Azure · danycontre · Aug 14, 2023 · Aug 15, 2023 · Aug 16, 2023 · Aug 16, 2023
diff --git a/workload/arm/deploy-baseline.json b/workload/arm/deploy-baseline.json
diff --git a/workload/bicep/deploy-baseline.bicep b/workload/bicep/deploy-baseline.bicep
@@ -55,20 +55,18 @@ param avdIdentityServiceProvider string = 'ADDS'
 @sys.description('Required, Eronll session hosts on Intune. (Default: false)')
 param createIntuneEnrollment bool = false
 
-@sys.description('Optional, Identity ID array to grant RBAC role to access AVD application group. (Default: "")')
-param avdApplicationGroupIdentitiesIds array = []
+@sys.description('Optional, Identity ID to grant RBAC role to access AVD application group and NTFS permissions. (Default: "")')
+param securityPrincipalId string = ''
 
-@allowed([
-    'Group'
-    'ServicePrincipal'
-    'User'
-])
-@sys.description('Optional, Identity type to grant RBAC role to access AVD application group. (Default: Group)')
-param avdApplicationGroupIdentityType string = 'Group'
+@sys.description('Optional, Identity name to grant RBAC role to access AVD application group and NTFS permissions. (Default: "")')
+param securityPrincipalName string = ''
 
 @sys.description('AD domain name.')
 param avdIdentityDomainName string
 
+@sys.description('Netbios name, will be used to set NTFS file share permissions. (Default: "")')
+param netBios string = ''
+
 @sys.description('AD domain GUID. (Default: "")')
 param identityDomainGuid string = ''
 
@@ -91,8 +89,8 @@ param avdHostPoolType string = 'Pooled'
 
 @sys.description('Optional. The type of preferred application group type, default to Desktop Application Group.')
 @allowed([
-  'Desktop'
-  'RemoteApp'
+    'Desktop'
+    'RemoteApp'
 ])
 param hostPoolPreferredAppGroupType string = 'Desktop'
 
@@ -164,15 +162,36 @@ param vNetworkGatewayOnHub bool = false
 @sys.description('Deploy Fslogix setup. (Default: true)')
 param createAvdFslogixDeployment bool = true
 
+@allowed([
+    'AzureStorageAccount'
+    'AzureNetappFiles'
+])
+@sys.description('Fslogix Storage Solution. Default is Azure Storage Account.')
+param fslogixStorageSolution string = 'AzureStorageAccount'
+
 @sys.description('Deploy MSIX App Attach setup. (Default: false)')
 param createMsixDeployment bool = false
 
+@allowed([
+    'AzureStorageAccount'
+    'AzureNetappFiles'
+])
+@sys.description('App attach Storage Solution. Default is Azure Storage Account.')
+param appAttachStorageSolution string = 'AzureStorageAccount'
+
 @sys.description('Fslogix file share size. (Default: 1)')
 param fslogixFileShareQuotaSize int = 1
 
 @sys.description('MSIX file share size. (Default: 1)')
 param msixFileShareQuotaSize int = 1
 
+@allowed([
+    'AES256'
+    'RC4'
+])
+@sys.description('Kerberos Encryption. Default is AES256.')
+param kerberosEncryption string = 'AES256'
+
 @sys.description('Deploy new session hosts. (Default: true)')
 param avdDeploySessionHosts bool = true
 
@@ -282,9 +301,6 @@ param avdImageTemplateDefinitionId string = ''
 @sys.description('OU name for Azure Storage Account. It is recommended to create a new AD Organizational Unit (OU) in AD and disable password expiration policy on computer accounts or service logon accounts accordingly.  (Default: "")')
 param storageOuPath string = ''
 
