AVD Add-On: Integrate teir3 (#1030)

* Removed unnecessary params

* Added default values to params

* Removed unnecessary params

* Removed unnecessary params

* Removed unnecessary params

* Removed unnecessary properties

* Changed ip config names, merged NIC & VM deployments

* Removed unnecessary params

* Changed ip config name, Updated params

* Simplified subnets array, Removed unnecessary params

* Removed unnecessary params

* Removed unnecessary param

* Fixed params, Moved naming

* Moved naming

* Added param, Moved naming

* Added key vault diagnostics

* Deleted file

* Renamed files, Updated naming

* Updated params, Added parent property

* Added least privilege role assignment

* Updated naming

* Updated deployment scopes

* Fixed scope, Updated params

* Added spacing

* Updated naming

* Updated naming

* Fixed access modes

* Moved names to naming deployment

* Updated naming

* Updated naming

* Updated naming

* Updated scope & naming

* Updated scope & params

* Compiled bicep changes

* Fixed names for disks & NICs

* GitHub Action: Build Bicep to JSON

* Fixed NIC name

* GitHub Action: Build Bicep to JSON

* Fixed spacing

* Updated comment

* Compiled bicep changes

* GitHub Action: Build Bicep to JSON

* Fixed VM naming convention

* GitHub Action: Build Bicep to JSON

* Compiled bicep changes

* GitHub Action: Build Bicep to JSON

* Compiled bicep changes

* GitHub Action: Build Bicep to JSON

* Fixed VM name

* GitHub Action: Build Bicep to JSON

* Fixed names

* GitHub Action: Build Bicep to JSON

* More name fixes

* GitHub Action: Build Bicep to JSON

* Fixed pip names for diag settings

* GitHub Action: Build Bicep to JSON

* Fixed pip name

* GitHub Action: Build Bicep to JSON

* Fixed firewall name

* GitHub Action: Build Bicep to JSON

* Renamed parent folder

* Renamed parent folder

* Fixed resource name

* Renamed parent folder

* Renamed parent folder

* Added param

* Added tier3

* Complied bicep changes

* Added tier3 to AVD add-on

* Compiled bicep changes

* Renamed folder

* Fixed diagnostic setting names

* Updated output

* Sorted params, Removed params

* Removed params, Fixed resource names

* Added an output

* Fixed storage account name

* Fixed names

* Fixed file name

* Fixed params

* Updated params, Removed unnecessary deployments

* Added params

* Added params

* Sorted params, Added params, Fixed name

* Compiled bicep changes

* Added unique token to storage account names

* Compiled bicep changes

* GitHub Action: Build Bicep to JSON

---------

Co-authored-by: github-actions <github-actions@github.com>

README.md

@@ -34,7 +34,7 @@ Our intent is to enable IT Admins to use this software to:
 ## Mission Landing Zone Add-ons
 
 - [ESRI ArcGIS Pro & Enterprise with AVD](./docs/esri.md)
-- [AVD (Azure Virtual Desktop)](./src/bicep/add-ons/azureVirtualDesktop/README.md)
+- [AVD (Azure Virtual Desktop)](./src/bicep/add-ons/azure-virtual-desktop/README.md)
 - [Zero Trust Imaging](./src/bicep/add-ons/imaging/README.md)
 
 ## What is a Landing Zone?

docs/esri.md

@@ -46,14 +46,14 @@ If you already have an Azure Landing Zone, you can skip this step. For more on w
 
  :arrow_forward: The third step is to deploy the Azure Virtual Desktop (AVD) solution. This solution provides a fully operational [stamp](https://learn.microsoft.com/azure/architecture/patterns/deployment-stamp) in an Azure subscription adhering  to the [Zero Trust principles](https://learn.microsoft.com/security/zero-trust/azure-infrastructure-avd).
 
-This template represents the strategic design path and target technical state for Azure Virtual Desktop deployment. Many of the [common features](https://github.com/Azure/missionlz/tree/main/src/bicep/add-ons/azureVirtualDesktop/docs/features) used with AVD have been automated in this solution for your convenience.
+This template represents the strategic design path and target technical state for Azure Virtual Desktop deployment. Many of the [common features](https://github.com/Azure/missionlz/tree/main/src/bicep/add-ons/azure-virtual-desktop/docs/features) used with AVD have been automated in this solution for your convenience.
 
