Update ALZ Repo Bicep with Entra product names (#621)
Co-authored-by: Luis Chaves <luchaves@microsoft.com>
Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>
3 people authored Aug 31, 2023
1 parent 7d6cc97 commit d80af64
Showing 13 changed files with 30 additions and 30 deletions.
10 changes: 5 additions & 5 deletions .github/scripts/Wipe-AlzTenant.ps1
@@ -1,9 +1,9 @@
[CmdletBinding()]
param (
#Added this back into parameters as error occurs if multiple tenants are found when using Get-AzTenant
[Parameter(Mandatory = $true, Position = 1, HelpMessage = "Please the Insert Tenant ID (GUID) of your Azure AD tenant e.g.'f73a2b89-6c0e-4382-899f-ea227cd6b68f'")]
[Parameter(Mandatory = $true, Position = 1, HelpMessage = "Please the Insert Tenant ID (GUID) of your Microsoft Entra tenant e.g.'f73a2b89-6c0e-4382-899f-ea227cd6b68f'")]
[string]
$tenantRootGroupID = "<Insert the Tenant ID (GUID) of your Azure AD tenant>",
$tenantRootGroupID = "<Insert the Tenant ID (GUID) of your Microsoft Entra tenant>",

[Parameter(Mandatory = $true, Position = 2, HelpMessage = "Insert the name of your intermediate root Management Group e.g. 'Contoso'")]
[string]
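Review bot: The replacement HelpMessage on the `[Parameter(Mandatory = $true, Position = 1, ...)]` line keeps the word-order typo of the line it replaces ("Please the Insert Tenant ID"); since the string is being touched anyway, make it "Please insert the Tenant ID (GUID) of your Microsoft Entra tenant". Also settle on one product string for the whole commit: this file says "Microsoft Entra tenant" while mc-Wipe-AlzTenant.ps1 says "Microsoft Entra ID tenant" for the same parameter.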
@@ -52,12 +52,12 @@ $subDeployments | ForEach-Object -Parallel {
}


# Get all AAD Tenant level deployments
# Get all Microsoft Entra Tenant level deployments
$tenantDeployments = Get-AzTenantDeployment

Write-Information "Removing all Tenant level deployments"

# For each AAD Tenant level deployment, remove it
# For each Microsoft Entra Tenant level deployment, remove it
$tenantDeployments | ForEach-Object -Parallel {
Write-Information "Removing $($_.DeploymentName) ..."
Remove-AzTenantDeployment -Id $_.Id
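Review bot: Comment-only change, but the surrounding context deserves a look while it is in view: `$tenantDeployments = Get-AzTenantDeployment` collects every tenant-scope deployment in the tenant and the `ForEach-Object -Parallel` block below removes each of them, whereas mc-Wipe-AlzTenant.ps1 narrows the same call with `Where-Object { $PSItem.DeploymentName -like "$intermediateRootGroupID*" }` first. Applying the same prefix filter here would keep a wipe run from removing tenant deployments that have nothing to do with the ALZ intermediate root group.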
@@ -99,4 +99,4 @@ $StopWatch.Stop()

# Display timer output as table
Write-Information "Time taken to complete task:"
$StopWatch.Elapsed | Format-Table
$StopWatch.Elapsed | Format-Table
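Review bot: The only difference in this hunk is the end-of-file newline after `$StopWatch.Elapsed | Format-Table`; if that is intentional, an `insert_final_newline` setting in `.editorconfig` would stop it flipping back in the next unrelated commit.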
12 changes: 6 additions & 6 deletions .github/scripts/mc-Wipe-AlzTenant.ps1
@@ -1,9 +1,9 @@
[CmdletBinding()]
param (
#Added this back into parameters as error occurs if multiple tenants are found when using Get-AzTenant
[Parameter(Mandatory = $true, Position = 1, HelpMessage = "Please the Insert Tenant ID (GUID) of your Azure AD tenant e.g.'f73a2b89-6c0e-4382-899f-ea227cd6b68f'")]
[Parameter(Mandatory = $true, Position = 1, HelpMessage = "Please the Insert Tenant ID (GUID) of your Microsoft Entra ID tenant e.g.'f73a2b89-6c0e-4382-899f-ea227cd6b68f'")]
[string]
$tenantRootGroupID = "<Insert the Tenant ID (GUID) of your Azure AD tenant>",
$tenantRootGroupID = "<Insert the Tenant ID (GUID) of your Microsoft Entra ID tenant>",

[Parameter(Mandatory = $true, Position = 2, HelpMessage = "Insert the name of your intermediate root Management Group e.g. 'Contoso'")]
[string]
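Review bot: Same typo as in Wipe-AlzTenant.ps1: the new HelpMessage still reads "Please the Insert Tenant ID"; reword to "Please insert the Tenant ID (GUID) of your Microsoft Entra ID tenant". Note this file uses "Microsoft Entra ID tenant" where the sibling script uses "Microsoft Entra tenant"; pick one wording for both.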
@@ -52,12 +52,12 @@ $subDeployments | ForEach-Object -Parallel {
}


# Get all AAD Tenant level deployments
$tenantDeployments = Get-AzTenantDeployment | Where-Object {$PSItem.DeploymentName -like "$intermediateRootGroupID*"}
# Get all Microsoft Entra ID Tenant level deployments
$tenantDeployments = Get-AzTenantDeployment | Where-Object { $PSItem.DeploymentName -like "$intermediateRootGroupID*" }

Write-Output "Removing all Tenant level deployments prefixed with $intermediateRootGroupID"

# For each AAD Tenant level deployment, remove it
# For each Microsoft Entra ID Tenant level deployment, remove it
$tenantDeployments | ForEach-Object -Parallel {
Write-Output "Removing $($_.DeploymentName) ..."
Remove-AzTenantDeployment -Id $_.Id
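Review bot: The `$tenantDeployments = Get-AzTenantDeployment | Where-Object { ... }` line changes brace spacing as well as the comment above it, so an unrelated formatting change is bundled into a product-rename commit; either split it out or mention it in the commit message. Separately, `-like "$intermediateRootGroupID*"` is a plain prefix match, so an intermediate root group ID of `alz` would also select deployments whose names begin `alz2`; if deployment names use a separator after the prefix, including it in the pattern makes the filter tighter.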
@@ -99,4 +99,4 @@ $StopWatch.Stop()

# Display timer output as table
Write-Output "Time taken to complete task:"
$StopWatch.Elapsed | Format-Table
$StopWatch.Elapsed | Format-Table
2 changes: 1 addition & 1 deletion docs/wiki/ACRDeployment.md
@@ -8,7 +8,7 @@ This document outlines the prerequisites, dependencies and flow to setup a Priva
## Prerequisites

1. Azure Active Directory Tenant.
1. Microsoft Entra Tenant.
2. Minimum 1 subscription. Subscription(s) are required when configuring `Azure Container Registry` services.
3. Deployment Identity with `Contributor` permission to the subscription.

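Review bot: "Microsoft Entra Tenant" capitalises Tenant as if it were part of the product name; the renamed Azure AD service is "Microsoft Entra ID" (Microsoft Entra being the product family), so "Microsoft Entra ID tenant" is the accurate wording here. The identical line in DeploymentFlow.md should be aligned with whatever is chosen.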
2 changes: 1 addition & 1 deletion docs/wiki/Accelerator.md
@@ -101,7 +101,7 @@ In order to setup the Accelerator framework with the production GitHub Action Wo
```
1. Now that the remote branch has the latest commit(s), you can configure your OpenID Connect (OIDC) identity provider with GitHub which will give the workflows access to your Azure environment.
1. [Create an Azure Active Directory service principal](https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Cwindows#create-an-azure-active-directory-application-and-service-principal)
1. [Create an Microsoft Entra service principal](https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Cwindows#create-an-azure-active-directory-application-and-service-principal)
1. [Add your federated credentials](https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Cwindows#add-federated-credentials)
1. Add one federated credential with the entity type set to 'Branch' and with a value for "Based on Selection" set to 'main'
1. Add a secondary federated credential with the entity type set to 'Pull Request'
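Review bot: The new link text introduces an article error: "Create an Microsoft Entra service principal" should be "Create a Microsoft Entra service principal". The link target still points at the anchor `#create-an-azure-active-directory-application-and-service-principal`; it likely still resolves, but Learn anchors are derived from headings and the heading on that page may be renamed to match the product, so worth a quick check.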
2 changes: 1 addition & 1 deletion docs/wiki/ConsumerGuide.md
@@ -6,7 +6,7 @@

> This guidance supports the [Deployment Flow](https://github.com/Azure/ALZ-Bicep/wiki/DeploymentFlow) guidance, it is not a replacement
The `ALZ-Bicep` repository (this repository) has been created to help customers and partners to deploy and deliver the [Azure Landing Zones (ALZ) conceptual architecture](https://aka.ms/alz#azure-landing-zone-conceptual-architecture) into an Azure AD Tenant utilizing [Bicep](https://aka.ms/bicep) as the Infrastructure-as-Code (IaC) tooling and language.
The `ALZ-Bicep` repository (this repository) has been created to help customers and partners to deploy and deliver the [Azure Landing Zones (ALZ) conceptual architecture](https://aka.ms/alz#azure-landing-zone-conceptual-architecture) into an Microsoft Entra Tenant utilizing [Bicep](https://aka.ms/bicep) as the Infrastructure-as-Code (IaC) tooling and language.

The style in which the Bicep modules have been authored in this repo are aimed at consumers of all skill levels. This is in an effort to make the modules as accessible as possible; especially for those that are newer to the world of IaC and/or Bicep.

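Review bot: Same article error as in Accelerator.md: "into an Microsoft Entra Tenant" should read "into a Microsoft Entra ID tenant".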
4 changes: 2 additions & 2 deletions docs/wiki/DeploymentFlow.md
@@ -25,7 +25,7 @@ We have created a short 3-part series of video on the Azure Enablement Show that

## Prerequisites

1. Azure Active Directory Tenant.
1. Microsoft Entra Tenant.
2. Minimum 1 subscription. Subscription(s) are required when configuring `Log Analytics Workspace` & `Hub Networking` services. Each can be deployed in the same subscription or separate subscriptions based on deployment requirements.
3. Deployment Identity with `Owner` permission to the `/` root management group. Owner permission is required to allow the Service Principal Account to create role-based access control assignments. See [configuration instructions below](#deployment-identity).

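Review bot: As in ACRDeployment.md, "Microsoft Entra Tenant" would better read "Microsoft Entra ID tenant"; keep the two prerequisite lists identical.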
@@ -82,7 +82,7 @@ The current available orchestration modules are listed below:
## Deployment Identity

When first working with Management Groups, the Azure AD Global Administrator must assign the User Access Administrator role to themselves at the `/` scope first before being able to further delegate. See [Elevate access to manage all Azure subscriptions and management groups](https://learn.microsoft.com/azure/role-based-access-control/elevate-access-global-admin) documentation for further information.
When first working with Management Groups, the Microsoft Entra Global Administrator must assign the User Access Administrator role to themselves at the `/` scope first before being able to further delegate. See [Elevate access to manage all Azure subscriptions and management groups](https://learn.microsoft.com/azure/role-based-access-control/elevate-access-global-admin) documentation for further information.

In addition, the identity that wants to create a Tenant scope deployment must have the *Owner* role assigned to the `/` root management group. Whether this is your user account (even if a Global Administrator) or a Service Principal. See [Required access for Tenant deployments on Azure Docs](https://learn.microsoft.com/azure/azure-resource-manager/templates/deploy-to-tenant?tabs=azure-powershell#required-access).

Original file line number Diff line number Diff line change
@@ -10,7 +10,7 @@ parSubscriptionName | Yes | Name of the subscription to be created. Will al
parSubscriptionBillingScope | Yes | The full resource ID of billing scope associated to the EA, MCA or MPA account you wish to create the subscription in.
parTags | No | Tags you would like to be applied.
parManagementGroupId | No | The ID of the existing management group where the subscription will be placed. Also known as its parent management group. (Optional)
parSubscriptionOwnerId | No | The object ID of a responsible user, AAD group or service principal. (Optional)
parSubscriptionOwnerId | No | The object ID of a responsible user, Microsoft Entra group or service principal. (Optional)
parSubscriptionOfferType | No | The offer type of the EA, MCA or MPA subscription to be created. Defaults to = Production
parTenantId | No | The ID of the tenant. Defaults to = tenant().tenantId

@@ -42,7 +42,7 @@ The ID of the existing management group where the subscription will be placed. A

![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)

The object ID of a responsible user, AAD group or service principal. (Optional)
The object ID of a responsible user, Microsoft Entra group or service principal. (Optional)

### parSubscriptionOfferType

Original file line number Diff line number Diff line change
@@ -24,7 +24,7 @@ param parTags object = {}
@sys.description('The ID of the existing management group where the subscription will be placed. Also known as its parent management group. (Optional)')
param parManagementGroupId string = ''

@sys.description('The object ID of a responsible user, AAD group or service principal. (Optional)')
@sys.description('The object ID of a responsible user, Microsoft Entra group or service principal. (Optional)')
param parSubscriptionOwnerId string = ''

@allowed([
Original file line number Diff line number Diff line change
@@ -9,7 +9,7 @@ Module supports the following custom roles:
- [*ManagementGroupId] Network management (NetOps)
- [*ManagementGroupId] Security operations (SecOps)

*The custom role names are prefixed with `[ManagementGroupId]` since custom roles scoped at Management Group level must be unique within the Azure AD tenant. This will alleviate any conflicts if you chose to deploy a [canary environment](https://aka.ms/alz/canary).
*The custom role names are prefixed with `[ManagementGroupId]` since custom roles scoped at Management Group level must be unique within the Microsoft Entra tenant. This will alleviate any conflicts if you chose to deploy a [canary environment](https://aka.ms/alz/canary).
For example, if the `ManagementGroupId` = **alz**, then each role will have this prefix **[alz]** like `[alz] Subscription owner`. See the [example output deployment](#example-deployment-output) below.

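Review bot: While this sentence is being rewritten, fix the pre-existing typo in the same line: "if you chose to deploy" should be "if you choose to deploy".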
## Parameters
Original file line number Diff line number Diff line change
@@ -3,7 +3,7 @@
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2019-09-01",
"properties": {
"description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD.",
"description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for Microsoft Entra ID.",
"displayName": "Enforces the use of Premium Databricks workspaces",
"notScopes": [],
"parameters": {
Original file line number Diff line number Diff line change
@@ -7,7 +7,7 @@
"policyType": "Custom",
"mode": "Indexed",
"displayName": "Deny non-premium Databricks sku",
"description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD.",
"description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for Microsoft Entra ID.",
"metadata": {
"version": "1.0.0",
"category": "Databricks",
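Review bot: The `description` of this policy definition changes but `"version": "1.0.0"` in the `"metadata"` block two lines below is left as is; bumping it (e.g. to 1.0.1) lets anyone comparing a deployed definition against the repo tell the reworded text from the previous one. The same definition is duplicated in the next changed file, so both copies need the same bump.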
@@ -49,4 +49,4 @@
}
}
}
}
}
Original file line number Diff line number Diff line change
@@ -7,7 +7,7 @@
"policyType": "Custom",
"mode": "Indexed",
"displayName": "Deny non-premium Databricks sku",
"description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD.",
"description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for Microsoft Entra ID.",
"metadata": {
"version": "1.0.0",
"category": "Databricks",
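Review bot: Same point as for the previous definition file: the `description` text changes while `"version": "1.0.0"` in `"metadata"` stays unchanged; keep the two copies of this definition in step when bumping.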
@@ -49,4 +49,4 @@
}
}
}
}
}
10 changes: 5 additions & 5 deletions infra-as-code/bicep/modules/roleAssignments/README.md
@@ -31,18 +31,18 @@ All templates require an input for `parAssigneeObjectId` and this value is depen
az identity show --resource-group <RESOURCE_GROUP> --name <IDENTITY_NAME> --query 'principalId'

# Identify Object Id for Service Principal (App Registration)
# Require read permission to query Azure Active Directory
# Require read permission to query Microsoft Entra
# Example: az ad sp show --id c705dc53-7c95-42bc-b1d5-75e172571370 --query id
az ad sp show --id <APP_REGISTRATION_APPLICATION_ID> --query id

# Identify Object Id for Service Principal (App Registration)
# Require read permission to query Azure Active Directory
# Require read permission to query Microsoft Entra
# Beware of duplicates, since app registation names are not unique.
# Example: az ad sp list --filter "displayName eq '<APP_REGISTRATION_NAME>'" --query '[].{name:appDisplayName, objectId:id}'
az ad sp list --filter "displayName eq '<APP_REGISTRATION_NAME>'" --query '[].{name:appDisplayName, objectId:id}'

# Identify Object Id for Security Group
# Require read permission to query Azure Active Directory
# Require read permission to query Microsoft Entra
# Example: az ad group show --group SG_ALZ_SECURITY --query id
az ad group show --group <SECURITY_GROUP_NAME> --query id
```
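Review bot: The three replaced comments now read "Require read permission to query Microsoft Entra"; the directory the `az ad ...` commands query is Microsoft Entra ID, so "query Microsoft Entra ID" is the accurate wording (Microsoft Entra on its own is the product family). Since these lines are being edited, the pre-existing typo "app registation" in the unchanged comment just below the second replacement could be fixed to "app registration" in the same pass.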
@@ -55,12 +55,12 @@ az ad group show --group <SECURITY_GROUP_NAME> --query id
(Get-AzADServicePrincipal -DisplayName '<IDENTITY_NAME>').Id
# Identify Object Id for Service Principal (App Registration)
# Require read permission to query Azure Active Directory
# Require read permission to query Microsoft Entra
# Example: (Get-AzADServicePrincipal -DisplayName 'Azure Landing Zone SPN').Id
(Get-AzADServicePrincipal -DisplayName '<APP_REGISTRATION_DISPLAY_NAME>').Id
# Identify Object Id for Security Group
# Require read permission to query Azure Active Directory
# Require read permission to query Microsoft Entra
# Example: Get-AzureADGroup -SearchString 'SG_ALZ_SECURITY'
Connect-AzureAD
(Get-AzureADGroup -SearchString '<SECURITY_GROUP_NAME>').ObjectId
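Review bot: Beyond the comment rename, the security-group example in this hunk still relies on `Connect-AzureAD` and `Get-AzureADGroup`, i.e. the AzureAD PowerShell module, which Microsoft has deprecated in favour of Microsoft Graph PowerShell. The rest of this block already uses the Az module (`Get-AzADServicePrincipal`), so `(Get-AzADGroup -DisplayName '<SECURITY_GROUP_NAME>').Id` from Az.Resources would give a consistent, supported example without a separate sign-in; and because group display names are not unique either, the same "beware of duplicates" warning given for app registrations applies here.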