-@sys.description('If OU for Azure Storage needs to be created - set to true and ensure the domain join credentials have priviledge to create OU and create computer objects or join to domain. (Default: false)')
-param createOuForStorage bool = false
-
 // Custom Naming
 // Input must followe resource naming rules on https://docs.microsoft.com/azure/azure-resource-manager/management/resource-name-rules
 @sys.description('AVD resources custom naming. (Default: false)')
@@ -487,7 +503,7 @@ param enableTelemetry bool = true
 // Resource naming
 var varDeploymentPrefixLowercase = toLower(deploymentPrefix)
 var varDeploymentEnvironmentLowercase = toLower(deploymentEnvironment)
-var varDeploymentEnvironmentComputeStorage = (deploymentEnvironment == 'Dev') ? 'd': ((deploymentEnvironment == 'Test') ? 't' : ((deploymentEnvironment == 'Prod') ? 'p' : ''))
+var varDeploymentEnvironmentComputeStorage = (deploymentEnvironment == 'Dev') ? 'd' : ((deploymentEnvironment == 'Test') ? 't' : ((deploymentEnvironment == 'Prod') ? 'p' : ''))
 var varNamingUniqueStringThreeChar = take('${uniqueString(avdWorkloadSubsId, varDeploymentPrefixLowercase, time)}', 3)
 var varSessionHostLocationAcronym = varLocations[varSessionHostLocationLowercase].acronym
 var varManagementPlaneLocationAcronym = varLocations[varManagementPlaneLocationLowercase].acronym
@@ -507,7 +523,7 @@ var varStorageObjectsRgName = avdUseCustomNaming ? avdStorageObjectsRgCustomName
 var varMonitoringRgName = avdUseCustomNaming ? avdMonitoringRgCustomName : 'rg-avd-${varDeploymentEnvironmentLowercase}-${varManagementPlaneLocationAcronym}-monitoring' // max length limit 90 characters
 var varVnetName = avdUseCustomNaming ? avdVnetworkCustomName : 'vnet-${varComputeStorageResourcesNamingStandard}-001'
 var varHubVnetName = (createAvdVnet && !empty(existingHubVnetResourceId)) ? split(existingHubVnetResourceId, '/')[8] : ''
-var varVnetPeeringName = 'peer-${varHubVnetName}' 
+var varVnetPeeringName = 'peer-${varHubVnetName}'
 var varRemoteVnetPeeringName = 'peer-${varVnetName}'
 var varVnetAvdSubnetName = avdUseCustomNaming ? avdVnetworkSubnetCustomName : 'snet-avd-${varComputeStorageResourcesNamingStandard}-001'
 var varVnetPrivateEndpointSubnetName = avdUseCustomNaming ? privateEndpointVnetworkSubnetCustomName : 'snet-pe-${varComputeStorageResourcesNamingStandard}-001'
@@ -545,7 +561,7 @@ var varZtKvPrivateEndpointName = 'pe-${varZtKvName}-vault'
 //
 var varFsLogixScriptArguments = (avdIdentityServiceProvider == 'AAD') ? '-volumeshare ${varFslogixSharePath} -storageAccountName ${varFslogixStorageName} -identityDomainName ${avdIdentityDomainName}' : '-volumeshare ${varFslogixSharePath}'
 var varFslogixSharePath = '\\\\${varFslogixStorageName}.file.${environment().suffixes.storage}\\${varFslogixFileShareName}'
-var varBaseScriptUri = 'https://raw.githubusercontent.com/Azure/avdaccelerator/main/workload/'
+var varBaseScriptUri = 'https://raw.githubusercontent.com/Azure/avdaccelerator/ntfs-update/workload/'
 var varFslogixScriptUri = (avdIdentityServiceProvider == 'AAD') ? '${varBaseScriptUri}scripts/Set-FSLogixRegKeysAAD.ps1' : '${varBaseScriptUri}scripts/Set-FSLogixRegKeys.ps1'
 var varFsLogixScript = (avdIdentityServiceProvider == 'AAD') ? './Set-FSLogixRegKeysAad.ps1' : './Set-FSLogixRegKeys.ps1'
 //var varCompRgDeploCleanScript = './cleanUpRgDeployments.ps1'
@@ -763,16 +779,13 @@ var varMarketPlaceGalleryWindows = {
         version: 'latest'
     }
 }
-var varStorageAzureFilesDscAgentPackageLocation = 'https://github.com/Azure/avdaccelerator/raw/main/workload/scripts/DSCStorageScripts.zip'
+var varArtifactsLocation = 'https://github.com/Azure/avdaccelerator/raw/ntfs-update/workload/scripts'
 //var varTempResourcesCleanUpDscAgentPackageLocation = 'https://github.com/Azure/avdaccelerator/raw/main/workload/scripts/postDeploymentTempResourcesCleanUp.zip'
-var varStorageToDomainScriptUri = '${varBaseScriptUri}scripts/Manual-DSC-Storage-Scripts.ps1'
 //var varPostDeploymentTempResuorcesCleanUpScriptUri = '${varBaseScriptUri}scripts/postDeploymentTempResuorcesCleanUp.ps1'
-var varStorageToDomainScript = './Manual-DSC-Storage-Scripts.ps1'
 //var varPostDeploymentTempResuorcesCleanUpScript = './PostDeploymentTempResuorcesCleanUp.ps1'
 var varOuStgPath = !empty(storageOuPath) ? '"${storageOuPath}"' : '"${varDefaultStorageOuPath}"'
 var varDefaultStorageOuPath = (avdIdentityServiceProvider == 'AADDS') ? 'AADDC Computers' : 'Computers'
 var varStorageCustomOuPath = !empty(storageOuPath) ? 'true' : 'false'
-var varCreateOuForStorageString = string(createOuForStorage)
 var varAllDnsServers = '${customDnsIps},168.63.129.16'
 var varDnsServers = empty(customDnsIps) ? [] : (split(varAllDnsServers, ','))
 var varCreateVnetPeering = !empty(existingHubVnetResourceId) ? true : false
@@ -830,7 +843,7 @@ var verResourceGroups = [
     //    enableDefaultTelemetry: false
     //    tags: createResourceTags ? union(varAllComputeStorageTags, varAvdDefaultTags) : union(varAvdDefaultTags, varAllComputeStorageTags)
     //}
-    
+
 ]
 