-Be sure to complete the necessary [prerequisites](https://github.com/Azure/missionlz/blob/main/src/bicep/add-ons/azureVirtualDesktop/docs/prerequisites.md) and to review the parameter descriptions to the understand the consequences of your selections. Also, please review Esri's guidance on [VDI and ArcGIS Pro](https://architecture.arcgis.com/en/framework/architecture-practices/architectural-foundations/deployment-concepts/vdi-and-arcgis-pro.html).
+Be sure to complete the necessary [prerequisites](https://github.com/Azure/missionlz/blob/main/src/bicep/add-ons/azure-virtual-desktop/docs/prerequisites.md) and to review the parameter descriptions to the understand the consequences of your selections. Also, please review Esri's guidance on [VDI and ArcGIS Pro](https://architecture.arcgis.com/en/framework/architecture-practices/architectural-foundations/deployment-concepts/vdi-and-arcgis-pro.html).
 
 This Azure Virtual Desktop Accelerator only deploys the specific Azure Virtual Desktop resources, shown in the architectural diagram above. It is assumed that an appropriate landing zone foundation is already setup. This means that policies and governance should already be in place.
 
 > [!WARNING]
-> Failure to complete the [prerequisites](https://github.com/Azure/missionlz/blob/main/src/bicep/add-ons/azureVirtualDesktop/docs/prerequisites.md) will result in an unsuccessful deployment.
+> Failure to complete the [prerequisites](https://github.com/Azure/missionlz/blob/main/src/bicep/add-ons/azure-virtual-desktop/docs/prerequisites.md) will result in an unsuccessful deployment.
 
 ## Step 4
 
@@ -112,14 +112,14 @@ This [Azure Zero Trust Imaging](https://github.com/Azure/missionlz/blob/main/src
 
 ## The Azure Virtual Desktop (AVD) solution
 
-The [Azure Virtual Desktop (AVD) solution](https://github.com/Azure/missionlz/tree/main/src/bicep/add-ons/azureVirtualDesktop#readme) provides an architectural approach and reference implementation to prepare landing zone subscriptions for a scalable Azure Virtual Desktop deployment. Be sure to complete the necessary [prerequisites](https://github.com/Azure/missionlz/blob/main/src/bicep/add-ons/azureVirtualDesktop/docs/prerequisites.md)
+The [Azure Virtual Desktop (AVD) solution](https://github.com/Azure/missionlz/tree/main/src/bicep/add-ons/azure-virtual-desktop#readme) provides an architectural approach and reference implementation to prepare landing zone subscriptions for a scalable Azure Virtual Desktop deployment. Be sure to complete the necessary [prerequisites](https://github.com/Azure/missionlz/blob/main/src/bicep/add-ons/azure-virtual-desktop/docs/prerequisites.md)
 
 <!-- markdownlint-disable MD013 -->
 1. Deploy The Azure Virtual Desktop (AVD) solution into `AzureCloud` or `AzureUsGovernment` from the Azure Portal:
 
     | Azure Commercial | Azure Government |
     | :--- | :--- |
-    |[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fadd-ons%2FazureVirtualDesktop%2Fsolution.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fadd-ons%2FazureVirtualDesktop%2FuiDefinition.json) | [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fadd-ons%2FazureVirtualDesktop%2Fsolution.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fadd-ons%2FazureVirtualDesktop%2FuiDefinition.json) |
+    |[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fadd-ons%2Fazure-virtual-desktop%2Fsolution.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fadd-ons%2Fazure-virtual-desktop%2FuiDefinition.json) | [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fadd-ons%2Fazure-virtual-desktop%2Fsolution.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fadd-ons%2Fazure-virtual-desktop%2FuiDefinition.json) |
 <!-- markdownlint-enable MD013 -->
 
 ## ArcGIS on Azure

src/bicep/add-ons/azureVirtualDesktop/README.md → src/bicep/add-ons/azure-virtual-desktop/README.md

@@ -13,8 +13,8 @@ This solution will deploy a fully operational Azure Virtual Desktop (AVD) [stamp
 
 This option opens the deployment UI for the solution in the Azure Portal. Be sure to select the button for the correct cloud. If your desired cloud is not listed, please use the template spec option below.
 
-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fadd-ons%2FazureVirtualDesktop%2Fsolution.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fadd-ons%2FazureVirtualDesktop%2FuiDefinition.json)
-[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fadd-ons%2FazureVirtualDesktop%2Fsolution.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fadd-ons%2FazureVirtualDesktop%2FuiDefinition.json)
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fadd-ons%2Fazure-virtual-desktop%2Fsolution.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fadd-ons%2Fazure-virtual-desktop%2FuiDefinition.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fadd-ons%2Fazure-virtual-desktop%2Fsolution.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fmissionlz%2Fmain%2Fsrc%2Fbicep%2Fadd-ons%2Fazure-virtual-desktop%2FuiDefinition.json)
 
