diff --git a/README.md b/README.md index d91d306b..ea1fd2de 100644 --- a/README.md +++ b/README.md @@ -115,7 +115,7 @@ The expandable table below summarizes the available parameters and the possible |deployAppConfig|Feature Flag: Deploy (or not) an Azure app configuration| |deployJumpHost|Feature Flag: Deploy (or not) an Azure virtual machine (to be used as jumphost)| |autoApproveAfdPrivateEndpoint|Default value: true. Set to true if you want to auto approve the Private Endpoint of the AFD Premium. See details [regarding approving the App Service private endpoint connection from Front Door](#approve-the-app-service-private-endpoint-connection-from-front-door-in-the-azure-portal) | false -|sqlServerAdministrators|The Azure Active Directory (AAD) administrator group used for SQL Server authentication. The Azure AD group must be created before running deployment. This has three values that need to be filled, as shown below
**login**: the name of the AAD Group
**sid**: the object id of the AAD Group
**tenantId**: The tenantId of the AAD || +|sqlServerAdministrators|The Microsoft Entra ID administrator group used for SQL Server authentication. The Microsoft Entra ID group must be created before running deployment. This has three values that need to be filled, as shown below
**login**: the name of the Microsoft Entra ID Group
**sid**: the object id of the Microsoft Entra ID Group
**tenantId**: The tenantId of the Microsoft Entra ID ||
@@ -146,8 +146,8 @@ The expandable table below summarizes the available parameters and the possible GitHub Actions pipelines are located in the [`.github/workflows`](.github/workflows/) directory with templates stored in the [`.github/actions`](.github/actions/) directory.i -1. Create an Azure AD Service Principal for OIDC Authentication - - Reference the following documentation to configure your Azure AD Service Principal: [OIDC authentication to Azure](https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/github-enterprise-managed-user-oidc-provisioning-tutorial). +1. Create an Microsoft Entra ID Service Principal for OIDC Authentication + - Reference the following documentation to configure your Microsoft Entra ID Service Principal: [OIDC authentication to Azure](https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/github-enterprise-managed-user-oidc-provisioning-tutorial). 1. Configure your GitHub Actions Secrets - In your forked repository, navigate to `Settings > Secrets and variables > Actions`. - Create the following secrets: diff --git a/docs/App-Service-LZA.vsdx b/docs/App-Service-LZA.vsdx index efbf7b1c..4d8b58ca 100644 Binary files a/docs/App-Service-LZA.vsdx and b/docs/App-Service-LZA.vsdx differ diff --git a/docs/Design-Areas/identity-access-mgmt.md b/docs/Design-Areas/identity-access-mgmt.md index ddb4a09e..a6cbdb80 100644 --- a/docs/Design-Areas/identity-access-mgmt.md +++ b/docs/Design-Areas/identity-access-mgmt.md 
@@ -2,7 +2,7 @@ ## Design Considerations - Decide on the type of access for your application: public, private, or both. - Decide on how to authenticate users that need to access your App Service: anonymous, internal corporate users, social accounts, other [identity provider](https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=dotnet), or a mixture of these. -- Decide on whether to use system-assigned or user-assigned [managed identities](https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=dotnet) for your App Service when connecting to AAD-protected backend resources. +- Decide on whether to use system-assigned or user-assigned [managed identities](https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=dotnet) for your App Service when connecting to Microsoft Entra ID-protected backend resources. - Consider creating [custom roles](https://learn.microsoft.com/en-us/azure/active-directory/roles/custom-create) following the principle of least privilege when out-of-box roles require modifications on existing permissions. Utilize [App Configuration](https://learn.microsoft.com/en-us/azure/architecture/solution-ideas/articles/appconfig-key-vault) to share common configuration values between applications, microservices, and serverless applications that are not passwords, secrets, or keys. ## Design Recommendations - If the App Service requires authentication: 
@@ -10,9 +10,9 @@ - Use the [Easy Auth](https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization) capabilities of App Services, instead of writing your own authentication and authorization code. - Use separate [application registrations](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app) for separate [slots](https://learn.microsoft.com/en-us/azure/app-service/deploy-staging-slots) or environments. - If the App Service is intended for internal users only, use [client certificate authentication](https://learn.microsoft.com/en-us/azure/app-service/deploy-staging-slots) for increased security. - - If the App Service is intended for external users, utilize [Azure AD B2C](https://learn.microsoft.com/en-us/azure/active-directory-b2c/overview) to authenticate to social accounts and Azure AD accounts. + - If the App Service is intended for external users, utilize [Microsoft Entra ID B2C](https://learn.microsoft.com/en-us/azure/active-directory-b2c/overview) to authenticate to social accounts and Microsoft Entra ID accounts. - Use [Azure built-in roles](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#web-plan-contributor) to provide least privilege permissions to manage App Service Plans and Websites -- Utilize system-assigned [managed identities](https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=dotnet) to securely access AAD-protected backend resources. +- Utilize system-assigned [managed identities](https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=dotnet) to securely access Microsoft Entra ID-protected backend resources. - Ensure that users with access to Production resources in Azure are controlled and limited. 
- For automated deployment purposes, setup a [service principal](https://learn.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals) that has the minimum required permissions to deploy from the pipeline - Review and follow the recommendations outlined in the [Identity and Access Control section](https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/app-service-security-baseline?toc=/azure/app-service/toc.json#identity-and-access-control) of the Azure security baseline for App Service. diff --git a/docs/Images/AppServiceLandingZoneArchitecture-multitenant.png b/docs/Images/AppServiceLandingZoneArchitecture-multitenant.png index 597dee09..e69c82f7 100644 Binary files a/docs/Images/AppServiceLandingZoneArchitecture-multitenant.png and b/docs/Images/AppServiceLandingZoneArchitecture-multitenant.png differ diff --git a/docs/Images/Multitenant/AppServiceLandingZoneArchitecture-ASE.png b/docs/Images/Multitenant/AppServiceLandingZoneArchitecture-ASE.png index a3477e0d..7957d05d 100644 Binary files a/docs/Images/Multitenant/AppServiceLandingZoneArchitecture-ASE.png and b/docs/Images/Multitenant/AppServiceLandingZoneArchitecture-ASE.png differ diff --git a/docs/Images/Multitenant/AppServiceLandingZoneArchitecture-multitenant.png b/docs/Images/Multitenant/AppServiceLandingZoneArchitecture-multitenant.png index 6729d965..e69c82f7 100644 Binary files a/docs/Images/Multitenant/AppServiceLandingZoneArchitecture-multitenant.png and b/docs/Images/Multitenant/AppServiceLandingZoneArchitecture-multitenant.png differ diff --git a/docs/Images/home-page.gif b/docs/Images/home-page.gif index 9e069c52..86cb25af 100644 Binary files a/docs/Images/home-page.gif and b/docs/Images/home-page.gif differ diff --git a/scenarios/secure-baseline-multitenant/README.md b/scenarios/secure-baseline-multitenant/README.md index f3fb717e..29b7a2c8 100644 --- a/scenarios/secure-baseline-multitenant/README.md 
+++ b/scenarios/secure-baseline-multitenant/README.md @@ -29,7 +29,7 @@ See: [Multitenant](/docs/Images/Multitenant/AppServiceLandingZoneArchitecture-mu ## Core architecture components -- The application's users are authenticated by [Azure Active Directory (Azure AD)](https://azure.microsoft.com/services/active-directory/) or [Azure AD B2C](https://azure.microsoft.com/services/active-directory/external-identities/b2c/). The browser performs DNS lookups to resolve addresses to Azure Front Door. +- The application's users are authenticated by [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/) or [Microsoft Entra ID B2C](https://azure.microsoft.com/services/active-directory/external-identities/b2c/). The browser performs DNS lookups to resolve addresses to Azure Front Door. - [Virtual Network](https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works) enables Azure resources to securely communicate with each other, the internet, and on-premises networks by creating boundaries, isolation and segmentation of your workloads in the cloud, much like a physical network. - [Network Security Group](https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview?toc=%2Fazure%2Fnetworking%2Ffundamentals%2Ftoc.json) is a set of security policies that Allow or Deny Inbound/Outbound traffic (Protocols/Ports). - [Azure Front Door](https://azure.microsoft.com/services/frontdoor/) is a public front-end for all internet requests, acting as a global HTTP reverse proxy and cache in front of several Azure services. Front Door also provides automatic protection from layer 3 and 4 DDoS attacks, and a range of other features including WAF (web application firewall), caching, and custom rules to enhance the security and performance of your application. 
@@ -57,7 +57,7 @@ For network and subnet topology details, see the [Azure sample template](https:/ ## Alternatives -- Either Azure AD or Azure AD B2C can be used as an identity provider in this scenario. Azure AD is designed for internal applications and business-to-business (B2B) scenarios, while Azure AD B2C is designed for business-to-consumer (B2C) scenarios. +- Either Microsoft Entra ID or Microsoft Entra ID B2C can be used as an identity provider in this scenario. Microsoft Entra ID is designed for internal applications and business-to-business (B2B) scenarios, while Microsoft Entra ID B2C is designed for business-to-consumer (B2C) scenarios. - You can choose to bring your own DNS provider or use Azure-managed DNS, which is recommended. - Azure Application Gateway can be used solely instead of Azure Front Door when most users are located close to the Azure region that hosts your workload, and when content caching isn't required. Azure DDoS Network Protection is recommended for protecting internet-facing Application Gateway services. @@ -125,7 +125,7 @@ For more recommendations and information, see [Azure Redis Cache Security Baseli Deploy this reference architecture using this [Azure sample on GitHub](/scenarios/secure-baseline-multitenant/README.md). -- Azure AD, Azure AD B2C, and Azure DNS aren't deployed by this sample. +- Microsoft Entra ID, Microsoft Entra ID B2C, and Azure DNS aren't deployed by this sample. - Custom domain names and TLS/SSL certificates aren't created and configured. Default frontend DNS names are used instead. - The scripts are modular so you if you already have an existing environment, you can pick and choose the relevant section or adjust the relevant pieces according to your needs (deploy only SPOKE, replace SQL DB with PostgreSQL and etc.). diff --git a/scenarios/secure-baseline-multitenant/azure-resource-manager/README.md b/scenarios/secure-baseline-multitenant/azure-resource-manager/README.md index f5648d93..01bf8a14 100644 
--- a/scenarios/secure-baseline-multitenant/azure-resource-manager/README.md +++ b/scenarios/secure-baseline-multitenant/azure-resource-manager/README.md @@ -41,7 +41,7 @@ The table below summarizes the available parameters and the possible values that |deployAppConfig|Feature Flag: Deploy (or not) an Azure app configuration| |deployJumpHost|Feature Flag: Deploy (or not) an Azure virtual machine (to be used as jumphost)| |deployOpenAi|Feature Flag: Deploy (or not) an Azure OpenAI account. ATTENTION: At the time of writing, [OpenAI is in preview](https://learn.microsoft.com/azure/ai-services/openai/chatgpt-quickstart#prerequisites) and available in limited regions. |false -|sqlServerAdministrators|The Azure Active Directory (AAD) administrator group used for SQL Server authentication. The Azure AD group must be created before running deployment. This has three values that need to be filled, as shown below
**login**: the name of the AAD Group
**sid**: the object id of the AAD Group
**tenantId**: The tenantId of the AAD || +|sqlServerAdministrators|The Microsoft Entra ID administrator group used for SQL Server authentication. The Microsoft Entra ID group must be created before running deployment. This has three values that need to be filled, as shown below
**login**: the name of the Microsoft Entra ID Group
**sid**: the object id of the Microsoft Entra ID Group
**tenantId**: The tenantId of the Microsoft Entra ID || After the parameters have been initialized, you can deploy the Landing Zone Accelerator resources with the following `az cli` command: @@ -92,9 +92,9 @@ done ### Connect to the Jumpbox VM (deployed in the spoke resource group) -You can connect to the jumpbox win 11 VM only through bastion. The default parameters deploy a Bastion in Standard SKU, with native client support enabled. The jumpbox VM is AADJoined by default. This means that you can connect to the jumpbox, either with the local user/password compination (azureuser is the default username) or with a valid AAD account. In certain circumastances your organization may not allow the device to be enrolled. If the jumpbox VM is AAD joined and properly intune enrolled, you can use native rdp client to connect by running the below Az CLI commands +You can connect to the jumpbox win 11 VM only through bastion. The default parameters deploy a Bastion in Standard SKU, with native client support enabled. The jumpbox VM is Microsoft Entra IDJoined by default. This means that you can connect to the jumpbox, either with the local user/password compination (azureuser is the default username) or with a valid Microsoft Entra ID account. In certain circumastances your organization may not allow the device to be enrolled. If the jumpbox VM is Microsoft Entra ID joined and properly intune enrolled, you can use native rdp client to connect by running the below Az CLI commands -From a PowerShell terminal, connect to the DevOps VM using your Azure AD credentials (or Windows Hello). +From a PowerShell terminal, connect to the DevOps VM using your Microsoft Entra ID credentials (or Windows Hello). ```powershell az upgrade 
@@ -108,18 +108,18 @@ az network bastion rdp --name bast-bastion --resource-group rg-hub --target-reso More details on how to [connect to a windows VM with native rdp client, can be found here](https://learn.microsoft.com/en-us/azure/bastion/connect-native-client-windows#connect-windows) -The Azure AD enrollment can take a few minutes to complete. Check: [https://portal.manage-beta.microsoft.com/devices](https://portal.manage-beta.microsoft.com/devices) +The Microsoft Entra ID enrollment can take a few minutes to complete. Check: [https://portal.manage-beta.microsoft.com/devices](https://portal.manage-beta.microsoft.com/devices) -If your organization requires device enrollment before accessing corporate resources (i.e. if you see an error "You can't get there from here." or "This device does not meet your organization's compliance requirements"),login to the VM with local user (i.e. azureuser) and enroll the Jumpbox to Azure AD by following the steps in Edge: +If your organization requires device enrollment before accessing corporate resources (i.e. if you see an error "You can't get there from here." or "This device does not meet your organization's compliance requirements"),login to the VM with local user (i.e. azureuser) and enroll the Jumpbox to Microsoft Entra ID by following the steps in Edge: - open Edge and click "Sign in to sync data", - select "Work or school account", - and then press OK on "Allow my organization to manage my device". It takes a few minutes for the policies to be applied, device scanned and confirmed as secure to access corporate resources. You will know that the process is complete. 
-If you experience issues connecting to the DevOps VM using your AAD credentials, see [Unable to connect to DevOps VM using AAD credentials](../terraform/README.md#unable-to-connect-to-devops-vm-using-aad-credentials) +If you experience issues connecting to the DevOps VM using your Microsoft Entra ID credentials, see [Unable to connect to DevOps VM using Microsoft Entra ID credentials](../terraform/README.md#unable-to-connect-to-devops-vm-using-aad-credentials) -Once completed, and if you provided a valid (AAD) administrator group used for SQL Server authentication (and not only local SQL user administrator), you should be able to connect to the SQL Server using the Azure AD account from SQL Server Management Studio. On the sample database (sample-db by default), run the following commands to create the user and grant minimal permissions: +Once completed, and if you provided a valid (Microsoft Entra ID administrator group used for SQL Server authentication (and not only local SQL user administrator), you should be able to connect to the SQL Server using the Microsoft Entra ID account from SQL Server Management Studio. On the sample database (sample-db by default), run the following commands to create the user and grant minimal permissions: ```sql CREATE USER [web-app-name] FROM EXTERNAL PROVIDER; diff --git a/scenarios/secure-baseline-multitenant/azure-resource-manager/main-portal-ux.json b/scenarios/secure-baseline-multitenant/azure-resource-manager/main-portal-ux.json index 0a503af6..742c67ee 100644 --- a/scenarios/secure-baseline-multitenant/azure-resource-manager/main-portal-ux.json +++ b/scenarios/secure-baseline-multitenant/azure-resource-manager/main-portal-ux.json 
@@ -635,7 +635,7 @@ "type": "Microsoft.Common.TextBlock", "visible": "[equals(steps('extra').jumpBoxSection.deployJumpHost, true)]", "options": { - "text": "Give the CredentialsCombo for your windows Jump-box. The VM will be AAD Joined, so you can use your AAD credentials to login. The password must contain at least 12 characters, with at least 1 uppercase, 1 lowercase and 1 number.", + "text": "Give the CredentialsCombo for your windows Jump-box. The VM will be Microsoft Entra ID Joined, so you can use your Microsoft Entra ID credentials to login. The password must contain at least 12 characters, with at least 1 uppercase, 1 lowercase and 1 number.", "link": { "label": "Learn more for Windows VM Password Policy", "uri": "https://learn.microsoft.com/en-us/azure/virtual-machines/windows/faq#what-are-the-password-requirements-when-creating-a-vm-" diff --git a/scenarios/secure-baseline-multitenant/azure-resource-manager/main.json b/scenarios/secure-baseline-multitenant/azure-resource-manager/main.json index 10242391..a4ae154a 100644 --- a/scenarios/secure-baseline-multitenant/azure-resource-manager/main.json +++ b/scenarios/secure-baseline-multitenant/azure-resource-manager/main.json @@ -171,7 +171,7 @@ "type": "object", "defaultValue": {}, "metadata": { - "description": "Conditional. The Azure Active Directory (AAD) administrator authentication. Required if no `sqlAdminLogin` & `sqlAdminPassword` is provided." + "description": "Conditional. The Microsoft Entra ID administrator authentication. Required if no `sqlAdminLogin` & `sqlAdminPassword` is provided." } }, "sqlAdminLogin": { 
@@ -3347,7 +3347,7 @@ "type": "object", "defaultValue": {}, "metadata": { - "description": "Conditional. The Azure Active Directory (AAD) administrator authentication. Required if no `sqlAdminLogin` & `sqlAdminPassword` is provided." + "description": "Conditional. The Microsoft Entra ID administrator authentication. Required if no `sqlAdminLogin` & `sqlAdminPassword` is provided." } }, "sqlAdminLogin": { @@ -8061,7 +8061,7 @@ "type": "bool", "defaultValue": true, "metadata": { - "description": "Optional, default is true. Disables all authentication methods other than AAD authentication." + "description": "Optional, default is true. Disables all authentication methods other than Microsoft Entra ID authentication." } }, "enablePurgeProtection": { @@ -11716,7 +11716,7 @@ "type": "object", "defaultValue": {}, "metadata": { - "description": "Conditional. The Azure Active Directory (AAD) administrator authentication. Required if no `sqlAdminLogin` & `sqlAdminPassword` is provided." + "description": "Conditional. The Microsoft Entra ID administrator authentication. Required if no `sqlAdminLogin` & `sqlAdminPassword` is provided." } }, "sqlAdminLogin": { 
@@ -11835,21 +11835,21 @@ "type": "string", "defaultValue": "", "metadata": { - "description": "Conditional. The administrator username for the server. Required if no `administrators` object for AAD authentication is provided." + "description": "Conditional. The administrator username for the server. Required if no `administrators` object for Microsoft Entra ID authentication is provided." } }, "administratorLoginPassword": { "type": "securestring", "defaultValue": "", "metadata": { - "description": "Conditional. The administrator login password. Required if no `administrators` object for AAD authentication is provided." + "description": "Conditional. The administrator login password. Required if no `administrators` object for Microsoft Entra ID authentication is provided." } }, "administrators": { "type": "object", "defaultValue": {}, "metadata": { - "description": "Conditional. The Azure Active Directory (AAD) administrator authentication. Required if no `administratorLogin` & `administratorLoginPassword` is provided." + "description": "Conditional. The Microsoft Entra ID administrator authentication. Required if no `administratorLogin` & `administratorLoginPassword` is provided." } }, "primaryUserAssignedIdentityId": { diff --git a/scenarios/secure-baseline-multitenant/azure-resource-manager/main.parameters.jsonc b/scenarios/secure-baseline-multitenant/azure-resource-manager/main.parameters.jsonc index 13ef005d..e9c4f104 100644 --- a/scenarios/secure-baseline-multitenant/azure-resource-manager/main.parameters.jsonc +++ b/scenarios/secure-baseline-multitenant/azure-resource-manager/main.parameters.jsonc @@ -106,7 +106,7 @@ "deployment": "bicep" } }, - // The Azure Active Directory (AAD) administrator group used for SQL Server authentication + // The Microsoft Entra ID administrator group used for SQL Server authentication "sqlServerAdministrators": { "value": { // Azure AD group where your Azure administrators are members 
diff --git a/scenarios/secure-baseline-multitenant/bicep/README.md b/scenarios/secure-baseline-multitenant/bicep/README.md index 3a788ea3..b22e5ad5 100644 --- a/scenarios/secure-baseline-multitenant/bicep/README.md +++ b/scenarios/secure-baseline-multitenant/bicep/README.md @@ -41,7 +41,7 @@ The table below summarizes the available parameters and the possible values that |deployJumpHost|Feature Flag: Deploy (or not) an Azure virtual machine (to be used as jumphost)| |deployOpenAi|Feature Flag: Deploy (or not) an Azure OpenAI account. ATTENTION: At the time of writing, [OpenAI is in preview](https://learn.microsoft.com/azure/ai-services/openai/chatgpt-quickstart#prerequisites) and available in limited regions. |false |autoApproveAfdPrivateEndpoint|Default value: true. Set to true if you want to auto approve the Private Endpoint of the AFD Premium. See details [regarding approving the App Service private endpoint connection from Front Door](#approve-the-app-service-private-endpoint-connection-from-front-door-in-the-azure-portal) | false -|sqlServerAdministrators|The Azure Active Directory (AAD) administrator group used for SQL Server authentication. The Azure AD group must be created before running deployment. This has three values that need to be filled, as shown below
**login**: the name of the AAD Group
**sid**: the object id of the AAD Group
**tenantId**: The tenantId of the AAD || +|sqlServerAdministrators|The Microsoft Entra ID administrator group used for SQL Server authentication. The Microsoft Entra ID group must be created before running deployment. This has three values that need to be filled, as shown below
**login**: the name of the Microsoft Entra ID Group
**sid**: the object id of the Microsoft Entra ID Group
**tenantId**: The tenantId of the Microsoft Entra ID || After the parameters have been initialized, you can deploy the Landing Zone Accelerator resources with the following `az cli` command: @@ -106,9 +106,9 @@ Go to the portal, find the spoke resource group you have just deployed, and iden ### Connect to the Jumpbox VM (deployed in the spoke resource group) -You can connect to the jumpbox win 11 VM only through bastion. The default parameters deploy a Bastion in Standard SKU, with native client support enabled. The jumpbox VM is AADJoined by default. This means that you can connect to the jumpbox, either with the local user/password combination (azureuser is the default username) or with a valid AAD account. In certain circumstances your organization may not allow the device to be enrolled. If the jumpbox VM is AAD joined and properly intune enrolled, you can use native rdp client to connect by running the below Az CLI commands +You can connect to the jumpbox win 11 VM only through bastion. The default parameters deploy a Bastion in Standard SKU, with native client support enabled. The jumpbox VM is Microsoft Entra ID Joined by default. This means that you can connect to the jumpbox, either with the local user/password combination (azureuser is the default username) or with a valid Microsoft Entra ID account. In certain circumstances your organization may not allow the device to be enrolled. If the jumpbox VM is Microsoft Entra ID joined and properly intune enrolled, you can use native rdp client to connect by running the below Az CLI commands -From a PowerShell terminal, connect to the DevOps VM using your Azure AD credentials (or Windows Hello). +From a PowerShell terminal, connect to the DevOps VM using your Microsoft Entra ID credentials (or Windows Hello). ```powershell az upgrade 
@@ -122,18 +122,18 @@ az network bastion rdp --name bast-bastion --resource-group rg-hub --target-reso More details on how to [connect to a windows VM with native rdp client, can be found here](https://learn.microsoft.com/en-us/azure/bastion/connect-native-client-windows#connect-windows) -The Azure AD enrollment can take a few minutes to complete. Check: [https://portal.manage-beta.microsoft.com/devices](https://portal.manage-beta.microsoft.com/devices) +The Microsoft Entra ID enrollment can take a few minutes to complete. Check: [https://portal.manage-beta.microsoft.com/devices](https://portal.manage-beta.microsoft.com/devices) -If your organization requires device enrollment before accessing corporate resources (i.e. if you see an error "You can't get there from here." or "This device does not meet your organization's compliance requirements"),login to the VM with local user (i.e. azureuser) and enroll the Jumpbox to Azure AD by following the steps in Edge: +If your organization requires device enrollment before accessing corporate resources (i.e. if you see an error "You can't get there from here." or "This device does not meet your organization's compliance requirements"),login to the VM with local user (i.e. azureuser) and enroll the Jumpbox to Microsoft Entra ID by following the steps in Edge: - open Edge and click "Sign in to sync data", - select "Work or school account", - and then press OK on "Allow my organization to manage my device". It takes a few minutes for the policies to be applied, device scanned and confirmed as secure to access corporate resources. You will know that the process is complete. 
-If you experience issues connecting to the DevOps VM using your AAD credentials, see [Unable to connect to DevOps VM using AAD credentials](../terraform/README.md#unable-to-connect-to-devops-vm-using-aad-credentials) +If you experience issues connecting to the DevOps VM using your Microsoft Entra ID credentials, see [Unable to connect to DevOps VM using Microsoft Entra ID credentials](../terraform/README.md#unable-to-connect-to-devops-vm-using-aad-credentials) -Once completed, and if you provided a valid (AAD) administrator group used for SQL Server authentication (and not only local SQL user administrator), you should be able to connect to the SQL Server using the Azure AD account from SQL Server Management Studio. On the sample database (sample-db by default), run the following commands to create the user and grant minimal permissions: +Once completed, and if you provided a valid (Microsoft Entra ID) administrator group used for SQL Server authentication (and not only local SQL user administrator), you should be able to connect to the SQL Server using the Microsoft Entra ID account from SQL Server Management Studio. On the sample database (sample-db by default), run the following commands to create the user and grant minimal permissions: ```sql CREATE USER [web-app-name] FROM EXTERNAL PROVIDER; diff --git a/scenarios/secure-baseline-multitenant/bicep/deploy.spoke.bicep b/scenarios/secure-baseline-multitenant/bicep/deploy.spoke.bicep index 487a0ac2..f3643f94 100644 --- a/scenarios/secure-baseline-multitenant/bicep/deploy.spoke.bicep +++ b/scenarios/secure-baseline-multitenant/bicep/deploy.spoke.bicep 
@@ -85,7 +85,7 @@ param adminUsername string @secure() param adminPassword string -@description('Conditional. The Azure Active Directory (AAD) administrator authentication. Required if no `sqlAdminLogin` & `sqlAdminPassword` is provided.') +@description('Conditional. The Microsoft Entra ID administrator authentication. Required if no `sqlAdminLogin` & `sqlAdminPassword` is provided.') param sqlServerAdministrators object = {} @description('Conditional. If sqlServerAdministrators is given, this is not required') diff --git a/scenarios/secure-baseline-multitenant/bicep/main.bicep b/scenarios/secure-baseline-multitenant/bicep/main.bicep index 8d745ad1..fab47306 100644 --- a/scenarios/secure-baseline-multitenant/bicep/main.bicep +++ b/scenarios/secure-baseline-multitenant/bicep/main.bicep @@ -66,7 +66,7 @@ param adminUsername string = 'azureuser' @secure() param adminPassword string -@description('Conditional. The Azure Active Directory (AAD) administrator authentication. Required if no `sqlAdminLogin` & `sqlAdminPassword` is provided.') +@description('Conditional. The Microsoft Entra ID administrator authentication. Required if no `sqlAdminLogin` & `sqlAdminPassword` is provided.') param sqlServerAdministrators object = {} @description('Conditional. If sqlServerAdministrators is given, this is not required. ') diff --git a/scenarios/secure-baseline-multitenant/bicep/main.parameters.jsonc b/scenarios/secure-baseline-multitenant/bicep/main.parameters.jsonc index 13ef005d..e9c4f104 100644 --- a/scenarios/secure-baseline-multitenant/bicep/main.parameters.jsonc +++ b/scenarios/secure-baseline-multitenant/bicep/main.parameters.jsonc @@ -106,7 +106,7 @@ "deployment": "bicep" } }, - // The Azure Active Directory (AAD) administrator group used for SQL Server authentication + // The Microsoft Entra ID administrator group used for SQL Server authentication "sqlServerAdministrators": { "value": { // Azure AD group where your Azure administrators are members 
diff --git a/scenarios/secure-baseline-multitenant/bicep/modules/sql-database.module.bicep b/scenarios/secure-baseline-multitenant/bicep/modules/sql-database.module.bicep index 3f6c26b0..e1530c9d 100644 --- a/scenarios/secure-baseline-multitenant/bicep/modules/sql-database.module.bicep +++ b/scenarios/secure-baseline-multitenant/bicep/modules/sql-database.module.bicep @@ -14,7 +14,7 @@ param location string @description('Optional. Tags of the resource.') param tags object = {} -@description('Conditional. The Azure Active Directory (AAD) administrator authentication. Required if no `sqlAdminLogin` & `sqlAdminPassword` is provided.') +@description('Conditional. The Microsoft Entra ID administrator authentication. Required if no `sqlAdminLogin` & `sqlAdminPassword` is provided.') param administrators object = {} @description('Conditional. If sqlServerAdministrators is given, this is not required') diff --git a/scenarios/secure-baseline-multitenant/terraform/README.md b/scenarios/secure-baseline-multitenant/terraform/README.md index ca0991ab..ef875f7e 100644 --- a/scenarios/secure-baseline-multitenant/terraform/README.md +++ b/scenarios/secure-baseline-multitenant/terraform/README.md @@ -28,7 +28,7 @@ This section is organized using folders that match the steps outlined below. Mak ### Create terraform.tfvars file -An Azure AD user for the DevOps VM admin account and an Azure AD group is required for the SQL Admins. The group must be created before running the Terraform code. This is the minimum required information for the `terraform.tfvars` file that can be created in the [solutions](./solutions) folder.: +An Microsoft Entra ID user for the DevOps VM admin account and an Microsoft Entra ID group is required for the SQL Admins. The group must be created before running the Terraform code. This is the minimum required information for the `terraform.tfvars` file that can be created in the [solutions](./solutions) folder.: ```bash application_name = "secure-webapp" 
@@ -38,7 +38,7 @@ location_short = "swe" tenant_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" aad_admin_group_object_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" -aad_admin_group_name = "Azure AD SQL Admins" +aad_admin_group_name = "Microsoft Entra ID SQL Admins" vm_aad_admin_username = "bob@contoso.com" # Optionally provide non-AAD admin credentials for the VM 
@@ -165,16 +165,16 @@ done ### Connect to the DevOps VM -From a PowerShell terminal, connect to the DevOps VM using your Azure AD credentials (or Windows Hello). The exact `az network bastion rdp` command will be provided in the output of the Terraform deployment. +From a PowerShell terminal, connect to the DevOps VM using your Microsoft Entra ID credentials (or Windows Hello). The exact `az network bastion rdp` command will be provided in the output of the Terraform deployment. ```powershell az upgrade az network bastion rdp --name bast-bastion --resource-group rg-hub --target-resource-id /subscriptions/{subscription-id}/resourceGroups/{rg-name}/providers/Microsoft.Compute/virtualMachines/{vm-name} --disable-gateway ``` -If you experience issues connecting to the DevOps VM using your AAD credentials, see [Unable to connect to DevOps VM using AAD credentials](#unable-to-connect-to-devops-vm-using-aad-credentials) +If you experience issues connecting to the DevOps VM using your Microsoft Entra ID credentials, see [Unable to connect to DevOps VM using Microsoft Entra ID credentials](#unable-to-connect-to-devops-vm-using-aad-credentials) -Once completed, you should be able to connect to the SQL Server using the Azure AD account from SQL Server Management Studio. On the sample database (sample-db by default), run the following commands to create the user and grant minimal permissions (the exact command will be provided in the output of the Terraform deployment): +Once completed, you should be able to connect to the SQL Server using the Microsoft Entra ID account from SQL Server Management Studio. On the sample database (sample-db by default), run the following commands to create the user and grant minimal permissions (the exact command will be provided in the output of the Terraform deployment): ```sql CREATE USER [web-app-name] FROM EXTERNAL PROVIDER; 
@@ -204,8 +204,8 @@ az network front-door frontend-endpoint show --front-door-name ## Troubleshooting -### Unable to connect to DevOps VM using AAD credentials -The Azure AD enrollment can take a few minutes to complete. Check: [https://portal.manage-beta.microsoft.com/devices](https://portal.manage-beta.microsoft.com/devices) +### Unable to connect to DevOps VM using Microsoft Entra ID credentials +The Microsoft Entra ID enrollment can take a few minutes to complete. Check: [https://portal.manage-beta.microsoft.com/devices](https://portal.manage-beta.microsoft.com/devices) Verify in the Azure Portal if the `aad-login-for-windows` VM extension was deployed successfully. @@ -260,4 +260,4 @@ Connect to the VM using the local VM admin credentials and run `dsregcmd /status DeviceManagementSrvId : urn:ms-drs:enterpriseregistration.windows.net ``` -If the VM is AAD joined, try to login in with the Azure AD credentials again after a few minutes. If it's not AAD joined, attempt to re-install the VM extension or manually enroll the VM to AAD by following the steps in Edge: open Edge and click "Sign in to sync data", select "Work or school account", and then press OK on "Allow my organization to manage my device". It takes a few minutes for the policies to be applied, device scanned and confirmed as secure to access corporate resources. You will know that the process is complete. +If the VM is Microsoft Entra ID joined, try to login in with the Microsoft Entra ID credentials again after a few minutes. If it's not Microsoft Entra ID joined, attempt to re-install the VM extension or manually enroll the VM to Microsoft Entra ID by following the steps in Edge: open Edge and click "Sign in to sync data", select "Work or school account", and then press OK on "Allow my organization to manage my device". It takes a few minutes for the policies to be applied, device scanned and confirmed as secure to access corporate resources. You will know that the process is complete. 
diff --git a/scenarios/secure-baseline-multitenant/terraform/spoke/README.md b/scenarios/secure-baseline-multitenant/terraform/spoke/README.md index f772148c..7d8c2631 100644 --- a/scenarios/secure-baseline-multitenant/terraform/spoke/README.md +++ b/scenarios/secure-baseline-multitenant/terraform/spoke/README.md @@ -1,6 +1,6 @@ -# spoke - - +# spoke + + ## Requirements | Name | Version | @@ -56,8 +56,8 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [aad\_admin\_group\_name](#input\_aad\_admin\_group\_name) | The name of the Azure AD group that should be granted SQL Admin permissions to the SQL Server | `string` | n/a | yes | -| [aad\_admin\_group\_object\_id](#input\_aad\_admin\_group\_object\_id) | The object ID of the Azure AD group that should be granted SQL Admin permissions to the SQL Server | `string` | n/a | yes | +| [aad\_admin\_group\_name](#input\_aad\_admin\_group\_name) | The name of the Microsoft Entra ID group that should be granted SQL Admin permissions to the SQL Server | `string` | n/a | yes | +| [aad\_admin\_group\_object\_id](#input\_aad\_admin\_group\_object\_id) | The object ID of the Microsoft Entra ID group that should be granted SQL Admin permissions to the SQL Server | `string` | n/a | yes | | [application\_name](#input\_application\_name) | The name of your application | `string` | `"sec-baseline-1-spoke"` | no | | [appsvc\_options](#input\_appsvc\_options) | The options for the app service |
object({
service_plan = object({
os_type = string
sku_name = string
worker_count = optional(number)
zone_redundant = optional(bool)
})
web_app = object({
slots = list(string)

application_stack = object({
current_stack = string # required for windows
dotnet_version = optional(string)
docker_image = optional(string) # linux only
docker_image_tag = optional(string) # linux only
php_version = optional(string)
node_version = optional(string)
java_version = optional(string)
python = optional(bool) # windows only
python_version = optional(string) # linux only
java_server = optional(string) # linux only
java_server_version = optional(string) # linux only
go_version = optional(string) # linux only
ruby_version = optional(string) # linux only
})
})
})
|
{
"service_plan": {
"os_type": "Windows",
"sku_name": "S1"
},
"web_app": {
"application_stack": {
"current_stack": "dotnet",
"dotnet_version": "6.0"
},
"slots": []
}
}
| no | | [appsvc\_subnet\_cidr](#input\_appsvc\_subnet\_cidr) | The CIDR block for the subnet. | `list(string)` |
[
"10.240.0.0/26"
]
| no | @@ -81,11 +81,11 @@ | [private\_link\_subnet\_cidr](#input\_private\_link\_subnet\_cidr) | The CIDR block for the subnet. | `list(string)` |
[
"10.240.11.0/24"
]
| no | | [spoke\_vnet\_cidr](#input\_spoke\_vnet\_cidr) | [Optional] The CIDR block(s) for the virtual network for whitelisting on the firewall. Defaults to 10.240.0.0/20 | `list(string)` |
[
"10.240.0.0/20"
]
| no | | [tags](#input\_tags) | [Optional] Additional tags to assign to your resources | `map(string)` | `{}` | no | -| [tenant\_id](#input\_tenant\_id) | The Azure AD tenant ID for the identities. If no value provided, will use current deployment environment tenant. | `string` | `null` | no | -| [vm\_aad\_admin\_object\_id](#input\_vm\_aad\_admin\_object\_id) | The Azure AD object ID for the VM admin user/group. If vm\_aad\_admin\_username is not specified, this value will be used. | `string` | `null` | no | -| [vm\_aad\_admin\_username](#input\_vm\_aad\_admin\_username) | [Optional] The Azure AD username for the VM admin account. If vm\_aad\_admin\_object\_id is not specified, this value will be used. | `string` | `null` | no | -| [vm\_admin\_password](#input\_vm\_admin\_password) | The password for the local VM admin account. Autogenerated if null. Prefer using the Azure AD admin account. | `string` | `null` | no | -| [vm\_admin\_username](#input\_vm\_admin\_username) | The username for the local VM admin account. Autogenerated if null. Prefer using the Azure AD admin account. | `string` | `null` | no | +| [tenant\_id](#input\_tenant\_id) | The Microsoft Entra ID tenant ID for the identities. If no value provided, will use current deployment environment tenant. | `string` | `null` | no | +| [vm\_aad\_admin\_object\_id](#input\_vm\_aad\_admin\_object\_id) | The Microsoft Entra ID object ID for the VM admin user/group. If vm\_aad\_admin\_username is not specified, this value will be used. | `string` | `null` | no | +| [vm\_aad\_admin\_username](#input\_vm\_aad\_admin\_username) | [Optional] The Microsoft Entra ID username for the VM admin account. If vm\_aad\_admin\_object\_id is not specified, this value will be used. | `string` | `null` | no | +| [vm\_admin\_password](#input\_vm\_admin\_password) | The password for the local VM admin account. Autogenerated if null. Prefer using the Microsoft Entra ID admin account. 
| `string` | `null` | no | +| [vm\_admin\_username](#input\_vm\_admin\_username) | The username for the local VM admin account. Autogenerated if null. Prefer using the Microsoft Entra ID admin account. | `string` | `null` | no | ## Outputs @@ -102,4 +102,4 @@ | [web\_app\_name](#output\_web\_app\_name) | n/a | | [web\_app\_slot\_name](#output\_web\_app\_slot\_name) | n/a | | [web\_app\_uri](#output\_web\_app\_uri) | n/a | - + diff --git a/scenarios/shared/bicep/app-configuration.bicep b/scenarios/shared/bicep/app-configuration.bicep index afb6166f..6df9668e 100644 --- a/scenarios/shared/bicep/app-configuration.bicep +++ b/scenarios/shared/bicep/app-configuration.bicep @@ -22,7 +22,7 @@ param userAssignedIdentities object = {} @description('Optional. Pricing tier of App Configuration.') param sku string = 'Standard' -@description('Optional, default is true. Disables all authentication methods other than AAD authentication.') +@description('Optional, default is true. Disables all authentication methods other than Microsoft Entra ID authentication.') param disableLocalAuth bool = true @description('Optional default is false. Property specifying whether protection against purge is enabled for this configuration store.') diff --git a/scenarios/shared/bicep/databases/sql.bicep b/scenarios/shared/bicep/databases/sql.bicep index 728ec036..881384f7 100644 --- a/scenarios/shared/bicep/databases/sql.bicep +++ b/scenarios/shared/bicep/databases/sql.bicep 
@@ -10,14 +10,14 @@ param tags object = {} @description('Whether the resource has private links or not') param hasPrivateLinks bool -@description('Conditional. The administrator username for the server. Required if no `administrators` object for AAD authentication is provided.') +@description('Conditional. The administrator username for the server. Required if no `administrators` object for Microsoft Entra ID authentication is provided.') param administratorLogin string = '' -@description('Conditional. The administrator login password. Required if no `administrators` object for AAD authentication is provided.') +@description('Conditional. The administrator login password. Required if no `administrators` object for Microsoft Entra ID authentication is provided.') @secure() param administratorLoginPassword string = '' -@description('Conditional. The Azure Active Directory (AAD) administrator authentication. Required if no `administratorLogin` & `administratorLoginPassword` is provided.') +@description('Conditional. The Microsoft Entra ID administrator authentication. Required if no `administratorLogin` & `administratorLoginPassword` is provided.') param administrators object = {} @description('Conditional. The resource ID of a user assigned identity to be used by default. Required if "userAssignedIdentities" is not empty.') diff --git a/scenarios/shared/bicep/role-assignments/roledefinitions.json b/scenarios/shared/bicep/role-assignments/roledefinitions.json index 83d1fd78..b84c913e 100644 --- a/scenarios/shared/bicep/role-assignments/roledefinitions.json +++ b/scenarios/shared/bicep/role-assignments/roledefinitions.json 
@@ -1026,7 +1026,7 @@ }, { "ID": "/subscriptions/0a52391c-0d81-434e-90b4-d04f5c670e8a/providers/Microsoft.Authorization/roleDefinitions/420fcaa2-552c-430f-98ca-3264be4806c7", - "description": "Lets your app server access SignalR Service with AAD auth options.", + "description": "Lets your app server access SignalR Service with Microsoft Entra ID auth options.", "roleName": "SignalR App Server" }, { diff --git a/scenarios/shared/terraform-modules/key-vault/README.md b/scenarios/shared/terraform-modules/key-vault/README.md index 4681451b..cc6ea84a 100644 --- a/scenarios/shared/terraform-modules/key-vault/README.md +++ b/scenarios/shared/terraform-modules/key-vault/README.md @@ -1,6 +1,6 @@ -# key-vault - - +# key-vault + + ## Requirements No requirements. @@ -44,7 +44,7 @@ No modules. | [secret\_reader\_identities](#input\_secret\_reader\_identities) | The list of identities that will be granted secret reader permissions | `list(string)` | n/a | yes | | [sku\_name](#input\_sku\_name) | The sku name for the app service plan | `string` | `"standard"` | no | | [tags](#input\_tags) | A mapping of tags to assign to the resource. | `map(string)` | `{}` | no | -| [tenant\_id](#input\_tenant\_id) | The Azure AD tenant ID for the identities. If no value provided, will use current deployment environment tenant. | `string` | `null` | no | +| [tenant\_id](#input\_tenant\_id) | The Microsoft Entra ID tenant ID for the identities. If no value provided, will use current deployment environment tenant. | `string` | `null` | no | | [unique\_id](#input\_unique\_id) | The unique id | `string` | n/a | yes | ## Outputs @@ -53,4 +53,4 @@ No modules. |------|-------------| | [vault\_name](#output\_vault\_name) | n/a | | [vault\_uri](#output\_vault\_uri) | n/a | - + diff --git a/scenarios/shared/terraform-modules/windows-vm-ext/README.md b/scenarios/shared/terraform-modules/windows-vm-ext/README.md index 37748485..abe8b942 100644 
--- a/scenarios/shared/terraform-modules/windows-vm-ext/README.md +++ b/scenarios/shared/terraform-modules/windows-vm-ext/README.md @@ -1,6 +1,6 @@ -# windows-vm-ext - - +# windows-vm-ext + + ## Requirements No requirements. @@ -26,7 +26,7 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [enable\_azure\_ad\_join](#input\_enable\_azure\_ad\_join) | True to enable Azure AD join of the VM. | `bool` | `true` | no | +| [enable\_azure\_ad\_join](#input\_enable\_azure\_ad\_join) | True to enable Microsoft Entra ID join of the VM. | `bool` | `true` | no | | [enroll\_with\_mdm](#input\_enroll\_with\_mdm) | True to enroll the device with an approved MDM provider like Intune. | `bool` | `true` | no | | [install\_extensions](#input\_install\_extensions) | n/a | `bool` | `false` | no | | [mdm\_id](#input\_mdm\_id) | The default value is the MDM Id for Intune, but you can use your own MDM id if you want to use a different MDM service. | `string` | `"0000000a-0000-0000-c000-000000000000"` | no | @@ -36,4 +36,4 @@ No modules. ## Outputs No outputs. - + diff --git a/scenarios/shared/terraform-modules/windows-vm/README.md b/scenarios/shared/terraform-modules/windows-vm/README.md index 3aa4ecdd..10fed98d 100644 --- a/scenarios/shared/terraform-modules/windows-vm/README.md +++ b/scenarios/shared/terraform-modules/windows-vm/README.md @@ -1,6 +1,6 @@ -# windows-vm - - +# windows-vm + + ## Requirements No requirements. 
@@ -35,8 +35,8 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [aad\_admin\_object\_id](#input\_aad\_admin\_object\_id) | The Azure AD object ID for the VM admin user/group. If aad\_admin\_username is not specified, this value will be used. | `string` | `null` | no | -| [aad\_admin\_username](#input\_aad\_admin\_username) | [Optional] The Azure AD username for the VM admin account. If aad\_admin\_object\_id is not specified, this value will be used. | `string` | `null` | no | +| [aad\_admin\_object\_id](#input\_aad\_admin\_object\_id) | The Microsoft Entra ID object ID for the VM admin user/group. If aad\_admin\_username is not specified, this value will be used. | `string` | `null` | no | +| [aad\_admin\_username](#input\_aad\_admin\_username) | [Optional] The Microsoft Entra ID username for the VM admin account. If aad\_admin\_object\_id is not specified, this value will be used. | `string` | `null` | no | | [admin\_password](#input\_admin\_password) | n/a | `string` | `null` | no | | [admin\_username](#input\_admin\_username) | n/a | `string` | `null` | no | | [global\_settings](#input\_global\_settings) | Global settings for the naming convention module. | `any` | n/a | yes | @@ -62,4 +62,4 @@ No modules. | [principal\_id](#output\_principal\_id) | n/a | | [private\_ip\_address](#output\_private\_ip\_address) | n/a | | [vm\_key\_vault\_secret\_ids](#output\_vm\_key\_vault\_secret\_ids) | n/a | - +
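Review bot: the two "If you experience issues connecting to the DevOps VM" links (in `docs/Design-Areas/identity-access-mgmt.md` and in the "Connect to the DevOps VM" hunk of `terraform/README.md`) now break. Their link text was changed to "Unable to connect to DevOps VM using Microsoft Entra ID credentials" but the fragment is still `#unable-to-connect-to-devops-vm-using-aad-credentials`, while the Troubleshooting hunk renames the heading itself to `### Unable to connect to DevOps VM using Microsoft Entra ID credentials`. GitHub derives the anchor from the heading text, so the old fragment no longer resolves. Either update both fragments to `#unable-to-connect-to-devops-vm-using-microsoft-entra-id-credentials` or keep the heading's original wording.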
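Review bot: the `main.parameters.jsonc` hunk updates only the first comment; the unchanged context line directly below it still reads `// Azure AD group where your Azure administrators are members`, so the two comments on the same parameter now use different names for the same directory. Update the second comment in the same change.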
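Review bot: in the `sql-database.module.bicep` hunk the parameter is named `administrators`, yet the context line after it still says `@description('Conditional. If sqlServerAdministrators is given, this is not required')`; `sqlServerAdministrators` is the name used in `main.bicep` and `deploy.spoke.bicep`, not in this module, so the description points at a parameter that does not exist here. While touching these descriptions, "Required if no `sqlAdminLogin` & `sqlAdminPassword` is provided" (and the equivalent `administratorLogin` & `administratorLoginPassword` text in `sql.bicep`) should read "are provided", since the condition covers two parameters.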
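Review bot: article agreement in the "Create terraform.tfvars file" hunk: "An Microsoft Entra ID user ... and an Microsoft Entra ID group" should be "A Microsoft Entra ID user ... and a Microsoft Entra ID group" (the same "an Microsoft Entra ID Service Principal" slip appears in the top-level README hunk). The sentence also still ends with "folder.:". In the following tfvars hunk the comment `# Optionally provide non-AAD admin credentials for the VM` is left with the old name, which is fine to keep only if the intent is to leave variable names such as `aad_admin_group_name` untouched for compatibility; otherwise update it with the rest.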
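Review bot: the rewritten Troubleshooting paragraph carries over two pre-existing defects: "try to login in with" should be "try to log in with", and the closing sentence "You will know that the process is complete." states no criterion, so the reader cannot tell what indicates completion. Since this paragraph already directs the user to `dsregcmd /status`, stating which field or behaviour signals success would make the instruction actionable.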
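Review bot: `roledefinitions.json` looks like an exported copy of Azure's built-in role definitions (the entry carries a `/providers/Microsoft.Authorization/roleDefinitions/420fcaa2-...` ID and a `roleName` of "SignalR App Server"), so rewording its `description` makes the local mirror diverge from what the platform actually returns and will be reverted by the next export. Prefer leaving exported data verbatim, or add a comment stating that the file is hand-maintained if that is the intent.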
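Review bot: the `spoke`, `key-vault`, `windows-vm-ext` and `windows-vm` READMEs have the shape of terraform-docs output (`#input\_...` anchors, `n/a` default cells, auto-generated Inputs/Outputs tables), and no corresponding change to the modules' variable `description` values appears in this diff, so the edited wording will be overwritten on the next regeneration; the descriptions should be changed at the source and the READMEs regenerated. The `@@ -1,6 +1,6 @@ -# spoke - - +# spoke + +` hunks and the trailing `- +` hunks show no textual difference and look like line-ending or whitespace churn; dropping them keeps the change reviewable. Keeping the `aad_*` and `enable_azure_ad_join` variable names intact while only the descriptions change is the right call for existing callers.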