 // =========== //
@@ -924,7 +937,7 @@ module networking './modules/networking/deploy.bicep' = if (createAvdVnet || cre
         existingPeSubnetResourceId: existingVnetPrivateEndpointSubnetResourceId
         existingAvdSubnetResourceId: existingVnetAvdSubnetResourceId
         createPrivateDnsZones: deployPrivateEndpointKeyvaultStorage ? createPrivateDnsZones : false
-        applicationSecurityGroupName: varApplicationSecurityGroupName 
+        applicationSecurityGroupName: varApplicationSecurityGroupName
         computeObjectsRgName: varComputeObjectsRgName
         networkObjectsRgName: varNetworkObjectsRgName
         avdNetworksecurityGroupName: varAvdNetworksecurityGroupName
@@ -984,8 +997,7 @@ module managementPLane './modules/avdManagementPlane/deploy.bicep' = {
         startVmOnConnect: (avdHostPoolType == 'Pooled') ? avdDeployScalingPlan : avdStartVmOnConnect
         workloadSubsId: avdWorkloadSubsId
         identityServiceProvider: avdIdentityServiceProvider
-        applicationGroupIdentitiesIds: avdApplicationGroupIdentitiesIds
-        applicationGroupIdentityType: avdApplicationGroupIdentityType
+        securityPrincipalIds: array(securityPrincipalId)
         tags: createResourceTags ? union(varCustomResourceTags, varAvdDefaultTags) : varAvdDefaultTags
         alaWorkspaceResourceId: avdDeployMonitoring ? (deployAlaWorkspace ? monitoringDiagnosticSettings.outputs.avdAlaWorkspaceResourceId : alaExistingWorkspaceResourceId) : ''
         diagnosticLogsRetentionInDays: avdAlaWorkspaceDataRetention
@@ -1015,7 +1027,7 @@ module identity './modules/identity/deploy.bicep' = {
         enableStartVmOnConnect: avdStartVmOnConnect
         identityServiceProvider: avdIdentityServiceProvider
         createStorageDeployment: varCreateStorageDeployment
-        appGroupIdentitiesIds: avdApplicationGroupIdentitiesIds
+        securityPrincipalIds: array(securityPrincipalId)
         tags: createResourceTags ? union(varCustomResourceTags, varAvdDefaultTags) : varAvdDefaultTags
     }
     dependsOn: [
@@ -1051,7 +1063,7 @@ module zeroTrust './modules/zeroTrust/deploy.bicep' = if (diskZeroTrust && avdDe
         baselineResourceGroups
         baselineStorageResourceGroup
         monitoringDiagnosticSettings
-        identity     
+        identity
     ]
 }
 