 ### Template Spec
 
@@ -35,7 +35,7 @@ New-AzTemplateSpec `
     -Name $TemplateSpecName `
     -Version 1.0 `
     -Location $Location `
-    -TemplateFile '.\src\bicep\add-ons\azureVirtualDesktop\solution.json' `
-    -UIFormDefinitionFile '.\src\bicep\add-ons\azureVirtualDesktop\uiDefinition.json' `
+    -TemplateFile '.\src\bicep\add-ons\azure-virtual-desktop\solution.json' `
+    -UIFormDefinitionFile '.\src\bicep\add-ons\azure-virtual-desktop\uiDefinition.json' `
     -Force
 ````

src/bicep/add-ons/azureVirtualDesktop/artifacts/Set-NtfsPermissions.ps1 → src/bicep/add-ons/azure-virtual-desktop/artifacts/Set-NtfsPermissions.ps1

@@ -57,6 +57,10 @@ param
     [Parameter(Mandatory=$false)]
     [String]$TenantId,
 
+    [parameter(Mandatory)]
+    [string]
+    $UniqueToken,
+
     [Parameter(Mandatory=$false)]
     [String]$UserAssignedIdentityClientId
 )
@@ -159,7 +163,7 @@ try
                 $FileServer = '\\' + $SmbServerName + '.' + $Domain.DNSRoot
             }
             'AzureFiles' {
-                $StorageAccountName = $StorageAccountPrefix + ($i + $StorageIndex).ToString().PadLeft(2,'0')
+                $StorageAccountName = $($StorageAccountPrefix + ($i + $StorageIndex).ToString().PadLeft(2,'0') + $UniqueToken).Substring(0,24)
                 $FileServer = '\\' + $StorageAccountName + $FilesSuffix
 
                 # Connects to Azure using a User Assigned Managed Identity

src/bicep/add-ons/azureVirtualDesktop/artifacts/Set-SessionHostConfiguration.ps1 → src/bicep/add-ons/azure-virtual-desktop/artifacts/Set-SessionHostConfiguration.ps1

@@ -56,18 +56,6 @@ Param(
     [string]
     $PooledHostPool,
 
-    [parameter(Mandatory)]
-    [string]
-    $SecurityMonitoring,
-
-    [parameter(Mandatory)]
-    [string]
-    $SecurityWorkspaceId,
-
-    [parameter(Mandatory)]
-    [string]
-    $SecurityWorkspaceKey,
-
     [parameter(Mandatory)]
     [string]
     $StorageAccountPrefix,
@@ -86,7 +74,11 @@ Param(
 
     [parameter(Mandatory)]
     [string]
-    $StorageSuffix
+    $StorageSuffix,
+
+    [parameter(Mandatory)]
+    [string]
+    $UniqueToken
 )
 
 
@@ -216,10 +208,10 @@ try
             'AzureFiles' {
                 for($i = $StorageIndex; $i -lt $($StorageIndex + $StorageCount); $i++)
                 {
-                    $CloudCacheOfficeContainers += 'type=smb,connectionString=\\' + $StorageAccountPrefix + $i.ToString().PadLeft(2,'0') + $FilesSuffix + '\office-containers;'
-                    $CloudCacheProfileContainers += 'type=smb,connectionString=\\' + $StorageAccountPrefix + $i.ToString().PadLeft(2,'0') + $FilesSuffix + '\profile-containers;'
-                    $OfficeContainers += '\\' + $StorageAccountPrefix + $i.ToString().PadLeft(2,'0') + $FilesSuffix + '\office-containers'
-                    $ProfileContainers += '\\' + $StorageAccountPrefix + $i.ToString().PadLeft(2,'0') + $FilesSuffix + '\profile-containers'
+                    $CloudCacheOfficeContainers += 'type=smb,connectionString=\\' + $($StorageAccountPrefix + $i.ToString().PadLeft(2,'0') + $UniqueToken).Substring(0,24) + $FilesSuffix + '\office-containers;'
+                    $CloudCacheProfileContainers += 'type=smb,connectionString=\\' + $($StorageAccountPrefix + $i.ToString().PadLeft(2,'0') + $UniqueToken).Substring(0,24) + $FilesSuffix + '\profile-containers;'
+                    $OfficeContainers += '\\' + $($StorageAccountPrefix + $i.ToString().PadLeft(2,'0') + $UniqueToken).Substring(0,24) + $FilesSuffix + '\office-containers'
+                    $ProfileContainers += '\\' + $($StorageAccountPrefix + $i.ToString().PadLeft(2,'0') + $UniqueToken).Substring(0,24) + $FilesSuffix + '\profile-containers'
                 }
             }
             'AzureNetAppFiles' {
@@ -495,25 +487,6 @@ try
     Start-Sleep -Seconds 5 | Out-Null
 
 
-    ##############################################################
-    #  Dual-home Microsoft Monitoring Agent for Azure Sentinel or Defender for Cloud
-    ##############################################################
-    if($SecurityMonitoring -eq 'true')
-    {
-        $AzureEnvironment = switch($Environment)
-        {
-            AzureCloud {0}
