chore: update bicep and arm files with entra
ibersanoMS committed Feb 20, 2024
1 parent 445210b commit 9026b24
Showing 16 changed files with 59 additions and 59 deletions.
@@ -1,10 +1,10 @@
# Multitenant App Service Secure Baseline - ARM Implementation
# Multi-tenant App Service Secure Baseline - ARM Implementation
You can deploy the current LZA directly in your azure subscription by hitting the button below.

[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#view/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fazure%2Fappservice-landing-zone-accelerator%2Fmain%2Fscenarios%2Fsecure-baseline-multitenant%2Fazure-resource-manager%2Fmain.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2Fazure%2Fappservice-landing-zone-accelerator%2Fmain%2Fscenarios%2Fsecure-baseline-multitenant%2Fazure-resource-manager%2Fmain-portal-ux.json)


Alternatively, you can clone the repo and follow the instractions below
Alternatively, you can clone the repo and follow the instructions below

## Prerequisites
- Clone this repo
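Review bot: the context line "You can deploy the current LZA directly in your azure subscription" keeps a lowercase "azure"; since this hunk already fixes a typo in the same paragraph ("instractions"), capitalize it to "Azure subscription" in the same pass.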
Expand All @@ -24,7 +24,7 @@ The table below summarizes the available parameters and the possible values that
|location|Azure region where the resources will be deployed in||
|environment|Required. The name of the environment (e.g. "dev", "test", "prod", "preprod", "staging", "uat", "dr", "qa"). Up to 8 characters long.||
|vnetHubResourceId|If empty, then a new hub will be created. If you select not to deploy a new Hub resource group, set the resource id of the Hub Virtual Network that you want to peer to. In that case, no new hub will be created and a peering will be created between the new spoke and and existing hub vnet|/subscriptions/<subscription_id>/ resourceGroups/<rg_name>/providers/ Microsoft.Network/virtualNetworks/<vnet_name>|
|firewallInternalIp|If you select to create a new Hub, the UDR for locking the egress traffic will be created as well, no matter what value you set to that variable. However, if you select to connect to an existing hub, then you need to provide the internal IP of the azure firewal so that the deployment can create the UDR for locking down egress traffic. If not given, no UDR will be created||
|firewallInternalIp|If you select to create a new Hub, the UDR for locking the egress traffic will be created as well, no matter what value you set to that variable. However, if you select to connect to an existing hub, then you need to provide the internal IP of the azure firewall so that the deployment can create the UDR for locking down egress traffic. If not given, no UDR will be created||
|vnetHubAddressSpace|If you deploy a new hub, you need to set the appropriate CIDR of the newly created Hub virtual network|10.242.0.0/20|
|subnetHubFirewallAddressSpace|CIDR of the subnet that will host the azure Firewall|10.242.0.0/26|
|subnetHubBastionAddressSpace|CIDR of the subnet that will host the Bastion Service|10.242.0.64/26|
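Review bot: the vnetHubResourceId row in this hunk's context still reads "between the new spoke and and existing hub vnet" (duplicated "and"), and the firewallInternalIp row being corrected keeps "azure firewall" in lowercase while the next row says "azure Firewall"; fix the duplicate word and use "Azure Firewall" consistently while the row is being touched.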
Expand Down Expand Up @@ -92,7 +92,7 @@ done

### Connect to the Jumpbox VM (deployed in the spoke resource group)

You can connect to the jumpbox win 11 VM only through bastion. The default parameters deploy a Bastion in Standard SKU, with native client support enabled. The jumpbox VM is Microsoft Entra IDJoined by default. This means that you can connect to the jumpbox, either with the local user/password compination (azureuser is the default username) or with a valid Microsoft Entra ID account. In certain circumastances your organization may not allow the device to be enrolled. If the jumpbox VM is Microsoft Entra ID joined and properly intune enrolled, you can use native rdp client to connect by running the below Az CLI commands
You can connect to the jumpbox win 11 VM only through bastion. The default parameters deploy a Bastion in Standard SKU, with native client support enabled. The jumpbox VM is Microsoft Entra IDJoined by default. This means that you can connect to the jumpbox, either with the local user/password combination (azureuser is the default username) or with a valid Microsoft Entra ID account. In certain circumstances your organization may not allow the device to be enrolled. If the jumpbox VM is Microsoft Entra ID joined and properly Intune enrolled, you can use native rdp client to connect by running the below Az CLI commands

From a PowerShell terminal, connect to the DevOps VM using your Microsoft Entra ID credentials (or Windows Hello).

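Review bot: the new line still says "Microsoft Entra IDJoined by default" (missing space) while the same sentence later writes "Microsoft Entra ID joined"; change it to "Microsoft Entra ID joined by default". "win 11" and "rdp client" could also become "Windows 11" and "RDP client" to match the rest of the README.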
Expand All @@ -117,9 +117,9 @@ If your organization requires device enrollment before accessing corporate resou

It takes a few minutes for the policies to be applied, device scanned and confirmed as secure to access corporate resources. You will know that the process is complete.

If you experience issues connecting to the DevOps VM using your Microsoft Entra ID credentials, see [Unable to connect to DevOps VM using Microsoft Entra ID credentials](../terraform/README.md#unable-to-connect-to-devops-vm-using-aad-credentials)
If you experience issues connecting to the DevOps VM using your Microsoft Entra ID credentials, see [Unable to connect to DevOps VM using Microsoft Entra ID credentials](../terraform/README.md#unable-to-connect-to-devops-vm-using-microsoft-entra-id-credentials)

Once completed, and if you provided a valid (Microsoft Entra ID administrator group used for SQL Server authentication (and not only local SQL user administrator), you should be able to connect to the SQL Server using the Microsoft Entra ID account from SQL Server Management Studio. On the sample database (sample-db by default), run the following commands to create the user and grant minimal permissions:
Once completed, and if you provided a valid Microsoft Entra ID administrator group used for SQL Server authentication (and not only local SQL user administrator), you should be able to connect to the SQL Server using the Microsoft Entra ID account from SQL Server Management Studio. On the sample database (sample-db by default), run the following commands to create the user and grant minimal permissions:

```sql
CREATE USER [web-app-name] FROM EXTERNAL PROVIDER;
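Review bot: the link target is changed to "../terraform/README.md#unable-to-connect-to-devops-vm-using-microsoft-entra-id-credentials", which only resolves if the heading in the terraform README was renamed to match; that file is not among the hunks shown here, so confirm the anchor exists before merge or the link silently breaks. The context sentence "You will know that the process is complete." also stops short of saying how the user can tell, which is worth completing while this paragraph is open.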
Expand Up @@ -923,21 +923,21 @@
"type": "Microsoft.Common.TextBlock",
"visible": true,
"options": {
"text": "Select the authentication method for the SQL Server administrator. Azure AD for SQL Server administrator authentication is suggested."
"text": "Select the authentication method for the SQL Server administrator. Microsoft Entra for SQL Server administrator authentication is suggested."
}
},
{
"name": "azureSqlAuthentication",
"type": "Microsoft.Common.DropDown",
"label": "Azure Sql Server Authentication",
"subLabel": "",
"defaultValue": "Azure AD",
"toolTip": "Select Azure AD for SQL Server administrator authentication for better security and passwordless access. If you select SQL Server local user, you will need to provide a password for the SQL Server administrator.",
"defaultValue": "Microsoft Entra",
"toolTip": "Select Microsoft Entra for SQL Server administrator authentication for better security and password-less access. If you select SQL Server local user, you will need to provide a password for the SQL Server administrator.",
"constraints": {
"required": false,
"allowedValues": [
{
"label": "Azure AD",
"label": "Microsoft Entra",
"value": "AAD"
},
{
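Review bot: the drop-down label and defaultValue change to "Microsoft Entra" but the option value stays "AAD", and the TextBlock in the next hunk still gates on [equals(steps('SQL').sqlServerDeploySection.azureSqlAuthentication, 'AAD')]; keeping the value is the right call, since it is what the template consumes, but record in the commit message or README that "AAD" is deliberately retained, so a later "finish the Entra rename" pass does not change the value without also updating the visibility expression and the template's allowed values.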
Expand All @@ -955,17 +955,17 @@
"type": "Microsoft.Common.TextBlock",
"visible": "[equals(steps('SQL').sqlServerDeploySection.azureSqlAuthentication, 'AAD')]",
"options": {
"text": "Replace AAD_SQL_ADMIN_GROUP with Azure AD group where your Azure administrators are members, sid value (xxxx-xxxx-xxxx-xxxx-xxxx) with Azure AD object ID of that group. The current tenantId value is already filled in."
"text": "Replace ENTRA_SQL_ADMIN_GROUP with Microsoft Entra group where your Azure administrators are members, sid value (xxxx-xxxx-xxxx-xxxx-xxxx) with Microsoft Entra object ID of that group. The current tenantId value is already filled in."
}
},
{
"name": "sqlServerAdministrators",
"type": "Microsoft.Common.TextBox",
"label": "Sql Server Administrators",
"subLabel": "",
"defaultValue": "[concat('{\n\t\"login\": \"AAD_SQL_ADMIN_GROUP\",\n\t\"sid\": \"xxxx-xxxx-xxxx-xxxx-xxxx\",\n\t\"tenantId\": \"', steps('basics').resourceScope.subscription.tenantId, '\"\n}')]",
"defaultValue": "[concat('{\n\t\"login\": \"ENTRA_SQL_ADMIN_GROUP\",\n\t\"sid\": \"xxxx-xxxx-xxxx-xxxx-xxxx\",\n\t\"tenantId\": \"', steps('basics').resourceScope.subscription.tenantId, '\"\n}')]",
"multiLine": true,
"toolTip": "Replace AAD_SQL_ADMIN_GROUP with Azure AD group where your Azure administrators are members, sid value with Azure AD object ID of that group and tenantId value with Azure AD tenant ID where the group is located",
"toolTip": "Replace ENTRA_SQL_ADMIN_GROUP with Microsoft Entra group where your Azure administrators are members, sid value with Microsoft Entra object ID of that group and tenantId value with Microsoft Entra tenant ID where the group is located",
"constraints": {
"required": false,
"regex": "",
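Review bot: the placeholder is renamed to ENTRA_SQL_ADMIN_GROUP in both the TextBlock and the defaultValue, which keeps them consistent, but the sid placeholder "xxxx-xxxx-xxxx-xxxx-xxxx" has five groups and does not look like an object ID (8-4-4-4-12 hex); a GUID-shaped placeholder would make it clearer that the group's object ID, not its display name, goes there. The toolTip also says "Microsoft Entra group where your Azure administrators are members" while the field is for SQL Server administrators; "where your SQL Server administrators are members" is more accurate.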
Expand Up @@ -1653,7 +1653,7 @@
]
},
{
"name": "allow-azure-ad-join",
"name": "allow-entra-join",
"protocols": [
{
"port": "443",
Expand Down Expand Up @@ -1707,7 +1707,7 @@
"*.manage-beta.microsoft.com",
"*.manage.microsoft.com"
],
"name": "allow-azure-ad-join",
"name": "allow-entra-join",
"protocols": [
{
"port": "443",
Expand Down Expand Up @@ -9962,7 +9962,7 @@
"subnetId": {
"value": "[parameters('subnetDevOpsId')]"
},
"enableAzureAdJoin": {
"enableEntraJoin": {
"value": true
},
"userAssignedIdentities": {
Expand Down Expand Up @@ -10047,7 +10047,7 @@
"description": "mandatory, the password of the admin user"
}
},
"enableAzureAdJoin": {
"enableEntraJoin": {
"type": "bool",
"defaultValue": true
},
Expand Down Expand Up @@ -10116,7 +10116,7 @@
}
},
"variables": {
"aadLoginExtensionName": "AADLoginForWindows",
"entraLoginExtensionName": "AADLoginForWindows",
"vmNameMaxLength": 64,
"vmName": "[if(greater(length(parameters('name')), variables('vmNameMaxLength')), substring(parameters('name'), 0, variables('vmNameMaxLength')), parameters('name'))]",
"computerNameLength": 15,
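Review bot: the variable is renamed to entraLoginExtensionName but its value correctly stays "AADLoginForWindows", because that string is the VM extension type published under "Microsoft.Azure.ActiveDirectory" (the extension resource in the 10190 hunk uses this variable as its "type"); leave a comment in the bicep source that generates this, stating the string is an Azure-defined identifier, so nobody "completes" the rename to an Entra-named extension type that does not exist.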
Expand Down Expand Up @@ -10190,14 +10190,14 @@
]
},
{
"condition": "[parameters('enableAzureAdJoin')]",
"condition": "[parameters('enableEntraJoin')]",
"type": "Microsoft.Compute/virtualMachines/extensions",
"apiVersion": "2022-11-01",
"name": "[format('{0}/{1}', variables('vmName'), variables('aadLoginExtensionName'))]",
"name": "[format('{0}/{1}', variables('vmName'), variables('entraLoginExtensionName'))]",
"location": "[parameters('location')]",
"properties": {
"publisher": "Microsoft.Azure.ActiveDirectory",
"type": "[variables('aadLoginExtensionName')]",
"type": "[variables('entraLoginExtensionName')]",
"typeHandlerVersion": "1.0",
"autoUpgradeMinorVersion": true
},
Expand Down Expand Up @@ -12972,7 +12972,7 @@
"type": "bool",
"defaultValue": true,
"metadata": {
"description": "Optional. Allow only Azure AD authentication. Should be enabled for security reasons."
"description": "Optional. Allow only Microsoft Entra authentication. Should be enabled for security reasons."
}
},
"cMKKeyVaultResourceId": {
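Review bot: the description now reads "Allow only Microsoft Entra authentication. Should be enabled for security reasons." with defaultValue true, while the UI definition in this same commit still offers "SQL Server local user" as an authentication option; check that choosing the local-user path sets this parameter to false, otherwise the deployment collects a SQL administrator password while also disabling SQL authentication. The wording "Microsoft Entra-only authentication" would match the Azure SQL feature name.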
Expand Up @@ -109,11 +109,11 @@
// The Microsoft Entra ID administrator group used for SQL Server authentication
"sqlServerAdministrators": {
"value": {
// Azure AD group where your Azure administrators are members
"login": "Azure AD SQL Admins",
// Azure AD object ID of the group
// Microsoft Entra group where your Azure administrators are members
"login": "Microsoft Entra SQL Admins",
// Microsoft Entra object ID of the group
"sid": "xxx-xxxx-xxxx-xxxx",
// Azure AD tenant ID where the group is located
// Microsoft Entra tenant ID where the group is located
"tenantId": "xxxx-xxxxxx-xxxxx-xxxxx-xxx"
}
}
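Review bot: this parameter block (login "Microsoft Entra SQL Admins", the sid and tenantId placeholders, and the same three comments) appears identically in a second parameters file later in this commit, and the uncommented parameters file uses a different tenantId placeholder shape ("xxx-xxxx-xxxx-xxxx" versus "xxxx-xxxxxx-xxxxx-xxxxx-xxx"); align the placeholders so they all look like GUIDs. The "login" value is only a display name and is not validated by Azure SQL; the sid (object ID) is what grants access, so the comment on "sid" could say so explicitly.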
2 changes: 1 addition & 1 deletion scenarios/secure-baseline-multitenant/bicep/README.md
Expand Up @@ -131,7 +131,7 @@ If your organization requires device enrollment before accessing corporate resou

It takes a few minutes for the policies to be applied, device scanned and confirmed as secure to access corporate resources. You will know that the process is complete.

If you experience issues connecting to the DevOps VM using your Microsoft Entra ID credentials, see [Unable to connect to DevOps VM using Microsoft Entra ID credentials](../terraform/README.md#unable-to-connect-to-devops-vm-using-aad-credentials)
If you experience issues connecting to the DevOps VM using your Microsoft Entra ID credentials, see [Unable to connect to DevOps VM using Microsoft Entra ID credentials](../terraform/README.md#unable-to-connect-to-devops-vm-using-microsoft-entra-id-credentials)

Once completed, and if you provided a valid (Microsoft Entra ID) administrator group used for SQL Server authentication (and not only local SQL user administrator), you should be able to connect to the SQL Server using the Microsoft Entra ID account from SQL Server Management Studio. On the sample database (sample-db by default), run the following commands to create the user and grant minimal permissions:

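Review bot: the ARM README hunk in this same commit rewrites the matching sentence to "a valid Microsoft Entra ID administrator group" (dropping the stray parenthesis), while this file keeps "(Microsoft Entra ID) administrator group"; pick one wording for both READMEs, since the two paragraphs are otherwise identical.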
4 changes: 2 additions & 2 deletions scenarios/secure-baseline-multitenant/bicep/deploy.hub.bicep
Expand Up @@ -137,7 +137,7 @@ var applicationRules = [
]
}
{
name: 'allow-azure-ad-join'
name: 'allow-entra-join'
protocols: [
{
port: '443'
Expand Down Expand Up @@ -195,7 +195,7 @@ var applicationRules = [
'*.manage-beta.microsoft.com'
'*.manage.microsoft.com'
]
name: 'allow-azure-ad-join'
name: 'allow-entra-join'
protocols: [
{
port: '443'
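Review bot: deploy.hub.bicep now has two application rules named 'allow-entra-join' (this hunk and the one at 137); Azure Firewall requires rule names to be unique within a rule collection, so if both sit in the same collection the deployment fails validation. The old name was also duplicated and presumably deployed, so they are likely in different collections, but a distinct name for this one (it targets the *.manage.microsoft.com Intune FQDNs, for example 'allow-intune-enrollment') would make each rule's purpose clear in firewall logs. The same duplicate is present in the compiled main.json.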
Expand Up @@ -79,7 +79,7 @@
},
"sqlServerAdministrators": {
"value": {
"login": "Azure AD SQL Admins",
"login": "Microsoft Entra SQL Admins",
"sid": "xxx-xxxx-xxxx-xxxx",
"tenantId": "xxx-xxxx-xxxx-xxxx"
}
Expand Up @@ -109,11 +109,11 @@
// The Microsoft Entra ID administrator group used for SQL Server authentication
"sqlServerAdministrators": {
"value": {
// Azure AD group where your Azure administrators are members
"login": "Azure AD SQL Admins",
// Azure AD object ID of the group
// Microsoft Entra group where your Azure administrators are members
"login": "Microsoft Entra SQL Admins",
// Microsoft Entra object ID of the group
"sid": "xxx-xxxx-xxxx-xxxx",
// Azure AD tenant ID where the group is located
// Microsoft Entra tenant ID where the group is located
"tenantId": "xxxx-xxxxxx-xxxxx-xxxxx-xxx"
}
}
Expand Up @@ -63,7 +63,7 @@ module vmWindows '../../../shared/bicep/compute/jumphost-win11.bicep' = {
adminPassword: adminPassword
adminUsername: adminUsername
subnetId: subnetDevOpsId
enableAzureAdJoin: true
enableEntraJoin: true
userAssignedIdentities: {
'${vmJumpHostUserAssignedManagedIdentity.outputs.id}': {}
}
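Review bot: the module argument is renamed to enableEntraJoin, but the module source '../../../shared/bicep/compute/jumphost-win11.bicep' that declares the parameter is not among the hunks shown; if its param was not renamed in the same commit, bicep build rejects the unknown property. The compiled main.json hunks do show enableEntraJoin in the nested template, which suggests it was renamed, but verify with a build before merge.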
0 comments on commit 9026b24