@@ -1180,20 +1192,20 @@ module fslogixAzureFilesStorage './modules/storageAzureFiles/deploy.bicep' = if
     name: 'Storage-FSLogix-${time}'
     params: {
         storagePurpose: 'fslogix'
+        storageSolution: fslogixStorageSolution
         fileShareName: varFslogixFileShareName
         fileShareMultichannel: (fslogixStoragePerformance == 'Premium') ? true : false
         storageSku: varFslogixStorageSku
+        securityPrincipalName: securityPrincipalName
         fileShareQuotaSize: fslogixFileShareQuotaSize
         storageAccountName: varFslogixStorageName
-        storageToDomainScript: varStorageToDomainScript
-        storageToDomainScriptUri: varStorageToDomainScriptUri
+        netBios: netBios
+        artifactsLocation: varArtifactsLocation
+        KerberosEncryption: kerberosEncryption
         identityServiceProvider: avdIdentityServiceProvider
-        dscAgentPackageLocation: varStorageAzureFilesDscAgentPackageLocation
-        storageCustomOuPath: varStorageCustomOuPath
         managementVmName: varManagementVmName
         deployPrivateEndpoint: deployPrivateEndpointKeyvaultStorage
         ouStgPath: varOuStgPath
-        createOuForStorageString: varCreateOuForStorageString
         managedIdentityClientId: varCreateStorageDeployment ? identity.outputs.managedIdentityStorageClientId : ''
         domainJoinUserName: avdDomainJoinUserName
         wrklKvName: varWrklKvName
@@ -1223,20 +1235,20 @@ module msixAzureFilesStorage './modules/storageAzureFiles/deploy.bicep' = if (cr
     name: 'Storage-MSIX-${time}'
     params: {
         storagePurpose: 'msix'
+        storageSolution: appAttachStorageSolution
         fileShareName: varMsixFileShareName
         fileShareMultichannel: (msixStoragePerformance == 'Premium') ? true : false
         storageSku: varMsixStorageSku
+        securityPrincipalName: securityPrincipalName
         fileShareQuotaSize: msixFileShareQuotaSize
         storageAccountName: varMsixStorageName
-        storageToDomainScript: varStorageToDomainScript
-        storageToDomainScriptUri: varStorageToDomainScriptUri
+        netBios: netBios
+        artifactsLocation: varArtifactsLocation
+        KerberosEncryption: kerberosEncryption
         identityServiceProvider: avdIdentityServiceProvider
-        dscAgentPackageLocation: varStorageAzureFilesDscAgentPackageLocation
-        storageCustomOuPath: varStorageCustomOuPath
         managementVmName: varManagementVmName
         deployPrivateEndpoint: deployPrivateEndpointKeyvaultStorage
         ouStgPath: varOuStgPath
-        createOuForStorageString: varCreateOuForStorageString
         managedIdentityClientId: varCreateStorageDeployment ? identity.outputs.managedIdentityStorageClientId : ''
         domainJoinUserName: avdDomainJoinUserName
         wrklKvName: varWrklKvName
@@ -1283,7 +1295,7 @@ module availabilitySet './modules/avdSessionHosts/.bicep/availabilitySets.bicep'
 // Session hosts
 @batchSize(3)
 module sessionHosts './modules/avdSessionHosts/deploy.bicep' = [for i in range(1, varSessionHostBatchCount): if (avdDeploySessionHosts) {
-    name: 'SH-Batch-${i-1}-${time}'
+    name: 'SH-Batch-${i - 1}-${time}'
     params: {
         diskEncryptionSetResourceId: diskZeroTrust ? zeroTrust.outputs.ztDiskEncryptionSetResourceId : ''
         avdAgentPackageLocation: varAvdAgentPackageLocation
@@ -1293,7 +1305,7 @@ module sessionHosts './modules/avdSessionHosts/deploy.bicep' = [for i in range(1
         createIntuneEnrollment: createIntuneEnrollment
         maxAvsetMembersCount: varMaxAvsetMembersCount
         avsetNamePrefix: varAvsetNamePrefix
-        batchId: i-1
+        batchId: i - 1
         computeObjectsRgName: varComputeObjectsRgName
         count: i == varSessionHostBatchCount && varMaxSessionHostsDivisionRemainderValue > 0 ? varMaxSessionHostsDivisionRemainderValue : varMaxSessionHostsPerTemplate
         countIndex: i == 1 ? avdSessionHostCountIndex : (((i - 1) * varMaxSessionHostsPerTemplate) + avdSessionHostCountIndex)
@@ -1346,14 +1358,14 @@ module gpuPolicies './modules/avdSessionHosts/.bicep/azurePolicyGpuExtensions.bi
     scope: subscription('${avdWorkloadSubsId}')
     name: 'GPU-VM-Extensions-${time}'
     params: {
-      computeObjectsRgName: varComputeObjectsRgName
-      location: avdSessionHostLocation
-      subscriptionId: avdWorkloadSubsId
+        computeObjectsRgName: varComputeObjectsRgName
+        location: avdSessionHostLocation
+        subscriptionId: avdWorkloadSubsId
     }
     dependsOn: [
         sessionHosts
     ]
-  }
+}
 
