diff --git a/carml/1.3.0/Microsoft.Compute/virtualMachines/deploy.bicep b/carml/1.3.0/Microsoft.Compute/virtualMachines/deploy.bicep
index fd2e77b77..42fbd330a 100644
--- a/carml/1.3.0/Microsoft.Compute/virtualMachines/deploy.bicep
+++ b/carml/1.3.0/Microsoft.Compute/virtualMachines/deploy.bicep
@@ -171,7 +171,7 @@ param extensionDomainJoinConfig object = {
 enabled: false
 }
-@description('Optional. The configuration for the [AAD Join] extension. Must at least contain the ["enabled": true] property to be executed.')
+@description('Optional. The configuration for the [EntraID Join] extension. Must at least contain the ["enabled": true] property to be executed.')
 param extensionAadJoinConfig object = {
 enabled: false
 }
diff --git a/carml/1.3.0/Microsoft.Compute/virtualMachines/readme.md b/carml/1.3.0/Microsoft.Compute/virtualMachines/readme.md
index 0cfd7e37c..5dc4b6c01 100644
--- a/carml/1.3.0/Microsoft.Compute/virtualMachines/readme.md
+++ b/carml/1.3.0/Microsoft.Compute/virtualMachines/readme.md
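Review bot: The wording "EntraID" introduced in this description (and in the same pattern in the virtualNetworkGateways and storageAccounts hunks that follow) is not the product name the rest of the repo uses — the storage readme's `allowSharedKeyAccess` row and the `'AADDS' // Microsoft Entra Domain Services` comment in deploy-baseline.bicep both write "Microsoft Entra ID". Because the parameter itself keeps its old name `extensionAadJoinConfig`, a reader is better served by a description that ties the new name to the old one rather than a third spelling; I would write `@description('Optional. The configuration for the [Microsoft Entra ID Join] (formerly AAD Join) extension. Must at least contain the ["enabled": true] property to be executed.')`. The mirrored readme row for this module should carry the same phrasing so the two stay in sync.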
@@ -68,7 +68,7 @@ This module deploys one Virtual Machine with one or multiple NICs and optionally
 | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
 | `enableEvictionPolicy` | bool | `False` | | Specifies the eviction policy for the low priority virtual machine. Will result in 'Deallocate' eviction policy. |
 | `encryptionAtHost` | bool | `True` | | This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine. This will enable the encryption for all the disks including Resource/Temp disk at host itself. For security reasons, it is recommended to set encryptionAtHost to True. Restrictions: Cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. |
-| `extensionAadJoinConfig` | object | `{object}` | | The configuration for the [AAD Join] extension. Must at least contain the ["enabled": true] property to be executed. |
+| `extensionAadJoinConfig` | object | `{object}` | | The configuration for the [EntraID Join] extension. Must at least contain the ["enabled": true] property to be executed. |
 | `extensionAntiMalwareConfig` | object | `{object}` | | The configuration for the [Anti Malware] extension. Must at least contain the ["enabled": true] property to be executed. |
 | `extensionAzureDiskEncryptionConfig` | object | `{object}` | | The configuration for the [Azure Disk Encryption] extension. Must at least contain the ["enabled": true] property to be executed. Restrictions: Cannot be enabled on disks that have encryption at host enabled. Managed disks encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys. |
 | `extensionCustomScriptConfig` | object | `{object}` | | The configuration for the [Custom Script] extension. Must at least contain the ["enabled": true] property to be executed. |
diff --git a/carml/1.3.0/Microsoft.Network/virtualNetworkGateways/deploy.bicep b/carml/1.3.0/Microsoft.Network/virtualNetworkGateways/deploy.bicep
index 001a75fcd..1f4bcb1f5 100644
--- a/carml/1.3.0/Microsoft.Network/virtualNetworkGateways/deploy.bicep
+++ b/carml/1.3.0/Microsoft.Network/virtualNetworkGateways/deploy.bicep
@@ -166,7 +166,7 @@ param virtualNetworkGatewaydiagnosticLogCategoriesToEnable array = [
 'allLogs'
 ]
-@description('Optional. Configuration for AAD Authentication for P2S Tunnel Type, Cannot be configured if clientRootCertData is provided.')
+@description('Optional. Configuration for EntraID Authentication for P2S Tunnel Type, Cannot be configured if clientRootCertData is provided.')
 param vpnClientAadConfiguration object = {}
 @description('Optional. The name of metrics that will be streamed.')
diff --git a/carml/1.3.0/Microsoft.Storage/storageAccounts/deploy.bicep b/carml/1.3.0/Microsoft.Storage/storageAccounts/deploy.bicep
index a815e2794..e8c0544b2 100644
--- a/carml/1.3.0/Microsoft.Storage/storageAccounts/deploy.bicep
+++ b/carml/1.3.0/Microsoft.Storage/storageAccounts/deploy.bicep
@@ -73,7 +73,7 @@ param networkAcls object = {}
 @description('Optional. A Boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. For security reasons, it is recommended to set it to true.')
 param requireInfrastructureEncryption bool = true
-@description('Optional. Allow or disallow cross AAD tenant object replication.')
+@description('Optional. Allow or disallow cross EntraID tenant object replication.')
 param allowCrossTenantReplication bool = true
 @description('Optional. Sets the custom domain name assigned to the storage account. Name is the CNAME source.')
@@ -159,7 +159,7 @@ param tags object = {}
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
-@description('Optional. Restrict copy to and from Storage Accounts within an AAD tenant or with Private Links to the same VNet.')
+@description('Optional. Restrict copy to and from Storage Accounts within an EntraID tenant or with Private Links to the same VNet.')
 @allowed([
 ''
 'AAD'
diff --git a/carml/1.3.0/Microsoft.Storage/storageAccounts/readme.md b/carml/1.3.0/Microsoft.Storage/storageAccounts/readme.md
index d22bb6cad..032a946ca 100644
--- a/carml/1.3.0/Microsoft.Storage/storageAccounts/readme.md
+++ b/carml/1.3.0/Microsoft.Storage/storageAccounts/readme.md
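Review bot: The new description speaks of an "EntraID tenant" while the `@allowed` list directly beneath it still lists `'AAD'`, which is the enum value the Storage resource provider accepts for `allowedCopyScope`; the readme hunk for this same module then renders the allowed values as `['', EntraID, PrivateLink]`, advertising a value that both the `@allowed` decorator and the API reject. Anyone copying `EntraID` from the readme into a parameter file gets a validation failure instead of the intended copy-scope restriction, and since the readme appears to be generated from the decorators the hand edit would be undone on the next regeneration anyway. Keep the readme cell at `AAD` and let the description carry the name mapping instead: `@description('Optional. Restrict copy to and from Storage Accounts within a Microsoft Entra ID tenant (the allowed value remains the API enum name AAD) or with Private Links to the same VNet.')`. The `@allowed` block continues past the end of this hunk.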
@@ -55,8 +55,8 @@ This module is used to deploy a storage account, with the ability to deploy 1 or
 | Parameter Name | Type | Default Value | Allowed Values | Description |
 | :-- | :-- | :-- | :-- | :-- |
 | `allowBlobPublicAccess` | bool | `False` | | Indicates whether public access is enabled for all blobs or containers in the storage account. For security reasons, it is recommended to set it to false. |
-| `allowCrossTenantReplication` | bool | `True` | | Allow or disallow cross AAD tenant object replication. |
-| `allowedCopyScope` | string | `''` | `['', AAD, PrivateLink]` | Restrict copy to and from Storage Accounts within an AAD tenant or with Private Links to the same VNet. |
+| `allowCrossTenantReplication` | bool | `True` | | Allow or disallow cross EntraID tenant object replication. |
+| `allowedCopyScope` | string | `''` | `['', EntraID, PrivateLink]` | Restrict copy to and from Storage Accounts within an EntraID tenant or with Private Links to the same VNet. |
 | `allowSharedKeyAccess` | bool | `True` | | Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Microsoft Entra ID. The default value is null, which is equivalent to true. |
 | `azureFilesIdentityBasedAuthentication` | object | `{object}` | | Provides the identity based authentication settings for Azure Files. |
 | `blobServices` | _[blobServices](blobServices/readme.md)_ object | `{object}` | | Blob service and containers to deploy. |
diff --git a/workload/arm/brownfield/deployAppAttachToolsVM.json b/workload/arm/brownfield/deployAppAttachToolsVM.json
index 955e1799b..b3a21d264 100644
--- a/workload/arm/brownfield/deployAppAttachToolsVM.json
+++ b/workload/arm/brownfield/deployAppAttachToolsVM.json
@@ -632,7 +632,7 @@ "enabled": false }, "metadata": { - "description": "Optional. The configuration for the [AAD Join] extension. Must at least contain the [\"enabled\": true] property to be executed." + "description": "Optional. The configuration for the [EntraID Join] extension. Must at least contain the [\"enabled\": true] property to be executed." } }, "extensionAntiMalwareConfig": { diff --git a/workload/arm/brownfield/deployNewSessionHostsToHostPools.json b/workload/arm/brownfield/deployNewSessionHostsToHostPools.json index e15fb08fa..072bc2aa5 100644 --- a/workload/arm/brownfield/deployNewSessionHostsToHostPools.json +++ b/workload/arm/brownfield/deployNewSessionHostsToHostPools.json @@ -1281,7 +1281,7 @@ "timeZone": { "value": "[variables('varTimeZoneSessionHosts')]" }, - "systemAssignedIdentity": "[if(equals(parameters('identityServiceProvider'), 'AAD'), createObject('value', true()), createObject('value', false()))]", + "systemAssignedIdentity": "[if(equals(parameters('identityServiceProvider'), 'EntraID'), createObject('value', true()), createObject('value', false()))]", "availabilityZone": "[if(parameters('useAvailabilityZones'), createObject('value', take(skip(variables('varAllAvailabilityZones'), mod(range(1, parameters('count'))[copyIndex()], length(variables('varAllAvailabilityZones')))), 1)), createObject('value', createArray()))]", "encryptionAtHost": { "value": "[parameters('diskZeroTrust')]" @@ -1350,7 +1350,7 @@ }, "extensionAadJoinConfig": { "value": { - "enabled": "[if(equals(parameters('identityServiceProvider'), 'AAD'), true(), false())]", + "enabled": "[if(equals(parameters('identityServiceProvider'), 'EntraID'), true(), false())]", "settings": "[if(parameters('createIntuneEnrollment'), createObject('mdmId', '0000000a-0000-0000-c000-000000000000'), createObject())]" } }, 
@@ -1699,7 +1699,7 @@ "enabled": false }, "metadata": { - "description": "Optional. The configuration for the [AAD Join] extension. Must at least contain the [\"enabled\": true] property to be executed." + "description": "Optional. The configuration for the [EntraID Join] extension. Must at least contain the [\"enabled\": true] property to be executed." } }, "extensionAntiMalwareConfig": { diff --git a/workload/arm/deploy-baseline.json b/workload/arm/deploy-baseline.json index a2c4ea11e..f70724d38 100644 --- a/workload/arm/deploy-baseline.json +++ b/workload/arm/deploy-baseline.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "9406990619434457184" + "templateHash": "1588493415579051487" }, "name": "AVD Accelerator - Baseline Deployment", "description": "AVD Accelerator - Deployment Baseline" @@ -87,7 +87,7 @@ "allowedValues": [ "ADDS", "AADDS", - "AAD" + "EntraID" ], "metadata": { "description": "Required, The service providing domain services for Azure Virtual Desktop. (Default: ADDS)" @@ -11871,7 +11871,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "7326746777556089250" + "templateHash": "4804750058584801750" } }, "parameters": { 
@@ -12072,7 +12072,7 @@ "applicationGroupType": "[if(equals(parameters('preferredAppGroupType'), 'Desktop'), 'Desktop', 'RemoteApp')]" } ], - "varHostPoolRdpPropertiesDomainServiceCheck": "[if(equals(parameters('identityServiceProvider'), 'AAD'), format('{0};targetisaadjoined:i:1;enablerdsaadauth:i:1', parameters('hostPoolRdpProperties')), parameters('hostPoolRdpProperties'))]", + "varHostPoolRdpPropertiesDomainServiceCheck": "[if(equals(parameters('identityServiceProvider'), 'EntraID'), format('{0};targetisaadjoined:i:1;enablerdsaadauth:i:1', parameters('hostPoolRdpProperties')), parameters('hostPoolRdpProperties'))]", "varRAppApplicationGroupsStandardApps": "[if(equals(parameters('preferredAppGroupType'), 'RailApplications'), createArray(createObject('name', 'Task Manager', 'description', 'Task Manager', 'friendlyName', 'Task Manager', 'showInPortal', true(), 'filePath', 'C:\\Windows\\system32\\taskmgr.exe'), createObject('name', 'WordPad', 'description', 'WordPad', 'friendlyName', 'WordPad', 'showInPortal', true(), 'filePath', 'C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe'), createObject('name', 'Microsoft Edge', 'description', 'Microsoft Edge', 'friendlyName', 'Edge', 'showInPortal', true(), 'filePath', 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe'), createObject('name', 'Remote Desktop Connection', 'description', 'Remote Desktop Connection', 'friendlyName', 'Remote Desktop', 'showInPortal', true(), 'filePath', 'C:\\WINDOWS\\system32\\mtsc.exe')), createArray())]", "varRAppApplicationGroupsOfficeApps": "[if(equals(parameters('preferredAppGroupType'), 'RailApplications'), createArray(createObject('name', 'Microsoft Excel', 'description', 'Microsoft Excel', 'friendlyName', 'Excel', 'showInPortal', true(), 'filePath', 'C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE'), createObject('name', 'Microsoft PowerPoint', 'description', 'Microsoft PowerPoint', 'friendlyName', 'PowerPoint', 'showInPortal', true(), 'filePath', 
'C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE'), createObject('name', 'Microsoft Word', 'description', 'Microsoft Word', 'friendlyName', 'Outlook', 'showInPortal', true(), 'filePath', 'C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE'), createObject('name', 'Microsoft Outlook', 'description', 'Microsoft Word', 'friendlyName', 'Word', 'showInPortal', true(), 'filePath', 'C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE')), createArray())]", "varRAppApplicationGroupsApps": "[if(equals(parameters('preferredAppGroupType'), 'RailApplications'), if(contains(parameters('osImage'), 'office'), union(variables('varRAppApplicationGroupsStandardApps'), variables('varRAppApplicationGroupsOfficeApps')), variables('varRAppApplicationGroupsStandardApps')), createArray())]", @@ -14345,7 +14345,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "12068153438455870485" + "templateHash": "17207869172967484978" } }, "parameters": { @@ -17118,7 +17118,7 @@ "name": "aadIdentityLoginRoleAssign", "count": "[length(parameters('securityPrincipalIds'))]" }, - "condition": "[and(equals(parameters('identityServiceProvider'), 'AAD'), not(empty(parameters('securityPrincipalIds'))))]", + "condition": "[and(equals(parameters('identityServiceProvider'), 'EntraID'), not(empty(parameters('securityPrincipalIds'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "[format('VM-Login-Comp-{0}-{1}', take(format('{0}', parameters('securityPrincipalIds')[copyIndex()]), 6), parameters('time'))]", 
@@ -17698,7 +17698,7 @@ "name": "aadIdentityLoginAccessServiceObjects", "count": "[length(parameters('securityPrincipalIds'))]" }, - "condition": "[and(equals(parameters('identityServiceProvider'), 'AAD'), not(empty(parameters('securityPrincipalIds'))))]", + "condition": "[and(equals(parameters('identityServiceProvider'), 'EntraID'), not(empty(parameters('securityPrincipalIds'))))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "[format('VM-Login-Serv-{0}-{1}', take(format('{0}', parameters('securityPrincipalIds')[copyIndex()]), 6), parameters('time'))]", 
@@ -24794,7 +24794,7 @@ "privateEndpoints": "[if(parameters('deployPrivateEndpointKeyvaultStorage'), createObject('value', createArray(createObject('name', variables('varWrklKvPrivateEndpointName'), 'subnetResourceId', if(parameters('createAvdVnet'), format('{0}/subnets/{1}', reference(subscriptionResourceId('Microsoft.Resources/deployments', format('Networking-{0}', parameters('time'))), '2022-09-01').outputs.virtualNetworkResourceId.value, variables('varVnetPrivateEndpointSubnetName')), parameters('existingVnetPrivateEndpointSubnetResourceId')), 'customNetworkInterfaceName', format('nic-01-{0}', variables('varWrklKvPrivateEndpointName')), 'service', 'vault', 'privateDnsZoneGroup', createObject('privateDNSResourceIds', createArray(if(parameters('createPrivateDnsZones'), reference(subscriptionResourceId('Microsoft.Resources/deployments', format('Networking-{0}', parameters('time'))), '2022-09-01').outputs.KeyVaultDnsZoneResourceId.value, parameters('avdVnetPrivateDnsZoneKeyvaultId'))))))), createObject('value', createArray()))]", "secrets": { "value": { - "secureList": "[if(not(equals(parameters('avdIdentityServiceProvider'), 'AAD')), createArray(createObject('name', 'vmLocalUserPassword', 'value', parameters('avdVmLocalUserPassword'), 'contentType', 'Session host local user credentials'), createObject('name', 'vmLocalUserName', 'value', parameters('avdVmLocalUserName'), 'contentType', 'Session host local user credentials'), createObject('name', 'domainJoinUserName', 'value', parameters('avdDomainJoinUserName'), 'contentType', 'Domain join credentials'), createObject('name', 'domainJoinUserPassword', 'value', parameters('avdDomainJoinUserPassword'), 'contentType', 'Domain join credentials')), createArray(createObject('name', 'vmLocalUserPassword', 'value', parameters('avdVmLocalUserPassword'), 'contentType', 'Session host local user credentials'), createObject('name', 'vmLocalUserName', 'value', parameters('avdVmLocalUserName'), 'contentType', 'Session host local 
user credentials'), createObject('name', 'domainJoinUserName', 'value', 'NoUsername', 'contentType', 'Domain join credentials'), createObject('name', 'domainJoinUserPassword', 'value', 'NoPassword', 'contentType', 'Domain join credentials')))]" + "secureList": "[if(not(equals(parameters('avdIdentityServiceProvider'), 'EntraID')), createArray(createObject('name', 'vmLocalUserPassword', 'value', parameters('avdVmLocalUserPassword'), 'contentType', 'Session host local user credentials'), createObject('name', 'vmLocalUserName', 'value', parameters('avdVmLocalUserName'), 'contentType', 'Session host local user credentials'), createObject('name', 'domainJoinUserName', 'value', parameters('avdDomainJoinUserName'), 'contentType', 'Domain join credentials'), createObject('name', 'domainJoinUserPassword', 'value', parameters('avdDomainJoinUserPassword'), 'contentType', 'Domain join credentials')), createArray(createObject('name', 'vmLocalUserPassword', 'value', parameters('avdVmLocalUserPassword'), 'contentType', 'Session host local user credentials'), createObject('name', 'vmLocalUserName', 'value', parameters('avdVmLocalUserName'), 'contentType', 'Session host local user credentials'), createObject('name', 'domainJoinUserName', 'value', 'NoUsername', 'contentType', 'Domain join credentials'), createObject('name', 'domainJoinUserPassword', 'value', 'NoPassword', 'contentType', 'Domain join credentials')))]" } }, "tags": "[if(parameters('createResourceTags'), createObject('value', union(variables('varCustomResourceTags'), variables('varAvdDefaultTags'), variables('varWorkloadKeyvaultTag'))), createObject('value', union(variables('varAvdDefaultTags'), variables('varWorkloadKeyvaultTag'))))]" @@ -26824,7 +26824,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "16306650625703107232" + "templateHash": "15817715667928545822" } }, "parameters": { 
@@ -27079,7 +27079,7 @@ }, "extensionDomainJoinConfig": { "value": { - "enabled": "[if(equals(parameters('identityServiceProvider'), 'AAD'), false(), true())]", + "enabled": "[if(equals(parameters('identityServiceProvider'), 'EntraID'), false(), true())]", "settings": { "name": "[parameters('identityDomainName')]", "ouPath": "[if(not(empty(parameters('ouPath'))), parameters('ouPath'), null())]", @@ -27091,7 +27091,7 @@ }, "extensionAadJoinConfig": { "value": { - "enabled": "[if(equals(parameters('identityServiceProvider'), 'AAD'), true(), false())]" + "enabled": "[if(equals(parameters('identityServiceProvider'), 'EntraID'), true(), false())]" } }, "tags": { @@ -27105,7 +27105,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "3205620537307637582" + "templateHash": "15426531948771861029" } }, "parameters": { @@ -27439,7 +27439,7 @@ "enabled": false }, "metadata": { - "description": "Optional. The configuration for the [AAD Join] extension. Must at least contain the [\"enabled\": true] property to be executed." + "description": "Optional. The configuration for the [EntraID Join] extension. Must at least contain the [\"enabled\": true] property to be executed." } }, "extensionAntiMalwareConfig": { @@ -31435,7 +31435,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "13591692348976261694" + "templateHash": "506522898706212102" } }, "parameters": { 
@@ -31636,9 +31636,9 @@ "Transaction" ], "varWrklStoragePrivateEndpointName": "[format('pe-{0}-file', parameters('storageAccountName'))]", - "varDirectoryServiceOptions": "[if(equals(parameters('identityServiceProvider'), 'AADDS'), 'AADDS', if(equals(parameters('identityServiceProvider'), 'AAD'), 'AADKERB', 'None'))]", + "varDirectoryServiceOptions": "[if(equals(parameters('identityServiceProvider'), 'AADDS'), 'AADDS', if(equals(parameters('identityServiceProvider'), 'EntraID'), 'AADKERB', 'None'))]", "varSecurityPrincipalName": "[if(not(empty(parameters('securityPrincipalName'))), parameters('securityPrincipalName'), 'none')]", - "varAdminUserName": "[if(equals(parameters('identityServiceProvider'), 'AAD'), parameters('vmLocalUserName'), parameters('domainJoinUserName'))]", + "varAdminUserName": "[if(equals(parameters('identityServiceProvider'), 'EntraID'), parameters('vmLocalUserName'), parameters('domainJoinUserName'))]", "varStorageToDomainScriptArgs": "[format('-DscPath {0} -StorageAccountName {1} -StorageAccountRG {2} -StoragePurpose {3} -DomainName {4} -IdentityServiceProvider {5} -AzureCloudEnvironment {6} -SubscriptionId {7} -AdminUserName {8} -CustomOuPath {9} -OUName {10} -ShareName {11} -ClientId {12} -SecurityPrincipalName \"{13}\" -StorageAccountFqdn {14} ', parameters('dscAgentPackageLocation'), parameters('storageAccountName'), parameters('storageObjectsRgName'), parameters('storagePurpose'), parameters('identityDomainName'), parameters('identityServiceProvider'), variables('varAzureCloudName'), parameters('workloadSubsId'), variables('varAdminUserName'), parameters('storageCustomOuPath'), parameters('ouStgPath'), parameters('fileShareName'), parameters('managedIdentityClientId'), variables('varSecurityPrincipalName'), parameters('storageAccountFqdn'))]" }, "resources": [ 
@@ -31672,7 +31672,7 @@ "azureFilesIdentityBasedAuthentication": { "value": { "directoryServiceOptions": "[variables('varDirectoryServiceOptions')]", - "activeDirectoryProperties": "[if(equals(parameters('identityServiceProvider'), 'AAD'), createObject('domainGuid', parameters('identityDomainGuid'), 'domainName', parameters('identityDomainName')), createObject())]" + "activeDirectoryProperties": "[if(equals(parameters('identityServiceProvider'), 'EntraID'), createObject('domainGuid', parameters('identityDomainGuid'), 'domainName', parameters('identityDomainName')), createObject())]" } }, "accessTier": { @@ -31708,7 +31708,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "14398504551168498076" + "templateHash": "6856542299042751588" } }, "parameters": { @@ -31854,7 +31854,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Allow or disallow cross AAD tenant object replication." + "description": "Optional. Allow or disallow cross EntraID tenant object replication." } }, "customDomainName": { @@ -32028,7 +32028,7 @@ "PrivateLink" ], "metadata": { - "description": "Optional. Restrict copy to and from Storage Accounts within an AAD tenant or with Private Links to the same VNet." + "description": "Optional. Restrict copy to and from Storage Accounts within an EntraID tenant or with Private Links to the same VNet." } }, "publicNetworkAccess": { 
@@ -35460,7 +35460,7 @@ "scriptArguments": { "value": "[variables('varStorageToDomainScriptArgs')]" }, - "adminUserPassword": "[if(equals(parameters('identityServiceProvider'), 'AAD'), createObject('reference', createObject('keyVault', createObject('id', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', parameters('workloadSubsId')), format('{0}', parameters('serviceObjectsRgName'))), 'Microsoft.KeyVault/vaults', parameters('wrklKvName'))), 'secretName', 'vmLocalUserPassword')), createObject('reference', createObject('keyVault', createObject('id', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', parameters('workloadSubsId')), format('{0}', parameters('serviceObjectsRgName'))), 'Microsoft.KeyVault/vaults', parameters('wrklKvName'))), 'secretName', 'domainJoinUserPassword')))]", + "adminUserPassword": "[if(equals(parameters('identityServiceProvider'), 'EntraID'), createObject('reference', createObject('keyVault', createObject('id', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', parameters('workloadSubsId')), format('{0}', parameters('serviceObjectsRgName'))), 'Microsoft.KeyVault/vaults', parameters('wrklKvName'))), 'secretName', 'vmLocalUserPassword')), createObject('reference', createObject('keyVault', createObject('id', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', parameters('workloadSubsId')), format('{0}', parameters('serviceObjectsRgName'))), 'Microsoft.KeyVault/vaults', parameters('wrklKvName'))), 'secretName', 'domainJoinUserPassword')))]", "baseScriptUri": { "value": "[parameters('storageToDomainScriptUri')]" } @@ -35643,7 +35643,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "13591692348976261694" + "templateHash": "506522898706212102" } }, "parameters": { 
@@ -35844,9 +35844,9 @@ "Transaction" ], "varWrklStoragePrivateEndpointName": "[format('pe-{0}-file', parameters('storageAccountName'))]", - "varDirectoryServiceOptions": "[if(equals(parameters('identityServiceProvider'), 'AADDS'), 'AADDS', if(equals(parameters('identityServiceProvider'), 'AAD'), 'AADKERB', 'None'))]", + "varDirectoryServiceOptions": "[if(equals(parameters('identityServiceProvider'), 'AADDS'), 'AADDS', if(equals(parameters('identityServiceProvider'), 'EntraID'), 'AADKERB', 'None'))]", "varSecurityPrincipalName": "[if(not(empty(parameters('securityPrincipalName'))), parameters('securityPrincipalName'), 'none')]", - "varAdminUserName": "[if(equals(parameters('identityServiceProvider'), 'AAD'), parameters('vmLocalUserName'), parameters('domainJoinUserName'))]", + "varAdminUserName": "[if(equals(parameters('identityServiceProvider'), 'EntraID'), parameters('vmLocalUserName'), parameters('domainJoinUserName'))]", "varStorageToDomainScriptArgs": "[format('-DscPath {0} -StorageAccountName {1} -StorageAccountRG {2} -StoragePurpose {3} -DomainName {4} -IdentityServiceProvider {5} -AzureCloudEnvironment {6} -SubscriptionId {7} -AdminUserName {8} -CustomOuPath {9} -OUName {10} -ShareName {11} -ClientId {12} -SecurityPrincipalName \"{13}\" -StorageAccountFqdn {14} ', parameters('dscAgentPackageLocation'), parameters('storageAccountName'), parameters('storageObjectsRgName'), parameters('storagePurpose'), parameters('identityDomainName'), parameters('identityServiceProvider'), variables('varAzureCloudName'), parameters('workloadSubsId'), variables('varAdminUserName'), parameters('storageCustomOuPath'), parameters('ouStgPath'), parameters('fileShareName'), parameters('managedIdentityClientId'), variables('varSecurityPrincipalName'), parameters('storageAccountFqdn'))]" }, "resources": [ 
@@ -35880,7 +35880,7 @@ "azureFilesIdentityBasedAuthentication": { "value": { "directoryServiceOptions": "[variables('varDirectoryServiceOptions')]", - "activeDirectoryProperties": "[if(equals(parameters('identityServiceProvider'), 'AAD'), createObject('domainGuid', parameters('identityDomainGuid'), 'domainName', parameters('identityDomainName')), createObject())]" + "activeDirectoryProperties": "[if(equals(parameters('identityServiceProvider'), 'EntraID'), createObject('domainGuid', parameters('identityDomainGuid'), 'domainName', parameters('identityDomainName')), createObject())]" } }, "accessTier": { @@ -35916,7 +35916,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "14398504551168498076" + "templateHash": "6856542299042751588" } }, "parameters": { @@ -36062,7 +36062,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional. Allow or disallow cross AAD tenant object replication." + "description": "Optional. Allow or disallow cross EntraID tenant object replication." } }, "customDomainName": { @@ -36236,7 +36236,7 @@ "PrivateLink" ], "metadata": { - "description": "Optional. Restrict copy to and from Storage Accounts within an AAD tenant or with Private Links to the same VNet." + "description": "Optional. Restrict copy to and from Storage Accounts within an EntraID tenant or with Private Links to the same VNet." } }, "publicNetworkAccess": { 
@@ -39668,7 +39668,7 @@ "scriptArguments": { "value": "[variables('varStorageToDomainScriptArgs')]" }, - "adminUserPassword": "[if(equals(parameters('identityServiceProvider'), 'AAD'), createObject('reference', createObject('keyVault', createObject('id', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', parameters('workloadSubsId')), format('{0}', parameters('serviceObjectsRgName'))), 'Microsoft.KeyVault/vaults', parameters('wrklKvName'))), 'secretName', 'vmLocalUserPassword')), createObject('reference', createObject('keyVault', createObject('id', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', parameters('workloadSubsId')), format('{0}', parameters('serviceObjectsRgName'))), 'Microsoft.KeyVault/vaults', parameters('wrklKvName'))), 'secretName', 'domainJoinUserPassword')))]", + "adminUserPassword": "[if(equals(parameters('identityServiceProvider'), 'EntraID'), createObject('reference', createObject('keyVault', createObject('id', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', parameters('workloadSubsId')), format('{0}', parameters('serviceObjectsRgName'))), 'Microsoft.KeyVault/vaults', parameters('wrklKvName'))), 'secretName', 'vmLocalUserPassword')), createObject('reference', createObject('keyVault', createObject('id', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', parameters('workloadSubsId')), format('{0}', parameters('serviceObjectsRgName'))), 'Microsoft.KeyVault/vaults', parameters('wrklKvName'))), 'secretName', 'domainJoinUserPassword')))]", "baseScriptUri": { "value": "[parameters('storageToDomainScriptUri')]" } @@ -40341,7 +40341,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "14294076350463870661" + "templateHash": "148150929077879236" } }, "parameters": { 
@@ -40638,7 +40638,7 @@ "timeZone": { "value": "[parameters('timeZone')]" }, - "systemAssignedIdentity": "[if(equals(parameters('identityServiceProvider'), 'AAD'), createObject('value', true()), createObject('value', false()))]", + "systemAssignedIdentity": "[if(equals(parameters('identityServiceProvider'), 'EntraID'), createObject('value', true()), createObject('value', false()))]", "availabilityZone": "[if(parameters('useAvailabilityZones'), createObject('value', take(skip(variables('varAllAvailabilityZones'), mod(range(1, parameters('count'))[copyIndex()], length(variables('varAllAvailabilityZones')))), 1)), createObject('value', createArray()))]", "encryptionAtHost": { "value": "[parameters('encryptionAtHost')]" @@ -40714,7 +40714,7 @@ }, "extensionAadJoinConfig": { "value": { - "enabled": "[if(equals(parameters('identityServiceProvider'), 'AAD'), true(), false())]", + "enabled": "[if(equals(parameters('identityServiceProvider'), 'EntraID'), true(), false())]", "settings": "[if(parameters('createIntuneEnrollment'), createObject('mdmId', '0000000a-0000-0000-c000-000000000000'), createObject())]" } }, @@ -40731,7 +40731,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "3205620537307637582" + "templateHash": "15426531948771861029" } }, "parameters": { @@ -41065,7 +41065,7 @@ "enabled": false }, "metadata": { - "description": "Optional. The configuration for the [AAD Join] extension. Must at least contain the [\"enabled\": true] property to be executed." + "description": "Optional. The configuration for the [EntraID Join] extension. Must at least contain the [\"enabled\": true] property to be executed." } }, "extensionAntiMalwareConfig": { diff --git a/workload/bicep/deploy-baseline.bicep b/workload/bicep/deploy-baseline.bicep index 343292269..580e50068 100644 --- a/workload/bicep/deploy-baseline.bicep +++ b/workload/bicep/deploy-baseline.bicep 
@@ -47,7 +47,7 @@ param avdVmLocalUserPassword string
 @allowed([
 'ADDS' // Active Directory Domain Services
 'AADDS' // Microsoft Entra Domain Services
- 'AAD' // Microsoft Entra ID Join
+ 'EntraID' // Microsoft Entra ID Join
 ])
 @sys.description('Required, The service providing domain services for Azure Virtual Desktop. (Default: ADDS)')
 param avdIdentityServiceProvider string = 'ADDS'
@@ -992,7 +992,7 @@ module wrklKeyVault '../../carml/1.3.0/Microsoft.KeyVault/vaults/deploy.bicep' =
 }
 ] : []
 secrets: {
- secureList: (avdIdentityServiceProvider != 'AAD') ? [
+ secureList: (avdIdentityServiceProvider != 'EntraID') ? [
 {
 name: 'vmLocalUserPassword'
 value: avdVmLocalUserPassword
diff --git a/workload/bicep/modules/avdManagementPlane/deploy.bicep b/workload/bicep/modules/avdManagementPlane/deploy.bicep
index 0964543d8..9f980ca15 100644
--- a/workload/bicep/modules/avdManagementPlane/deploy.bicep
+++ b/workload/bicep/modules/avdManagementPlane/deploy.bicep
@@ -115,7 +115,7 @@ var varApplicaitonGroups = [
 applicationGroupType: (preferredAppGroupType == 'Desktop') ? 'Desktop' : 'RemoteApp'
 }
 ]
-var varHostPoolRdpPropertiesDomainServiceCheck = (identityServiceProvider == 'AAD') ? '${hostPoolRdpProperties};targetisaadjoined:i:1;enablerdsaadauth:i:1' : hostPoolRdpProperties
+var varHostPoolRdpPropertiesDomainServiceCheck = (identityServiceProvider == 'EntraID') ? '${hostPoolRdpProperties};targetisaadjoined:i:1;enablerdsaadauth:i:1' : hostPoolRdpProperties
 var varRAppApplicationGroupsStandardApps = (preferredAppGroupType == 'RailApplications') ? [
 {
 name: 'Task Manager'
diff --git a/workload/bicep/modules/avdSessionHosts/deploy-ama-backup.bicep b/workload/bicep/modules/avdSessionHosts/deploy-ama-backup.bicep
index c9f2c5f3b..57ab1a698 100644
--- a/workload/bicep/modules/avdSessionHosts/deploy-ama-backup.bicep
+++ b/workload/bicep/modules/avdSessionHosts/deploy-ama-backup.bicep
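Review bot: The `@sys.description` of `avdIdentityServiceProvider` does not say that the previously accepted `'AAD'` value is now `'EntraID'`, so every parameter file or pipeline still passing `'AAD'` is rejected by `@allowed` with no pointer to the rename. Suggest `@sys.description('Required. The service providing domain services for Azure Virtual Desktop: ADDS, AADDS or EntraID (EntraID replaces the former AAD value). (Default: ADDS)')`. Because this string is forwarded verbatim to the PowerShell scripts, which compare it by exact string match, this `@allowed` list is the only place the accepted set is enforced and is worth documenting as such.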
@@ -164,7 +164,7 @@ resource hostPool 'Microsoft.DesktopVirtualization/hostPools@2019-12-10-preview' } // call on the keyvault -resource keyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = if (identityServiceProvider != 'AAD') { +resource keyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = if (identityServiceProvider != 'EntraID') { name: wrklKvName scope: resourceGroup('${subscriptionId}', '${serviceObjectsRgName}') } @@ -180,7 +180,7 @@ module sessionHosts '../../../../carml/1.3.0/Microsoft.Compute/virtualMachines/d userAssignedIdentities: createAvdFslogixDeployment ? { '${storageManagedIdentityResourceId}': {} } : {} - systemAssignedIdentity: (identityServiceProvider == 'AAD' || deployMonitoring) ? true: false + systemAssignedIdentity: (identityServiceProvider == 'EntraID' || deployMonitoring) ? true: false availabilityZone: useAvailabilityZones ? take(skip(varAllAvailabilityZones, i % length(varAllAvailabilityZones)), 1) : [] encryptionAtHost: encryptionAtHost availabilitySetResourceId: useAvailabilityZones ? '' : '/subscriptions/${subscriptionId}/resourceGroups/${computeObjectsRgName}/providers/Microsoft.Compute/availabilitySets/${avsetNamePrefix}-${padLeft(((1 + (i + countIndex) / maxAvsetMembersCount)), 3, '0')}' @@ -225,7 +225,7 @@ module sessionHosts '../../../../carml/1.3.0/Microsoft.Compute/virtualMachines/d // ADDS or AADDS domain join. extensionDomainJoinPassword: keyVault.getSecret('domainJoinUserPassword') extensionDomainJoinConfig: { - enabled: (identityServiceProvider == 'AAD') ? false: true + enabled: (identityServiceProvider == 'EntraID') ? false: true settings: { name: identityDomainName ouPath: !empty(sessionHostOuPath) ? sessionHostOuPath : null 
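Review bot: `enabled: (identityServiceProvider == 'EntraID') ? false: true` in `extensionDomainJoinConfig` spells a boolean as a ternary; `enabled: identityServiceProvider != 'EntraID'` reads as the exact inverse of the `extensionAadJoinConfig` toggle and makes the mutual exclusion of the two join extensions obvious. The `keyVault` resource behind `keyVault.getSecret('domainJoinUserPassword')` two lines above is declared `existing = if (identityServiceProvider != 'EntraID')` earlier in this file, so the two comparisons must stay in lockstep; a comment such as `// must match the condition on the keyVault existing resource` would protect the next rename. The `sessionHosts` module body continues outside the hunk.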
@@ -236,7 +236,7 @@ module sessionHosts '../../../../carml/1.3.0/Microsoft.Compute/virtualMachines/d } // Microsoft Entra ID (EntraID) Join. extensionAadJoinConfig: { - enabled: (identityServiceProvider == 'AAD') ? true: false + enabled: (identityServiceProvider == 'EntraID') ? true: false settings: createIntuneEnrollment ? { mdmId: '0000000a-0000-0000-c000-000000000000' }: {} diff --git a/workload/bicep/modules/avdSessionHosts/deploy.bicep b/workload/bicep/modules/avdSessionHosts/deploy.bicep index 9601a9207..c95bb2573 100644 --- a/workload/bicep/modules/avdSessionHosts/deploy.bicep +++ b/workload/bicep/modules/avdSessionHosts/deploy.bicep @@ -158,7 +158,7 @@ resource hostPool 'Microsoft.DesktopVirtualization/hostPools@2019-12-10-preview' } // call on the keyvault -resource keyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = if (identityServiceProvider != 'AAD') { +resource keyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = if (identityServiceProvider != 'EntraID') { name: wrklKvName scope: resourceGroup('${subscriptionId}', '${serviceObjectsRgName}') } @@ -171,7 +171,7 @@ module sessionHosts '../../../../carml/1.3.0/Microsoft.Compute/virtualMachines/d name: '${namePrefix}${padLeft((i + countIndex), 4, '0')}' location: location timeZone: timeZone - systemAssignedIdentity: (identityServiceProvider == 'AAD') ? true : false + systemAssignedIdentity: (identityServiceProvider == 'EntraID') ? true : false availabilityZone: useAvailabilityZones ? take(skip(varAllAvailabilityZones, i % length(varAllAvailabilityZones)), 1) : [] encryptionAtHost: encryptionAtHost availabilitySetResourceId: useAvailabilityZones ? '' : '/subscriptions/${subscriptionId}/resourceGroups/${computeObjectsRgName}/providers/Microsoft.Compute/availabilitySets/${avsetNamePrefix}-${padLeft(((1 + (i + countIndex) / maxAvsetMembersCount)), 3, '0')}' 
@@ -227,7 +227,7 @@ module sessionHosts '../../../../carml/1.3.0/Microsoft.Compute/virtualMachines/d } // Microsoft Entra ID Join. extensionAadJoinConfig: { - enabled: (identityServiceProvider == 'AAD') ? true : false + enabled: (identityServiceProvider == 'EntraID') ? true : false settings: createIntuneEnrollment ? { mdmId: '0000000a-0000-0000-c000-000000000000' } : {} diff --git a/workload/bicep/modules/identity/deploy.bicep b/workload/bicep/modules/identity/deploy.bicep index b62337d69..dbae5abca 100644 --- a/workload/bicep/modules/identity/deploy.bicep +++ b/workload/bicep/modules/identity/deploy.bicep @@ -145,8 +145,8 @@ module storageSmbShareContributorRoleAssign '../../../../carml/1.3.0/Microsoft.A } }] -// VM AAD access roles compute RG -module aadIdentityLoginRoleAssign '../../../../carml/1.3.0/Microsoft.Authorization/roleAssignments/resourceGroup/deploy.bicep' = [for appGroupIdentitiesId in securityPrincipalIds: if (identityServiceProvider == 'AAD' && !empty(securityPrincipalIds)) { +// VM EntraID access roles compute RG +module aadIdentityLoginRoleAssign '../../../../carml/1.3.0/Microsoft.Authorization/roleAssignments/resourceGroup/deploy.bicep' = [for appGroupIdentitiesId in securityPrincipalIds: if (identityServiceProvider == 'EntraID' && !empty(securityPrincipalIds)) { name: 'VM-Login-Comp-${take('${appGroupIdentitiesId}', 6)}-${time}' scope: resourceGroup('${subscriptionId}', '${computeObjectsRgName}') params: { 
@@ -155,8 +155,8 @@ module aadIdentityLoginRoleAssign '../../../../carml/1.3.0/Microsoft.Authorizati } }] -// VM AAD access roles service objects RG -module aadIdentityLoginAccessServiceObjects '../../../../carml/1.3.0/Microsoft.Authorization/roleAssignments/resourceGroup/deploy.bicep' = [for appGroupIdentitiesId in securityPrincipalIds: if (identityServiceProvider == 'AAD' && !empty(securityPrincipalIds)) { +// VM EntraID access roles service objects RG +module aadIdentityLoginAccessServiceObjects '../../../../carml/1.3.0/Microsoft.Authorization/roleAssignments/resourceGroup/deploy.bicep' = [for appGroupIdentitiesId in securityPrincipalIds: if (identityServiceProvider == 'EntraID' && !empty(securityPrincipalIds)) { name: 'VM-Login-Serv-${take('${appGroupIdentitiesId}', 6)}-${time}' scope: resourceGroup('${subscriptionId}', '${serviceObjectsRgName}') params: { diff --git a/workload/bicep/modules/storageAzureFiles/.bicep/managementVm.bicep b/workload/bicep/modules/storageAzureFiles/.bicep/managementVm.bicep index 335fae4a9..26d09e1b4 100644 --- a/workload/bicep/modules/storageAzureFiles/.bicep/managementVm.bicep +++ b/workload/bicep/modules/storageAzureFiles/.bicep/managementVm.bicep @@ -158,7 +158,7 @@ module managementVm '../../../../../carml/1.3.0/Microsoft.Compute/virtualMachine allowExtensionOperations: true extensionDomainJoinPassword: avdWrklKeyVaultget.getSecret('domainJoinUserPassword') extensionDomainJoinConfig: { - enabled: (identityServiceProvider == 'AAD') ? false: true + enabled: (identityServiceProvider == 'EntraID') ? false: true settings: { name: identityDomainName ouPath: !empty(ouPath) ? ouPath : null @@ -169,7 +169,7 @@ module managementVm '../../../../../carml/1.3.0/Microsoft.Compute/virtualMachine } // Entra ID Join. extensionAadJoinConfig: { - enabled: (identityServiceProvider == 'AAD') ? true: false + enabled: (identityServiceProvider == 'EntraID') ? true: false } tags: tags } 
diff --git a/workload/bicep/modules/storageAzureFiles/deploy.bicep b/workload/bicep/modules/storageAzureFiles/deploy.bicep index 4e1369618..21c265222 100644 --- a/workload/bicep/modules/storageAzureFiles/deploy.bicep +++ b/workload/bicep/modules/storageAzureFiles/deploy.bicep @@ -109,9 +109,9 @@ var varAvdFileShareMetricsDiagnostic = [ 'Transaction' ] var varWrklStoragePrivateEndpointName = 'pe-${storageAccountName}-file' -var varDirectoryServiceOptions = (identityServiceProvider == 'AADDS') ? 'AADDS': (identityServiceProvider == 'AAD') ? 'AADKERB': 'None' +var varDirectoryServiceOptions = (identityServiceProvider == 'AADDS') ? 'AADDS': (identityServiceProvider == 'EntraID') ? 'AADKERB': 'None' var varSecurityPrincipalName = !empty(securityPrincipalName)? securityPrincipalName : 'none' -var varAdminUserName = (identityServiceProvider == 'AAD') ? vmLocalUserName : domainJoinUserName +var varAdminUserName = (identityServiceProvider == 'EntraID') ? vmLocalUserName : domainJoinUserName var varStorageToDomainScriptArgs = '-DscPath ${dscAgentPackageLocation} -StorageAccountName ${storageAccountName} -StorageAccountRG ${storageObjectsRgName} -StoragePurpose ${storagePurpose} -DomainName ${identityDomainName} -IdentityServiceProvider ${identityServiceProvider} -AzureCloudEnvironment ${varAzureCloudName} -SubscriptionId ${workloadSubsId} -AdminUserName ${varAdminUserName} -CustomOuPath ${storageCustomOuPath} -OUName ${ouStgPath} -ShareName ${fileShareName} -ClientId ${managedIdentityClientId} -SecurityPrincipalName "${varSecurityPrincipalName}" -StorageAccountFqdn ${storageAccountFqdn} ' // =========== // 
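Review bot: `varDirectoryServiceOptions` maps the renamed `'EntraID'` selector to the storage API enum `'AADKERB'` (and `'AADDS'` to `'AADDS'`), which is correct but now easy to break: a later search-and-replace of "AAD" would hit the service-side enum values as well as the parameter. Suggest a comment on that line, `// 'AADKERB' / 'AADDS' are Azure Files directoryServiceOptions enum values; do not rename them with identityServiceProvider`; the RDP properties `targetisaadjoined:i:1;enablerdsaadauth:i:1` in the management-plane module deserve the same note. `varStorageToDomainScriptArgs` also passes `-IdentityServiceProvider ${identityServiceProvider}` verbatim to the DSC script, so the Bicep `@allowed` set and the script's string comparisons have to stay aligned.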
@@ -138,7 +138,7 @@ module storageAndFile '../../../../carml/1.3.0/Microsoft.Storage/storageAccounts largeFileSharesState: (storageSku == 'Standard_LRS') || (storageSku == 'Standard_ZRS') ? 'Enabled': 'Disabled' azureFilesIdentityBasedAuthentication: { directoryServiceOptions: varDirectoryServiceOptions - activeDirectoryProperties: (identityServiceProvider == 'AAD') ? { + activeDirectoryProperties: (identityServiceProvider == 'EntraID') ? { domainGuid: identityDomainGuid domainName: identityDomainName } : {} @@ -195,7 +195,7 @@ module addShareToDomainScript './.bicep/azureFilesDomainJoin.bicep' = { name: managementVmName file: storageToDomainScript scriptArguments: varStorageToDomainScriptArgs - adminUserPassword: (identityServiceProvider == 'AAD') ? avdWrklKeyVaultget.getSecret('vmLocalUserPassword') : avdWrklKeyVaultget.getSecret('domainJoinUserPassword') + adminUserPassword: (identityServiceProvider == 'EntraID') ? avdWrklKeyVaultget.getSecret('vmLocalUserPassword') : avdWrklKeyVaultget.getSecret('domainJoinUserPassword') baseScriptUri: storageToDomainScriptUri } dependsOn: [ diff --git a/workload/docs/baseline-troubleshooting-guide.md b/workload/docs/baseline-troubleshooting-guide.md index 902d51aab..fe0e9f3e8 100644 --- a/workload/docs/baseline-troubleshooting-guide.md +++ b/workload/docs/baseline-troubleshooting-guide.md 
@@ -10,7 +10,7 @@ Follow the steps below to troubleshoot and resolve the issue: ### Validate environment and account configuration -- **Check Configuration**: Review your Azure Virtual Desktop (AVD) virtual network configuration and ensure that DNS is properly configured and the virtual network is peered to the network Hub or Identity Services virtual network. When using AD DS or AAD DS commonly the virtual network will need to be setup with custom DNS servers settings that point to the domain controllers IPs. +- **Check Configuration**: Review your Azure Virtual Desktop (AVD) virtual network configuration and ensure that DNS is properly configured and the virtual network is peered to the network Hub or Identity Services virtual network. When using AD DS or Microsoft Entra Domain Services commonly the virtual network will need to be setup with custom DNS servers settings that point to the domain controllers IPs. - Resources: - [Name resolution for resources in Azure virtual networks](https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances?tabs=redhat) diff --git a/workload/docs/deploy-baseline.md b/workload/docs/deploy-baseline.md index a3aa4a6af..b4048789f 100644 --- a/workload/docs/deploy-baseline.md +++ b/workload/docs/deploy-baseline.md 
@@ -10,16 +10,16 @@ - **Prefix** – A prefix of maximum 4 characters that will be appended to the names of Resource Groups and Azure resources within the Resource Groups. - **Environment** – Deployment Environment type (Development/Test/Production), will be used for naming and tagging purposes. - **Identity provider** blade - - **Identity Service Provider** - Identity service provider (AD DS, AAD DS, AAD) that already exists and will be used for Azure Virtual Desktop. + - **Identity Service Provider** - Identity service provider (AD DS, EntraID DS, EntraID) that already exists and will be used for Azure Virtual Desktop. - Microsoft Entra ID. - Active Directory (AD DS). - Microsoft Entra Domain Services. - **Azure Virtual Desktop access assignment** - These identities will be granted access to Azure Virtual Desktop application groups (role "Desktop Virtualization User"). - - Groups - select from the drop down the groups to be granted access to Azure Virtual Desktop published items and to create sessions on VMs and single sign-on (SSO) when using AAD as identity provider. - - Note: when using AAD as identity service provider, an additional role (virtual machine user login) will be granted to compute resource group during deployment. - - **When selecting AD DS or AAD DS:** + - Groups - select from the drop down the groups to be granted access to Azure Virtual Desktop published items and to create sessions on VMs and single sign-on (SSO) when using EntraID as identity provider. + - Note: when using EntraID as identity service provider, an additional role (virtual machine user login) will be granted to compute resource group during deployment. + - **When selecting AD DS or Microsoft Entra DS:** - Domain join credentials The Username and password with rights to join computers to the domain. - - **When selecting ADD:** + - **When selecting EntraID:** - Enroll VM with Intune: check the box to enroll session hosts on tenant's. 
- **Session host local admin credentials** The Username and password to set for local administrator. - **Management plane** blade diff --git a/workload/docs/getting-started-baseline.md b/workload/docs/getting-started-baseline.md index 80433d6ee..0f6cd3d0a 100644 --- a/workload/docs/getting-started-baseline.md +++ b/workload/docs/getting-started-baseline.md @@ -32,7 +32,7 @@ Prior to deploying the Baseline solution, you need to ensure you have met the fo - Change Password - Validate Write to DNS hostname - Validate Write to Service Principal Name -- [x] The Domain Controllers used for AD join purposes should be standard writable Domain Controllers, not Read Only Domain Controllers (when using AD DS or AAD DS). +- [x] The Domain Controllers used for AD join purposes should be standard writable Domain Controllers, not Read Only Domain Controllers (when using AD DS or Microsoft Entra DS). - [x] Ensure you have the appropriate [licenses](https://docs.microsoft.com/azure/virtual-desktop/prerequisites#operating-systems-and-licenses) for proper Azure Virtual Desktop entitlement. ### Networking requirements diff --git a/workload/portal-ui/portal-ui-baseline.json b/workload/portal-ui/portal-ui-baseline.json index 4f454c3bc..fe91f7af2 100644 --- a/workload/portal-ui/portal-ui-baseline.json +++ b/workload/portal-ui/portal-ui-baseline.json @@ -140,7 +140,7 @@ "allowedValues": [ { "label": "Microsoft Entra ID", - "value": "AAD" + "value": "EntraID" }, { "label": "Active Directory (AD DS)", 
@@ -156,7 +156,7 @@ { "name": "identityServiceProviderIntuneEnrollment", "type": "Microsoft.Common.CheckBox", - "visible": "[equals(steps('identity').identityDomainInformation.identityServiceProvider, 'AAD')]", + "visible": "[equals(steps('identity').identityDomainInformation.identityServiceProvider, 'EntraID')]", "label": "Intune enrollment", "defaultValue": false, "toolTip": "If Intune is configured in your Microsoft Entra ID tenant, you can choose to have the VM automatically enrolled during the deployment by selecting this box." @@ -164,7 +164,7 @@ { "name": "identityServiceProviderInfo", "type": "Microsoft.Common.InfoBox", - "visible": "[not(equals(steps('identity').identityDomainInformation.identityServiceProvider, 'AAD'))]", + "visible": "[not(equals(steps('identity').identityDomainInformation.identityServiceProvider, 'EntraID'))]", "options": { "text": "Identity service provider must already exist, as it is a prerequisite for the Azure Virtual Desktop LZA deployment.", "uri": "https://github.com/Azure/avdaccelerator/blob/main/workload/docs/getting-started.md", @@ -229,7 +229,7 @@ { "name": "identityDomainCredentials", "type": "Microsoft.Common.Section", - "visible": "[not(equals(steps('identity').identityDomainInformation.identityServiceProvider, 'AAD'))]", + "visible": "[not(equals(steps('identity').identityDomainInformation.identityServiceProvider, 'EntraID'))]", "label": "Domain join credentials", "elements": [ { @@ -570,7 +570,7 @@ { "name": "identityDomainOuPath", "type": "Microsoft.Common.TextBox", - "visible": "[not(equals(steps('identity').identityDomainInformation.identityServiceProvider, 'AAD'))]", + "visible": "[not(equals(steps('identity').identityDomainInformation.identityServiceProvider, 'EntraID'))]", "label": "Custom OU path (Optional)", "toolTip": "Provide OU where to locate session hosts, if not provided session hosts will be placed on the default (computers) OU.", "placeholder": "Example: OU=session-hosts,OU=avd,DC=contoso,DC=com", 
@@ -877,7 +877,7 @@ { "name": "identityDomainOuPathStorageExisting", "type": "Microsoft.Common.TextBox", - "visible": "[not(equals(steps('identity').identityDomainInformation.identityServiceProvider, 'AAD'))]", + "visible": "[not(equals(steps('identity').identityDomainInformation.identityServiceProvider, 'EntraID'))]", "label": "Custom OU path (Optional)", "toolTip": "Provide OU where to locate storage account file share. If not provided, file share will be placed on the default (computers) OU.", "placeholder": "Example: OU=storage,OU=avd,DC=contoso,DC=com", @@ -948,7 +948,7 @@ { "name": "StorageDeploymentDisabledAad", "type": "Microsoft.Common.InfoBox", - "visible": "[equals(steps('identity').identityDomainInformation.identityServiceProvider, 'AAD')]", + "visible": "[equals(steps('identity').identityDomainInformation.identityServiceProvider, 'EntraID')]", "options": { "text": "Granting admin consent to the storage account service principal (your-storage-account-name.file.core.windows.net) is a requirememt, the link in this box contains the steps to grant the consent.", "uri": "https://learn.microsoft.com/azure/storage/files/storage-files-identity-auth-azure-active-directory-enable?tabs=azure-portal#grant-admin-consent-to-the-new-service-principal", @@ -1014,7 +1014,7 @@ { "name": "StorageDeploymentDisabledAad", "type": "Microsoft.Common.InfoBox", - "visible": "[equals(steps('identity').identityDomainInformation.identityServiceProvider, 'AAD')]", + "visible": "[equals(steps('identity').identityDomainInformation.identityServiceProvider, 'EntraID')]", "options": { "text": "FSLogix storage for Microsoft Entra ID joined session hosts is currently only available for hybrid identities.", "uri": "https://learn.microsoft.com/azure/virtual-desktop/create-profile-container-azure-ad", 
@@ -1032,9 +1032,9 @@ { "name": "virtualNetworklInfoBox", "type": "Microsoft.Common.InfoBox", - "visible": "[not(equals(steps('identity').identityDomainInformation.identityServiceProvider, 'AAD'))]", + "visible": "[not(equals(steps('identity').identityDomainInformation.identityServiceProvider, 'EntraID'))]", "options": { - "text": "Azure Virtual Desktop LZA requires connectivity to identity services (ADDS, AADDS or AAD).", + "text": "Azure Virtual Desktop LZA requires connectivity to identity services (ADDS, AADDS or EntraID).", "uri": "https://docs.microsoft.com/azure/virtual-desktop/authentication", "style": "info" } @@ -1371,7 +1371,7 @@ { "name": "virtualNetworkPeeringInfoBox1", "type": "Microsoft.Common.InfoBox", - "visible": "[and(equals(steps('network').createAvdVirtualNetwork, true),not(equals(steps('identity').identityDomainInformation.identityServiceProvider, 'AAD')))]", + "visible": "[and(equals(steps('network').createAvdVirtualNetwork, true),not(equals(steps('identity').identityDomainInformation.identityServiceProvider, 'EntraID')))]", "options": { "text": "vNet peering will be created to existing vNet hub with access to identity and DNS services .", "uri": "https://docs.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop?context=/azure/virtual-desktop/context/context", @@ -1381,7 +1381,7 @@ { "name": "hubVirtualNetworkPeeringInfoBox2", "type": "Microsoft.Common.InfoBox", - "visible": "[equals(steps('identity').identityDomainInformation.identityServiceProvider, 'AAD')]", + "visible": "[equals(steps('identity').identityDomainInformation.identityServiceProvider, 'EntraID')]", "options": { "text": "vNet peering to identity services is not required when Microsoft Entra ID as identity service provider .", "uri": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/azure-virtual-desktop-azure-active-directory-join", 
@@ -1399,7 +1399,7 @@ { "name": "hubVirtualNetworkSub", "type": "Microsoft.Common.DropDown", - "visible": "[not(equals(steps('identity').identityDomainInformation.identityServiceProvider, 'AAD'))]", + "visible": "[not(equals(steps('identity').identityDomainInformation.identityServiceProvider, 'EntraID'))]", "label": "Hub vNet Subscription", "toolTip": "", "multiselect": false, @@ -1423,7 +1423,7 @@ { "name": "existingHubVirtualNetwork", "type": "Microsoft.Common.DropDown", - "visible": "[not(equals(steps('identity').identityDomainInformation.identityServiceProvider, 'AAD'))]", + "visible": "[not(equals(steps('identity').identityDomainInformation.identityServiceProvider, 'EntraID'))]", "label": "Hub vNet", "toolTip": "", "multiselect": false, @@ -1439,7 +1439,7 @@ { "name": "hubVirtualNetworkGateway", "type": "Microsoft.Common.CheckBox", - "visible": "[not(equals(steps('identity').identityDomainInformation.identityServiceProvider, 'AAD'))]", + "visible": "[not(equals(steps('identity').identityDomainInformation.identityServiceProvider, 'EntraID'))]", "label": "Gateway on hub", "defaultValue": false, "toolTip": "This information will be used to set remote gateway settings on vNet peering." @@ -2081,7 +2081,7 @@ "name": "resourceTaggingParentCostInfo", "type": "Microsoft.Common.InfoBox", "options": { - "text": "By default, the following tags will be created:
- Parent resource cost management tag (cm-resource-parent): reports all resources cost to the host pool (ResourceID).
- Environment (Environment): environment selected during deployment (Dev/Test/prod).
- Service Workload (ServiceWorkload): defaults to Azure Virtual Desktop.
- Creation time (CreationTimeUTC): deployment time in UTC.
- Domain Name (DomainName): identity service domain name (applied only to compute and storage).
- Identity service provider (IdentityServiceProvider): identity provider selected (ADDS/AADDS/AAD).", + "text": "By default, the following tags will be created:
- Parent resource cost management tag (cm-resource-parent): reports all resources cost to the host pool (ResourceID).
- Environment (Environment): environment selected during deployment (Dev/Test/prod).
- Service Workload (ServiceWorkload): defaults to Azure Virtual Desktop.
- Creation time (CreationTimeUTC): deployment time in UTC.
- Domain Name (DomainName): identity service domain name (applied only to compute and storage).
- Identity service provider (IdentityServiceProvider): identity provider selected (ADDS/AADDS/EntraID).", "uri": "https://learn.microsoft.com/azure/virtual-desktop/tag-virtual-desktop-resources#use-the-cm-resource-parent-tag-to-automatically-group-costs-by-host-pool", "style": "Info" } 
@@ -2314,11 +2314,11 @@ "hostPoolMaxSessions": "[if(equals(steps('managementPlane').managementPlaneHostPoolSettings.hostPoolType, 'Pooled'), steps('managementPlane').managementPlaneHostPoolSettings.maxSessions, 1)]", "avdPersonalAssignType": "[if(equals(steps('managementPlane').managementPlaneHostPoolSettings.hostPoolType, 'Personal'), steps('managementPlane').managementPlaneHostPoolSettings.assignmentType, 'Automatic')]", "avdIdentityServiceProvider": "[steps('identity').identityDomainInformation.identityServiceProvider]", - "createIntuneEnrollment": "[if(equals(steps('identity').identityDomainInformation.identityServiceProvider, 'AAD'), steps('identity').identityDomainInformation.identityServiceProviderIntuneEnrollment, false)]", + "createIntuneEnrollment": "[if(equals(steps('identity').identityDomainInformation.identityServiceProvider, 'EntraID'), steps('identity').identityDomainInformation.identityServiceProviderIntuneEnrollment, false)]", "identityDomainName": "[if(and(or(equals(steps('identity').identityDomainInformation.identityServiceProvider, 'ADDS'), equals(steps('identity').identityDomainInformation.identityServiceProvider, 'AADDS')), or(steps('storage').storageFslogix.fslogixDeployment, steps('storage').storageMsix.msixDeployment)), steps('storage').storageGeneralSettings.identityDomainName, 'none')]", - "avdOuPath": "[if(equals(steps('identity').identityDomainInformation.identityServiceProvider, 'AAD'), 'no', steps('sessionHosts').sessionHostsComputeStorageSection.identityDomainOuPath)]", - "avdDomainJoinUserName": "[if(equals(steps('identity').identityDomainInformation.identityServiceProvider, 'AAD'), 'no', steps('identity').identityDomainCredentials.identityDomainJoinUserName)]", - "avdDomainJoinUserPassword": "[if(equals(steps('identity').identityDomainInformation.identityServiceProvider, 'AAD'), 'no', steps('identity').identityDomainCredentials.identityDomainJoinUserPassword)]", + "avdOuPath": 
"[if(equals(steps('identity').identityDomainInformation.identityServiceProvider, 'EntraID'), 'no', steps('sessionHosts').sessionHostsComputeStorageSection.identityDomainOuPath)]", + "avdDomainJoinUserName": "[if(equals(steps('identity').identityDomainInformation.identityServiceProvider, 'EntraID'), 'no', steps('identity').identityDomainCredentials.identityDomainJoinUserName)]", + "avdDomainJoinUserPassword": "[if(equals(steps('identity').identityDomainInformation.identityServiceProvider, 'EntraID'), 'no', steps('identity').identityDomainCredentials.identityDomainJoinUserPassword)]", "avdVmLocalUserName": "[steps('identity').identityLocalCredentials.identityLocalUserName]", "avdVmLocalUserPassword": "[steps('identity').identityLocalCredentials.identityLocalUserPassword.password]", "createAvdVnet": "[steps('network').createAvdVirtualNetwork]", diff --git a/workload/scripts/DSCStorageScripts/1.0.0/Script-DomainJoinStorage.ps1 b/workload/scripts/DSCStorageScripts/1.0.0/Script-DomainJoinStorage.ps1 index 894d71d9a..1457ecb07 100644 --- a/workload/scripts/DSCStorageScripts/1.0.0/Script-DomainJoinStorage.ps1 +++ b/workload/scripts/DSCStorageScripts/1.0.0/Script-DomainJoinStorage.ps1 @@ -63,7 +63,7 @@ $ErrorActionPreference = "Stop" . (Join-Path $ScriptPath "Logger.ps1") -if ($IdentityServiceProvider -ne 'AAD') { +if ($IdentityServiceProvider -ne 'EntraID') { Write-Log "Forcing group policy updates" gpupdate /force @@ -171,7 +171,7 @@ Try { icacls ${DriveLetter}: /remove "BUILTIN\Users" Write-Log "ACLs set" #AVD group permissions - if ($SecurityPrincipalName -eq 'none' -or $IdentityServiceProvider -eq 'AAD') { + if ($SecurityPrincipalName -eq 'none' -or $IdentityServiceProvider -eq 'EntraID') { Write-Log "AD group not provided or using Microsoft Entra ID joined session hosts, ACLs for AD group not set" } else { diff --git a/workload/scripts/Manual-DSC-Storage-Scripts.ps1 b/workload/scripts/Manual-DSC-Storage-Scripts.ps1 index 699b64d5a..63190f1d9 100644 
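Review bot: `if ($IdentityServiceProvider -ne 'EntraID')` fails open: any value other than the exact string `EntraID` (the old `AAD` from a caller that was not updated, or a typo) silently takes the domain branch and runs `gpupdate /force` and, further down, the AD-join and ACL logic. Suggest rejecting unknown values before the first branch, e.g. `if ($IdentityServiceProvider -notin @('ADDS','AADDS','EntraID')) { throw "Unsupported IdentityServiceProvider '$IdentityServiceProvider'" }`, or a `[ValidateSet('ADDS','AADDS','EntraID')]` on the parameter if the `param` block (outside this hunk) does not already carry one. The script body continues outside the hunk.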
--- a/workload/scripts/Manual-DSC-Storage-Scripts.ps1 +++ b/workload/scripts/Manual-DSC-Storage-Scripts.ps1 @@ -65,12 +65,12 @@ param ( ) Write-Host "Add domain join account as local administrator" -if ($IdentityServiceProvider -ne 'AAD') { +if ($IdentityServiceProvider -ne 'EntraID') { Add-LocalGroupMember -Group "Administrators" -Member $AdminUserName Write-Host "Domain join account added to local administrators group" } else { - Write-Host "Using AAD, no domain join account to add to local administrators group" + Write-Host "Using EntraID, no domain join account to add to local administrators group" } Write-Host "Downloading the DSCStorageScripts.zip from $DscPath" diff --git a/workload/scripts/Set-SessionHostConfiguration.ps1 b/workload/scripts/Set-SessionHostConfiguration.ps1 index 8277f92ac..b72c0add5 100644 --- a/workload/scripts/Set-SessionHostConfiguration.ps1 +++ b/workload/scripts/Set-SessionHostConfiguration.ps1 @@ -249,7 +249,7 @@ try { } ) } - if ($IdentityServiceProvider -eq "AAD" -and $Fslogix -eq 'true') { + if ($IdentityServiceProvider -eq "EntraID" -and $Fslogix -eq 'true') { $Settings += @( [PSCustomObject]@{ Name = 'CloudKerberosTicketRetrievalEnabled' @@ -276,7 +276,7 @@ try { ############################################################## # Add Microsoft Entra ID Join Setting ############################################################## - if ($IdentityServiceProvider -eq "AAD") { + if ($IdentityServiceProvider -eq "EntraID") { $Settings += @( # Enable PKU2U: https://docs.microsoft.com/en-us/azure/virtual-desktop/troubleshoot-azure-ad-connections#windows-desktop-client 
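Review bot: In the `-ne 'EntraID'` branch, `Add-LocalGroupMember -Group "Administrators" -Member $AdminUserName` is reached for every value that is not exactly `EntraID`; this script is run by hand, so an operator copying the old `AAD` value from earlier docs would get the supplied account added to local Administrators instead of the intended no-op. A `[ValidateSet('ADDS','AADDS','EntraID')]` on `$IdentityServiceProvider` in the `param` block (which starts outside this hunk) would turn the stale value into a hard error. The log line `Write-Host "Using EntraID, no domain join account to add to local administrators group"` could read "Using Microsoft Entra ID" to match the other user-facing messages in this change.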
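Review bot: The Microsoft Entra ID join settings (the PKU2U enablement here and `CloudKerberosTicketRetrievalEnabled` in the hunk above) are applied only when `$IdentityServiceProvider -eq "EntraID"`; a host that receives the legacy `AAD` string skips them silently and comes up without the Entra join configuration rather than failing. An explicit guard near the top of the script, `if ($IdentityServiceProvider -notin @('ADDS','AADDS','EntraID')) { throw "Unsupported IdentityServiceProvider: $IdentityServiceProvider" }`, turns that into a visible deployment failure. The enclosing `try` block starts and ends outside the hunk.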
@@ -357,7 +357,7 @@ try { ############################################################## # Install the AVD Agent ############################################################## - # Disabling this method for installing the AVD agent until AAD Join can completed successfully + # Disabling this method for installing the AVD agent until EntraID Join can completed successfully $BootInstaller = 'AVD-Bootloader.msi' Get-WebFile -FileName $BootInstaller -URL 'https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWrxrH' Start-Process -FilePath 'msiexec.exe' -ArgumentList "/i $BootInstaller /quiet /qn /norestart /passive" -Wait -Passthru @@ -373,7 +373,7 @@ try { ############################################################## # Restart VM ############################################################## - if ($IdentityServiceProvider -eq "AAD" -and $AmdVmSize -eq 'false' -and $NvidiaVmSize -eq 'false') { + if ($IdentityServiceProvider -eq "EntraID" -and $AmdVmSize -eq 'false' -and $NvidiaVmSize -eq 'false') { Start-Process -FilePath 'shutdown' -ArgumentList '/r /t 30' } } diff --git a/workload/terraform/greenfield/readme.md b/workload/terraform/greenfield/readme.md index 4dc570baa..da1a31dad 100644 --- a/workload/terraform/greenfield/readme.md +++ b/workload/terraform/greenfield/readme.md 
@@ -44,8 +44,8 @@ This folder is laid out hierarchically so that different levels of modules may b | ------------------- | ------------------------------------------------------------ | | [modules](../modules) | This folder contains re-usable modules that create infrastructure components that are used to compose more complex scenarios | | [ADDS scenarios](./ADDSscenario/readme.md) | This folder contains scenario root modules that deploy AVD with ADDS join session host. | -| [AAD scenarios](./AADscenario/readme.md) | This folder contains scenario root modules that deploy AVD with Microsoft Entra ID join session host. | -| [AAD Zero Trust scenarios](./zerotrust/readme.md) | This folder contains scenario root modules that deploy AVD with Microsoft Entra ID join session host following zero trust principles. | +| [EntraID scenarios](./AADscenario/readme.md) | This folder contains scenario root modules that deploy AVD with Microsoft Entra ID join session host. | +| [EntraID Zero Trust scenarios](./zerotrust/readme.md) | This folder contains scenario root modules that deploy AVD with Microsoft Entra ID join session host following zero trust principles. |
Click to expand