-            AzureUSGovernment {1}
-            AzureChina {2}
-            USNat {3}
-            USSec {4}
-        }
-
-        $mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
-        $mma.AddCloudWorkspace($SecurityWorkspaceId, $SecurityWorkspaceKey, $AzureEnvironment)
-        $mma.ReloadConfiguration() | Out-Null
-    }
-
     ##############################################################
     #  Restart VM
     ##############################################################

src/bicep/add-ons/azureVirtualDesktop/modules/cleanUp/cleanUp.bicep → src/bicep/add-ons/azure-virtual-desktop/modules/cleanUp/cleanUp.bicep

@@ -1,16 +1,16 @@
 targetScope = 'subscription' 
 
+param deploymentNameSuffix string
 param fslogixStorageService string
 param location string
 param resourceGroupManagement string
 param scalingTool bool
-param timestamp string
 param userAssignedIdentityClientId string
 param virtualMachineName string
 
 module removeManagementVirtualMachine 'removeVirtualMachine.bicep' = if (!scalingTool && !(fslogixStorageService == 'AzureFiles Premium')) {
   scope: resourceGroup(resourceGroupManagement)
-  name: 'RemoveManagementVirtualMachine_${timestamp}'
+  name: 'remove-mgmt-vm-${deploymentNameSuffix}'
   params: {
     Location: location
     UserAssignedIdentityClientId: userAssignedIdentityClientId

src/bicep/add-ons/azure-virtual-desktop/modules/common/roleAssignment.bicep

@@ -0,0 +1,12 @@
+param principalId string
+param principalType string
+param roleDefinitionId string
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(principalId, roleDefinitionId, resourceGroup().id)
+  properties: {
+    roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)
+    principalId: principalId
+    principalType: principalType
+  }
+}

src/bicep/add-ons/azureVirtualDesktop/modules/controlPlane/applicationGroup.bicep → src/bicep/add-ons/azure-virtual-desktop/modules/controlPlane/applicationGroup.bicep

@@ -1,23 +1,24 @@
 param artifactsUri string
+param deploymentNameSuffix string
 param deploymentUserAssignedIdentityClientId string
 param desktopApplicationGroupName string
 param desktopFriendlyName string
 param hostPoolResourceId string
 param locationControlPlane string
 param locationVirtualMachines string
+param mlzTags object
 param resourceGroupManagement string
 param roleDefinitions object
 param securityPrincipalObjectIds array
 param tags object
-param timestamp string
 param virtualMachineName string
 
 resource applicationGroup 'Microsoft.DesktopVirtualization/applicationGroups@2021-03-09-preview' = {
   name: desktopApplicationGroupName
   location: locationControlPlane
   tags: union({
     'cm-resource-parent': hostPoolResourceId
-  }, contains(tags, 'Microsoft.DesktopVirtualization/applicationGroups') ? tags['Microsoft.DesktopVirtualization/applicationGroups'] : {})
+  }, contains(tags, 'Microsoft.DesktopVirtualization/applicationGroups') ? tags['Microsoft.DesktopVirtualization/applicationGroups'] : {}, mlzTags)
   properties: {
     hostPoolArmPath: hostPoolResourceId
     applicationGroupType: 'Desktop'
@@ -27,7 +28,7 @@ resource applicationGroup 'Microsoft.DesktopVirtualization/applicationGroups@202
 // Adds a friendly name to the SessionDesktop application for the desktop application group
 module applicationFriendlyName '../common/customScriptExtensions.bicep' = if (!empty(desktopFriendlyName)) {
   scope: resourceGroup(resourceGroupManagement)
-  name: 'ApplicationFriendlyName_${timestamp}'
+  name: 'deploy-vdapp-friendly-name-${deploymentNameSuffix}'
   params : {
     fileUris: [
       '${artifactsUri}Update-AvdDesktop.ps1'
@@ -37,7 +38,7 @@ module applicationFriendlyName '../common/customScriptExtensions.bicep' = if (!e
     scriptFileName: 'Update-AvdDesktop.ps1'
     tags: union({
       'cm-resource-parent': hostPoolResourceId
-    }, contains(tags, 'Microsoft.Compute/virtualMachines') ? tags['Microsoft.Compute/virtualMachines'] : {})
+    }, contains(tags, 'Microsoft.Compute/virtualMachines') ? tags['Microsoft.Compute/virtualMachines'] : {}, mlzTags)
     userAssignedIdentityClientId: deploymentUserAssignedIdentityClientId
     virtualMachineName: virtualMachineName
   }