 /*
 // Post deployment resources clean up.

diff --git a/workload/bicep/modules/avdManagementPlane/deploy.bicep b/workload/bicep/modules/avdManagementPlane/deploy.bicep
@@ -16,10 +16,7 @@ param computeTimeZone string
 param identityServiceProvider string
 
 @sys.description('Identity ID to grant RBAC role to access AVD application group.')
-param applicationGroupIdentitiesIds array
-
-@sys.description('Identity type to grant RBAC role to access AVD application group.')
-param applicationGroupIdentityType string
+param securityPrincipalIds array
 
 @sys.description('AVD OS image source.')
 param osImage string
@@ -240,11 +237,11 @@ module applicationGroups '../../../../carml/1.3.0/Microsoft.DesktopVirtualizatio
     hostpoolName: hostPoolName
     tags: tags
     applications: (applicationGroup.applicationGroupType == 'RemoteApp')  ? varRAppApplicationGroupsApps : []
-    roleAssignments: !empty(applicationGroupIdentitiesIds) ? [
+    roleAssignments: !empty(securityPrincipalIds) ? [
       {
       roleDefinitionIdOrName: 'Desktop Virtualization User'
-      principalIds: applicationGroupIdentitiesIds
-      principalType: applicationGroupIdentityType
+      principalIds: securityPrincipalIds
+      principalType: 'Group'
       }
     ]: []   
     diagnosticWorkspaceId: alaWorkspaceResourceId

diff --git a/workload/bicep/modules/identity/deploy.bicep b/workload/bicep/modules/identity/deploy.bicep
@@ -28,7 +28,7 @@ param enableStartVmOnConnect bool
 param identityServiceProvider string
 
 @sys.description('Required, Identity ID to grant RBAC role to access AVD application group.')
-param appGroupIdentitiesIds array
+param securityPrincipalIds array
 
 @sys.description('Deploy scaling plan.')
 param deployScalingPlan bool
@@ -62,6 +62,10 @@ var varStorageSmbShareContributorRole = {
   id: '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb'
   name: 'Storage File Data SMB Share Contributor'
 }
+var varDesktopVirtualizationVirtualMachineContributorRole = {
+  id:'	a959dbd1-f747-45e3-8ba6-dd80f235f97c'
+  name: 'Desktop Virtualization Virtual Machine Contributor'
+}
 var varDesktopVirtualizationPowerOnContributorRole = {
   id: '489581de-a3bd-480d-9518-53dea7416b33'
   name: 'Desktop Virtualization Power On Contributor'
@@ -182,7 +186,7 @@ module storageContributorRoleAssign '../../../../carml/1.3.0/Microsoft.Authoriza
 }]
 
