@ -14811,8 +14827,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "9797264344352680473" + "version": "0.17.1.54307", + "templateHash": "6421047844253253523" } }, "parameters": { @@ -15035,8 +15051,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "10855178142469757598" + "version": "0.17.1.54307", + "templateHash": "10268638408600238996" } }, "parameters": { @@ -15316,8 +15332,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "7819863254022282170" + "version": "0.17.1.54307", + "templateHash": "12892308842611713996" } }, "parameters": { @@ -15542,8 +15558,8 @@ "createStorageDeployment": { "value": "[variables('varCreateStorageDeployment')]" }, - "appGroupIdentitiesIds": { - "value": "[parameters('avdApplicationGroupIdentitiesIds')]" + "securityPrincipalIds": { + "value": "[array(parameters('securityPrincipalId'))]" }, "tags": "[if(parameters('createResourceTags'), createObject('value', union(variables('varCustomResourceTags'), variables('varAvdDefaultTags'))), createObject('value', variables('varAvdDefaultTags')))]" }, @@ -15553,8 +15569,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "14451756906747934165" + "version": "0.17.1.54307", + "templateHash": "11341015817286989905" } }, "parameters": { @@ -15606,7 +15622,7 @@ "description": "Required, The service providing domain services for Azure Virtual Desktop." } }, - "appGroupIdentitiesIds": { + "securityPrincipalIds": { "type": "array", "metadata": { "description": "Required, Identity ID to grant RBAC role to access AVD application group." 
@@ -15665,6 +15681,10 @@ "id": "0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb", "name": "Storage File Data SMB Share Contributor" }, + "varDesktopVirtualizationVirtualMachineContributorRole": { + "id": "\ta959dbd1-f747-45e3-8ba6-dd80f235f97c", + "name": "Desktop Virtualization Virtual Machine Contributor" + }, "varDesktopVirtualizationPowerOnContributorRole": { "id": "489581de-a3bd-480d-9518-53dea7416b33", "name": "Desktop Virtualization Power On Contributor" @@ -15730,8 +15750,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "15737913196788172522" + "version": "0.17.1.54307", + "templateHash": "15136491551081535379" } }, "parameters": { @@ -15853,8 +15873,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "943002000979437913" + "version": "0.17.1.54307", + "templateHash": "8490200634198428200" } }, "parameters": { @@ -16046,8 +16066,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "15737913196788172522" + "version": "0.17.1.54307", + "templateHash": "15136491551081535379" } }, "parameters": { @@ -16169,8 +16189,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "943002000979437913" + "version": "0.17.1.54307", + "templateHash": "8490200634198428200" } }, "parameters": { @@ -16374,8 +16394,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "14509232230386518393" + "version": "0.17.1.54307", + "templateHash": "6119857452463366145" } }, "parameters": { @@ -16675,8 +16695,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "16771064281561658183" + "version": "0.17.1.54307", + "templateHash": "10569201387143117913" } }, "parameters": { 
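Review bot: The new `varDesktopVirtualizationVirtualMachineContributorRole` has `"id": "\ta959dbd1-f747-45e3-8ba6-dd80f235f97c"`, and the `\t` escape is a literal tab character inside the GUID, so any `roleDefinitions/{1}` path built from this variable will be malformed. It should read `"id": "a959dbd1-f747-45e3-8ba6-dd80f235f97c"`, matching the sibling role variables in the same block. The hunk does not show where this variable is consumed, so I cannot tell whether the assignment is exercised by this change.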
@@ -17255,8 +17275,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "16771064281561658183" + "version": "0.17.1.54307", + "templateHash": "10569201387143117913" } }, "parameters": { @@ -17833,8 +17853,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "16771064281561658183" + "version": "0.17.1.54307", + "templateHash": "10569201387143117913" } }, "parameters": { @@ -18390,12 +18410,12 @@ { "copy": { "name": "storageSmbShareContributorRoleAssign", - "count": "[length(parameters('appGroupIdentitiesIds'))]" + "count": "[length(parameters('securityPrincipalIds'))]" }, - "condition": "[and(and(parameters('createStorageDeployment'), equals(parameters('identityServiceProvider'), 'AAD')), not(empty(parameters('appGroupIdentitiesIds'))))]", + "condition": "[and(and(parameters('createStorageDeployment'), equals(parameters('identityServiceProvider'), 'AAD')), not(empty(parameters('securityPrincipalIds'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('Stora-SmbContri-RolAssign-{0}-{1}', take(format('{0}', parameters('appGroupIdentitiesIds')[copyIndex()]), 6), parameters('time'))]", + "name": "[format('Stora-SmbContri-RolAssign-{0}-{1}', take(format('{0}', parameters('securityPrincipalIds')[copyIndex()]), 6), parameters('time'))]", "subscriptionId": "[format('{0}', parameters('subscriptionId'))]", "resourceGroup": "[format('{0}', parameters('storageObjectsRgName'))]", "properties": { @@ -18408,7 +18428,7 @@ "value": "[format('/subscriptions/{0}/providers/Microsoft.Authorization/roleDefinitions/{1}', parameters('subscriptionId'), variables('varStorageSmbShareContributorRole').id)]" }, "principalId": { - "value": "[parameters('appGroupIdentitiesIds')[copyIndex()]]" + "value": "[parameters('securityPrincipalIds')[copyIndex()]]" } }, "template": { 
@@ -18417,8 +18437,588 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "16771064281561658183" + "version": "0.17.1.54307", + "templateHash": "10569201387143117913" + } + }, + "parameters": { + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity)." + } + }, + "resourceGroupName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "Optional. Name of the Resource Group to assign the RBAC role to. If not provided, will use the current scope for deployment." + } + }, + "subscriptionId": { + "type": "string", + "defaultValue": "[subscription().subscriptionId]", + "metadata": { + "description": "Optional. Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment." + } + }, + "description": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. ID of the delegated managed identity resource." + } + }, + "condition": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to." + } + }, + "conditionVersion": { + "type": "string", + "defaultValue": "2.0", + "allowedValues": [ + "2.0" + ], + "metadata": { + "description": "Optional. Version of the condition. 
Currently accepted value is \"2.0\"." + } + }, + "principalType": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "ServicePrincipal", + "Group", + "User", + "ForeignGroup", + "Device", + "" + ], + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + } + } + }, + "variables": { + "builtInRoleNames": { + "Access Review Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/76cc9ee4-d5d3-4a45-a930-26add3d73475", + "AcrDelete": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "AcrImageSigner": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f", + "AcrPull": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d", + "AcrPush": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec", + "AcrQuarantineReader": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04", + "AcrQuarantineWriter": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608", + "AgFood Platform Sensor Partner Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6b77f0a0-0d89-41cc-acd1-579c22c17a67", + "AgFood Platform Service Admin": "/providers/Microsoft.Authorization/roleDefinitions/f8da80de-1ff9-4747-ad80-a19b7f6079e3", + "AgFood Platform Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8508508a-4469-4e45-963b-2518ee0bb728", + "AgFood Platform Service Reader": "/providers/Microsoft.Authorization/roleDefinitions/7ec7ccdc-f61e-41fe-9aaf-980df0a44eba", + "AnyBuild Builder": "/providers/Microsoft.Authorization/roleDefinitions/a2138dac-4907-4679-a376-736901ed8ad8", + "API Management Developer 
Portal Content Editor": "/providers/Microsoft.Authorization/roleDefinitions/c031e6a8-4391-4de0-8d69-4706a7ed3729", + "API Management Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c", + "API Management Service Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61", + "API Management Service Reader Role": "/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d", + "App Configuration Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b", + "App Configuration Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071", + "Application Group Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ca6382a4-1721-4bcf-a114-ff0c70227b6b", + "Application Insights Component Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e", + "Application Insights Snapshot Debugger": "/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b", + "Attestation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e", + "Attestation Reader": "/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3", + "Automation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/f353d9bd-d4a6-484e-a77a-8050b599b867", + "Automation Job Operator": "/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-4730-92eb-48519fa6bf9f", + "Automation Operator": "/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404", + "Automation Runbook Operator": "/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5", + "Autonomous Development Platform Data Contributor (Preview)": 
"/providers/Microsoft.Authorization/roleDefinitions/b8b15564-4fa6-4a59-ab12-03e1d9594795", + "Autonomous Development Platform Data Owner (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/27f8b550-c507-4db9-86f2-f4b8e816d59d", + "Autonomous Development Platform Data Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/d63b75f7-47ea-4f27-92ac-e0d173aaf093", + "Avere Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a", + "Avere Operator": "/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9", + "Azure Arc Enabled Kubernetes Cluster User Role": "/providers/Microsoft.Authorization/roleDefinitions/00493d72-78f6-4148-b6c5-d3ce8e4799dd", + "Azure Arc Kubernetes Admin": "/providers/Microsoft.Authorization/roleDefinitions/dffb1e0c-446f-4dde-a09f-99eb5cc68b96", + "Azure Arc Kubernetes Cluster Admin": "/providers/Microsoft.Authorization/roleDefinitions/8393591c-06b9-48a2-a542-1bd6b377f6a2", + "Azure Arc Kubernetes Viewer": "/providers/Microsoft.Authorization/roleDefinitions/63f0a09d-1495-4db4-a681-037d84835eb4", + "Azure Arc Kubernetes Writer": "/providers/Microsoft.Authorization/roleDefinitions/5b999177-9696-4545-85c7-50de3797e5a1", + "Azure Arc ScVmm Administrator role": "/providers/Microsoft.Authorization/roleDefinitions/a92dfd61-77f9-4aec-a531-19858b406c87", + "Azure Arc ScVmm Private Cloud User": "/providers/Microsoft.Authorization/roleDefinitions/c0781e91-8102-4553-8951-97c6d4243cda", + "Azure Arc ScVmm Private Clouds Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/6aac74c4-6311-40d2-bbdd-7d01e7c6e3a9", + "Azure Arc ScVmm VM Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e582369a-e17b-42a5-b10c-874c387c530b", + "Azure Arc VMware Administrator role ": "/providers/Microsoft.Authorization/roleDefinitions/ddc140ed-e463-4246-9145-7c664192013f", + "Azure Arc VMware Private Cloud User": 
"/providers/Microsoft.Authorization/roleDefinitions/ce551c02-7c42-47e0-9deb-e3b6fc3a9a83", + "Azure Arc VMware Private Clouds Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/67d33e57-3129-45e6-bb0b-7cc522f762fa", + "Azure Arc VMware VM Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b748a06d-6150-4f8a-aaa9-ce3940cd96cb", + "Azure Center for SAP solutions administrator": "/providers/Microsoft.Authorization/roleDefinitions/7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7", + "Azure Center for SAP solutions Management role": "/providers/Microsoft.Authorization/roleDefinitions/6d949e1d-41e2-46e3-8920-c6e4f31a8310", + "Azure Center for SAP solutions reader": "/providers/Microsoft.Authorization/roleDefinitions/05352d14-a920-4328-a0de-4cbe7430e26b", + "Azure Center for SAP solutions service role": "/providers/Microsoft.Authorization/roleDefinitions/aabbc5dd-1af0-458b-a942-81af88f9c138", + "Azure Center for SAP solutions Service role for management": "/providers/Microsoft.Authorization/roleDefinitions/0105a6b0-4bb9-43d2-982a-12806f9faddb", + "Azure Connected Machine Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7", + "Azure Connected Machine Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302", + "Azure Connected Machine Resource Manager": "/providers/Microsoft.Authorization/roleDefinitions/f5819b54-e033-4d82-ac66-4fec3cbf3f4c", + "Azure Connected SQL Server Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/e8113dce-c529-4d33-91fa-e9b972617508", + "Azure Digital Twins Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe", + "Azure Digital Twins Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3", + "Azure Event Hubs Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + 
"Azure Event Hubs Data Receiver": "/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde", + "Azure Event Hubs Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975", + "Azure Extension for SQL Server Deployment": "/providers/Microsoft.Authorization/roleDefinitions/7392c568-9289-4bde-aaaa-b7131215889d", + "Azure Front Door Domain Contributor": "/providers/Microsoft.Authorization/roleDefinitions/0ab34830-df19-4f8c-b84e-aa85b8afa6e8", + "Azure Front Door Domain Reader": "/providers/Microsoft.Authorization/roleDefinitions/0f99d363-226e-4dca-9920-b807cf8e1a5f", + "Azure Front Door Secret Contributor": "/providers/Microsoft.Authorization/roleDefinitions/3f2eb865-5811-4578-b90a-6fc6fa0df8e5", + "Azure Front Door Secret Reader": "/providers/Microsoft.Authorization/roleDefinitions/0db238c4-885e-4c4f-a933-aa2cef684fca", + "Azure Kubernetes Fleet Manager Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/63bb64ad-9799-4770-b5c3-24ed299a07bf", + "Azure Kubernetes Fleet Manager RBAC Admin": "/providers/Microsoft.Authorization/roleDefinitions/434fb43a-c01c-447e-9f67-c3ad923cfaba", + "Azure Kubernetes Fleet Manager RBAC Cluster Admin": "/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69", + "Azure Kubernetes Fleet Manager RBAC Reader": "/providers/Microsoft.Authorization/roleDefinitions/30b27cfc-9c84-438e-b0ce-70e35255df80", + "Azure Kubernetes Fleet Manager RBAC Writer": "/providers/Microsoft.Authorization/roleDefinitions/5af6afb3-c06c-4fa4-8848-71a8aee05683", + "Azure Kubernetes Service Cluster Admin Role": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8", + "Azure Kubernetes Service Cluster Monitoring User": "/providers/Microsoft.Authorization/roleDefinitions/1afdec4b-e479-420e-99e7-f82237c7c5e6", + "Azure Kubernetes Service Cluster User Role": 
"/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f", + "Azure Kubernetes Service Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8", + "Azure Kubernetes Service Policy Add-on Deployment": "/providers/Microsoft.Authorization/roleDefinitions/18ed5180-3e48-46fd-8541-4ea054d57064", + "Azure Kubernetes Service RBAC Admin": "/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7", + "Azure Kubernetes Service RBAC Cluster Admin": "/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b", + "Azure Kubernetes Service RBAC Reader": "/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db", + "Azure Kubernetes Service RBAC Writer": "/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb", + "Azure Maps Contributor": "/providers/Microsoft.Authorization/roleDefinitions/dba33070-676a-4fb0-87fa-064dc56ff7fb", + "Azure Maps Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204", + "Azure Maps Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa", + "Azure Maps Search and Render Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/6be48352-4f82-47c9-ad5e-0acacefdb005", + "Azure Relay Listener": "/providers/Microsoft.Authorization/roleDefinitions/26e0b698-aa6d-4085-9386-aadae190014d", + "Azure Relay Owner": "/providers/Microsoft.Authorization/roleDefinitions/2787bf04-f1f5-4bfe-8383-c8a24483ee38", + "Azure Relay Sender": "/providers/Microsoft.Authorization/roleDefinitions/26baccc8-eea7-41f1-98f4-1762cc7f685d", + "Azure Service Bus Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419", + "Azure Service Bus Data Receiver": 
"/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0", + "Azure Service Bus Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39", + "Azure Spring Apps Connect Role": "/providers/Microsoft.Authorization/roleDefinitions/80558df3-64f9-4c0f-b32d-e5094b036b0b", + "Azure Spring Apps Remote Debugging Role": "/providers/Microsoft.Authorization/roleDefinitions/a99b0159-1064-4c22-a57b-c9b3caa1c054", + "Azure Spring Cloud Config Server Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b", + "Azure Spring Cloud Config Server Reader": "/providers/Microsoft.Authorization/roleDefinitions/d04c6db6-4947-4782-9e91-30a88feb7be7", + "Azure Spring Cloud Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/b5537268-8956-4941-a8f0-646150406f0c", + "Azure Spring Cloud Service Registry Contributor": "/providers/Microsoft.Authorization/roleDefinitions/f5880b48-c26d-48be-b172-7927bfa1c8f1", + "Azure Spring Cloud Service Registry Reader": "/providers/Microsoft.Authorization/roleDefinitions/cff1b556-2399-4e7e-856d-a8f754be7b65", + "Azure Stack HCI registration role": "/providers/Microsoft.Authorization/roleDefinitions/bda0d508-adf1-4af0-9c28-88919fc3ae06", + "Azure Stack Registration Owner": "/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a", + "Azure Traffic Controller Configuration Manager": "/providers/Microsoft.Authorization/roleDefinitions/fbc52c3f-28ad-4303-a892-8a056630b8f1", + "Azure Usage Billing Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/f0310ce6-e953-4cf8-b892-fb1c87eaf7f6", + "Azure VM Managed identities restore Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6ae96244-5829-4925-a7d3-5975537d91dd", + "AzureML Compute Operator": "/providers/Microsoft.Authorization/roleDefinitions/e503ece1-11d0-4e8e-8e2c-7a6c3bf38815", + "AzureML Data Scientist": 
"/providers/Microsoft.Authorization/roleDefinitions/f6c7c914-8db3-469d-8ca1-694a8f32e121", + "AzureML Metrics Writer (preview)": "/providers/Microsoft.Authorization/roleDefinitions/635dd51f-9968-44d3-b7fb-6d9a6bd613ae", + "AzureML Registry User": "/providers/Microsoft.Authorization/roleDefinitions/1823dd4f-9b8c-4ab6-ab4e-7397a3684615", + "Backup Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b", + "Backup Operator": "/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324", + "Backup Reader": "/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912", + "Bayer Ag Powered Services CWUM Solution User Role": "/providers/Microsoft.Authorization/roleDefinitions/a9b99099-ead7-47db-8fcf-072597a61dfa", + "Bayer Ag Powered Services GDU Solution": "/providers/Microsoft.Authorization/roleDefinitions/c4bc862a-3b64-4a35-a021-a380c159b042", + "Bayer Ag Powered Services Imagery Solution": "/providers/Microsoft.Authorization/roleDefinitions/ef29765d-0d37-4119-a4f8-f9f9902c9588", + "Billing Reader": "/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64", + "BizTalk Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-4708-81fe-0de47ac73342", + "Blockchain Member Node Access (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/31a002a1-acaf-453e-8a5b-297c9ca1ea24", + "Blueprint Contributor": "/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4", + "Blueprint Operator": "/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090", + "CDN Endpoint Contributor": "/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45", + "CDN Endpoint Reader": "/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd", + "CDN Profile Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432", + "CDN Profile Reader": "/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-438f-813d-ad51ab4019af", + "Chamber Admin": "/providers/Microsoft.Authorization/roleDefinitions/4e9b8407-af2e-495b-ae54-bb60a55b1b5a", + "Chamber User": "/providers/Microsoft.Authorization/roleDefinitions/4447db05-44ed-4da3-ae60-6cbece780e32", + "Classic Network Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f", + "Classic Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25", + "Classic Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d", + "Classic Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb", + "ClearDB MySQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9106cda0-8a86-4e81-b686-29a22c54effe", + "Code Signing Certificate Profile Signer": "/providers/Microsoft.Authorization/roleDefinitions/2837e146-70d7-4cfd-ad55-7efa6464f958", + "Code Signing Identity Verifier": "/providers/Microsoft.Authorization/roleDefinitions/4339b7cf-9826-4e41-b4ed-c7f4505dac08", + "Cognitive Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68", + "Cognitive Services Custom Vision Contributor": "/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3", + "Cognitive Services Custom Vision Deployment": "/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f", + "Cognitive Services Custom Vision Labeler": "/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c", + "Cognitive Services Custom Vision Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73", + "Cognitive Services Custom Vision Trainer": "/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b", + "Cognitive Services Data Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c", + "Cognitive Services Face Recognizer": "/providers/Microsoft.Authorization/roleDefinitions/9894cab4-e18a-44aa-828b-cb588cd6f2d7", + "Cognitive Services Immersive Reader User": "/providers/Microsoft.Authorization/roleDefinitions/b2de6794-95db-4659-8781-7e080d3f2b9d", + "Cognitive Services Language Owner": "/providers/Microsoft.Authorization/roleDefinitions/f07febfe-79bc-46b1-8b37-790e26e6e498", + "Cognitive Services Language Reader": "/providers/Microsoft.Authorization/roleDefinitions/7628b7b8-a8b2-4cdc-b46f-e9b35248918e", + "Cognitive Services Language Writer": "/providers/Microsoft.Authorization/roleDefinitions/f2310ca1-dc64-4889-bb49-c8e0fa3d47a8", + "Cognitive Services LUIS Owner": "/providers/Microsoft.Authorization/roleDefinitions/f72c8140-2111-481c-87ff-72b910f6e3f8", + "Cognitive Services LUIS Reader": "/providers/Microsoft.Authorization/roleDefinitions/18e81cdc-4e98-4e29-a639-e7d10c5a6226", + "Cognitive Services LUIS Writer": "/providers/Microsoft.Authorization/roleDefinitions/6322a993-d5c9-4bed-b113-e49bbea25b27", + "Cognitive Services Metrics Advisor Administrator": "/providers/Microsoft.Authorization/roleDefinitions/cb43c632-a144-4ec5-977c-e80c4affc34a", + "Cognitive Services Metrics Advisor User": "/providers/Microsoft.Authorization/roleDefinitions/3b20f47b-3825-43cb-8114-4bd2201156a8", + "Cognitive Services OpenAI Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a001fd3d-188f-4b5d-821b-7da978bf7442", + "Cognitive Services OpenAI User": "/providers/Microsoft.Authorization/roleDefinitions/5e0bd9bd-7b93-4f28-af87-19fc36ad61bd", + "Cognitive Services QnA Maker Editor": 
"/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025", + "Cognitive Services QnA Maker Reader": "/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126", + "Cognitive Services Speech Contributor": "/providers/Microsoft.Authorization/roleDefinitions/0e75ca1e-0464-4b4d-8b93-68208a576181", + "Cognitive Services Speech User": "/providers/Microsoft.Authorization/roleDefinitions/f2dc8367-1007-4938-bd23-fe263f013447", + "Cognitive Services User": "/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908", + "Collaborative Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/daa9e50b-21df-454c-94a6-a8050adab352", + "Collaborative Runtime Operator": "/providers/Microsoft.Authorization/roleDefinitions/7a6f0e70-c033-4fb1-828c-08514e5f4102", + "Compute Gallery Sharing Admin": "/providers/Microsoft.Authorization/roleDefinitions/1ef6a3be-d0ac-425d-8c01-acb62866290b", + "ContainerApp Reader": "/providers/Microsoft.Authorization/roleDefinitions/ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b", + "Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "Cosmos DB Account Reader Role": "/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8", + "Cosmos DB Operator": "/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa", + "CosmosBackupOperator": "/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb", + "CosmosRestoreOperator": "/providers/Microsoft.Authorization/roleDefinitions/5432c526-bc82-444a-b7ba-57c5b0b5b34f", + "Cost Management Contributor": "/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430", + "Cost Management Reader": "/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-4937-9268-a91bfd8191a3", + "Data Box Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5", + "Data Box Reader": "/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027", + "Data Factory Contributor": "/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5", + "Data Labeling - Labeler": "/providers/Microsoft.Authorization/roleDefinitions/c6decf44-fd0a-444c-a844-d653c394e7ab", + "Data Lake Analytics Developer": "/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88", + "Data Operator for Managed Disks": "/providers/Microsoft.Authorization/roleDefinitions/959f8984-c045-4866-89c7-12bf9737be2e", + "Data Purger": "/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90", + "Deployment Environments User": "/providers/Microsoft.Authorization/roleDefinitions/18e40d4e-8d2e-438d-97e1-9528336e149c", + "Desktop Virtualization Application Group Contributor": "/providers/Microsoft.Authorization/roleDefinitions/86240b0e-9422-4c43-887b-b61143f32ba8", + "Desktop Virtualization Application Group Reader": "/providers/Microsoft.Authorization/roleDefinitions/aebf23d0-b568-4e86-b8f9-fe83a2c6ab55", + "Desktop Virtualization Contributor": "/providers/Microsoft.Authorization/roleDefinitions/082f0a83-3be5-4ba1-904c-961cca79b387", + "Desktop Virtualization Host Pool Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e307426c-f9b6-4e81-87de-d99efb3c32bc", + "Desktop Virtualization Host Pool Reader": "/providers/Microsoft.Authorization/roleDefinitions/ceadfde2-b300-400a-ab7b-6143895aa822", + "Desktop Virtualization Power On Contributor": "/providers/Microsoft.Authorization/roleDefinitions/489581de-a3bd-480d-9518-53dea7416b33", + "Desktop Virtualization Power On Off Contributor": "/providers/Microsoft.Authorization/roleDefinitions/40c5ff49-9181-41f8-ae61-143b0e78555e", + "Desktop Virtualization Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/49a72310-ab8d-41df-bbb0-79b649203868", + "Desktop Virtualization Session Host Operator": "/providers/Microsoft.Authorization/roleDefinitions/2ad6aaab-ead9-4eaa-8ac5-da422f562408", + "Desktop Virtualization User": "/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63", + "Desktop Virtualization User Session Operator": "/providers/Microsoft.Authorization/roleDefinitions/ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6", + "Desktop Virtualization Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a959dbd1-f747-45e3-8ba6-dd80f235f97c", + "Desktop Virtualization Workspace Contributor": "/providers/Microsoft.Authorization/roleDefinitions/21efdde3-836f-432b-bf3d-3e8e734d4b2b", + "Desktop Virtualization Workspace Reader": "/providers/Microsoft.Authorization/roleDefinitions/0fa44ee9-7a7d-466b-9bb2-2bf446b1204d", + "DevCenter Dev Box User": "/providers/Microsoft.Authorization/roleDefinitions/45d50f46-0b78-4001-a660-4198cbe8cd05", + "DevCenter Project Admin": "/providers/Microsoft.Authorization/roleDefinitions/331c37c6-af14-46d9-b9f4-e1909e1b95a0", + "Device Provisioning Service Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/dfce44e4-17b7-4bd1-a6d1-04996ec95633", + "Device Provisioning Service Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/10745317-c249-44a1-a5ce-3a4353c0bbd8", + "Device Update Administrator": "/providers/Microsoft.Authorization/roleDefinitions/02ca0879-e8e4-47a5-a61e-5c618b76e64a", + "Device Update Content Administrator": "/providers/Microsoft.Authorization/roleDefinitions/0378884a-3af5-44ab-8323-f5b22f9f3c98", + "Device Update Content Reader": "/providers/Microsoft.Authorization/roleDefinitions/d1ee9a80-8b14-47f0-bdc2-f4a351625a7b", + "Device Update Deployments Administrator": "/providers/Microsoft.Authorization/roleDefinitions/e4237640-0e3d-4a46-8fda-70bc94856432", + "Device Update Deployments Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/49e2f5d2-7741-4835-8efa-19e1fe35e47f", + "Device Update Reader": "/providers/Microsoft.Authorization/roleDefinitions/e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f", + "DevTest Labs User": "/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64", + "DICOM Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/58a3b984-7adf-4c20-983a-32417c86fbc8", + "DICOM Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a", + "Disk Backup Reader": "/providers/Microsoft.Authorization/roleDefinitions/3e5e47e6-65f7-47ef-90b5-e5dd4d455f24", + "Disk Pool Operator": "/providers/Microsoft.Authorization/roleDefinitions/60fc6e62-5479-42d4-8bf4-67625fcc2840", + "Disk Restore Operator": "/providers/Microsoft.Authorization/roleDefinitions/b50d9833-a0cb-478e-945f-707fcc997c13", + "Disk Snapshot Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7efff54f-a5b4-42b5-a1c5-5411624893ce", + "DNS Resolver Contributor": "/providers/Microsoft.Authorization/roleDefinitions/0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d", + "DNS Zone Contributor": "/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314", + "DocumentDB Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450", + "Domain Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/eeaeda52-9324-47f6-8069-5d5bade478b2", + "Domain Services Reader": "/providers/Microsoft.Authorization/roleDefinitions/361898ef-9ed1-48c2-849c-a832951106bb", + "Elastic SAN Owner": "/providers/Microsoft.Authorization/roleDefinitions/80dcbedb-47ef-405d-95bd-188a1b4ac406", + "Elastic SAN Reader": "/providers/Microsoft.Authorization/roleDefinitions/af6a70f8-3c9f-4105-acf1-d719e9fca4ca", + "Elastic SAN Volume Group Owner": "/providers/Microsoft.Authorization/roleDefinitions/a8281131-f312-4f34-8d98-ae12be9f0d23", + "EventGrid 
Contributor": "/providers/Microsoft.Authorization/roleDefinitions/1e241071-0855-49ea-94dc-649edcd759de", + "EventGrid Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/d5a91429-5739-47e2-a06b-3470a27159e7", + "EventGrid EventSubscription Contributor": "/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443", + "EventGrid EventSubscription Reader": "/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405", + "Experimentation Administrator": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a33b-edd6ce5c915c", + "Experimentation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a22b-edd6ce5c915c", + "Experimentation Metric Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6188b7c9-7d01-4f99-a59f-c88b630326c0", + "Experimentation Reader": "/providers/Microsoft.Authorization/roleDefinitions/49632ef5-d9ac-41f4-b8e7-bbe587fa74a1", + "FHIR Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd", + "FHIR Data Converter": "/providers/Microsoft.Authorization/roleDefinitions/a1705bd2-3a8f-45a5-8683-466fcfd5cc24", + "FHIR Data Exporter": "/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843", + "FHIR Data Importer": "/providers/Microsoft.Authorization/roleDefinitions/4465e953-8ced-4406-a58e-0f6e3f3b530b", + "FHIR Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508", + "FHIR Data Writer": "/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913", + "FHIR SMART User": "/providers/Microsoft.Authorization/roleDefinitions/4ba50f17-9666-485c-a643-ff00808643f0", + "Grafana Admin": "/providers/Microsoft.Authorization/roleDefinitions/22926164-76b3-42b3-bc55-97df8dab3e41", + "Grafana Editor": 
"/providers/Microsoft.Authorization/roleDefinitions/a79a5197-3a5c-4973-a920-486035ffd60f", + "Grafana Viewer": "/providers/Microsoft.Authorization/roleDefinitions/60921a7e-fef1-4a43-9b16-a26c52ad4769", + "Graph Owner": "/providers/Microsoft.Authorization/roleDefinitions/b60367af-1334-4454-b71e-769d9a4f83d9", + "Guest Configuration Resource Contributor": "/providers/Microsoft.Authorization/roleDefinitions/088ab73d-1256-47ae-bea9-9de8e7131f31", + "HDInsight Cluster Operator": "/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a", + "HDInsight Domain Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c", + "Hierarchy Settings Administrator": "/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d", + "Hybrid Server Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb", + "Hybrid Server Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/48b40c6e-82e0-4eb3-90d5-19e40f49b624", + "Impact Reader": "/providers/Microsoft.Authorization/roleDefinitions/68ff5d27-c7f5-4fa9-a21c-785d0df7bd9e", + "Impact Reporter": "/providers/Microsoft.Authorization/roleDefinitions/36e80216-a7e8-4f42-a7e1-f12c98cbaf8a", + "Integration Service Environment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8", + "Integration Service Environment Developer": "/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec", + "Intelligent Systems Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e", + "IoT Hub Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4fc6c259-987e-4a07-842e-c321cc9d413f", + "IoT Hub Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/b447c946-2db7-41ec-983d-d8bf3b1c77e3", + "IoT Hub Registry Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/4ea46cd5-c1b2-4a8e-910b-273211f9ce47", + "IoT Hub Twin Contributor": "/providers/Microsoft.Authorization/roleDefinitions/494bdba2-168f-4f31-a0a1-191d2f7c028c", + "Key Vault Administrator": "/providers/Microsoft.Authorization/roleDefinitions/00482a5a-887f-4fb3-b363-3b7fe8e74483", + "Key Vault Certificates Officer": "/providers/Microsoft.Authorization/roleDefinitions/a4417e6f-fecd-4de8-b567-7b0420556985", + "Key Vault Contributor": "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395", + "Key Vault Crypto Officer": "/providers/Microsoft.Authorization/roleDefinitions/14b46e9e-c2b7-41b4-b07b-48a6ebf60603", + "Key Vault Crypto Service Encryption User": "/providers/Microsoft.Authorization/roleDefinitions/e147488a-f6f5-4113-8e2d-b22465e65bf6", + "Key Vault Crypto User": "/providers/Microsoft.Authorization/roleDefinitions/12338af0-0e69-4776-bea7-57ae8d297424", + "Key Vault Reader": "/providers/Microsoft.Authorization/roleDefinitions/21090545-7ca7-4776-b22c-e363652d74d2", + "Key Vault Secrets Officer": "/providers/Microsoft.Authorization/roleDefinitions/b86a8fe4-44ce-4948-aee5-eccb2c155cd7", + "Key Vault Secrets User": "/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-408a-b874-0445c86b69e6", + "Knowledge Consumer": "/providers/Microsoft.Authorization/roleDefinitions/ee361c5d-f7b5-4119-b4b6-892157c8f64c", + "Kubernetes Agentless Operator": "/providers/Microsoft.Authorization/roleDefinitions/d5a2ae44-610b-4500-93be-660a0c5f5ca6", + "Kubernetes Cluster - Azure Arc Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41", + "Kubernetes Extension Contributor": "/providers/Microsoft.Authorization/roleDefinitions/85cb6faf-e071-4c9b-8136-154b5a04f717", + "Kubernetes Namespace User": "/providers/Microsoft.Authorization/roleDefinitions/ba79058c-0414-4a34-9e42-c3399d80cd5a", + "Lab Assistant": 
"/providers/Microsoft.Authorization/roleDefinitions/ce40b423-cede-4313-a93f-9b28290b72e1", + "Lab Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5daaa2af-1fe8-407c-9122-bba179798270", + "Lab Creator": "/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-4522-a38b-dd33c7e65ead", + "Lab Operator": "/providers/Microsoft.Authorization/roleDefinitions/a36e6959-b6be-4b12-8e9f-ef4b474d304d", + "Lab Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/f69b8690-cc87-41d6-b77a-a4bc3c0a966f", + "Lab Services Reader": "/providers/Microsoft.Authorization/roleDefinitions/2a5c394f-5eb7-4d4f-9c8e-e8eae39faebc", + "Load Test Contributor": "/providers/Microsoft.Authorization/roleDefinitions/749a398d-560b-491b-bb21-08924219302e", + "Load Test Owner": "/providers/Microsoft.Authorization/roleDefinitions/45bb0b16-2f0c-4e78-afaa-a07599b003f6", + "Load Test Reader": "/providers/Microsoft.Authorization/roleDefinitions/3ae3fb29-0000-4ccd-bf80-542e7b26e081", + "LocalNGFirewallAdministrator role": "/providers/Microsoft.Authorization/roleDefinitions/a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2", + "LocalRulestacksAdministrator role": "/providers/Microsoft.Authorization/roleDefinitions/bfc3b73d-c6ff-45eb-9a5f-40298295bf20", + "Log Analytics Contributor": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "Log Analytics Reader": "/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893", + "Logic App Contributor": "/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e", + "Logic App Operator": "/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe", + "Managed Application Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e", + "Managed Application Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae", + 
"Managed Applications Reader": "/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44", + "Managed HSM contributor": "/providers/Microsoft.Authorization/roleDefinitions/18500a29-7fe2-46b2-a342-b16a415e101d", + "Managed Identity Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59", + "Managed Identity Operator": "/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830", + "Managed Services Registration assignment Delete Role": "/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46", + "Management Group Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c", + "Management Group Reader": "/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-497d-ac71-919bf39d939d", + "Media Services Account Administrator": "/providers/Microsoft.Authorization/roleDefinitions/054126f8-9a2b-4f1c-a9ad-eca461f08466", + "Media Services Live Events Administrator": "/providers/Microsoft.Authorization/roleDefinitions/532bc159-b25e-42c0-969e-a1d439f60d77", + "Media Services Media Operator": "/providers/Microsoft.Authorization/roleDefinitions/e4395492-1534-4db2-bedf-88c14621589c", + "Media Services Policy Administrator": "/providers/Microsoft.Authorization/roleDefinitions/c4bba371-dacd-4a26-b320-7250bca963ae", + "Media Services Streaming Endpoints Administrator": "/providers/Microsoft.Authorization/roleDefinitions/99dba123-b5fe-44d5-874c-ced7199a5804", + "Microsoft Sentinel Automation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/f4c81013-99ee-4d62-a7ee-b3f1f648599a", + "Microsoft Sentinel Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade", + "Microsoft Sentinel Playbook Operator": "/providers/Microsoft.Authorization/roleDefinitions/51d6186e-6489-4900-b93f-92e23144cca5", + "Microsoft Sentinel Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb", + "Microsoft Sentinel Responder": "/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056", + "Microsoft.Kubernetes connected cluster role": "/providers/Microsoft.Authorization/roleDefinitions/5548b2cf-c94c-4228-90ba-30851930a12f", + "Monitoring Contributor": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "Monitoring Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/b0d8363b-8ddd-447d-831f-62ca05bff136", + "Monitoring Metrics Publisher": "/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb", + "Monitoring Reader": "/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05", + "MySQL Backup And Export Operator": "/providers/Microsoft.Authorization/roleDefinitions/d18ad5f3-1baf-4119-b49b-d944edb1f9d0", + "Network Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", + "New Relic APM Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d28c62d-5b37-4476-8438-e587778df237", + "Object Anchors Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/ca0835dd-bacc-42dd-8ed2-ed5e7230d15b", + "Object Anchors Account Reader": "/providers/Microsoft.Authorization/roleDefinitions/4a167cdf-cb95-4554-9203-2347fe489bd9", + "Object Understanding Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/4dd61c23-6743-42fe-a388-d8bdd41cb745", + "Object Understanding Account Reader": "/providers/Microsoft.Authorization/roleDefinitions/d18777c0-1514-4662-8490-608db7d334b6", + "Owner": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635", + "PlayFab Contributor": "/providers/Microsoft.Authorization/roleDefinitions/0c8b84dc-067c-4039-9615-fa1a4b77c726", + "PlayFab Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/a9a19cc5-31f4-447c-901f-56c0bb18fcaf", + "Policy Insights Data Writer (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/66bb4e9e-b016-4a94-8249-4c0511c2be84", + "Private DNS Zone Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f", + "Project Babylon Data Curator": "/providers/Microsoft.Authorization/roleDefinitions/9ef4ef9c-a049-46b0-82ab-dd8ac094c889", + "Project Babylon Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/c8d896ba-346d-4f50-bc1d-7d1c84130446", + "Project Babylon Data Source Administrator": "/providers/Microsoft.Authorization/roleDefinitions/05b7651b-dc44-475e-b74d-df3db49fae0f", + "Purview role 1 (Deprecated)": "/providers/Microsoft.Authorization/roleDefinitions/8a3c2885-9b38-4fd2-9d99-91af537c1347", + "Purview role 2 (Deprecated)": "/providers/Microsoft.Authorization/roleDefinitions/200bba9e-f0c8-430f-892b-6f0794863803", + "Purview role 3 (Deprecated)": "/providers/Microsoft.Authorization/roleDefinitions/ff100721-1b9d-43d8-af52-42b69c1272db", + "Quota Request Operator": "/providers/Microsoft.Authorization/roleDefinitions/0e5f05e5-9ab9-446b-b98d-1e2157c94125", + "Reader": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7", + "Reader and Data Access": "/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349", + "Redis Cache Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17", + "Remote Rendering Administrator": "/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e", + "Remote Rendering Client": "/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a", + "Reservation Purchaser": "/providers/Microsoft.Authorization/roleDefinitions/f7b75c60-3036-4b75-91c3-6b41c27c1689", + "Resource Policy Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608", + "Role Based Access Control Administrator (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/f58310d9-a9f6-439a-9e8d-f62e7b41a168", + "Scheduled Patching Contributor": "/providers/Microsoft.Authorization/roleDefinitions/cd08ab90-6b14-449c-ad9a-8f8e549482c6", + "Scheduler Job Collections Contributor": "/providers/Microsoft.Authorization/roleDefinitions/188a0f2f-5c9e-469b-ae67-2aa5ce574b94", + "Schema Registry Contributor (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/5dffeca3-4936-4216-b2bc-10343a5abb25", + "Schema Registry Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/2c56ea50-c6b3-40a6-83c0-9d98858bc7d2", + "Search Index Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8ebe5a00-799e-43f5-93ac-243d3dce84a7", + "Search Index Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/1407120a-92aa-4202-b7e9-c0e197c71c8f", + "Search Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0", + "Security Admin": "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd", + "Security Assessment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5", + "Security Detonation Chamber Publisher": "/providers/Microsoft.Authorization/roleDefinitions/352470b3-6a9c-4686-b503-35deb827e500", + "Security Detonation Chamber Reader": "/providers/Microsoft.Authorization/roleDefinitions/28241645-39f8-410b-ad48-87863e2951d5", + "Security Detonation Chamber Submission Manager": "/providers/Microsoft.Authorization/roleDefinitions/a37b566d-3efa-4beb-a2f2-698963fa42ce", + "Security Detonation Chamber Submitter": "/providers/Microsoft.Authorization/roleDefinitions/0b555d9b-b4a7-4f43-b330-627f0e5be8f0", + "Security Manager (Legacy)": 
"/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10", + "Security Reader": "/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4", + "Services Hub Operator": "/providers/Microsoft.Authorization/roleDefinitions/82200a5b-e217-47a5-b665-6d8765ee745b", + "SignalR AccessKey Reader": "/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e", + "SignalR App Server": "/providers/Microsoft.Authorization/roleDefinitions/420fcaa2-552c-430f-98ca-3264be4806c7", + "SignalR REST API Owner": "/providers/Microsoft.Authorization/roleDefinitions/fd53cd77-2268-407a-8f46-7e7863d0f521", + "SignalR REST API Reader": "/providers/Microsoft.Authorization/roleDefinitions/ddde6b66-c0df-4114-a159-3618637b3035", + "SignalR Service Owner": "/providers/Microsoft.Authorization/roleDefinitions/7e4f1700-ea5a-4f59-8f37-079cfe29dce3", + "SignalR/Web PubSub Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761", + "Site Recovery Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567", + "Site Recovery Operator": "/providers/Microsoft.Authorization/roleDefinitions/494ae006-db33-4328-bf46-533a6560a3ca", + "Site Recovery Reader": "/providers/Microsoft.Authorization/roleDefinitions/dbaa88c4-0c30-4179-9fb3-46319faa6149", + "Spatial Anchors Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827", + "Spatial Anchors Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c", + "Spatial Anchors Account Reader": "/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413", + "SQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec", + "SQL Managed Instance Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d", + "SQL Security Manager": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3", + "SQL Server Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437", + "SqlDb Migration Role": "/providers/Microsoft.Authorization/roleDefinitions/189207d4-bb67-4208-a635-b06afe8b2c57", + "SqlMI Migration Role": "/providers/Microsoft.Authorization/roleDefinitions/1d335eef-eee1-47fe-a9e0-53214eba8872", + "SqlVM Migration Role": "/providers/Microsoft.Authorization/roleDefinitions/ae8036db-e102-405b-a1b9-bae082ea436d", + "Storage Account Backup Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1", + "Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab", + "Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12", + "Storage Blob Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe", + "Storage Blob Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b", + "Storage Blob Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1", + "Storage Blob Delegator": "/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a", + "Storage File Data SMB Share Contributor": "/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb", + "Storage File Data SMB Share Elevated Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7", + "Storage File Data SMB Share Reader": "/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314", + "Storage Queue Data 
Contributor": "/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88", + "Storage Queue Data Message Processor": "/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed", + "Storage Queue Data Message Sender": "/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a", + "Storage Queue Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925", + "Storage Table Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3", + "Storage Table Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/76199698-9eea-4c19-bc75-cec21354c6b6", + "Stream Analytics Query Tester": "/providers/Microsoft.Authorization/roleDefinitions/1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf", + "Support Request Contributor": "/providers/Microsoft.Authorization/roleDefinitions/cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e", + "Tag Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f", + "Template Spec Contributor": "/providers/Microsoft.Authorization/roleDefinitions/1c9b6475-caf0-4164-b5a1-2142a7116f4b", + "Template Spec Reader": "/providers/Microsoft.Authorization/roleDefinitions/392ae280-861d-42bd-9ea5-08ee6d83b80e", + "Test Base Reader": "/providers/Microsoft.Authorization/roleDefinitions/15e0f5a1-3450-4248-8e25-e2afe88a9e85", + "Traffic Manager Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7", + "User Access Administrator": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9", + "Video Indexer Restricted Viewer": "/providers/Microsoft.Authorization/roleDefinitions/a2c4a527-7dc0-4ee3-897b-403ade70fafb", + "Virtual Machine Administrator Login": "/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4", + "Virtual Machine Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
+ "Virtual Machine Local User Login": "/providers/Microsoft.Authorization/roleDefinitions/602da2ba-a5c2-41da-b01d-5360126ab525",
+ "Virtual Machine User Login": "/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52",
+ "VM Scanner Operator": "/providers/Microsoft.Authorization/roleDefinitions/d24ecba3-c1f4-40fa-a7bb-4588a071e8fd",
+ "Web Plan Contributor": "/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b",
+ "Web PubSub Service Owner (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/12cf5a90-567b-43ae-8102-96cf46c7d9b4",
+ "Web PubSub Service Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/bfb1c7d2-fb1a-466b-b2ba-aee63b92deaf",
+ "Website Contributor": "/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772",
+ "Windows Admin Center Administrator Login": "/providers/Microsoft.Authorization/roleDefinitions/a6333a3e-0164-44c3-b281-7a577aff287f",
+ "Workbook Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad",
+ "Workbook Reader": "/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-42a0-92ae-8b3cf002ec4d",
+ "WorkloadBuilder Migration Agent Role": "/providers/Microsoft.Authorization/roleDefinitions/d17ce0a2-0697-43bc-aac5-9113337ab61c"
+ },
+ "roleDefinitionIdVar": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]"
+ },
+ "resources": [
+ {
+ "condition": "[parameters('enableDefaultTelemetry')]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2021-04-01",
+ "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": []
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2022-04-01",
+ "name": "[guid(parameters('subscriptionId'), parameters('resourceGroupName'), variables('roleDefinitionIdVar'), parameters('principalId'))]",
+ "properties": {
+ "roleDefinitionId": "[variables('roleDefinitionIdVar')]",
+ "principalId": "[parameters('principalId')]",
+ "description": "[if(not(empty(parameters('description'))), parameters('description'), null())]",
+ "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]",
+ "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]",
+ "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]",
+ "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]"
+ }
+ }
+ ],
+ "outputs": {
+ "name": {
+ "type": "string",
+ "metadata": {
+ "description": "The GUID of the Role Assignment."
+ },
+ "value": "[guid(parameters('subscriptionId'), parameters('resourceGroupName'), variables('roleDefinitionIdVar'), parameters('principalId'))]"
+ },
+ "resourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "The resource ID of the Role Assignment."
+ },
+ "value": "[resourceId('Microsoft.Authorization/roleAssignments', guid(parameters('subscriptionId'), parameters('resourceGroupName'), variables('roleDefinitionIdVar'), parameters('principalId')))]"
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the resource group the role assignment was applied at."
+ },
+ "value": "[resourceGroup().name]"
+ },
+ "scope": {
+ "type": "string",
+ "metadata": {
+ "description": "The scope this Role Assignment applies to."
+ },
+ "value": "[resourceGroup().id]"
+ }
+ }
+ }
+ }
+ },
+ {
+ "copy": {
+ "name": "DesktopVirtualizationVirtualMachineContributorRoleAssign",
+ "count": "[length(parameters('securityPrincipalIds'))]"
+ },
+ "condition": "[and(and(parameters('createStorageDeployment'), equals(parameters('identityServiceProvider'), 'AAD')), not(empty(parameters('securityPrincipalIds'))))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2022-09-01",
+ "name": "[format('Stora-VMCont-RolAssign-{0}-{1}', take(format('{0}', parameters('securityPrincipalIds')[copyIndex()]), 6), parameters('time'))]",
+ "subscriptionId": "[format('{0}', parameters('subscriptionId'))]",
+ "resourceGroup": "[format('{0}', parameters('serviceObjectsRgName'))]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "roleDefinitionIdOrName": {
+ "value": "[format('/subscriptions/{0}/providers/Microsoft.Authorization/roleDefinitions/{1}', parameters('subscriptionId'), variables('varDesktopVirtualizationVirtualMachineContributorRole').id)]"
+ },
+ "principalId": {
+ "value": "[parameters('securityPrincipalIds')[copyIndex()]]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.17.1.54307",
+ "templateHash": "10569201387143117913"
 }
 },
 "parameters": {
@@ -18970,12 +19570,12 @@
 {
 "copy": {
 "name": "aadIdentityLoginRoleAssign",
- "count": "[length(parameters('appGroupIdentitiesIds'))]"
+ "count": "[length(parameters('securityPrincipalIds'))]"
 },
- "condition": "[and(equals(parameters('identityServiceProvider'), 'AAD'), not(empty(parameters('appGroupIdentitiesIds'))))]",
+ "condition": "[and(equals(parameters('identityServiceProvider'), 'AAD'), not(empty(parameters('securityPrincipalIds'))))]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2022-09-01",
- "name": "[format('VM-Login-Comp-{0}-{1}', take(format('{0}', parameters('appGroupIdentitiesIds')[copyIndex()]), 6), parameters('time'))]",
+ "name": "[format('VM-Login-Comp-{0}-{1}', take(format('{0}', parameters('securityPrincipalIds')[copyIndex()]), 6), parameters('time'))]",
 "subscriptionId": "[format('{0}', parameters('subscriptionId'))]",
 "resourceGroup": "[format('{0}', parameters('computeObjectsRgName'))]",
 "properties": {
@@ -18988,7 +19588,7 @@
 "value": "[format('/subscriptions/{0}/providers/Microsoft.Authorization/roleDefinitions/{1}', parameters('subscriptionId'), variables('varVirtualMachineUserLoginRole').id)]"
 },
 "principalId": {
- "value": "[parameters('appGroupIdentitiesIds')[copyIndex()]]"
+ "value": "[parameters('securityPrincipalIds')[copyIndex()]]"
 }
 },
 "template": {
@@ -18997,8 +19597,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "16771064281561658183"
+ "version": "0.17.1.54307",
+ "templateHash": "10569201387143117913"
 }
 },
 "parameters": {
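Review bot: The guard `not(empty(parameters('securityPrincipalIds')))` on the `condition` line only tests that the array is non-empty, not that its entries are; the top-level template now takes a single `securityPrincipalId` string defaulting to `""`, so if the caller wraps that value into this array (how the array is built is outside this hunk, so this is inferred) an empty-string principal would pass the condition and the `Virtual Machine User Login` assignment would fail at deployment time. Either filter empty entries where the array is built, or tighten the per-iteration condition, e.g. `"condition": "[and(equals(parameters('identityServiceProvider'), 'AAD'), not(empty(parameters('securityPrincipalIds'))), not(empty(parameters('securityPrincipalIds')[copyIndex()])))]"`, since ARM evaluates a copy-loop condition for each element. The `aadIdentityLoginAccessServiceObjects` hunk below has the same shape and would need the same treatment. Separately, the `_generator` hunks here and throughout the rest of the file record the compiler version moving from `0.18.4.5664` back to `0.17.1.54307`, i.e. this artifact was compiled with an older Bicep than the previous commit; regenerating with the toolchain version the repository pins keeps the `templateHash` values reproducible across contributors.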
@@ -19550,12 +20150,12 @@
 {
 "copy": {
 "name": "aadIdentityLoginAccessServiceObjects",
- "count": "[length(parameters('appGroupIdentitiesIds'))]"
+ "count": "[length(parameters('securityPrincipalIds'))]"
 },
- "condition": "[and(equals(parameters('identityServiceProvider'), 'AAD'), not(empty(parameters('appGroupIdentitiesIds'))))]",
+ "condition": "[and(equals(parameters('identityServiceProvider'), 'AAD'), not(empty(parameters('securityPrincipalIds'))))]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2022-09-01",
- "name": "[format('VM-Login-Serv-{0}-{1}', take(format('{0}', parameters('appGroupIdentitiesIds')[copyIndex()]), 6), parameters('time'))]",
+ "name": "[format('VM-Login-Serv-{0}-{1}', take(format('{0}', parameters('securityPrincipalIds')[copyIndex()]), 6), parameters('time'))]",
 "subscriptionId": "[format('{0}', parameters('subscriptionId'))]",
 "resourceGroup": "[format('{0}', parameters('serviceObjectsRgName'))]",
 "properties": {
@@ -19568,7 +20168,7 @@
 "value": "[format('/subscriptions/{0}/providers/Microsoft.Authorization/roleDefinitions/{1}', parameters('subscriptionId'), variables('varVirtualMachineUserLoginRole').id)]"
 },
 "principalId": {
- "value": "[parameters('appGroupIdentitiesIds')[copyIndex()]]"
+ "value": "[parameters('securityPrincipalIds')[copyIndex()]]"
 }
 },
 "template": {
@@ -19577,8 +20177,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "16771064281561658183"
+ "version": "0.17.1.54307",
+ "templateHash": "10569201387143117913"
 }
 },
 "parameters": {
@@ -20151,8 +20751,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "16771064281561658183"
+ "version": "0.17.1.54307",
+ "templateHash": "10569201387143117913"
 }
 },
 "parameters": {
@@ -20794,8 +21394,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "13817365626687960451"
+ "version": "0.17.1.54307",
+ "templateHash": "17889562964122918259"
 }
 },
 "parameters": {
@@ -20961,8 +21561,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "2291336375760157964"
+ "version": "0.17.1.54307",
+ "templateHash": "5657647834665443119"
 }
 },
 "parameters": {
@@ -21150,8 +21750,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "12228099095722756446"
+ "version": "0.17.1.54307",
+ "templateHash": "17165573628970783202"
 }
 },
 "parameters": {
@@ -21420,8 +22020,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "7109016207306775504"
+ "version": "0.17.1.54307",
+ "templateHash": "13416191842446717007"
 }
 },
 "parameters": {
@@ -21514,8 +22114,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "12228099095722756446"
+ "version": "0.17.1.54307",
+ "templateHash": "17165573628970783202"
 }
 },
 "parameters": {
@@ -21784,8 +22384,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "7109016207306775504"
+ "version": "0.17.1.54307",
+ "templateHash": "13416191842446717007"
 }
 },
 "parameters": {
@@ -21854,8 +22454,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "16771064281561658183"
+ "version": "0.17.1.54307",
+ "templateHash": "10569201387143117913"
 }
 },
 "parameters": {
@@ -22438,8 +23038,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "16771064281561658183"
+ "version": "0.17.1.54307",
+ "templateHash": "10569201387143117913"
 }
 },
 "parameters": {
@@ -23019,8 +23619,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "15737913196788172522"
+ "version": "0.17.1.54307",
+ "templateHash": "15136491551081535379"
 }
 },
 "parameters": {
@@ -23142,8 +23742,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "943002000979437913"
+ "version": "0.17.1.54307",
+ "templateHash": "8490200634198428200"
 }
 },
 "parameters": {
@@ -23346,8 +23946,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "14509232230386518393"
+ "version": "0.17.1.54307",
+ "templateHash": "6119857452463366145"
 }
 },
 "parameters": {
@@ -23643,8 +24243,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "16771064281561658183"
+ "version": "0.17.1.54307",
+ "templateHash": "10569201387143117913"
 }
 },
 "parameters": {
@@ -24253,8 +24853,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "7227063824414734829"
+ "version": "0.17.1.54307",
+ "templateHash": "14254441080044712526"
 }
 },
 "parameters": {
@@ -24394,8 +24994,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "1658651451767507348"
+ "version": "0.17.1.54307",
+ "templateHash": "13715192960596594863"
 }
 },
 "parameters": {
@@ -24772,8 +25372,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "10979748506364891487"
+ "version": "0.17.1.54307",
+ "templateHash": "6036891804343016093"
 }
 },
 "parameters": {
@@ -24904,8 +25504,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "13473011612578499281"
+ "version": "0.17.1.54307",
+ "templateHash": "8593614529812859648"
 }
 },
 "parameters": {
@@ -25041,8 +25641,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "12036621733642341793"
+ "version": "0.17.1.54307",
+ "templateHash": "7411396567157179257"
 }
 },
 "parameters": {
@@ -25236,8 +25836,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "3591721400415712312"
+ "version": "0.17.1.54307",
+ "templateHash": "1124355010779190486"
 }
 },
 "parameters": {
@@ -25419,8 +26019,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "4889573445396956380"
+ "version": "0.17.1.54307",
+ "templateHash": "7260777690340402293"
 }
 },
 "parameters": {
@@ -25622,8 +26222,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "12991773916541265724"
+ "version": "0.17.1.54307",
+ "templateHash": "7311288048246157848"
 }
 },
 "parameters": {
@@ -25819,8 +26419,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "3520683536217550590"
+ "version": "0.17.1.54307",
+ "templateHash": "12718574346799900200"
 }
 },
 "parameters": {
@@ -25954,8 +26554,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "11724106538771429164"
+ "version": "0.17.1.54307",
+ "templateHash": "12287935360262920219"
 }
 },
 "parameters": {
@@ -26168,8 +26768,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "7774490315865318008"
+ "version": "0.17.1.54307",
+ "templateHash": "2925986724999389514"
 }
 },
 "parameters": {
@@ -26399,8 +26999,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "3591721400415712312"
+ "version": "0.17.1.54307",
+ "templateHash": "1124355010779190486"
 }
 },
 "parameters": {
@@ -26582,8 +27182,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "4889573445396956380"
+ "version": "0.17.1.54307",
+ "templateHash": "7260777690340402293"
  }
  },
  "parameters": {
@@ -26785,8 +27385,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "16707004874708060114"
+ "version": "0.17.1.54307",
+ "templateHash": "9857842888967195839"
  }
  },
  "parameters": {
@@ -26996,8 +27596,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "12172667945223907975"
+ "version": "0.17.1.54307",
+ "templateHash": "2377303483140510674"
  }
  },
  "parameters": {
@@ -27072,8 +27672,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "2530846489831075796"
+ "version": "0.17.1.54307",
+ "templateHash": "1764649882380429233"
  }
  },
  "parameters": {
@@ -27144,8 +27744,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "10979748506364891487"
+ "version": "0.17.1.54307",
+ "templateHash": "6036891804343016093"
  }
  },
  "parameters": {
@@ -27275,8 +27875,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "5693310049980820424"
+ "version": "0.17.1.54307",
+ "templateHash": "205693325076049461"
  }
  },
  "parameters": {
@@ -27543,8 +28143,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "1658651451767507348"
+ "version": "0.17.1.54307",
+ "templateHash": "13715192960596594863"
  }
  },
  "parameters": {
@@ -27921,8 +28521,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "10979748506364891487"
+ "version": "0.17.1.54307",
+ "templateHash": "6036891804343016093"
  }
  },
  "parameters": {
@@ -28053,8 +28653,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "13473011612578499281"
+ "version": "0.17.1.54307",
+ "templateHash": "8593614529812859648"
  }
  },
  "parameters": {
@@ -28190,8 +28790,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "12036621733642341793"
+ "version": "0.17.1.54307",
+ "templateHash": "7411396567157179257"
  }
  },
  "parameters": {
@@ -28385,8 +28985,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "3591721400415712312"
+ "version": "0.17.1.54307",
+ "templateHash": "1124355010779190486"
  }
  },
  "parameters": {
@@ -28568,8 +29168,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "4889573445396956380"
+ "version": "0.17.1.54307",
+ "templateHash": "7260777690340402293"
  }
  },
  "parameters": {
@@ -28771,8 +29371,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "12991773916541265724"
+ "version": "0.17.1.54307",
+ "templateHash": "7311288048246157848"
  }
  },
  "parameters": {
@@ -28968,8 +29568,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "3520683536217550590"
+ "version": "0.17.1.54307",
+ "templateHash": "12718574346799900200"
  }
  },
  "parameters": {
@@ -29103,8 +29703,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "11724106538771429164"
+ "version": "0.17.1.54307",
+ "templateHash": "12287935360262920219"
  }
  },
  "parameters": {
@@ -29317,8 +29917,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "7774490315865318008"
+ "version": "0.17.1.54307",
+ "templateHash": "2925986724999389514"
  }
  },
  "parameters": {
@@ -29569,8 +30169,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "8575582116594416846"
+ "version": "0.17.1.54307",
+ "templateHash": "10639627576867642146"
  }
  },
  "parameters": {
@@ -29850,8 +30450,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "16231583765337904850"
+ "version": "0.17.1.54307",
+ "templateHash": "4750663240724101154"
  }
  },
  "parameters": {
@@ -30698,8 +31298,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "17209228417067578044"
+ "version": "0.17.1.54307",
+ "templateHash": "18094190582004938279"
  }
  },
  "parameters": {
@@ -30859,8 +31459,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "9360762827164855564"
+ "version": "0.17.1.54307",
+ "templateHash": "9163854717969965207"
  }
  },
  "parameters": {
@@ -31192,8 +31792,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "8727835156180887119"
+ "version": "0.17.1.54307",
+ "templateHash": "9526391067242259796"
  }
  },
  "parameters": {
@@ -31447,8 +32047,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "9874341872740922868"
+ "version": "0.17.1.54307",
+ "templateHash": "2878979907665862463"
  }
  },
  "parameters": {
@@ -31745,8 +32345,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "12339568584101080218"
+ "version": "0.17.1.54307",
+ "templateHash": "934300040337690336"
  }
  },
  "parameters": {
@@ -31961,8 +32561,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "1490032793186823332"
+ "version": "0.17.1.54307",
+ "templateHash": "3345220041904522099"
  }
  },
  "parameters": {
@@ -32164,8 +32764,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "1490032793186823332"
+ "version": "0.17.1.54307",
+ "templateHash": "3345220041904522099"
  }
  },
  "parameters": {
@@ -32362,8 +32962,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "1490032793186823332"
+ "version": "0.17.1.54307",
+ "templateHash": "3345220041904522099"
  }
  },
  "parameters": {
@@ -32565,8 +33165,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "1490032793186823332"
+ "version": "0.17.1.54307",
+ "templateHash": "3345220041904522099"
  }
  },
  "parameters": {
@@ -32758,8 +33358,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "1490032793186823332"
+ "version": "0.17.1.54307",
+ "templateHash": "3345220041904522099"
  }
  },
  "parameters": {
@@ -32951,8 +33551,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "1490032793186823332"
+ "version": "0.17.1.54307",
+ "templateHash": "3345220041904522099"
  }
  },
  "parameters": {
@@ -33148,8 +33748,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "1490032793186823332"
+ "version": "0.17.1.54307",
+ "templateHash": "3345220041904522099"
  }
  },
  "parameters": {
@@ -33353,8 +33953,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "1490032793186823332"
+ "version": "0.17.1.54307",
+ "templateHash": "3345220041904522099"
  }
  },
  "parameters": {
@@ -33551,8 +34151,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "1490032793186823332"
+ "version": "0.17.1.54307",
+ "templateHash": "3345220041904522099"
  }
  },
  "parameters": {
@@ -33752,8 +34352,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "9244336776798438387"
+ "version": "0.17.1.54307",
+ "templateHash": "542004733048752795"
  }
  },
  "parameters": {
@@ -33918,8 +34518,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "16997355648608834977"
+ "version": "0.17.1.54307",
+ "templateHash": "5545265229641785727"
  }
  },
  "parameters": {
@@ -34135,8 +34735,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "14509232230386518393"
+ "version": "0.17.1.54307",
+ "templateHash": "6119857452463366145"
  }
  },
  "parameters": {
@@ -34431,6 +35031,9 @@
  "storagePurpose": {
  "value": "fslogix"
  },
+ "storageSolution": {
+ "value": "[parameters('fslogixStorageSolution')]"
+ },
  "fileShareName": {
  "value": "[variables('varFslogixFileShareName')]"
  },
@@ -34438,27 +35041,27 @@
  "storageSku": {
  "value": "[variables('varFslogixStorageSku')]"
  },
+ "securityPrincipalName": {
+ "value": "[parameters('securityPrincipalName')]"
+ },
  "fileShareQuotaSize": {
  "value": "[parameters('fslogixFileShareQuotaSize')]"
  },
  "storageAccountName": {
  "value": "[variables('varFslogixStorageName')]"
  },
- "storageToDomainScript": {
- "value": "[variables('varStorageToDomainScript')]"
+ "netBios": {
+ "value": "[parameters('netBios')]"
+ },
+ "artifactsLocation": {
+ "value": "[variables('varArtifactsLocation')]"
  },
- "storageToDomainScriptUri": {
- "value": "[variables('varStorageToDomainScriptUri')]"
+ "KerberosEncryption": {
+ "value": "[parameters('kerberosEncryption')]"
  },
  "identityServiceProvider": {
  "value": "[parameters('avdIdentityServiceProvider')]"
  },
- "dscAgentPackageLocation": {
- "value": "[variables('varStorageAzureFilesDscAgentPackageLocation')]"
- },
- "storageCustomOuPath": {
- "value": "[variables('varStorageCustomOuPath')]"
- },
  "managementVmName": {
  "value": "[variables('varManagementVmName')]"
  },
@@ -34468,9 +35071,6 @@
  "ouStgPath": {
  "value": "[variables('varOuStgPath')]"
  },
- "createOuForStorageString": {
- "value": "[variables('varCreateOuForStorageString')]"
- },
  "managedIdentityClientId": "[if(variables('varCreateStorageDeployment'), createObject('value', reference(subscriptionResourceId('Microsoft.Resources/deployments', format('Identities-And-RoleAssign-{0}', parameters('time'))), '2022-09-01').outputs.managedIdentityStorageClientId.value), createObject('value', ''))]",
  "domainJoinUserName": {
  "value": "[parameters('avdDomainJoinUserName')]"
@@ -34510,8 +35110,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "5108709096061162439"
+ "version": "0.17.1.54307",
+ "templateHash": "14551661465400904735"
  }
  },
  "parameters": {
@@ -34539,6 +35139,12 @@
  "description": "Resource Group Name for management VM."
  }
  },
+ "securityPrincipalName": {
+ "type": "string",
+ "metadata": {
+ "description": "Optional, Identity name array to grant RBAC role to access AVD application group and NTFS permissions. (Default: \"\")"
+ }
+ },
  "storageAccountName": {
  "type": "string",
  "metadata": {
@@ -34611,18 +35217,6 @@
  "description": "Use Azure private DNS zones for private endpoints."
  }
  },
- "storageToDomainScript": {
- "type": "string",
- "metadata": {
- "description": "Script name for adding storage account to Active Directory."
- }
- },
- "storageToDomainScriptUri": {
- "type": "string",
- "metadata": {
- "description": "URI for the script for adding the storage account to Active Directory."
- }
- },
  "tags": {
  "type": "object",
  "metadata": {
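Review bot: The `securityPrincipalName` parameter added in the `@@ -34539,6 +35139,12 @@` hunk is declared as `"type": "string"` with no `defaultValue`, yet its description says "Identity name array" and "(Default: \"\")", so the text describes neither the type nor a default that exists. Either add `"defaultValue": ""` so the parameter is genuinely optional, or reword the description to `"Identity name to grant RBAC role to access AVD application group and NTFS permissions."`. The same parameter block is repeated verbatim in the `@@ -38792,6 +39402,12 @@` hunk and should be aligned there too.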
@@ -34666,40 +35260,57 @@
  "description": "Sets purpose of the storage account."
  }
  },
- "dscAgentPackageLocation": {
+ "ouStgPath": {
  "type": "string",
  "metadata": {
- "description": "Sets location of DSC Agent."
+ "description": "OU Storage Path"
  }
  },
- "storageCustomOuPath": {
+ "managedIdentityClientId": {
  "type": "string",
  "metadata": {
- "description": "Custom OU path for storage."
+ "description": "Managed Identity Client ID"
  }
  },
- "ouStgPath": {
+ "KerberosEncryption": {
  "type": "string",
  "metadata": {
- "description": "OU Storage Path"
+ "description": "Kerberos Encryption. Default is AES256."
  }
  },
- "createOuForStorageString": {
+ "artifactsLocation": {
  "type": "string",
  "metadata": {
- "description": "If OU for Azure Storage needs to be created - set to true and ensure the domain join credentials have priviledge to create OU and create computer objects or join to domain."
+ "description": "Location of script. Default is located in workload/scripts"
  }
  },
- "managedIdentityClientId": {
+ "storageSolution": {
  "type": "string",
  "metadata": {
- "description": "Managed Identity Client ID"
+ "description": "Storage Solution."
+ },
+ "allowedValues": [
+ "AzureStorageAccount",
+ "AzureNetappFiles"
+ ]
+ },
+ "storageCount": {
+ "type": "int",
+ "defaultValue": 1
+ },
+ "storageIndex": {
+ "type": "int",
+ "defaultValue": 1
+ },
+ "netBios": {
+ "type": "string",
+ "metadata": {
+ "description": "Netbios name, will be used to set NTFS file share permissions."
  }
  }
  },
  "variables": {
- "varAzureCloudName": "[environment().name]",
- "varStoragePurposeLower": "[toLower(parameters('storagePurpose'))]",
+ "varActiveDirectorySolution": "[if(not(equals(parameters('identityServiceProvider'), 'AAD')), 'ActiveDirectoryDomainServices', '')]",
  "varAvdFileShareLogsDiagnostic": [
  "allLogs"
  ],
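Review bot: The nested `KerberosEncryption` parameter in this hunk accepts any string even though its own description names AES256 as the default and the value is spliced straight into the `-KerberosEncryptionType` argument of the script command; it should carry `"allowedValues": ["AES256", "RC4"]` like `storageSolution` does, so the module validates its input itself and RC4 remains an explicit, reviewable choice rather than whatever string arrives. `KerberosEncryption` is also the only PascalCase name among otherwise camelCase parameters (`netBios`, `storageSolution`, `ouStgPath`), and `storageCount`/`storageIndex` are the only parameters here without a `metadata.description`. The identical block is repeated in the `@@ -38919,40 +39523,57 @@` hunk.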
@@ -34707,8 +35318,7 @@
  "Transaction"
  ],
  "varWrklStoragePrivateEndpointName": "[format('pe-{0}-file', parameters('storageAccountName'))]",
- "vardirectoryServiceOptions": "[if(equals(parameters('identityServiceProvider'), 'AADDS'), 'AADDS', if(equals(parameters('identityServiceProvider'), 'AAD'), 'AADKERB', 'None'))]",
- "varStorageToDomainScriptArgs": "[format('-DscPath {0} -StorageAccountName {1} -StorageAccountRG {2} -StoragePurpose {3} -DomainName {4} -IdentityServiceProvider {5} -AzureCloudEnvironment {6} -SubscriptionId {7} -DomainAdminUserName {8} -CustomOuPath {9} -OUName {10} -CreateNewOU {11} -ShareName {12} -ClientId {13}', parameters('dscAgentPackageLocation'), parameters('storageAccountName'), parameters('storageObjectsRgName'), parameters('storagePurpose'), parameters('identityDomainName'), parameters('identityServiceProvider'), variables('varAzureCloudName'), parameters('workloadSubsId'), parameters('domainJoinUserName'), parameters('storageCustomOuPath'), parameters('ouStgPath'), parameters('createOuForStorageString'), parameters('fileShareName'), parameters('managedIdentityClientId'))]"
+ "varDirectoryServiceOptions": "[if(equals(parameters('identityServiceProvider'), 'AADDS'), 'AADDS', if(equals(parameters('identityServiceProvider'), 'AAD'), 'AADKERB', 'None'))]"
  },
  "resources": [
  {
@@ -34739,7 +35349,7 @@
  "kind": "[if(or(equals(toLower(parameters('storageSku')), toLower('Premium_LRS')), equals(toLower(parameters('storageSku')), toLower('Premium_ZRS'))), createObject('value', 'FileStorage'), createObject('value', 'StorageV2'))]",
  "azureFilesIdentityBasedAuthentication": {
  "value": {
- "directoryServiceOptions": "[variables('vardirectoryServiceOptions')]",
+ "directoryServiceOptions": "[variables('varDirectoryServiceOptions')]",
  "activeDirectoryProperties": "[if(equals(parameters('identityServiceProvider'), 'AAD'), createObject('domainGuid', parameters('identityDomainGuid'), 'domainName', parameters('identityDomainName')), createObject())]"
  }
  },
@@ -34778,8 +35388,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "10333603057132654028"
+ "version": "0.17.1.54307",
+ "templateHash": "14819659584479701354"
  }
  },
  "parameters": {
@@ -35339,8 +35949,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "17399845773033742131"
+ "version": "0.17.1.54307",
+ "templateHash": "14509829261817545327"
  }
  },
  "parameters": {
@@ -35534,8 +36144,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "12991773916541265724"
+ "version": "0.17.1.54307",
+ "templateHash": "7311288048246157848"
  }
  },
  "parameters": {
@@ -35731,8 +36341,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "3520683536217550590"
+ "version": "0.17.1.54307",
+ "templateHash": "12718574346799900200"
  }
  },
  "parameters": {
@@ -35866,8 +36476,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "11724106538771429164"
+ "version": "0.17.1.54307",
+ "templateHash": "12287935360262920219"
  }
  },
  "parameters": {
@@ -36073,8 +36683,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "5299530817966477918"
+ "version": "0.17.1.54307",
+ "templateHash": "6611019192370176160"
  }
  },
  "parameters": {
@@ -36197,8 +36807,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "4867276107242068354"
+ "version": "0.17.1.54307",
+ "templateHash": "887985521850583920"
  }
  },
  "parameters": {
@@ -36355,8 +36965,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "15213751123686607933"
+ "version": "0.17.1.54307",
+ "templateHash": "459680222498554457"
  }
  },
  "parameters": {
@@ -36584,8 +37194,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "8477599286867291799"
+ "version": "0.17.1.54307",
+ "templateHash": "4711998299496378361"
  }
  },
  "parameters": {
@@ -36698,8 +37308,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "2796131294243404206"
+ "version": "0.17.1.54307",
+ "templateHash": "9600027410745431357"
  }
  },
  "parameters": {
@@ -36826,8 +37436,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "9471266450275905523"
+ "version": "0.17.1.54307",
+ "templateHash": "2765385875040083757"
  }
  },
  "parameters": {
@@ -37064,8 +37674,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "11735671726195697680"
+ "version": "0.17.1.54307",
+ "templateHash": "4535070803723456785"
  }
  },
  "parameters": {
@@ -37296,8 +37906,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "6048855322985506812"
+ "version": "0.17.1.54307",
+ "templateHash": "17475626136384362732"
  }
  },
  "parameters": {
@@ -37425,8 +38035,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "3454304478574190517"
+ "version": "0.17.1.54307",
+ "templateHash": "398511802813701603"
  }
  },
  "parameters": {
@@ -37664,8 +38274,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "16446761132064405013"
+ "version": "0.17.1.54307",
+ "templateHash": "5488562806452443494"
  }
  },
  "parameters": {
@@ -37865,8 +38475,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "9116292018335087361"
+ "version": "0.17.1.54307",
+ "templateHash": "8626996903060982853"
  }
  },
  "parameters": {
@@ -37962,8 +38572,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "8826781769055434429"
+ "version": "0.17.1.54307",
+ "templateHash": "7868704077465009471"
  }
  },
  "parameters": {
@@ -38198,8 +38808,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "15589712361439512608"
+ "version": "0.17.1.54307",
+ "templateHash": "8997312828597029463"
  }
  },
  "parameters": {
@@ -38397,8 +39007,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "18313788100863691650"
+ "version": "0.17.1.54307",
+ "templateHash": "10506944460358814800"
  }
  },
  "parameters": {
@@ -38549,28 +39159,26 @@
  }
  },
  {
+ "condition": "[contains(parameters('identityServiceProvider'), 'ADDS')]",
  "type": "Microsoft.Resources/deployments",
  "apiVersion": "2022-09-01",
- "name": "[format('Add-{0}-Storage-Setup-{1}', parameters('storagePurpose'), parameters('time'))]",
- "subscriptionId": "[format('{0}', parameters('workloadSubsId'))]",
- "resourceGroup": "[format('{0}', parameters('serviceObjectsRgName'))]",
+ "name": "[format('Fslogix-Ntfs-Permissions-{0}', parameters('time'))]",
+ "subscriptionId": "[parameters('workloadSubsId')]",
+ "resourceGroup": "[parameters('serviceObjectsRgName')]",
  "properties": {
  "expressionEvaluationOptions": {
  "scope": "inner"
  },
  "mode": "Incremental",
  "parameters": {
- "location": {
- "value": "[parameters('sessionHostLocation')]"
+ "artifactsLocation": {
+ "value": "[parameters('artifactsLocation')]"
  },
- "name": {
- "value": "[parameters('managementVmName')]"
- },
- "file": {
- "value": "[parameters('storageToDomainScript')]"
+ "commandToExecute": {
+ "value": "[format('powershell -ExecutionPolicy Unrestricted -File Set-NtfsPermissions.ps1 -ClientId \"{0}\" -DomainJoinUserPrincipalName \"{1}\" -ActiveDirectorySolution \"{2}\" -Environment \"{3}\" -KerberosEncryptionType \"{4}\" -StorageAccountFullName \"{5}\" -FileShareName \"{6}\" -Netbios \"{7}\" -OuPath \"{8}\" -SecurityPrincipalName \"{9}\" -StorageAccountResourceGroupName \"{10}\" -StorageCount {11} -StorageIndex {12} -StorageSolution \"{13}\" -StorageSuffix \"{14}\" -SubscriptionId \"{15}\" -TenantId \"{16}\"', parameters('managedIdentityClientId'), parameters('domainJoinUserName'), variables('varActiveDirectorySolution'), environment().name, parameters('KerberosEncryption'), parameters('storageAccountName'), parameters('fileShareName'), parameters('netBios'), parameters('ouStgPath'), parameters('securityPrincipalName'), parameters('storageObjectsRgName'), parameters('storageCount'), parameters('storageIndex'), parameters('storageSolution'), environment().suffixes.storage, subscription().subscriptionId, subscription().tenantId)]"
  },
- "scriptArguments": {
- "value": "[variables('varStorageToDomainScriptArgs')]"
+ "location": {
+ "value": "[parameters('sessionHostLocation')]"
  },
  "domainJoinUserPassword": {
  "reference": {
@@ -38580,8 +39188,11 @@
  "secretName": "domainJoinUserPassword"
  }
  },
- "baseScriptUri": {
- "value": "[parameters('storageToDomainScriptUri')]"
+ "managementVmName": {
+ "value": "[parameters('managementVmName')]"
+ },
+ "time": {
+ "value": "[parameters('time')]"
  }
  },
  "template": {
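Review bot: The new `condition` on this deployment, `contains(parameters('identityServiceProvider'), 'ADDS')`, is a substring test, so it is also true for the `AADDS` value that the `varDirectoryServiceOptions` variable in the same template treats as a distinct provider; if running the NTFS-permissions script for AADDS is intended, state it with `"[or(equals(parameters('identityServiceProvider'), 'ADDS'), equals(parameters('identityServiceProvider'), 'AADDS'))]"` so the intent survives the next provider value added. The `commandToExecute` value wraps every argument in literal double quotes, so a deployer-supplied value containing `"` (for example in `securityPrincipalName` or `ouStgPath`) would terminate the argument early and hand the remainder to PowerShell as further tokens; these are operator inputs rather than untrusted data, but it is worth either documenting that constraint on the parameters or escaping the values before formatting. Keeping the password out of this string and appending it only inside the nested template's protected `commandToExecute` is the right split and should stay that way.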
@@ -38590,72 +39201,71 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "13091364540241869728"
+ "version": "0.17.1.54307",
+ "templateHash": "9350072428006893357"
  }
  },
  "parameters": {
- "name": {
- "type": "string",
- "metadata": {
- "description": "Extension deployment name."
- }
+ "artifactsLocation": {
+ "type": "string"
  },
- "location": {
+ "commandToExecute": {
+ "type": "string"
+ },
+ "managementVmName": {
  "type": "string",
  "metadata": {
- "description": "Location where to deploy compute services."
+ "description": "Name for management virtual machine. for tools and to join Azure Files to domain."
  }
  },
- "baseScriptUri": {
- "type": "string",
+ "domainJoinUserPassword": {
+ "type": "securestring",
  "metadata": {
- "description": "Location for the AVD agent installation package."
+ "description": "Domain join user password."
  }
  },
- "file": {
- "type": "string"
- },
- "scriptArguments": {
+ "location": {
  "type": "string",
  "metadata": {
- "description": "Arguments for domain join script."
+ "description": "Location where to deploy compute services."
  }
  },
- "domainJoinUserPassword": {
- "type": "securestring",
+ "time": {
+ "type": "string",
+ "defaultValue": "[utcNow()]",
  "metadata": {
- "description": "Domain join user password."
+ "description": "Do not modify, used to set unique value for resource deployment."
  }
  }
  },
  "variables": {
- "varscriptArgumentsWithPassword": "[format('{0} -DomainAdminUserPassword {1} -verbose', parameters('scriptArguments'), parameters('domainJoinUserPassword'))]"
+ "varCommandToExecute": "[format('{0} -DomainJoinPassword {1} -verbose', parameters('commandToExecute'), parameters('domainJoinUserPassword'))]"
  },
  "resources": [
  {
  "type": "Microsoft.Compute/virtualMachines/extensions",
- "apiVersion": "2022-08-01",
- "name": "[format('{0}/AzureFilesDomainJoin', parameters('name'))]",
+ "apiVersion": "2020-12-01",
+ "name": "[format('{0}/CustomScriptExtension', parameters('managementVmName'))]",
  "location": "[parameters('location')]",
  "properties": {
  "publisher": "Microsoft.Compute",
  "type": "CustomScriptExtension",
  "typeHandlerVersion": "1.10",
  "autoUpgradeMinorVersion": true,
- "settings": {},
+ "settings": {
+ "fileUris": [
+ "[format('{0}/Set-NtfsPermissions.ps1', parameters('artifactsLocation'))]"
+ ],
+ "timestamp": "[parameters('time')]"
+ },
  "protectedSettings": {
- "fileUris": "[array(parameters('baseScriptUri'))]",
- "commandToExecute": "[format('powershell -ExecutionPolicy Unrestricted -File {0} {1}', parameters('file'), variables('varscriptArgumentsWithPassword'))]"
+ "commandToExecute": "[variables('varCommandToExecute')]"
  }
  }
  }
  ]
  }
- },
- "dependsOn": [
- "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', parameters('workloadSubsId')), format('{0}', parameters('storageObjectsRgName'))), 'Microsoft.Resources/deployments', format('Storage-{0}-{1}', parameters('storagePurpose'), parameters('time')))]"
- ]
+ }
  }
  ]
  }
@@ -38684,6 +39294,9 @@
  "storagePurpose": {
  "value": "msix"
  },
+ "storageSolution": {
+ "value": "[parameters('appAttachStorageSolution')]"
+ },
  "fileShareName": {
  "value": "[variables('varMsixFileShareName')]"
  },
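Review bot: `fileUris` moves from `protectedSettings` to the plain `settings` block of the CustomScriptExtension in this hunk, and `settings` is stored and returned in clear text (VM/extension reads, deployment history, activity log), so the script URL built from `artifactsLocation` becomes visible to anyone with read access; if that location can ever carry a SAS token or other credential, it now leaks, so either keep `fileUris` under `protectedSettings` as before or document that `artifactsLocation` must be an unauthenticated URL. The `dependsOn` on the `Storage-{purpose}-{time}` deployment is dropped and the new deployment only receives the storage account and share as string parameters, so ARM will not infer an ordering and the NTFS-permissions script can be scheduled before the share exists — I cannot see the parent's other dependencies from here, so please confirm the ordering is enforced elsewhere. `timestamp` is set to the `utcNow()` string from `time`, whereas the extension's `timestamp` setting is, as far as I recall, an integer used only to force re-execution; worth confirming the handler accepts a string. Since this file is a Bicep build output, the fixes belong in the Bicep source. The enclosing hunk starts on the previous line.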
@@ -38691,27 +39304,27 @@
  "storageSku": {
  "value": "[variables('varMsixStorageSku')]"
  },
+ "securityPrincipalName": {
+ "value": "[parameters('securityPrincipalName')]"
+ },
  "fileShareQuotaSize": {
  "value": "[parameters('msixFileShareQuotaSize')]"
  },
  "storageAccountName": {
  "value": "[variables('varMsixStorageName')]"
  },
- "storageToDomainScript": {
- "value": "[variables('varStorageToDomainScript')]"
+ "netBios": {
+ "value": "[parameters('netBios')]"
+ },
+ "artifactsLocation": {
+ "value": "[variables('varArtifactsLocation')]"
  },
- "storageToDomainScriptUri": {
- "value": "[variables('varStorageToDomainScriptUri')]"
+ "KerberosEncryption": {
+ "value": "[parameters('kerberosEncryption')]"
  },
  "identityServiceProvider": {
  "value": "[parameters('avdIdentityServiceProvider')]"
  },
- "dscAgentPackageLocation": {
- "value": "[variables('varStorageAzureFilesDscAgentPackageLocation')]"
- },
- "storageCustomOuPath": {
- "value": "[variables('varStorageCustomOuPath')]"
- },
  "managementVmName": {
  "value": "[variables('varManagementVmName')]"
  },
@@ -38721,9 +39334,6 @@
  "ouStgPath": {
  "value": "[variables('varOuStgPath')]"
  },
- "createOuForStorageString": {
- "value": "[variables('varCreateOuForStorageString')]"
- },
  "managedIdentityClientId": "[if(variables('varCreateStorageDeployment'), createObject('value', reference(subscriptionResourceId('Microsoft.Resources/deployments', format('Identities-And-RoleAssign-{0}', parameters('time'))), '2022-09-01').outputs.managedIdentityStorageClientId.value), createObject('value', ''))]",
  "domainJoinUserName": {
  "value": "[parameters('avdDomainJoinUserName')]"
@@ -38763,8 +39373,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "5108709096061162439"
+ "version": "0.17.1.54307",
+ "templateHash": "14551661465400904735"
  }
  },
  "parameters": {
@@ -38792,6 +39402,12 @@
  "description": "Resource Group Name for management VM."
  }
  },
+ "securityPrincipalName": {
+ "type": "string",
+ "metadata": {
+ "description": "Optional, Identity name array to grant RBAC role to access AVD application group and NTFS permissions. (Default: \"\")"
+ }
+ },
  "storageAccountName": {
  "type": "string",
  "metadata": {
@@ -38864,18 +39480,6 @@
  "description": "Use Azure private DNS zones for private endpoints."
  }
  },
- "storageToDomainScript": {
- "type": "string",
- "metadata": {
- "description": "Script name for adding storage account to Active Directory."
- }
- },
- "storageToDomainScriptUri": {
- "type": "string",
- "metadata": {
- "description": "URI for the script for adding the storage account to Active Directory."
- }
- },
  "tags": {
  "type": "object",
  "metadata": {
@@ -38919,40 +39523,57 @@
  "description": "Sets purpose of the storage account."
  }
  },
- "dscAgentPackageLocation": {
+ "ouStgPath": {
  "type": "string",
  "metadata": {
- "description": "Sets location of DSC Agent."
+ "description": "OU Storage Path"
  }
  },
- "storageCustomOuPath": {
+ "managedIdentityClientId": {
  "type": "string",
  "metadata": {
- "description": "Custom OU path for storage."
+ "description": "Managed Identity Client ID"
  }
  },
- "ouStgPath": {
+ "KerberosEncryption": {
  "type": "string",
  "metadata": {
- "description": "OU Storage Path"
+ "description": "Kerberos Encryption. Default is AES256."
  }
  },
- "createOuForStorageString": {
+ "artifactsLocation": {
  "type": "string",
  "metadata": {
- "description": "If OU for Azure Storage needs to be created - set to true and ensure the domain join credentials have priviledge to create OU and create computer objects or join to domain."
+ "description": "Location of script. Default is located in workload/scripts"
  }
  },
- "managedIdentityClientId": {
+ "storageSolution": {
  "type": "string",
  "metadata": {
- "description": "Managed Identity Client ID"
+ "description": "Storage Solution."
+ },
+ "allowedValues": [
+ "AzureStorageAccount",
+ "AzureNetappFiles"
+ ]
+ },
+ "storageCount": {
+ "type": "int",
+ "defaultValue": 1
+ },
+ "storageIndex": {
+ "type": "int",
+ "defaultValue": 1
+ },
+ "netBios": {
+ "type": "string",
+ "metadata": {
+ "description": "Netbios name, will be used to set NTFS file share permissions."
  }
  }
  },
  "variables": {
- "varAzureCloudName": "[environment().name]",
- "varStoragePurposeLower": "[toLower(parameters('storagePurpose'))]",
+ "varActiveDirectorySolution": "[if(not(equals(parameters('identityServiceProvider'), 'AAD')), 'ActiveDirectoryDomainServices', '')]",
  "varAvdFileShareLogsDiagnostic": [
  "allLogs"
  ],
@@ -38960,8 +39581,7 @@
  "Transaction"
  ],
  "varWrklStoragePrivateEndpointName": "[format('pe-{0}-file', parameters('storageAccountName'))]",
- "vardirectoryServiceOptions": "[if(equals(parameters('identityServiceProvider'), 'AADDS'), 'AADDS', if(equals(parameters('identityServiceProvider'), 'AAD'), 'AADKERB', 'None'))]",
- "varStorageToDomainScriptArgs": "[format('-DscPath {0} -StorageAccountName {1} -StorageAccountRG {2} -StoragePurpose {3} -DomainName {4} -IdentityServiceProvider {5} -AzureCloudEnvironment {6} -SubscriptionId {7} -DomainAdminUserName {8} -CustomOuPath {9} -OUName {10} -CreateNewOU {11} -ShareName {12} -ClientId {13}', parameters('dscAgentPackageLocation'), parameters('storageAccountName'), parameters('storageObjectsRgName'), parameters('storagePurpose'), parameters('identityDomainName'), parameters('identityServiceProvider'), variables('varAzureCloudName'), parameters('workloadSubsId'), parameters('domainJoinUserName'), parameters('storageCustomOuPath'), parameters('ouStgPath'), parameters('createOuForStorageString'), parameters('fileShareName'), parameters('managedIdentityClientId'))]"
+ "varDirectoryServiceOptions": "[if(equals(parameters('identityServiceProvider'), 'AADDS'), 'AADDS', if(equals(parameters('identityServiceProvider'), 'AAD'), 'AADKERB', 'None'))]"
  },
  "resources": [
  {
@@ -38992,7 +39612,7 @@
  "kind": "[if(or(equals(toLower(parameters('storageSku')), toLower('Premium_LRS')), equals(toLower(parameters('storageSku')), toLower('Premium_ZRS'))), createObject('value', 'FileStorage'), createObject('value', 'StorageV2'))]",
  "azureFilesIdentityBasedAuthentication": {
  "value": {
- "directoryServiceOptions": "[variables('vardirectoryServiceOptions')]",
+ "directoryServiceOptions": "[variables('varDirectoryServiceOptions')]",
  "activeDirectoryProperties": "[if(equals(parameters('identityServiceProvider'), 'AAD'), createObject('domainGuid', parameters('identityDomainGuid'), 'domainName', parameters('identityDomainName')), createObject())]"
  }
  },
@@ -39031,8 +39651,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "10333603057132654028"
+ "version": "0.17.1.54307",
+ "templateHash": "14819659584479701354"
  }
  },
  "parameters": {
@@ -39592,8 +40212,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "17399845773033742131"
+ "version": "0.17.1.54307",
+ "templateHash": "14509829261817545327"
  }
  },
  "parameters": {
@@ -39787,8 +40407,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "12991773916541265724"
+ "version": "0.17.1.54307",
+ "templateHash": "7311288048246157848"
  }
  },
  "parameters": {
@@ -39984,8 +40604,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "3520683536217550590"
+ "version": "0.17.1.54307",
+ "templateHash": "12718574346799900200"
  }
  },
  "parameters": {
@@ -40119,8 +40739,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "11724106538771429164"
+ "version": "0.17.1.54307",
+ "templateHash": "12287935360262920219"
  }
  },
  "parameters": {
@@ -40326,8 +40946,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "5299530817966477918"
+ "version": "0.17.1.54307",
+ "templateHash": "6611019192370176160"
  }
  },
  "parameters": {
@@ -40450,8 +41070,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "4867276107242068354"
+ "version": "0.17.1.54307",
+ "templateHash": "887985521850583920"
  }
  },
  "parameters": {
@@ -40608,8 +41228,8 @@
  "metadata": {
  "_generator": {
  "name": "bicep",
- "version": "0.18.4.5664",
- "templateHash": "15213751123686607933"
+ "version": "0.17.1.54307",
+ "templateHash": "459680222498554457"
  }
  },
  "parameters": {
@@ -40837,8 +41457,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "8477599286867291799" + "version": "0.17.1.54307", + "templateHash": "4711998299496378361" } }, "parameters": { @@ -40951,8 +41571,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "2796131294243404206" + "version": "0.17.1.54307", + "templateHash": "9600027410745431357" } }, "parameters": { @@ -41079,8 +41699,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "9471266450275905523" + "version": "0.17.1.54307", + "templateHash": "2765385875040083757" } }, "parameters": { @@ -41317,8 +41937,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "11735671726195697680" + "version": "0.17.1.54307", + "templateHash": "4535070803723456785" } }, "parameters": { @@ -41549,8 +42169,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "6048855322985506812" + "version": "0.17.1.54307", + "templateHash": "17475626136384362732" } }, "parameters": { @@ -41678,8 +42298,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "3454304478574190517" + "version": "0.17.1.54307", + "templateHash": "398511802813701603" } }, "parameters": { @@ -41917,8 +42537,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "16446761132064405013" + "version": "0.17.1.54307", + "templateHash": "5488562806452443494" } }, "parameters": { @@ -42118,8 +42738,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "9116292018335087361" + "version": "0.17.1.54307", + "templateHash": "8626996903060982853" } }, "parameters": { 
@@ -42215,8 +42835,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "8826781769055434429" + "version": "0.17.1.54307", + "templateHash": "7868704077465009471" } }, "parameters": { @@ -42451,8 +43071,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "15589712361439512608" + "version": "0.17.1.54307", + "templateHash": "8997312828597029463" } }, "parameters": { @@ -42650,8 +43270,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "18313788100863691650" + "version": "0.17.1.54307", + "templateHash": "10506944460358814800" } }, "parameters": { 
@@ -42802,28 +43422,26 @@ } }, { + "condition": "[contains(parameters('identityServiceProvider'), 'ADDS')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('Add-{0}-Storage-Setup-{1}', parameters('storagePurpose'), parameters('time'))]", - "subscriptionId": "[format('{0}', parameters('workloadSubsId'))]", - "resourceGroup": "[format('{0}', parameters('serviceObjectsRgName'))]", + "name": "[format('Fslogix-Ntfs-Permissions-{0}', parameters('time'))]", + "subscriptionId": "[parameters('workloadSubsId')]", + "resourceGroup": "[parameters('serviceObjectsRgName')]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { - "location": { - "value": "[parameters('sessionHostLocation')]" + "artifactsLocation": { + "value": "[parameters('artifactsLocation')]" }, - "name": { - "value": "[parameters('managementVmName')]" + "commandToExecute": { + "value": "[format('powershell -ExecutionPolicy Unrestricted -File Set-NtfsPermissions.ps1 -ClientId \"{0}\" -DomainJoinUserPrincipalName \"{1}\" -ActiveDirectorySolution \"{2}\" -Environment \"{3}\" -KerberosEncryptionType \"{4}\" -StorageAccountFullName \"{5}\" -FileShareName \"{6}\" -Netbios \"{7}\" -OuPath \"{8}\" -SecurityPrincipalName \"{9}\" -StorageAccountResourceGroupName \"{10}\" -StorageCount {11} -StorageIndex {12} -StorageSolution \"{13}\" -StorageSuffix \"{14}\" -SubscriptionId \"{15}\" -TenantId \"{16}\"', parameters('managedIdentityClientId'), parameters('domainJoinUserName'), variables('varActiveDirectorySolution'), environment().name, parameters('KerberosEncryption'), parameters('storageAccountName'), parameters('fileShareName'), parameters('netBios'), parameters('ouStgPath'), parameters('securityPrincipalName'), parameters('storageObjectsRgName'), parameters('storageCount'), parameters('storageIndex'), parameters('storageSolution'), environment().suffixes.storage, subscription().subscriptionId, subscription().tenantId)]" 
}, - "file": { - "value": "[parameters('storageToDomainScript')]" - }, - "scriptArguments": { - "value": "[variables('varStorageToDomainScriptArgs')]" + "location": { + "value": "[parameters('sessionHostLocation')]" }, "domainJoinUserPassword": { "reference": { @@ -42833,8 +43451,11 @@ "secretName": "domainJoinUserPassword" } }, - "baseScriptUri": { - "value": "[parameters('storageToDomainScriptUri')]" + "managementVmName": { + "value": "[parameters('managementVmName')]" + }, + "time": { + "value": "[parameters('time')]" } }, "template": { 
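Review bot: `-OuPath "{8}"` in the new commandToExecute quotes `parameters('ouStgPath')`, but the value the baseline passes for it is `varOuStgPath`, which already embeds literal double quotes (`'"${storageOuPath}"'` in deploy-baseline.bicep), so Set-NtfsPermissions.ps1 receives `-OuPath ""OU=…""` and the OU argument is mangled; the old `-OUName {10}` format relied on those embedded quotes, this one does not. Either drop the quotes from the format string (`-OuPath {8}`) or, better, pass the raw path and let this template do the quoting in one place. More generally `-SecurityPrincipalName "{9}"`, `-Netbios "{7}"` and `-OuPath "{8}"` interpolate unconstrained string parameters into a shell command line, so a value containing `"` changes the argument boundaries; a `minLength`/pattern constraint on those parameters, or having the script read its inputs from a file rather than from a string-built command, would remove that. The enclosing deployment resource continues into the next hunk.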
@@ -42843,72 +43464,71 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "13091364540241869728" + "version": "0.17.1.54307", + "templateHash": "9350072428006893357" } }, "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "Extension deployment name." - } + "artifactsLocation": { + "type": "string" }, - "location": { + "commandToExecute": { + "type": "string" + }, + "managementVmName": { "type": "string", "metadata": { - "description": "Location where to deploy compute services." + "description": "Name for management virtual machine. for tools and to join Azure Files to domain." } }, - "baseScriptUri": { - "type": "string", + "domainJoinUserPassword": { + "type": "securestring", "metadata": { - "description": "Location for the AVD agent installation package." + "description": "Domain join user password." } }, - "file": { - "type": "string" - }, - "scriptArguments": { + "location": { "type": "string", "metadata": { - "description": "Arguments for domain join script." + "description": "Location where to deploy compute services." } }, - "domainJoinUserPassword": { - "type": "securestring", + "time": { + "type": "string", + "defaultValue": "[utcNow()]", "metadata": { - "description": "Domain join user password." + "description": "Do not modify, used to set unique value for resource deployment." 
} } }, "variables": { - "varscriptArgumentsWithPassword": "[format('{0} -DomainAdminUserPassword {1} -verbose', parameters('scriptArguments'), parameters('domainJoinUserPassword'))]" + "varCommandToExecute": "[format('{0} -DomainJoinPassword {1} -verbose', parameters('commandToExecute'), parameters('domainJoinUserPassword'))]" }, "resources": [ { "type": "Microsoft.Compute/virtualMachines/extensions", - "apiVersion": "2022-08-01", - "name": "[format('{0}/AzureFilesDomainJoin', parameters('name'))]", + "apiVersion": "2020-12-01", + "name": "[format('{0}/CustomScriptExtension', parameters('managementVmName'))]", "location": "[parameters('location')]", "properties": { "publisher": "Microsoft.Compute", "type": "CustomScriptExtension", "typeHandlerVersion": "1.10", "autoUpgradeMinorVersion": true, - "settings": {}, + "settings": { + "fileUris": [ + "[format('{0}/Set-NtfsPermissions.ps1', parameters('artifactsLocation'))]" + ], + "timestamp": "[parameters('time')]" + }, "protectedSettings": { - "fileUris": "[array(parameters('baseScriptUri'))]", - "commandToExecute": "[format('powershell -ExecutionPolicy Unrestricted -File {0} {1}', parameters('file'), variables('varscriptArgumentsWithPassword'))]" + "commandToExecute": "[variables('varCommandToExecute')]" } } } ] } - }, - "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', parameters('workloadSubsId')), format('{0}', parameters('storageObjectsRgName'))), 'Microsoft.Resources/deployments', format('Storage-{0}-{1}', parameters('storagePurpose'), parameters('time')))]" - ] + } } ] } @@ -42959,8 +43579,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "8648238951029079364" + "version": "0.17.1.54307", + "templateHash": "14889137037653853520" } }, "parameters": { 
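Review bot: `varCommandToExecute` appends the domain-join password unquoted and unescaped (`-DomainJoinPassword {1}`), so a password containing a space, `"` or another PowerShell-significant character either breaks the command or is split into extra arguments; the replaced `varscriptArgumentsWithPassword` had the same weakness, but this rewrite is the place to fix it, e.g. `"[format('{0} -DomainJoinPassword \"{1}\" -verbose', ...)]"` plus escaping of embedded quotes. Even inside protectedSettings the secret ends up on the powershell.exe command line of the management VM, where process-creation auditing or a process listing can capture it — worth a `NOTE` in the variable's metadata so operators know to restrict access to that VM's logs. The `dependsOn` on the `Storage-{purpose}-{time}` deployment was also removed from the outer Fslogix-Ntfs-Permissions deployment (its definition starts in the previous hunk); unless ordering is enforced elsewhere, the extension can now run before the storage account and share exist and the NTFS script will fail.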
@@ -43038,8 +43658,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "8447272874314804308" + "version": "0.17.1.54307", + "templateHash": "11940163391569342138" } }, "parameters": { @@ -43196,8 +43816,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "5091916529584467175" + "version": "0.17.1.54307", + "templateHash": "10835079600690809858" } }, "parameters": { @@ -43513,8 +44133,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "9542486132206933343" + "version": "0.17.1.54307", + "templateHash": "3647241641137692756" } }, "parameters": { @@ -43919,8 +44539,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "16231583765337904850" + "version": "0.17.1.54307", + "templateHash": "4750663240724101154" } }, "parameters": { @@ -44767,8 +45387,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "17209228417067578044" + "version": "0.17.1.54307", + "templateHash": "18094190582004938279" } }, "parameters": { @@ -44928,8 +45548,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "9360762827164855564" + "version": "0.17.1.54307", + "templateHash": "9163854717969965207" } }, "parameters": { @@ -45261,8 +45881,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "8727835156180887119" + "version": "0.17.1.54307", + "templateHash": "9526391067242259796" } }, "parameters": { @@ -45516,8 +46136,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "9874341872740922868" + "version": "0.17.1.54307", + "templateHash": "2878979907665862463" } }, "parameters": { 
@@ -45814,8 +46434,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "12339568584101080218" + "version": "0.17.1.54307", + "templateHash": "934300040337690336" } }, "parameters": { @@ -46030,8 +46650,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "1490032793186823332" + "version": "0.17.1.54307", + "templateHash": "3345220041904522099" } }, "parameters": { @@ -46233,8 +46853,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "1490032793186823332" + "version": "0.17.1.54307", + "templateHash": "3345220041904522099" } }, "parameters": { @@ -46431,8 +47051,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "1490032793186823332" + "version": "0.17.1.54307", + "templateHash": "3345220041904522099" } }, "parameters": { @@ -46634,8 +47254,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "1490032793186823332" + "version": "0.17.1.54307", + "templateHash": "3345220041904522099" } }, "parameters": { @@ -46827,8 +47447,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "1490032793186823332" + "version": "0.17.1.54307", + "templateHash": "3345220041904522099" } }, "parameters": { @@ -47020,8 +47640,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "1490032793186823332" + "version": "0.17.1.54307", + "templateHash": "3345220041904522099" } }, "parameters": { @@ -47217,8 +47837,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "1490032793186823332" + "version": "0.17.1.54307", + "templateHash": "3345220041904522099" } }, "parameters": { 
@@ -47422,8 +48042,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "1490032793186823332" + "version": "0.17.1.54307", + "templateHash": "3345220041904522099" } }, "parameters": { @@ -47620,8 +48240,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "1490032793186823332" + "version": "0.17.1.54307", + "templateHash": "3345220041904522099" } }, "parameters": { @@ -47821,8 +48441,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "9244336776798438387" + "version": "0.17.1.54307", + "templateHash": "542004733048752795" } }, "parameters": { @@ -47987,8 +48607,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "16997355648608834977" + "version": "0.17.1.54307", + "templateHash": "5545265229641785727" } }, "parameters": { @@ -48204,8 +48824,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "14509232230386518393" + "version": "0.17.1.54307", + "templateHash": "6119857452463366145" } }, "parameters": { @@ -48537,8 +49157,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "1490032793186823332" + "version": "0.17.1.54307", + "templateHash": "3345220041904522099" } }, "parameters": { @@ -48736,8 +49356,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "14509232230386518393" + "version": "0.17.1.54307", + "templateHash": "6119857452463366145" } }, "parameters": { @@ -49067,8 +49687,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "1490032793186823332" + "version": "0.17.1.54307", + "templateHash": "3345220041904522099" } }, "parameters": { 
@@ -49267,8 +49887,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "14509232230386518393" + "version": "0.17.1.54307", + "templateHash": "6119857452463366145" } }, "parameters": { @@ -49576,8 +50196,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "2897218414027100934" + "version": "0.17.1.54307", + "templateHash": "14854652588114627341" } }, "parameters": { @@ -49676,8 +50296,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "886630281819911694" + "version": "0.17.1.54307", + "templateHash": "7172748536042045689" } }, "parameters": { @@ -49792,8 +50412,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "12570414431099862364" + "version": "0.17.1.54307", + "templateHash": "231872691044961836" } }, "parameters": { @@ -49885,8 +50505,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "2291336375760157964" + "version": "0.17.1.54307", + "templateHash": "5657647834665443119" } }, "parameters": { @@ -50060,8 +50680,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "12228099095722756446" + "version": "0.17.1.54307", + "templateHash": "17165573628970783202" } }, "parameters": { @@ -50329,8 +50949,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.18.4.5664", - "templateHash": "7109016207306775504" + "version": "0.17.1.54307", + "templateHash": "13416191842446717007" } }, "parameters": { diff --git a/workload/bicep/deploy-baseline.bicep b/workload/bicep/deploy-baseline.bicep index b7642b1d7..ef6540d8a 100644 --- a/workload/bicep/deploy-baseline.bicep +++ b/workload/bicep/deploy-baseline.bicep 
@@ -55,20 +55,18 @@ param avdIdentityServiceProvider string = 'ADDS' @sys.description('Required, Eronll session hosts on Intune. (Default: false)') param createIntuneEnrollment bool = false -@sys.description('Optional, Identity ID array to grant RBAC role to access AVD application group. (Default: "")') -param avdApplicationGroupIdentitiesIds array = [] +@sys.description('Optional, Identity ID to grant RBAC role to access AVD application group and NTFS permissions. (Default: "")') +param securityPrincipalId string = '' -@allowed([ - 'Group' - 'ServicePrincipal' - 'User' -]) -@sys.description('Optional, Identity type to grant RBAC role to access AVD application group. (Default: Group)') -param avdApplicationGroupIdentityType string = 'Group' +@sys.description('Optional, Identity name to grant RBAC role to access AVD application group and NTFS permissions. (Default: "")') +param securityPrincipalName string = '' @sys.description('AD domain name.') param avdIdentityDomainName string +@sys.description('Netbios name, will be used to set NTFS file share permissions. (Default: "")') +param netBios string = '' + @sys.description('AD domain GUID. (Default: "")') param identityDomainGuid string = '' @@ -91,8 +89,8 @@ param avdHostPoolType string = 'Pooled' @sys.description('Optional. The type of preferred application group type, default to Desktop Application Group.') @allowed([ - 'Desktop' - 'RemoteApp' + 'Desktop' + 'RemoteApp' ]) param hostPoolPreferredAppGroupType string = 'Desktop' 
@@ -164,15 +162,36 @@ param vNetworkGatewayOnHub bool = false @sys.description('Deploy Fslogix setup. (Default: true)') param createAvdFslogixDeployment bool = true +@allowed([ + 'AzureStorageAccount' + 'AzureNetappFiles' +]) +@sys.description('Fslogix Storage Solution. Default is Azure Storage Account.') +param fslogixStorageSolution string = 'AzureStorageAccount' + @sys.description('Deploy MSIX App Attach setup. (Default: false)') param createMsixDeployment bool = false +@allowed([ + 'AzureStorageAccount' + 'AzureNetappFiles' +]) +@sys.description('App attach Storage Solution. Default is Azure Storage Account.') +param appAttachStorageSolution string = 'AzureStorageAccount' + @sys.description('Fslogix file share size. (Default: 1)') param fslogixFileShareQuotaSize int = 1 @sys.description('MSIX file share size. (Default: 1)') param msixFileShareQuotaSize int = 1 +@allowed([ + 'AES256' + 'RC4' +]) +@sys.description('Kerberos Encryption. Default is AES256.') +param kerberosEncryption string = 'AES256' + @sys.description('Deploy new session hosts. (Default: true)') param avdDeploySessionHosts bool = true @@ -282,9 +301,6 @@ param avdImageTemplateDefinitionId string = '' @sys.description('OU name for Azure Storage Account. It is recommended to create a new AD Organizational Unit (OU) in AD and disable password expiration policy on computer accounts or service logon accounts accordingly. (Default: "")') param storageOuPath string = '' -@sys.description('If OU for Azure Storage needs to be created - set to true and ensure the domain join credentials have priviledge to create OU and create computer objects or join to domain. (Default: false)') -param createOuForStorage bool = false - // Custom Naming // Input must followe resource naming rules on https://docs.microsoft.com/azure/azure-resource-manager/management/resource-name-rules @sys.description('AVD resources custom naming. (Default: false)') 
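Review bot: `kerberosEncryption` offers `RC4` with no caveat in its description; RC4-HMAC Kerberos is a weak, deprecated cipher, and the value is passed straight to the storage setup script as `-KerberosEncryptionType`, so it presumably shapes the storage account's AD object configuration. Keep the allowed value if legacy domains need it, but make the trade-off visible: `@sys.description('Kerberos encryption type for the storage account AD object. AES256 is recommended; RC4 is a legacy, weak option kept only for backward compatibility. (Default: AES256)')`. The descriptions of `fslogixStorageSolution` and `appAttachStorageSolution` also drop the `(Default: …)` convention used by every other parameter in this file.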
@@ -487,7 +503,7 @@ param enableTelemetry bool = true // Resource naming var varDeploymentPrefixLowercase = toLower(deploymentPrefix) var varDeploymentEnvironmentLowercase = toLower(deploymentEnvironment) -var varDeploymentEnvironmentComputeStorage = (deploymentEnvironment == 'Dev') ? 'd': ((deploymentEnvironment == 'Test') ? 't' : ((deploymentEnvironment == 'Prod') ? 'p' : '')) +var varDeploymentEnvironmentComputeStorage = (deploymentEnvironment == 'Dev') ? 'd' : ((deploymentEnvironment == 'Test') ? 't' : ((deploymentEnvironment == 'Prod') ? 'p' : '')) var varNamingUniqueStringThreeChar = take('${uniqueString(avdWorkloadSubsId, varDeploymentPrefixLowercase, time)}', 3) var varSessionHostLocationAcronym = varLocations[varSessionHostLocationLowercase].acronym var varManagementPlaneLocationAcronym = varLocations[varManagementPlaneLocationLowercase].acronym @@ -507,7 +523,7 @@ var varStorageObjectsRgName = avdUseCustomNaming ? avdStorageObjectsRgCustomName var varMonitoringRgName = avdUseCustomNaming ? avdMonitoringRgCustomName : 'rg-avd-${varDeploymentEnvironmentLowercase}-${varManagementPlaneLocationAcronym}-monitoring' // max length limit 90 characters var varVnetName = avdUseCustomNaming ? avdVnetworkCustomName : 'vnet-${varComputeStorageResourcesNamingStandard}-001' var varHubVnetName = (createAvdVnet && !empty(existingHubVnetResourceId)) ? split(existingHubVnetResourceId, '/')[8] : '' -var varVnetPeeringName = 'peer-${varHubVnetName}' +var varVnetPeeringName = 'peer-${varHubVnetName}' var varRemoteVnetPeeringName = 'peer-${varVnetName}' var varVnetAvdSubnetName = avdUseCustomNaming ? avdVnetworkSubnetCustomName : 'snet-avd-${varComputeStorageResourcesNamingStandard}-001' var varVnetPrivateEndpointSubnetName = avdUseCustomNaming ? privateEndpointVnetworkSubnetCustomName : 'snet-pe-${varComputeStorageResourcesNamingStandard}-001' 
@@ -545,7 +561,7 @@ var varZtKvPrivateEndpointName = 'pe-${varZtKvName}-vault' // var varFsLogixScriptArguments = (avdIdentityServiceProvider == 'AAD') ? '-volumeshare ${varFslogixSharePath} -storageAccountName ${varFslogixStorageName} -identityDomainName ${avdIdentityDomainName}' : '-volumeshare ${varFslogixSharePath}' var varFslogixSharePath = '\\\\${varFslogixStorageName}.file.${environment().suffixes.storage}\\${varFslogixFileShareName}' -var varBaseScriptUri = 'https://raw.githubusercontent.com/Azure/avdaccelerator/main/workload/' +var varBaseScriptUri = 'https://raw.githubusercontent.com/Azure/avdaccelerator/ntfs-update/workload/' var varFslogixScriptUri = (avdIdentityServiceProvider == 'AAD') ? '${varBaseScriptUri}scripts/Set-FSLogixRegKeysAAD.ps1' : '${varBaseScriptUri}scripts/Set-FSLogixRegKeys.ps1' var varFsLogixScript = (avdIdentityServiceProvider == 'AAD') ? './Set-FSLogixRegKeysAad.ps1' : './Set-FSLogixRegKeys.ps1' //var varCompRgDeploCleanScript = './cleanUpRgDeployments.ps1' 
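Review bot: `varBaseScriptUri` now points at the `ntfs-update` branch of the public GitHub repo, so the FSLogix scripts executed on session hosts (and, through the same pattern, the scripts run on the management VM with domain-join credentials) are fetched from a mutable, non-default ref with no integrity check. Anyone who can push to that branch, or its deletion after merge, changes what runs in customers' environments; pin to an immutable commit SHA or release tag, e.g. `var varBaseScriptUri = 'https://raw.githubusercontent.com/Azure/avdaccelerator/<commit-sha>/workload/'`, or host the artifacts in a deployer-controlled storage account. If this is a temporary development switch, a `// TODO: revert to main before release` comment makes that explicit.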
@@ -763,16 +779,13 @@ var varMarketPlaceGalleryWindows = { version: 'latest' } } -var varStorageAzureFilesDscAgentPackageLocation = 'https://github.com/Azure/avdaccelerator/raw/main/workload/scripts/DSCStorageScripts.zip' +var varArtifactsLocation = 'https://github.com/Azure/avdaccelerator/raw/ntfs-update/workload/scripts' //var varTempResourcesCleanUpDscAgentPackageLocation = 'https://github.com/Azure/avdaccelerator/raw/main/workload/scripts/postDeploymentTempResourcesCleanUp.zip' -var varStorageToDomainScriptUri = '${varBaseScriptUri}scripts/Manual-DSC-Storage-Scripts.ps1' //var varPostDeploymentTempResuorcesCleanUpScriptUri = '${varBaseScriptUri}scripts/postDeploymentTempResuorcesCleanUp.ps1' -var varStorageToDomainScript = './Manual-DSC-Storage-Scripts.ps1' //var varPostDeploymentTempResuorcesCleanUpScript = './PostDeploymentTempResuorcesCleanUp.ps1' var varOuStgPath = !empty(storageOuPath) ? '"${storageOuPath}"' : '"${varDefaultStorageOuPath}"' var varDefaultStorageOuPath = (avdIdentityServiceProvider == 'AADDS') ? 'AADDC Computers' : 'Computers' var varStorageCustomOuPath = !empty(storageOuPath) ? 'true' : 'false' -var varCreateOuForStorageString = string(createOuForStorage) var varAllDnsServers = '${customDnsIps},168.63.129.16' var varDnsServers = empty(customDnsIps) ? [] : (split(varAllDnsServers, ',')) var varCreateVnetPeering = !empty(existingHubVnetResourceId) ? true : false @@ -830,7 +843,7 @@ var verResourceGroups = [ // enableDefaultTelemetry: false // tags: createResourceTags ? union(varAllComputeStorageTags, varAvdDefaultTags) : union(varAvdDefaultTags, varAllComputeStorageTags) //} - + ] // =========== // 
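Review bot: `varStorageCustomOuPath` is now dead code — the `storageCustomOuPath` module parameter is removed from both storage module calls in this commit — and `varOuStgPath` still wraps the OU path in literal double quotes even though the new Fslogix-Ntfs-Permissions command already quotes the argument (`-OuPath "{8}"`), which yields a doubly quoted value. Delete the unused variable and change the quoting to `var varOuStgPath = !empty(storageOuPath) ? storageOuPath : varDefaultStorageOuPath`. `varArtifactsLocation` also references the `ntfs-update` branch rather than an immutable ref, which deserves the same pinning as the other script URIs.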
@@ -924,7 +937,7 @@ module networking './modules/networking/deploy.bicep' = if (createAvdVnet || cre existingPeSubnetResourceId: existingVnetPrivateEndpointSubnetResourceId existingAvdSubnetResourceId: existingVnetAvdSubnetResourceId createPrivateDnsZones: deployPrivateEndpointKeyvaultStorage ? createPrivateDnsZones : false - applicationSecurityGroupName: varApplicationSecurityGroupName + applicationSecurityGroupName: varApplicationSecurityGroupName computeObjectsRgName: varComputeObjectsRgName networkObjectsRgName: varNetworkObjectsRgName avdNetworksecurityGroupName: varAvdNetworksecurityGroupName @@ -984,8 +997,7 @@ module managementPLane './modules/avdManagementPlane/deploy.bicep' = { startVmOnConnect: (avdHostPoolType == 'Pooled') ? avdDeployScalingPlan : avdStartVmOnConnect workloadSubsId: avdWorkloadSubsId identityServiceProvider: avdIdentityServiceProvider - applicationGroupIdentitiesIds: avdApplicationGroupIdentitiesIds - applicationGroupIdentityType: avdApplicationGroupIdentityType + securityPrincipalIds: array(securityPrincipalId) tags: createResourceTags ? union(varCustomResourceTags, varAvdDefaultTags) : varAvdDefaultTags alaWorkspaceResourceId: avdDeployMonitoring ? (deployAlaWorkspace ? monitoringDiagnosticSettings.outputs.avdAlaWorkspaceResourceId : alaExistingWorkspaceResourceId) : '' diagnosticLogsRetentionInDays: avdAlaWorkspaceDataRetention @@ -1015,7 +1027,7 @@ module identity './modules/identity/deploy.bicep' = { enableStartVmOnConnect: avdStartVmOnConnect identityServiceProvider: avdIdentityServiceProvider createStorageDeployment: varCreateStorageDeployment - appGroupIdentitiesIds: avdApplicationGroupIdentitiesIds + securityPrincipalIds: array(securityPrincipalId) tags: createResourceTags ? union(varCustomResourceTags, varAvdDefaultTags) : varAvdDefaultTags } dependsOn: [ 
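Review bot: `securityPrincipalIds: array(securityPrincipalId)` turns the parameter's default `''` into `['']`, a one-element array, so the `!empty(securityPrincipalIds)` guards in the management-plane and identity modules now pass when no principal was supplied and Desktop Virtualization User, AAD login and SMB-share role assignments are attempted with an empty principalId; the previous `array = []` default skipped them. Use `securityPrincipalIds: empty(securityPrincipalId) ? [] : [ securityPrincipalId ]` in both module calls (the same expression appears in the identity module hunk above).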
@@ -1051,7 +1063,7 @@ module zeroTrust './modules/zeroTrust/deploy.bicep' = if (diskZeroTrust && avdDe baselineResourceGroups baselineStorageResourceGroup monitoringDiagnosticSettings - identity + identity ] } @@ -1180,20 +1192,20 @@ module fslogixAzureFilesStorage './modules/storageAzureFiles/deploy.bicep' = if name: 'Storage-FSLogix-${time}' params: { storagePurpose: 'fslogix' + storageSolution: fslogixStorageSolution fileShareName: varFslogixFileShareName fileShareMultichannel: (fslogixStoragePerformance == 'Premium') ? true : false storageSku: varFslogixStorageSku + securityPrincipalName: securityPrincipalName fileShareQuotaSize: fslogixFileShareQuotaSize storageAccountName: varFslogixStorageName - storageToDomainScript: varStorageToDomainScript - storageToDomainScriptUri: varStorageToDomainScriptUri + netBios: netBios + artifactsLocation: varArtifactsLocation + KerberosEncryption: kerberosEncryption identityServiceProvider: avdIdentityServiceProvider - dscAgentPackageLocation: varStorageAzureFilesDscAgentPackageLocation - storageCustomOuPath: varStorageCustomOuPath managementVmName: varManagementVmName deployPrivateEndpoint: deployPrivateEndpointKeyvaultStorage ouStgPath: varOuStgPath - createOuForStorageString: varCreateOuForStorageString managedIdentityClientId: varCreateStorageDeployment ? identity.outputs.managedIdentityStorageClientId : '' domainJoinUserName: avdDomainJoinUserName wrklKvName: varWrklKvName 
@@ -1223,20 +1235,20 @@ module msixAzureFilesStorage './modules/storageAzureFiles/deploy.bicep' = if (cr name: 'Storage-MSIX-${time}' params: { storagePurpose: 'msix' + storageSolution: appAttachStorageSolution fileShareName: varMsixFileShareName fileShareMultichannel: (msixStoragePerformance == 'Premium') ? true : false storageSku: varMsixStorageSku + securityPrincipalName: securityPrincipalName fileShareQuotaSize: msixFileShareQuotaSize storageAccountName: varMsixStorageName - storageToDomainScript: varStorageToDomainScript - storageToDomainScriptUri: varStorageToDomainScriptUri + netBios: netBios + artifactsLocation: varArtifactsLocation + KerberosEncryption: kerberosEncryption identityServiceProvider: avdIdentityServiceProvider - dscAgentPackageLocation: varStorageAzureFilesDscAgentPackageLocation - storageCustomOuPath: varStorageCustomOuPath managementVmName: varManagementVmName deployPrivateEndpoint: deployPrivateEndpointKeyvaultStorage ouStgPath: varOuStgPath - createOuForStorageString: varCreateOuForStorageString managedIdentityClientId: varCreateStorageDeployment ? identity.outputs.managedIdentityStorageClientId : '' domainJoinUserName: avdDomainJoinUserName wrklKvName: varWrklKvName @@ -1283,7 +1295,7 @@ module availabilitySet './modules/avdSessionHosts/.bicep/availabilitySets.bicep' // Session hosts @batchSize(3) module sessionHosts './modules/avdSessionHosts/deploy.bicep' = [for i in range(1, varSessionHostBatchCount): if (avdDeploySessionHosts) { - name: 'SH-Batch-${i-1}-${time}' + name: 'SH-Batch-${i - 1}-${time}' params: { diskEncryptionSetResourceId: diskZeroTrust ? zeroTrust.outputs.ztDiskEncryptionSetResourceId : '' avdAgentPackageLocation: varAvdAgentPackageLocation 
@@ -1293,7 +1305,7 @@ module sessionHosts './modules/avdSessionHosts/deploy.bicep' = [for i in range(1 createIntuneEnrollment: createIntuneEnrollment maxAvsetMembersCount: varMaxAvsetMembersCount avsetNamePrefix: varAvsetNamePrefix - batchId: i-1 + batchId: i - 1 computeObjectsRgName: varComputeObjectsRgName count: i == varSessionHostBatchCount && varMaxSessionHostsDivisionRemainderValue > 0 ? varMaxSessionHostsDivisionRemainderValue : varMaxSessionHostsPerTemplate countIndex: i == 1 ? avdSessionHostCountIndex : (((i - 1) * varMaxSessionHostsPerTemplate) + avdSessionHostCountIndex) @@ -1346,14 +1358,14 @@ module gpuPolicies './modules/avdSessionHosts/.bicep/azurePolicyGpuExtensions.bi scope: subscription('${avdWorkloadSubsId}') name: 'GPU-VM-Extensions-${time}' params: { - computeObjectsRgName: varComputeObjectsRgName - location: avdSessionHostLocation - subscriptionId: avdWorkloadSubsId + computeObjectsRgName: varComputeObjectsRgName + location: avdSessionHostLocation + subscriptionId: avdWorkloadSubsId } dependsOn: [ sessionHosts ] - } +} /* // Post deployment resources clean up. diff --git a/workload/bicep/modules/avdManagementPlane/deploy.bicep b/workload/bicep/modules/avdManagementPlane/deploy.bicep index 370e4ad72..09f97696e 100644 --- a/workload/bicep/modules/avdManagementPlane/deploy.bicep +++ b/workload/bicep/modules/avdManagementPlane/deploy.bicep @@ -16,10 +16,7 @@ param computeTimeZone string param identityServiceProvider string @sys.description('Identity ID to grant RBAC role to access AVD application group.') -param applicationGroupIdentitiesIds array - -@sys.description('Identity type to grant RBAC role to access AVD application group.') -param applicationGroupIdentityType string +param securityPrincipalIds array @sys.description('AVD OS image source.') param osImage string 
@@ -240,11 +237,11 @@ module applicationGroups '../../../../carml/1.3.0/Microsoft.DesktopVirtualizatio hostpoolName: hostPoolName tags: tags applications: (applicationGroup.applicationGroupType == 'RemoteApp') ? varRAppApplicationGroupsApps : [] - roleAssignments: !empty(applicationGroupIdentitiesIds) ? [ + roleAssignments: !empty(securityPrincipalIds) ? [ { roleDefinitionIdOrName: 'Desktop Virtualization User' - principalIds: applicationGroupIdentitiesIds - principalType: applicationGroupIdentityType + principalIds: securityPrincipalIds + principalType: 'Group' } ]: [] diagnosticWorkspaceId: alaWorkspaceResourceId diff --git a/workload/bicep/modules/identity/deploy.bicep b/workload/bicep/modules/identity/deploy.bicep index bf0e18e3b..fd1a7389e 100644 --- a/workload/bicep/modules/identity/deploy.bicep +++ b/workload/bicep/modules/identity/deploy.bicep @@ -28,7 +28,7 @@ param enableStartVmOnConnect bool param identityServiceProvider string @sys.description('Required, Identity ID to grant RBAC role to access AVD application group.') -param appGroupIdentitiesIds array +param securityPrincipalIds array @sys.description('Deploy scaling plan.') param deployScalingPlan bool @@ -62,6 +62,10 @@ var varStorageSmbShareContributorRole = { id: '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb' name: 'Storage File Data SMB Share Contributor' } +var varDesktopVirtualizationVirtualMachineContributorRole = { + id:' a959dbd1-f747-45e3-8ba6-dd80f235f97c' + name: 'Desktop Virtualization Virtual Machine Contributor' +} var varDesktopVirtualizationPowerOnContributorRole = { id: '489581de-a3bd-480d-9518-53dea7416b33' name: 'Desktop Virtualization Power On Contributor' 
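Review bot: `principalType: 'Group'` is now hard-coded while the `securityPrincipalId` description in deploy-baseline.bicep still just says "Identity ID", so a user or service-principal object ID — which the removed `avdApplicationGroupIdentityType` parameter used to allow — will be submitted with the wrong principalType and the assignment can fail. Either keep a principal-type parameter or document the restriction where the ID is entered, e.g. `@sys.description('Optional, object ID of the Azure AD group to grant Desktop Virtualization User and NTFS permissions; must be a group. (Default: "")')`.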
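Review bot: `varDesktopVirtualizationVirtualMachineContributorRole.id` is written as `' a959dbd1-f747-45e3-8ba6-dd80f235f97c'` with a leading space, so the `roleDefinitionIdOrName` built from it becomes `.../roleDefinitions/ a959dbd1-…` and the deployment fails on an invalid role definition ID. Change it to `id: 'a959dbd1-f747-45e3-8ba6-dd80f235f97c'`, matching the formatting of the neighbouring role variables.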
@@ -182,7 +186,7 @@ module storageContributorRoleAssign '../../../../carml/1.3.0/Microsoft.Authoriza
 }]
 // Storage File Data SMB Share Contributor
-module storageSmbShareContributorRoleAssign '../../../../carml/1.3.0/Microsoft.Authorization/roleAssignments/resourceGroup/deploy.bicep' = [for appGroupIdentitiesId in appGroupIdentitiesIds: if (createStorageDeployment && (identityServiceProvider == 'AAD') && (!empty(appGroupIdentitiesIds))) {
+module storageSmbShareContributorRoleAssign '../../../../carml/1.3.0/Microsoft.Authorization/roleAssignments/resourceGroup/deploy.bicep' = [for appGroupIdentitiesId in securityPrincipalIds: if (createStorageDeployment && (identityServiceProvider == 'AAD') && (!empty(securityPrincipalIds))) {
 name: 'Stora-SmbContri-RolAssign-${take('${appGroupIdentitiesId}', 6)}-${time}'
 scope: resourceGroup('${subscriptionId}', '${storageObjectsRgName}')
 params: {
@@ -191,8 +195,18 @@ module storageSmbShareContributorRoleAssign '../../../../carml/1.3.0/Microsoft.A
 }
 }]
+//Management VM Desktop Virtualization Virtual Machine Contributor Role assignment
+module DesktopVirtualizationVirtualMachineContributorRoleAssign '../../../../carml/1.3.0/Microsoft.Authorization/roleAssignments/resourceGroup/deploy.bicep' = [for appGroupIdentitiesId in securityPrincipalIds: if (createStorageDeployment && (identityServiceProvider == 'AAD') && (!empty(securityPrincipalIds))) {
+ name: 'Stora-VMCont-RolAssign-${take('${appGroupIdentitiesId}', 6)}-${time}'
+ scope: resourceGroup('${subscriptionId}', '${serviceObjectsRgName}')
+ params: {
+ roleDefinitionIdOrName: '/subscriptions/${subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/${varDesktopVirtualizationVirtualMachineContributorRole.id}'
+ principalId: appGroupIdentitiesId
+ }
+}]
+
 // VM AAD access roles compute RG
-module aadIdentityLoginRoleAssign '../../../../carml/1.3.0/Microsoft.Authorization/roleAssignments/resourceGroup/deploy.bicep' = [for appGroupIdentitiesId in appGroupIdentitiesIds: if (identityServiceProvider == 'AAD' && !empty(appGroupIdentitiesIds)) {
+module aadIdentityLoginRoleAssign '../../../../carml/1.3.0/Microsoft.Authorization/roleAssignments/resourceGroup/deploy.bicep' = [for appGroupIdentitiesId in securityPrincipalIds: if (identityServiceProvider == 'AAD' && !empty(securityPrincipalIds)) {
 name: 'VM-Login-Comp-${take('${appGroupIdentitiesId}', 6)}-${time}'
 scope: resourceGroup('${subscriptionId}', '${computeObjectsRgName}')
 params: {
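Review bot: The new `DesktopVirtualizationVirtualMachineContributorRoleAssign` loop grants Desktop Virtualization Virtual Machine Contributor over the whole service-objects resource group to every id in `securityPrincipalIds`, which the parameter descriptions in this commit define as the end-user group given access to the application group. The header comment says the assignment is for the management VM, so the intended grantee appears to be that VM's identity rather than the user group; as written, members of the AVD user group receive VM management rights on the resource group. If the management VM is the intended principal, take its principal id as a parameter and drop the loop; if the group really needs the role, say why in the comment and scope the assignment to the VM resource instead of the resource group. The condition also gates on `createStorageDeployment`, which has no visible relation to this role, and the deployment name prefix `Stora-VMCont-` suggests the same confusion; a one-line comment explaining the coupling would help the next reader.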
@@ -202,7 +216,7 @@ module aadIdentityLoginRoleAssign '../../../../carml/1.3.0/Microsoft.Authorizati
 }]
 // VM AAD access roles service objects RG
-module aadIdentityLoginAccessServiceObjects '../../../../carml/1.3.0/Microsoft.Authorization/roleAssignments/resourceGroup/deploy.bicep' = [for appGroupIdentitiesId in appGroupIdentitiesIds: if (identityServiceProvider == 'AAD' && !empty(appGroupIdentitiesIds)) {
+module aadIdentityLoginAccessServiceObjects '../../../../carml/1.3.0/Microsoft.Authorization/roleAssignments/resourceGroup/deploy.bicep' = [for appGroupIdentitiesId in securityPrincipalIds: if (identityServiceProvider == 'AAD' && !empty(securityPrincipalIds)) {
 name: 'VM-Login-Serv-${take('${appGroupIdentitiesId}', 6)}-${time}'
 scope: resourceGroup('${subscriptionId}', '${serviceObjectsRgName}')
 params: {
diff --git a/workload/bicep/modules/storageAzureFiles/.bicep/azureFilesDomainJoin.bicep b/workload/bicep/modules/storageAzureFiles/.bicep/azureFilesDomainJoin.bicep
deleted file mode 100644
index 094ebc09f..000000000
--- a/workload/bicep/modules/storageAzureFiles/.bicep/azureFilesDomainJoin.bicep
+++ /dev/null
@@ -1,48 +0,0 @@
-// ========== //
-// Parameters //
-// ========== //
-
-@sys.description('Extension deployment name.')
-param name string
-
-@sys.description('Location where to deploy compute services.')
-param location string
-
-@sys.description('Location for the AVD agent installation package.')
-param baseScriptUri string
-
-param file string
-
-@sys.description('Arguments for domain join script.')
-param scriptArguments string
-
-@secure()
-@sys.description('Domain join user password.')
-param domainJoinUserPassword string
-
-// =========== //
-// Variable declaration //
-// =========== //
-
-var varscriptArgumentsWithPassword = '${scriptArguments} -DomainAdminUserPassword ${domainJoinUserPassword} -verbose'
-
-// =========== //
-// Deployments //
-// =========== //
-
-// Add Azure Files to AD DS domain.
-resource dscStorageScript 'Microsoft.Compute/virtualMachines/extensions@2022-08-01' = {
- name: '${name}/AzureFilesDomainJoin'
- location: location
- properties: {
- publisher: 'Microsoft.Compute'
- type: 'CustomScriptExtension'
- typeHandlerVersion: '1.10'
- autoUpgradeMinorVersion: true
- settings: {}
- protectedSettings: {
- fileUris: array(baseScriptUri)
- commandToExecute: 'powershell -ExecutionPolicy Unrestricted -File ${file} ${varscriptArgumentsWithPassword}'
- }
- }
-}
diff --git a/workload/bicep/modules/storageAzureFiles/.bicep/ntfsPermissions.bicep b/workload/bicep/modules/storageAzureFiles/.bicep/ntfsPermissions.bicep
new file mode 100644
index 000000000..0518a899b
--- /dev/null
+++ b/workload/bicep/modules/storageAzureFiles/.bicep/ntfsPermissions.bicep
@@ -0,0 +1,53 @@
+// ========== //
+// Parameters //
+// ========== //
+
+param artifactsLocation string
+
+ // @secure()
+ // param _artifactsLocationSasToken string
+
+param commandToExecute string
+
+@sys.description('Name for management virtual machine. for tools and to join Azure Files to domain.')
+param managementVmName string
+
+@secure()
+@sys.description('Domain join user password.')
+param domainJoinUserPassword string
+
+@sys.description('Location where to deploy compute services.')
+param location string
+
+@sys.description('Do not modify, used to set unique value for resource deployment.')
+param time string = utcNow()
+
+// =========== //
+// Variable declaration //
+// =========== //
+
+var varCommandToExecute = '${commandToExecute} -DomainJoinPassword ${domainJoinUserPassword} -verbose'
+
+// =========== //
+// Deployments //
+// =========== //
+
+resource customScriptExtension 'Microsoft.Compute/virtualMachines/extensions@2020-12-01' = {
+ name: '${managementVmName}/CustomScriptExtension'
+ location: location
+ properties: {
+ publisher: 'Microsoft.Compute'
+ type: 'CustomScriptExtension'
+ typeHandlerVersion: '1.10'
+ autoUpgradeMinorVersion: true
+ settings: {
+ fileUris: [
+ '${artifactsLocation}/Set-NtfsPermissions.ps1'//${_artifactsLocationSasToken}'
+ ]
+ timestamp: time
+ }
+ protectedSettings: {
+ commandToExecute: varCommandToExecute
+ }
+ }
+}
diff --git a/workload/bicep/modules/storageAzureFiles/deploy.bicep b/workload/bicep/modules/storageAzureFiles/deploy.bicep
index 9974bc884..ae0005a95 100644
--- a/workload/bicep/modules/storageAzureFiles/deploy.bicep
+++ b/workload/bicep/modules/storageAzureFiles/deploy.bicep
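Review bot: `varCommandToExecute` appends the domain join password unquoted, `-DomainJoinPassword ${domainJoinUserPassword}`; a password containing spaces, quotes or `$` is split or expanded by PowerShell, and once on the VM the complete command line, password included, is visible to anyone who can list processes there, even though `protectedSettings` keeps it out of the deployment history. Quote it at minimum, `var varCommandToExecute = '${commandToExecute} -DomainJoinPassword "${domainJoinUserPassword}" -verbose'`, and consider handing it over in a form the script decodes rather than as a bare argument. The commented-out `_artifactsLocationSasToken` would land in `settings.fileUris`, which is not protected, if it is ever re-enabled; if a SAS is needed, move `fileUris` under `protectedSettings`. `artifactsLocation` and `commandToExecute` are the only parameters without a `@sys.description`, and the API version `2020-12-01` is older than the `2022-08-01` used by the `azureFilesDomainJoin.bicep` this file replaces, which looks like an unintended step back.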
@@ -16,6 +16,9 @@ param identityServiceProvider string
 @sys.description('Resource Group Name for management VM.')
 param serviceObjectsRgName string
+@sys.description('Optional, Identity name array to grant RBAC role to access AVD application group and NTFS permissions. (Default: "")')
+param securityPrincipalName string
+
 @sys.description('Storage account name.')
 param storageAccountName string
@@ -52,12 +55,6 @@ param fileShareQuotaSize int
 @sys.description('Use Azure private DNS zones for private endpoints.')
 param vnetPrivateDnsZoneFilesId string
-@sys.description('Script name for adding storage account to Active Directory.')
-param storageToDomainScript string
-
-@sys.description('URI for the script for adding the storage account to Active Directory.')
-param storageToDomainScriptUri string
-
 @sys.description('Tags to be applied to resources')
 param tags object
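Review bot: The description of the new `securityPrincipalName` parameter says "Identity name array" but the type is a single `string`, and later in this module the value is interpolated directly into the PowerShell command line for the NTFS permissions script, so the wording should state both the cardinality and that constraint. Suggested text: `@sys.description('Optional, display name of the single security group granted access to the AVD application group and NTFS permissions on the file share; it is passed verbatim to the NTFS permissions script and must not contain quotes. (Default: "")')`.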
@@ -79,27 +76,41 @@ param time string = utcNow()
 @sys.description('Sets purpose of the storage account.')
 param storagePurpose string
-//parameters for domain join
-@sys.description('Sets location of DSC Agent.')
-param dscAgentPackageLocation string
-
-@sys.description('Custom OU path for storage.')
-param storageCustomOuPath string
-
 @sys.description('OU Storage Path')
 param ouStgPath string
-@sys.description('If OU for Azure Storage needs to be created - set to true and ensure the domain join credentials have priviledge to create OU and create computer objects or join to domain.')
-param createOuForStorageString string
-
 @sys.description('Managed Identity Client ID')
 param managedIdentityClientId string
+@sys.description('Kerberos Encryption. Default is AES256.')
+param KerberosEncryption string
+
+@sys.description('Location of script. Default is located in workload/scripts')
+param artifactsLocation string
+
+ // @description('SAS Token to access script.')
+ // param _artifactsLocationSasToken string = ''
+
+@allowed([
+ 'AzureStorageAccount'
+ 'AzureNetappFiles'
+])
+@sys.description('Storage Solution.')
+param storageSolution string
+
+//borrar
+param storageCount int = 1
+
+param storageIndex int = 1
+//
+
+@sys.description('Netbios name, will be used to set NTFS file share permissions.')
+param netBios string
+
 // =========== //
 // Variable declaration //
 // =========== //
-var varAzureCloudName = environment().name
-var varStoragePurposeLower = toLower(storagePurpose)
+var varActiveDirectorySolution = (identityServiceProvider != 'AAD') ? 'ActiveDirectoryDomainServices': ''
 var varAvdFileShareLogsDiagnostic = [
 'allLogs'
 ]
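Review bot: `param KerberosEncryption string` is the only PascalCase parameter in this module and has no `@allowed` decorator, while `storageSolution` directly below it does; the script that receives the value validates it against AES256/RC4, so an unexpected value only fails late inside the VM extension instead of at template validation. Add `@allowed([ 'AES256' 'RC4' ])` above the declaration (a rename would break the caller, so keep the name for now). The `//borrar` block leaves `storageCount` and `storageIndex` in the module's public interface as scaffolding; if they must stay until the NetApp path is finished, replace the comment with a `@sys.description('Temporary, only a single storage account is supported.')` on each so callers know not to rely on them.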
@@ -107,8 +118,8 @@ var varAvdFileShareMetricsDiagnostic = [
 'Transaction'
 ]
 var varWrklStoragePrivateEndpointName = 'pe-${storageAccountName}-file'
-var vardirectoryServiceOptions = (identityServiceProvider == 'AADDS') ? 'AADDS': (identityServiceProvider == 'AAD') ? 'AADKERB': 'None'
-var varStorageToDomainScriptArgs = '-DscPath ${dscAgentPackageLocation} -StorageAccountName ${storageAccountName} -StorageAccountRG ${storageObjectsRgName} -StoragePurpose ${storagePurpose} -DomainName ${identityDomainName} -IdentityServiceProvider ${identityServiceProvider} -AzureCloudEnvironment ${varAzureCloudName} -SubscriptionId ${workloadSubsId} -DomainAdminUserName ${domainJoinUserName} -CustomOuPath ${storageCustomOuPath} -OUName ${ouStgPath} -CreateNewOU ${createOuForStorageString} -ShareName ${fileShareName} -ClientId ${managedIdentityClientId}'
+var varDirectoryServiceOptions = (identityServiceProvider == 'AADDS') ? 'AADDS' : (identityServiceProvider == 'AAD') ? 'AADKERB' : 'None'
+
 // =========== //
 // Deployments //
 // =========== //
@@ -131,11 +142,11 @@ module storageAndFile '../../../../carml/1.3.0/Microsoft.Storage/storageAccounts
 publicNetworkAccess: deployPrivateEndpoint ? 'Disabled' : 'Enabled'
 kind: ((storageSku =~ 'Premium_LRS') || (storageSku =~ 'Premium_ZRS')) ? 'FileStorage' : 'StorageV2'
 azureFilesIdentityBasedAuthentication: {
- directoryServiceOptions: vardirectoryServiceOptions
+ directoryServiceOptions: varDirectoryServiceOptions
 activeDirectoryProperties: (identityServiceProvider == 'AAD') ? {
 domainGuid: identityDomainGuid
 domainName: identityDomainName
- }: {}
+ } : {}
 }
 accessTier: 'Hot'
 networkAcls: deployPrivateEndpoint ? {
@@ -171,7 +182,7 @@ module storageAndFile '../../../../carml/1.3.0/Microsoft.Storage/storageAccounts
 privateDnsZoneGroup: {
 privateDNSResourceIds: [
 vnetPrivateDnsZoneFilesId
- ]
+ ]
 }
 }
 ] : []
@@ -187,21 +198,19 @@ module storageAndFile '../../../../carml/1.3.0/Microsoft.Storage/storageAccounts
 // scope: resourceGroup('${workloadSubsId}', '${serviceObjectsRgName}')
 //}
-// Custom Extension call in on the DSC script to join Azure storage account to domain.
-module addShareToDomainScript './.bicep/azureFilesDomainJoin.bicep' = {
- scope: resourceGroup('${workloadSubsId}', '${serviceObjectsRgName}')
- name: 'Add-${storagePurpose}-Storage-Setup-${time}'
+module ntfsPermissions '.bicep/ntfsPermissions.bicep' = if (contains(identityServiceProvider, 'ADDS')) {
+ name: 'Fslogix-Ntfs-Permissions-${time}'
+ scope: resourceGroup(workloadSubsId, serviceObjectsRgName)
 params: {
+ artifactsLocation: artifactsLocation
+ //_artifactsLocationSasToken: _artifactsLocationSasToken
+ commandToExecute: 'powershell -ExecutionPolicy Unrestricted -File Set-NtfsPermissions.ps1 -ClientId "${managedIdentityClientId}" -DomainJoinUserPrincipalName "${domainJoinUserName}" -ActiveDirectorySolution "${varActiveDirectorySolution}" -Environment "${environment().name}" -KerberosEncryptionType "${KerberosEncryption}" -StorageAccountFullName "${storageAccountName}" -FileShareName "${fileShareName}" -Netbios "${netBios}" -OuPath "${ouStgPath}" -SecurityPrincipalName "${securityPrincipalName}" -StorageAccountResourceGroupName "${storageObjectsRgName}" -StorageCount ${storageCount} -StorageIndex ${storageIndex} -StorageSolution "${storageSolution}" -StorageSuffix "${environment().suffixes.storage}" -SubscriptionId "${subscription().subscriptionId}" -TenantId "${subscription().tenantId}"'
 location: sessionHostLocation
- name: managementVmName
- file: storageToDomainScript
- scriptArguments: varStorageToDomainScriptArgs
 domainJoinUserPassword: avdWrklKeyVaultget.getSecret('domainJoinUserPassword')
- baseScriptUri: storageToDomainScriptUri
+ managementVmName: managementVmName
+ time: time
 }
- dependsOn: [
- storageAndFile
- ]
+ //...
 }
 // =========== //
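Review bot: The `ntfsPermissions` module call drops `dependsOn: [ storageAndFile ]` and leaves only `//...`, and none of its parameters reference a `storageAndFile` output (they use the `storageAccountName` parameter), so Bicep no longer orders the extension after the storage account and file share exist and the script can run against a share that is not there yet; restore `dependsOn: [ storageAndFile ]`. The deployment name `'Fslogix-Ntfs-Permissions-${time}'` no longer includes `storagePurpose`, unlike the `Add-${storagePurpose}-Storage-Setup-${time}` it replaces, so invoking this module for FSLogix and MSIX storage in the same run would produce two nested deployments with the same name in the same resource group, both writing the same `CustomScriptExtension` resource on the management VM. The command passes `-SecurityPrincipalName` while the new script declares `$SecurityPrincipalNames`; that only works through PowerShell's partial parameter-name matching, so spell it the same on both sides. `contains(identityServiceProvider, 'ADDS')` also matches `AADDS`; if that is intended, a short comment saying so would save the next reader the check.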
diff --git a/workload/bicep/parameters/deploy-baseline-parameters-example.json b/workload/bicep/parameters/deploy-baseline-parameters-example.json
index bdbe900ff..40b2aa900 100644
--- a/workload/bicep/parameters/deploy-baseline-parameters-example.json
+++ b/workload/bicep/parameters/deploy-baseline-parameters-example.json
@@ -35,15 +35,18 @@
 "createIntuneEnrollment": {
 "value": false
 },
- "avdApplicationGroupIdentitiesIds": {
+ "securityPrincipalId": {
 "value": ""
- },
- "avdApplicationGroupIdentityType": {
- "value": "Group"
- },
+ },
+ "securityPrincipalName": {
+ "value": ""
+ },
 "avdIdentityDomainName": {
 "value": "<>"
 },
+ "netBios": {
+ "value": ""
+ },
 "avdDomainJoinUserName": {
 "value": "none"
 },
@@ -182,9 +185,6 @@
 "storageOuPath": {
 "value": ""
 },
- "createOuForStorage": {
- "value": false
- },
 "createResourceTags": {
 "value": false
 },
@@ -208,6 +208,15 @@
 },
 "deployGpuPolicies": {
 "value": true
+ },
+ "fslogixStorageSolution": {
+ "value": "AzureStorageAccount"
+ },
+ "appAttachStorageSolution": {
+ "value": "AzureStorageAccount"
+ },
+ "kerberosEncryption": {
+ "value": "AES256"
 }
 }
 }
diff --git a/workload/docs/autoGenerated/deploy-baseline.bicep.md b/workload/docs/autoGenerated/deploy-baseline.bicep.md
index 427f287fb..0e48f0f30 100644
--- a/workload/docs/autoGenerated/deploy-baseline.bicep.md
+++ b/workload/docs/autoGenerated/deploy-baseline.bicep.md
@@ -17,7 +17,8 @@ avdVmLocalUserName | Yes | AVD session host local username. avdVmLocalUserPassword | Yes | AVD session host local password. avdIdentityServiceProvider | No | Required, The service providing domain services for Azure Virtual Desktop. (Default: ADDS) createIntuneEnrollment | No | Required, Eronll session hosts on Intune. (Default: false) -avdApplicationGroupIdentitiesIds | No | Optional, Identity ID array to grant RBAC role to access AVD application group. (Default: "") +securityPrincipalId | No | Optional, Identity ID to grant RBAC role to access AVD application group and NTFS permissions. (Default: "") +securityPrincipalName | No | Optional, Identity name to grant RBAC role to access AVD application group and NTFS permissions. (Default: "") avdApplicationGroupIdentityType | No | Optional, Identity type to grant RBAC role to access AVD application group. (Default: Group) avdIdentityDomainName | Yes | AD domain name. identityDomainGuid | No | AD domain GUID. (Default: "") @@ -207,11 +208,17 @@ Required, Eronll session hosts on Intune. (Default: false) - Default value: `False` -### avdApplicationGroupIdentitiesIds +### securityPrincipalId ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) -Optional, Identity ID array to grant RBAC role to access AVD application group. (Default: "") +Optional, Identity ID to grant RBAC role to access AVD application group and NTFS permissions. (Default: "") + +### securityPrincipalName + +![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square) + +Optional, Identity name to grant RBAC role to access AVD application group and NTFS permissions. (Default: "") ### avdApplicationGroupIdentityType 
@@ -1098,8 +1105,11 @@ Enable usage and telemetry feedback to Microsoft.
 "createIntuneEnrollment": {
 "value": false
 },
- "avdApplicationGroupIdentitiesIds": {
- "value": []
+ "securityPrincipalId": {
+ "value": ""
+ },
+ "securityPrincipalName": {
+ "value": ""
 },
 "avdApplicationGroupIdentityType": {
 "value": "Group"
diff --git a/workload/portal-ui/portal-ui-baseline.json b/workload/portal-ui/portal-ui-baseline.json
index d54635a9f..38fa8e11f 100644
--- a/workload/portal-ui/portal-ui-baseline.json
+++ b/workload/portal-ui/portal-ui-baseline.json
@@ -199,33 +199,41 @@
 }
 },
 {
- "name": "identityAvdUserAccessGroupsDropDown",
+ "name": "identityAvdUserAccessGroupDropDown",
 "type": "Microsoft.Common.DropDown",
- "visible": "[not(steps('identity').identityAvdAccess.identityAvdUserAccessGroupsCheckBox)]",
- "label": "Groups",
+ "visible": "[not(steps('identity').identityAvdAccess.identityAvdUserAccessGroupCheckBox)]",
+ "label": "Group",
 "defaultValue": "",
 "filter": true,
- "toolTip": "Select the desired group(s) to give access to Azure Virtual Desktop resources and if applicable to FSLogix file share.",
- "multiselect": true,
+ "toolTip": "Select the desired group to give access to Azure Virtual Desktop resources and if applicable to FSLogix file share.",
+ "multiselect": false,
 "constraints": {
 "allowedValues": "[map(steps('identity').identityAvdAccess.groupsApi.value, (item) => parse(concat('{\"label\":\"', item.displayName, '\",\"value\": {\"name\":\"', item.displayName, '\",\"id\":\"', item.id, '\"}}')))]"
 }
 },
 {
- "name": "identityAvdUserAccessGroupsCheckBox",
+ "name": "identityAvdUserAccessGroupCheckBox",
 "type": "Microsoft.Common.CheckBox",
 "visible": true,
- "label": "Provide groups IDs instead",
+ "label": "Provide group details",
 "defaultValue": false,
- "toolTip": "When the desired groups are not listed in the drop down, selecting this box will allow for entering the group's ObjectIDs."
+ "toolTip": "When the desired group is not listed in the drop down, selecting this box will allow for entering the group's ObjectID and name. this information will be used to setup AVD access and FSLogix's file share NTFS permissions."
+ },
+ {
+ "name": "identityAvdUserAccessGroupTextBox1",
+ "type": "Microsoft.Common.TextBox",
+ "visible": "[steps('identity').identityAvdAccess.identityAvdUserAccessGroupCheckBox]",
+ "label": "Name",
+ "toolTip": "Group name to be granted access to Azure Virtual Desktop published items and FSLogix NTFS permissions.",
+ "placeholder": "Example: AVD-users"
 },
 {
- "name": "identityAvdUserAccessGroupsTextBox",
+ "name": "identityAvdUserAccessGroupTextBox2",
 "type": "Microsoft.Common.TextBox",
- "visible": "[steps('identity').identityAvdAccess.identityAvdUserAccessGroupsCheckBox]",
- "label": "ObjectIDs",
- "toolTip": "Comma separated list of security groups (ObjectIDs) to be granted access to Azure Virtual Desktop published items and to create sessions on VMs and single sign-on (SSO) when using AAD as identity provider.",
- "placeholder": "Example: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX,XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
+ "visible": "[steps('identity').identityAvdAccess.identityAvdUserAccessGroupCheckBox]",
+ "label": "Object ID",
+ "toolTip": "Group objectID to be granted access to Azure Virtual Desktop published items and FSLogix NTFS permissions.",
+ "placeholder": "Example: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
 }
 ]
 },
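Review bot: Neither new text box carries a `constraints` block, so a malformed object id or a group name containing quotes is accepted by the UI and flows unchanged into the role-assignment principalId and into the PowerShell command line built for the NTFS permissions script, where it fails at deployment time or breaks argument parsing. Add `required`, `regex` and `validationMessage` constraints to both, for example a GUID pattern for the object id and a pattern that excludes `"`, `'`, `$` and backticks for the name (the patterns below are constructed suggestions to adjust to the naming rules you allow). The names `identityAvdUserAccessGroupTextBox1`/`2` also say nothing about which holds the name and which the id; `…GroupNameTextBox` and `…GroupObjectIdTextBox` would read better, with the outputs section updated to match.
```json
"name": "identityAvdUserAccessGroupTextBox1",
"constraints": {
  "required": true,
  "regex": "^[^\"'$`]{1,256}$",
  "validationMessage": "Enter the group display name without quote, $ or backtick characters."
},
"name": "identityAvdUserAccessGroupTextBox2",
"constraints": {
  "required": true,
  "regex": "^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$",
  "validationMessage": "Enter the group's object ID as a GUID."
},
```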
@@ -2365,8 +2373,8 @@
 "opsTeamTag": "[if(equals(steps('resourceTagging').resourceTaggingSelection, true), steps('resourceTagging').resourceTags.tagsOpsTeamTag, 'no')]",
 "ownerTag": "[if(equals(steps('resourceTagging').resourceTaggingSelection, true), steps('resourceTagging').resourceTags.tagsOwnerTag, 'no')]",
 "costCenterTag": "[if(equals(steps('resourceTagging').resourceTaggingSelection, true), steps('resourceTagging').resourceTags.tagsCostCenterTag, 'no')]",
- "avdApplicationGroupIdentitiesIds": "[if(equals(steps('identity').identityAvdAccess.identityAvdUserAccessGroupsCheckBox, true), split(steps('identity').identityAvdAccess.identityAvdUserAccessGroupsTextBox, ','), map(steps('identity').identityAvdAccess.identityAvdUserAccessGroupsDropDown, (item) => item.id))]",
- "avdDeployMonitoring": "[steps('monitoring').deployMonitoring]",
+ "avdApplicationGroupIdentityId": "[if(equals(steps('identity').identityAvdAccess.identityAvdUserAccessGroupCheckBox, true), steps('identity').identityAvdAccess.identityAvdUserAccessGroupTextBox2, steps('identity').identityAvdAccess.identityAvdUserAccessGroupDropDown.id)]",
+ "avdApplicationGroupIdentityName": "[if(equals(steps('identity').identityAvdAccess.identityAvdUserAccessGroupCheckBox, true), steps('identity').identityAvdAccess.identityAvdUserAccessGroupTextBox1, steps('identity').identityAvdAccess.identityAvdUserAccessGroupDropDown.name)]", "avdDeployMonitoring": "[steps('monitoring').deployMonitoring]",
 "deployAlaWorkspace": "[if(equals(steps('monitoring').deployMonitoring, true), steps('monitoring').deployMonitoringAlaWorkspace, false)]",
 "avdAlaWorkspaceDataRetention": "[if(equals(steps('monitoring').deployMonitoringAlaWorkspace, true), steps('monitoring').deployMonitoringNewAlaWorkspaceRetention, 0)]",
 "alaExistingWorkspaceResourceId": "[if(equals(steps('monitoring').deployMonitoringAlaWorkspace, false), steps('monitoring').alaWorkspaceExistingWorkspacesSelection.id, 'no')]",
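Review bot: The outputs added here are named `avdApplicationGroupIdentityId` and `avdApplicationGroupIdentityName`, but the template parameters they must feed are `securityPrincipalId` and `securityPrincipalName` (see the parameters example and generated docs in this commit); ARM rejects deployments that pass parameters the template does not declare, so a portal deployment would fail on these two keys, and even if it did not, the real parameters would stay at their empty defaults. Rename the keys, e.g. `"securityPrincipalId": "[if(equals(steps('identity').identityAvdAccess.identityAvdUserAccessGroupCheckBox, true), steps('identity').identityAvdAccess.identityAvdUserAccessGroupTextBox2, steps('identity').identityAvdAccess.identityAvdUserAccessGroupDropDown.id)]"` and likewise for the name. The added name line also has `"avdDeployMonitoring": …` appended on the same physical line; keep one property per line. The new `netBios` template parameter has no counterpart in this outputs block, so portal deployments would hand the NTFS script an empty `-Netbios` value unless it is derived somewhere outside the hunk.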
diff --git a/workload/scripts/DSCStorageScripts-v1.zip b/workload/scripts/DSCStorageScripts-v1.zip
new file mode 100644
index 000000000..060f38b2f
Binary files /dev/null and b/workload/scripts/DSCStorageScripts-v1.zip differ
diff --git a/workload/scripts/DSCStorageScripts-v2.zip b/workload/scripts/DSCStorageScripts-v2.zip
new file mode 100644
index 000000000..38b8b3c14
Binary files /dev/null and b/workload/scripts/DSCStorageScripts-v2.zip differ
diff --git a/workload/scripts/DSCStorageScripts.zip b/workload/scripts/DSCStorageScripts.zip
index ee50a9067..a02aca446 100644
Binary files a/workload/scripts/DSCStorageScripts.zip and b/workload/scripts/DSCStorageScripts.zip differ
diff --git a/workload/scripts/DSCStorageScripts/Configuration.ps1 b/workload/scripts/DSCStorageScripts/Configuration.ps1
index 3b019318e..84d7f4c05 100644
--- a/workload/scripts/DSCStorageScripts/Configuration.ps1
+++ b/workload/scripts/DSCStorageScripts/Configuration.ps1
@@ -20,6 +20,10 @@ param
 [ValidateNotNullOrEmpty()]
 [string] $ShareName,
+ [Parameter(Mandatory = $false)]
+ [ValidateNotNullOrEmpty()]
+ [string]$SecurityPrincipalName,
+
 [Parameter(Mandatory = $true)]
 [ValidateNotNullOrEmpty()]
 [string] $DomainName,
@@ -82,6 +86,10 @@ Configuration DomainJoinFileShare
 [ValidateNotNullOrEmpty()]
 [string] $ShareName,
+ [Parameter(Mandatory = $true)]
+ [ValidateNotNullOrEmpty()]
+ [string]$SecurityPrincipalName,
+
 [Parameter(Mandatory = $true)]
 [ValidateNotNullOrEmpty()]
 [string] $DomainName,
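Review bot: `$SecurityPrincipalName` is declared `Mandatory = $false` with `[ValidateNotNullOrEmpty()]` in the script's param block but `Mandatory = $true` inside the `DomainJoinFileShare` configuration, and the compile call at the end of this file passes `-SecurityPrincipalName $SecurityPrincipalName` unconditionally, so running the script without a value fails validation on an empty string instead of behaving as optional. The same optional-plus-`ValidateNotNullOrEmpty` combination is added to script-domainjoinstorage.ps1 and Manual-DSC-Storage-Scripts.ps1 in this commit. Since the new NTFS code uses the name unconditionally, the simplest consistent fix is `[Parameter(Mandatory = $true)]` in all three param blocks; otherwise drop the validator and only append the argument when the value is non-empty.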
@@ -208,4 +216,4 @@ $config = @{
 )
 }
-DomainJoinFileShare -ConfigurationData $config -StorageAccountName $StorageAccountName -StorageAccountRG $StorageAccountRG -SubscriptionId $SubscriptionId -ShareName $ShareName -DomainName $DomainName -IdentityServiceProvider $IdentityServiceProvider -AzureCloudEnvironment $AzureCloudEnvironment -CustomOuPath $CustomOuPath -OUName $OUName -CreateNewOU $CreateNewOU -DomainAdminUserName $DomainAdminUserName -DomainAdminUserPassword $DomainAdminUserPassword -ClientId $ClientId -StoragePurpose $StoragePurpose -Verbose;
\ No newline at end of file
+DomainJoinFileShare -ConfigurationData $config -StorageAccountName $StorageAccountName -StorageAccountRG $StorageAccountRG -SubscriptionId $SubscriptionId -ShareName $ShareName -DomainName $DomainName -IdentityServiceProvider $IdentityServiceProvider -AzureCloudEnvironment $AzureCloudEnvironment -CustomOuPath $CustomOuPath -OUName $OUName -CreateNewOU $CreateNewOU -DomainAdminUserName $DomainAdminUserName -DomainAdminUserPassword $DomainAdminUserPassword -ClientId $ClientId -SecurityPrincipalName $SecurityPrincipalName -StoragePurpose $StoragePurpose -Verbose;
\ No newline at end of file
diff --git a/workload/scripts/DSCStorageScripts/script-domainjoinstorage.ps1 b/workload/scripts/DSCStorageScripts/script-domainjoinstorage.ps1
index 7a367f682..7312562e1 100644
--- a/workload/scripts/DSCStorageScripts/script-domainjoinstorage.ps1
+++ b/workload/scripts/DSCStorageScripts/script-domainjoinstorage.ps1
@@ -14,6 +14,10 @@ param(
 [ValidateNotNullOrEmpty()]
 [string] $StorageAccountRG,
+ [Parameter(Mandatory = $false)]
+ [ValidateNotNullOrEmpty()]
+ [string]$SecurityPrincipalName,
+
 [Parameter(Mandatory = $true)]
 [ValidateNotNullOrEmpty()]
 [string] $ClientId,
@@ -168,7 +172,7 @@ Try {
 Write-Log "Storage key: $StorageKey"
 Write-Log "File Share location: $FileShareLocation"
 net use ${DriveLetter}: $FileShareLocation $UserStorage $StorageKey.Value
- #New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $FileShareLocation -Persist
+ #New-PSDrive -Name $DriveLetter -PSProvider 'FileSystem' -Root $FileShareLocation -Persist #-Credential $Credential
 } else {
 Write-Log "Drive $DriveLetter already mounted."
@@ -181,10 +185,29 @@ Catch {
 }
 Try {
- Write-Log "setting up NTFS permission for FSLogix"
- $Commands = "icacls ${DriveLetter}: /remove ('BUILTIN\Administrators')"
- Invoke-Expression -Command $Commands
- Write-Log "ACLs set"
+ Write-Log "setting up general NTFS permission"
+
+ $acl = get-acl -path "${DriveLetter}:"
+ $creatorowner = new-object system.security.principal.ntaccount ("creator owner")
+ $acl.purgeaccessrules($creatorowner)
+ $administrator = new-object system.security.principal.ntaccount ("BUILTIN\Administrators")
+ $acl.purgeaccessrules($administrator)
+ $authenticatedusers = new-object system.security.principal.ntaccount ("authenticated users")
+ $acl.purgeaccessrules($authenticatedusers)
+ $users = new-object system.security.principal.ntaccount ("users")
+ $acl.purgeaccessrules($users)
+ $creatorowner = new-object system.security.accesscontrol.filesystemaccessrule("creator owner","modify","containerinherit,objectinherit","inheritonly","allow")
+ $acl.addaccessrule($creatorowner)
+ # AVD group permissions
+ $Group = 'd2lsolutions.com' + '\' + $SecurityPrincipalName
+ Write-Log -Message "Group for NTFS Permissions = $Group" -Type 'INFO'
+ $domainGroup = new-object system.security.accesscontrol.filesystemaccessrule("$group","modify","none","none","allow")
+ $acl.addaccessrule($domainGroup)
+ $acl | set-acl -path "${DriveLetter}:"
+ # Unmount file share
+ Remove-PSDrive -Name $DriveLetter -PSProvider 'FileSystem' -Force
+ Start-Sleep -Seconds 5
+ Write-Log -Message "Unmounting the Azure file share, $FileShareLocation, succeeded" -Type 'INFO'
 }
 Catch {
 Write-Log -Err "Error while setting up NTFS permission for FSLogix"
diff --git a/workload/scripts/Manual-DSC-Storage-Scripts.ps1 b/workload/scripts/Manual-DSC-Storage-Scripts.ps1
index cb43c9443..c372144e1 100644
--- a/workload/scripts/Manual-DSC-Storage-Scripts.ps1
+++ b/workload/scripts/Manual-DSC-Storage-Scripts.ps1
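Review bot: `$Group = 'd2lsolutions.com' + '\' + $SecurityPrincipalName` hard-codes what looks like a development domain, so in any other environment the NTFS rule is built for a principal that does not exist and `set-acl` fails (or, should such a name happen to resolve, grants the wrong identity); build it from the domain value the script is given rather than a literal, e.g. `$Group = $DomainName + '\' + $SecurityPrincipalName`, using the `$DomainName` that Configuration.ps1 already carries or the new `-Netbios` value introduced for exactly this purpose. `Remove-PSDrive -Name $DriveLetter -PSProvider 'FileSystem' -Force` targets a drive that was mapped with `net use` a few lines earlier (`New-PSDrive` is commented out), so the unmount is likely to throw after the ACL has already been applied, and the catch then logs a misleading "Error while setting up NTFS permission"; use `net use ${DriveLetter}: /delete /y` or do the mapping and removal with the same tool. The new `Write-Log -Message … -Type 'INFO'` calls use a different signature from the positional `Write-Log "…"` and `Write-Log -Err` forms elsewhere in this file; confirm this script's Write-Log accepts `-Message`/`-Type`. The surrounding Try block starts outside the hunk.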
@@ -18,6 +18,10 @@ param (
 [Parameter(Mandatory = $true)]
 [ValidateNotNullOrEmpty()]
 [string] $ClientId,
+
+ [Parameter(Mandatory = $false)]
+ [ValidateNotNullOrEmpty()]
+ [String]$SecurityPrincipalName,
 [Parameter(Mandatory = $true)]
 [ValidateNotNullOrEmpty()]
@@ -81,7 +85,7 @@ Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
 Install-Module 'PSDscResources' -Force
-$DscCompileCommand="./Configuration.ps1 -StorageAccountName " + $StorageAccountName + " -StorageAccountRG " + $StorageAccountRG+ " -StoragePurpose " + $StoragePurpose +" -ShareName " + $ShareName + " -SubscriptionId " + $SubscriptionId + " -ClientId " + $ClientId +" -DomainName " + $DomainName + " -IdentityServiceProvider " + $IdentityServiceProvider + " -AzureCloudEnvironment " + $AzureCloudEnvironment + " -CustomOuPath " + $CustomOuPath + " -OUName """ + $OUName + """ -CreateNewOU " + $CreateNewOU + " -DomainAdminUserName " + $DomainAdminUserName + " -DomainAdminUserPassword " + $DomainAdminUserPassword + " -Verbose"
+$DscCompileCommand="./Configuration.ps1 -StorageAccountName " + $StorageAccountName + " -StorageAccountRG " + $StorageAccountRG+ " -StoragePurpose " + $StoragePurpose +" -ShareName " + $ShareName + " -SubscriptionId " + $SubscriptionId + " -ClientId " + $ClientId + " -SecurityPrincipalName " + $SecurityPrincipalName + " -DomainName " + $DomainName + " -IdentityServiceProvider " + $IdentityServiceProvider + " -AzureCloudEnvironment " + $AzureCloudEnvironment + " -CustomOuPath " + $CustomOuPath + " -OUName """ + $OUName + """ -CreateNewOU " + $CreateNewOU + " -DomainAdminUserName " + $DomainAdminUserName + " -DomainAdminUserPassword " + $DomainAdminUserPassword + " -Verbose"
 Write-Host "Executing the commmand $DscCompileCommand"
 Invoke-Expression -Command $DscCompileCommand
diff --git a/workload/scripts/Set-NtfsPermissions.ps1 b/workload/scripts/Set-NtfsPermissions.ps1
new file mode 100644
index 000000000..aaa163d7e
--- /dev/null
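Review bot: The new `" -SecurityPrincipalName " + $SecurityPrincipalName` fragment is concatenated unquoted into a command string that `Invoke-Expression` then evaluates, so a group name containing a space splits into extra tokens and any value containing PowerShell metacharacters changes the command instead of being passed as data; `$OUName` on the same line is at least wrapped in `"""`, so do the same here: `" -SecurityPrincipalName """ + $SecurityPrincipalName + """"`. The safer fix for the whole line is to build a hashtable of the parameters and call `& ./Configuration.ps1 @dscParams`, which removes `Invoke-Expression` and the string assembly of `$DomainAdminUserPassword` along with it. Note that the `Write-Host` that follows prints the assembled command, password included, to the console and any transcript, so the splatting change also fixes that leak.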
+++ b/workload/scripts/Set-NtfsPermissions.ps1 
@@ -0,0 +1,309 @@ +param +( + [Parameter(Mandatory)] + [String]$ClientId, + + [Parameter(Mandatory=$false)] + [String]$DomainAccountType = "ComputerAccount", + + [Parameter(Mandatory)] + [String]$DomainJoinPassword, + + [Parameter(Mandatory)] + [String]$DomainJoinUserPrincipalName, + + [Parameter(Mandatory=$false)] + [String]$ActiveDirectorySolution, + + [Parameter(Mandatory=$false)] + [String]$Environment, + + [Parameter(Mandatory=$false)] + [ValidateSet("AES256","RC4")] + [String]$KerberosEncryptionType, + + [Parameter(Mandatory=$false)] + [String]$StorageAccountFullName, + + [Parameter(Mandatory=$false)] + [String]$FileShareName, + + [Parameter(Mandatory=$false)] + [String]$Netbios, + + [Parameter(Mandatory=$false)] + [String]$OuPath, + + [Parameter(Mandatory)] + [String]$SecurityPrincipalNames, + + [Parameter(Mandatory=$false)] + [String]$SmbServerLocation, + + [Parameter(Mandatory=$false)] + [String]$StorageAccountResourceGroupName, + + [Parameter(Mandatory=$false)] + [Int]$StorageCount, + + [Parameter(Mandatory=$false)] + [Int]$StorageIndex, + + [Parameter(Mandatory)] + [String]$StorageSolution, + + [Parameter(Mandatory=$false)] + [String]$StorageSuffix, + + [Parameter(Mandatory=$false)] + [String]$SubscriptionId, + + [Parameter(Mandatory=$false)] + [String]$TenantId + ) + +function Write-Log +{ + param( + [parameter(Mandatory)] + [string]$Message, + + [parameter(Mandatory)] + [string]$Type + ) + $Path = 'C:\cse.txt' + if(!(Test-Path -Path $Path)) + { + New-Item -Path C:\ -Name cse.txt | Out-Null + } + $Timestamp = Get-Date -Format 'MM/dd/yyyy HH:mm:ss.ff' + $Entry = '[' + $Timestamp + '] [' + $Type + '] ' + $Message + $Entry | Out-File -FilePath $Path -Append +} + +$ErrorActionPreference = 'Stop' + +try +{ + ############################################################## + # Install Prerequisites + ############################################################## + # Install Active Directory PowerShell module + if($StorageSolution -eq 'AzureNetAppFiles' -or 
($StorageSolution -eq 'AzureStorageAccount' -and $ActiveDirectorySolution -eq 'ActiveDirectoryDomainServices')) + { + $RsatInstalled = (Get-WindowsFeature -Name 'RSAT-AD-PowerShell').Installed + if(!$RsatInstalled) + { + Install-WindowsFeature -Name 'RSAT-AD-PowerShell' + Write-Log -Message "Installation of the AD module succeeded" -Type 'INFO' + } + else + { + Write-Log -Message "AD module already exists" -Type 'INFO' + } + } + + if($StorageSolution -eq 'AzureStorageAccount') + { + # Install latest NuGet Provider; recommended for PowerShellGet + $NuGet = Get-PackageProvider | Where-Object {$_.Name -eq 'NuGet'} + if(!$NuGet) + { + Install-PackageProvider -Name 'NuGet' -Force + Write-Log -Message "Installed the NuGet Package Provider" -Type 'INFO' + } + else + { + Write-Log -Message "NuGet Package Provider already exists" -Type 'INFO' + } + + # Install required Az.Storage module + $AzStorageModule = Get-Module -ListAvailable | Where-Object {$_.Name -eq 'Az.Storage'} + if(!$AzStorageModule) + { + Install-Module -Name 'Az.Storage' -Repository 'PSGallery' -RequiredVersion '5.5.0' -Force + Write-Log -Message "Installed the Az.Storage module" -Type 'INFO' + } + else + { + Write-Log -Message "Az.Storage module already exists" -Type 'INFO' + } + } + + + ############################################################## + # Variables + ############################################################## + # Convert Security Principal Names from a JSON array to a PowerShell array + #[array]$SecurityPrincipalNames = $SecurityPrincipalNames.Replace("'",'"') | ConvertFrom-Json + Write-Log -Message "Security Principal Names:" -Type 'INFO' + $SecurityPrincipalNames | Add-Content -Path 'C:\cse.txt' -Force + + #Set share name + $Share = $Filesharename + + if($StorageSolution -eq 'AzureNetAppFiles' -or ($StorageSolution -eq 'AzureStorageAccount' -and $ActiveDirectorySolution -eq 'ActiveDirectoryDomainServices')) + { + # Create Domain credential + $DomainUsername = $DomainJoinUserPrincipalName 
+ $DomainPassword = ConvertTo-SecureString -String $DomainJoinPassword -AsPlainText -Force + [pscredential]$DomainCredential = New-Object System.Management.Automation.PSCredential ($DomainUsername, $DomainPassword) + + # Get Domain information + $Domain = Get-ADDomain -Credential $DomainCredential -Current 'LocalComputer' + Write-Log -Message "Domain information collection succeeded" -Type 'INFO' + } + + if($StorageSolution -eq 'AzureStorageAccount') + { + $FilesSuffix = '.file.' + $StorageSuffix + Write-Log -Message "Azure Files Suffix = $FilesSuffix" -Type 'INFO' + } + + + ############################################################## + # Process Storage Resources + ############################################################## + for($i = 0; $i -lt $StorageCount; $i++) + { + # Determine Principal for assignment + $SecurityPrincipalName = $SecurityPrincipalNames + $Group = $Netbios + '\' + $SecurityPrincipalName + Write-Log -Message "Group for NTFS Permissions = $Group" -Type 'INFO' + + # Get storage resource details + switch($StorageSolution) + { + 'AzureNetAppFiles' { + $Credential = $DomainCredential + $SmbServerName = (Get-ADComputer -Filter "Name -like 'anf-$SmbServerLocation*'" -Credential $DomainCredential).Name + $FileServer = '\\' + $SmbServerName + '.' 
+ $Domain.DNSRoot + } + 'AzureStorageAccount' { + $StorageAccountName = $StorageAccountFullName + $FileServer = '\\' + $StorageAccountName + $FilesSuffix + + # Connects to Azure using a User Assigned Managed Identity + Connect-AzAccount -Identity -AccountId $ClientId -Environment $Environment -Tenant $TenantId -Subscription $SubscriptionId + Write-Log -Message "Authenticated to Azure" -Type 'INFO' + + # Get the storage account key + $StorageKey = (Get-AzStorageAccountKey -ResourceGroupName $StorageAccountResourceGroupName -Name $StorageAccountName)[0].Value + Write-Log -Message "The GET operation for the Storage Account key on $StorageAccountName succeeded" -Type 'INFO' + + # Create credential for accessing the storage account + $StorageUsername = 'Azure\' + $StorageAccountName + $StoragePassword = ConvertTo-SecureString -String "$($StorageKey)" -AsPlainText -Force + [pscredential]$StorageKeyCredential = New-Object System.Management.Automation.PSCredential ($StorageUsername, $StoragePassword) + $Credential = $StorageKeyCredential + + if($ActiveDirectorySolution -eq 'ActiveDirectoryDomainServices') + { + # Get / create kerberos key for Azure Storage Account + $KerberosKey = (Get-AzStorageAccountKey -ResourceGroupName $StorageAccountResourceGroupName -Name $StorageAccountName -ListKerbKey | Where-Object {$_.Keyname -contains 'kerb1'}).Value + if(!$KerberosKey) + { + New-AzStorageAccountKey -ResourceGroupName $StorageAccountResourceGroupName -Name $StorageAccountName -KeyName kerb1 + $Key = (Get-AzStorageAccountKey -ResourceGroupName $StorageAccountResourceGroupName -Name $StorageAccountName -ListKerbKey | Where-Object {$_.Keyname -contains 'kerb1'}).Value + Write-Log -Message "Kerberos Key creation on Storage Account, $StorageAccountName, succeeded." -Type 'INFO' + } + else + { + $Key = $KerberosKey + Write-Log -Message "Acquired Kerberos Key from Storage Account, $StorageAccountName." 
-Type 'INFO' + } + + # Creates a password for the Azure Storage Account in AD using the Kerberos key + $ComputerPassword = ConvertTo-SecureString -String $Key.Replace("'","") -AsPlainText -Force + Write-Log -Message "Secure string conversion succeeded" -Type 'INFO' + + # Create the SPN value for the Azure Storage Account; attribute for computer object in AD + $SPN = 'cifs/' + $StorageAccountName + $FilesSuffix + + # Create the Description value for the Azure Storage Account; attribute for computer object in AD + $Description = "Computer account object for Azure storage account $($StorageAccountName)." + + # Create the AD computer object for the Azure Storage Account + $Computer = Get-ADComputer -Credential $DomainCredential -Filter {Name -eq $StorageAccountName} + if($Computer) + { + Remove-ADComputer -Credential $DomainCredential -Identity $StorageAccountName -Confirm:$false + } + $ComputerObject = New-ADComputer -Credential $DomainCredential -Name $StorageAccountName -Path $OuPath -ServicePrincipalNames $SPN -AccountPassword $ComputerPassword -Description $Description -PassThru + Write-Log -Message "Computer object creation succeeded" -Type 'INFO' + + # Update the Azure Storage Account with the domain join 'INFO' + $SamAccountName = switch($KerberosEncryptionType) + { + 'AES256' {$StorageAccountName} + 'RC4' {$ComputerObject.SamAccountName} + } + + Set-AzStorageAccount ` + -ResourceGroupName $StorageAccountResourceGroupName ` + -Name $StorageAccountName ` + -EnableActiveDirectoryDomainServicesForFile $true ` + -ActiveDirectoryDomainName $Domain.DNSRoot ` + -ActiveDirectoryNetBiosDomainName $Domain.NetBIOSName ` + -ActiveDirectoryForestName $Domain.Forest ` + -ActiveDirectoryDomainGuid $Domain.ObjectGUID ` + -ActiveDirectoryDomainsid $Domain.DomainSID ` + -ActiveDirectoryAzureStorageSid $ComputerObject.SID.Value ` + -ActiveDirectorySamAccountName $SamAccountName ` + -ActiveDirectoryAccountType 'Computer' + Write-Log -Message "Storage Account update with domain 
join info succeeded" -Type 'INFO' + + # Enable AES256 encryption if selected + if($KerberosEncryptionType -eq 'AES256') + { + # Set the Kerberos encryption on the computer object + $DistinguishedName = 'CN=' + $StorageAccountName + ',' + $OuPath + Set-ADComputer -Credential $DomainCredential -Identity $DistinguishedName -KerberosEncryptionType 'AES256' + Write-Log -Message "Setting Kerberos AES256 Encryption on the computer object succeeded" -Type 'INFO' + + # Reset the Kerberos key on the Storage Account + New-AzStorageAccountKey -ResourceGroupName $StorageAccountResourceGroupName -Name $StorageAccountName -KeyName kerb1 + $Key = (Get-AzStorageAccountKey -ResourceGroupName $StorageAccountResourceGroupName -Name $StorageAccountName -ListKerbKey | Where-Object {$_.Keyname -contains 'kerb1'}).Value + Write-Log -Message "Resetting the Kerberos key on the Storage Account succeeded" -Type 'INFO' + + # Update the password on the computer object with the new Kerberos key on the Storage Account + $NewPassword = ConvertTo-SecureString -String $Key -AsPlainText -Force + Set-ADAccountPassword -Credential $DomainCredential -Identity $DistinguishedName -Reset -NewPassword $NewPassword + Write-Log -Message "Setting the new Kerberos key on the Computer Object succeeded" -Type 'INFO' + } + } + Disconnect-AzAccount + Write-Log -Message "Disconnection to Azure succeeded" -Type 'INFO' + } + } + # Mount file share + $FileShare = $FileServer + '\' + $Share + New-PSDrive -Name 'Z' -PSProvider 'FileSystem' -Root $FileShare -Credential $Credential + Write-Log -Message "Mounting the Azure file share, $FileShare, succeeded" -Type 'INFO' + + # Set recommended NTFS permissions on the file share + $ACL = Get-Acl -Path 'Z:' + $CreatorOwner = New-Object System.Security.Principal.Ntaccount ("Creator Owner") + $ACL.PurgeAccessRules($CreatorOwner) + $AuthenticatedUsers = New-Object System.Security.Principal.Ntaccount ("Authenticated Users") + $ACL.PurgeAccessRules($AuthenticatedUsers) + $Users = 
New-Object System.Security.Principal.Ntaccount ("Users") + $ACL.PurgeAccessRules($Users) + $DomainUsers = New-Object System.Security.AccessControl.FileSystemAccessRule("$Group","Modify","None","None","Allow") + $ACL.SetAccessRule($DomainUsers) + $CreatorOwner = New-Object System.Security.AccessControl.FileSystemAccessRule("Creator Owner","Modify","ContainerInherit,ObjectInherit","InheritOnly","Allow") + $ACL.AddAccessRule($CreatorOwner) + $ACL | Set-Acl -Path 'Z:' + Write-Log -Message "Setting the NTFS permissions on the Azure file share succeeded" -Type 'INFO' + + # Unmount file share + Remove-PSDrive -Name 'Z' -PSProvider 'FileSystem' -Force + Write-Log -Message "Unmounting the Azure file share, $FileShare, succeeded" -Type 'INFO' + } +} +catch { + Write-Log -Message $_ -Type 'ERROR' + $ErrorData = $_ | Select-Object * + $ErrorData | Out-File -FilePath 'C:\cse.txt' -Append + throw +} \ No newline at end of file
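Review bot: `$KerberosEncryptionType` is declared optional with no default, yet the `switch` that computes `$SamAccountName` and the later `if($KerberosEncryptionType -eq 'AES256')` block both assume one of the two `ValidateSet` values; when the caller omits it, `$SamAccountName` is `$null` when handed to `Set-AzStorageAccount -ActiveDirectorySamAccountName`, and the `Set-ADComputer ... -KerberosEncryptionType 'AES256'` hardening plus the follow-up key reset are silently skipped, leaving the computer object at whatever encryption types the domain assigns by default. Declaring `[String]$KerberosEncryptionType = 'AES256'` in the param block makes the stronger cipher the path taken unless RC4 is explicitly requested. Separately, `Remove-ADComputer -Credential $DomainCredential -Identity $StorageAccountName -Confirm:$false` deletes whatever computer object already carries the storage account's name before recreating it, and nothing verifies that the existing object belongs to this storage account; a `Write-Log` line naming the object being removed, or a check of its `Description`/`ServicePrincipalNames` before deletion, would make an unintended removal visible in `C:\cse.txt`. A short header comment stating that the script expects to run as a custom script extension on a domain-joined host and what it writes to `C:\cse.txt` would also help, since the log path is hard-coded in three places.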