 // Storage File Data SMB Share Contributor
-module storageSmbShareContributorRoleAssign '../../../../carml/1.3.0/Microsoft.Authorization/roleAssignments/resourceGroup/deploy.bicep' = [for appGroupIdentitiesId in appGroupIdentitiesIds: if (createStorageDeployment && (identityServiceProvider == 'AAD') && (!empty(appGroupIdentitiesIds))) {
+module storageSmbShareContributorRoleAssign '../../../../carml/1.3.0/Microsoft.Authorization/roleAssignments/resourceGroup/deploy.bicep' = [for appGroupIdentitiesId in securityPrincipalIds: if (createStorageDeployment && (identityServiceProvider == 'AAD') && (!empty(securityPrincipalIds))) {
   name: 'Stora-SmbContri-RolAssign-${take('${appGroupIdentitiesId}', 6)}-${time}'
   scope: resourceGroup('${subscriptionId}', '${storageObjectsRgName}')
   params: {
@@ -191,8 +195,18 @@ module storageSmbShareContributorRoleAssign '../../../../carml/1.3.0/Microsoft.A
   }
 }]
 
+//Management VM Desktop Virtualization Virtual Machine Contributor Role assignment
+module DesktopVirtualizationVirtualMachineContributorRoleAssign '../../../../carml/1.3.0/Microsoft.Authorization/roleAssignments/resourceGroup/deploy.bicep' = [for appGroupIdentitiesId in securityPrincipalIds: if (createStorageDeployment && (identityServiceProvider == 'AAD') && (!empty(securityPrincipalIds))) {
+  name: 'Stora-VMCont-RolAssign-${take('${appGroupIdentitiesId}', 6)}-${time}'
+  scope: resourceGroup('${subscriptionId}', '${serviceObjectsRgName}')
+  params: {
+    roleDefinitionIdOrName: '/subscriptions/${subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/${varDesktopVirtualizationVirtualMachineContributorRole.id}'
+    principalId: appGroupIdentitiesId
+  }
+}]
+
 // VM AAD access roles compute RG
-module aadIdentityLoginRoleAssign '../../../../carml/1.3.0/Microsoft.Authorization/roleAssignments/resourceGroup/deploy.bicep' = [for appGroupIdentitiesId in appGroupIdentitiesIds: if (identityServiceProvider == 'AAD' && !empty(appGroupIdentitiesIds)) {
+module aadIdentityLoginRoleAssign '../../../../carml/1.3.0/Microsoft.Authorization/roleAssignments/resourceGroup/deploy.bicep' = [for appGroupIdentitiesId in securityPrincipalIds: if (identityServiceProvider == 'AAD' && !empty(securityPrincipalIds)) {
   name: 'VM-Login-Comp-${take('${appGroupIdentitiesId}', 6)}-${time}'
   scope: resourceGroup('${subscriptionId}', '${computeObjectsRgName}')
   params: {
@@ -202,7 +216,7 @@ module aadIdentityLoginRoleAssign '../../../../carml/1.3.0/Microsoft.Authorizati
 }]
 
 // VM AAD access roles service objects RG
-module aadIdentityLoginAccessServiceObjects '../../../../carml/1.3.0/Microsoft.Authorization/roleAssignments/resourceGroup/deploy.bicep' = [for appGroupIdentitiesId in appGroupIdentitiesIds: if (identityServiceProvider == 'AAD' && !empty(appGroupIdentitiesIds)) {
+module aadIdentityLoginAccessServiceObjects '../../../../carml/1.3.0/Microsoft.Authorization/roleAssignments/resourceGroup/deploy.bicep' = [for appGroupIdentitiesId in securityPrincipalIds: if (identityServiceProvider == 'AAD' && !empty(securityPrincipalIds)) {
   name: 'VM-Login-Serv-${take('${appGroupIdentitiesId}', 6)}-${time}'
   scope: resourceGroup('${subscriptionId}', '${serviceObjectsRgName}')
   params: {