diff --git a/.github/scripts/Wipe-AlzTenant.ps1 b/.github/scripts/Wipe-AlzTenant.ps1
index 1af4185a8..9c11f5650 100644
--- a/.github/scripts/Wipe-AlzTenant.ps1
+++ b/.github/scripts/Wipe-AlzTenant.ps1
@@ -1,9 +1,9 @@
 [CmdletBinding()]
 param (
 #Added this back into parameters as error occurs if multiple tenants are found when using Get-AzTenant
- [Parameter(Mandatory = $true, Position = 1, HelpMessage = "Please the Insert Tenant ID (GUID) of your Azure AD tenant e.g.'f73a2b89-6c0e-4382-899f-ea227cd6b68f'")]
+ [Parameter(Mandatory = $true, Position = 1, HelpMessage = "Please the Insert Tenant ID (GUID) of your Microsoft Entra tenant e.g.'f73a2b89-6c0e-4382-899f-ea227cd6b68f'")]
 [string]
- $tenantRootGroupID = "",
+ $tenantRootGroupID = "",
 [Parameter(Mandatory = $true, Position = 2, HelpMessage = "Insert the name of your intermediate root Management Group e.g. 'Contoso'")]
 [string]
@@ -52,12 +52,12 @@ $subDeployments | ForEach-Object -Parallel {
 }
-# Get all AAD Tenant level deployments
+# Get all Microsoft Entra Tenant level deployments
 $tenantDeployments = Get-AzTenantDeployment
 Write-Information "Removing all Tenant level deployments"
-# For each AAD Tenant level deployment, remove it
+# For each Microsoft Entra Tenant level deployment, remove it
 $tenantDeployments | ForEach-Object -Parallel {
 Write-Information "Removing $($_.DeploymentName) ..."
 Remove-AzTenantDeployment -Id $_.Id
@@ -99,4 +99,4 @@ $StopWatch.Stop()
 # Display timer output as table
 Write-Information "Time taken to complete task:"
-$StopWatch.Elapsed | Format-Table
\ No newline at end of file
+$StopWatch.Elapsed | Format-Table
diff --git a/.github/scripts/mc-Wipe-AlzTenant.ps1 b/.github/scripts/mc-Wipe-AlzTenant.ps1
index e9209f115..d81bf8e9c 100644
--- a/.github/scripts/mc-Wipe-AlzTenant.ps1
+++ b/.github/scripts/mc-Wipe-AlzTenant.ps1
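Review bot: The HelpMessage on the rewritten `[Parameter(Mandatory = $true, Position = 1, ...)]` line still reads "Please the Insert Tenant ID (GUID) of your Microsoft Entra tenant", which is ungrammatical and is the text a user sees when prompted for the mandatory value. Since the commit already rewrites this string literal, it could read `HelpMessage = "Please insert the Tenant ID (GUID) of your Microsoft Entra tenant e.g. 'f73a2b89-6c0e-4382-899f-ea227cd6b68f'"`. The identical line is rewritten in the mc-Wipe-AlzTenant.ps1 hunk at -1,9 and has the same wording problem. The param block continues outside the hunk.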
@@ -1,9 +1,9 @@
 [CmdletBinding()]
 param (
 #Added this back into parameters as error occurs if multiple tenants are found when using Get-AzTenant
- [Parameter(Mandatory = $true, Position = 1, HelpMessage = "Please the Insert Tenant ID (GUID) of your Azure AD tenant e.g.'f73a2b89-6c0e-4382-899f-ea227cd6b68f'")]
+ [Parameter(Mandatory = $true, Position = 1, HelpMessage = "Please the Insert Tenant ID (GUID) of your Microsoft Entra tenant e.g.'f73a2b89-6c0e-4382-899f-ea227cd6b68f'")]
 [string]
- $tenantRootGroupID = "",
+ $tenantRootGroupID = "",
 [Parameter(Mandatory = $true, Position = 2, HelpMessage = "Insert the name of your intermediate root Management Group e.g. 'Contoso'")]
 [string]
@@ -52,12 +52,12 @@ $subDeployments | ForEach-Object -Parallel {
 }
-# Get all AAD Tenant level deployments
-$tenantDeployments = Get-AzTenantDeployment | Where-Object {$PSItem.DeploymentName -like "$intermediateRootGroupID*"}
+# Get all Microsoft Entra Tenant level deployments
+$tenantDeployments = Get-AzTenantDeployment | Where-Object { $PSItem.DeploymentName -like "$intermediateRootGroupID*" }
 Write-Output "Removing all Tenant level deployments prefixed with $intermediateRootGroupID"
-# For each AAD Tenant level deployment, remove it
+# For each Microsoft Entra Tenant level deployment, remove it
 $tenantDeployments | ForEach-Object -Parallel {
 Write-Output "Removing $($_.DeploymentName) ..."
 Remove-AzTenantDeployment -Id $_.Id
@@ -99,4 +99,4 @@ $StopWatch.Stop()
 # Display timer output as table
 Write-Output "Time taken to complete task:"
-$StopWatch.Elapsed | Format-Table
\ No newline at end of file
+$StopWatch.Elapsed | Format-Table
diff --git a/docs/wiki/ACRDeployment.md b/docs/wiki/ACRDeployment.md
index 08ad18614..b92c2df06 100644
--- a/docs/wiki/ACRDeployment.md
+++ b/docs/wiki/ACRDeployment.md
@@ -8,7 +8,7 @@ This document outlines the prerequisites, dependencies and flow to setup a Priva
 ## Prerequisites
-1. Azure Active Directory Tenant.
+1. Microsoft Entra Tenant.
 2. Minimum 1 subscription. Subscription(s) are required when configuring `Azure Container Registry` services.
 3. Deployment Identity with `Contributor` permission to the subscription.
diff --git a/docs/wiki/Accelerator.md b/docs/wiki/Accelerator.md
index 868ba41b3..1292b63ca 100644
--- a/docs/wiki/Accelerator.md
+++ b/docs/wiki/Accelerator.md
@@ -101,7 +101,7 @@ In order to setup the Accelerator framework with the production GitHub Action Wo
 ```
 1. Now that the remote branch has the latest commit(s), you can configure your OpenID Connect (OIDC) identity provider with GitHub which will give the workflows access to your Azure environment.
- 1. [Create an Azure Active Directory service principal](https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Cwindows#create-an-azure-active-directory-application-and-service-principal)
+ 1. [Create an Microsoft Entra service principal](https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Cwindows#create-an-azure-active-directory-application-and-service-principal)
 1. [Add your federated credentials](https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Cwindows#add-federated-credentials)
 1. Add one federated credential with the entity type set to 'Branch' and with a value for "Based on Selection" set to 'main'
 1. Add a secondary federated credential with the entity type set to 'Pull Request'
diff --git a/docs/wiki/ConsumerGuide.md b/docs/wiki/ConsumerGuide.md
index 77b0d04b0..6640aa4a0 100644
--- a/docs/wiki/ConsumerGuide.md
+++ b/docs/wiki/ConsumerGuide.md
@@ -6,7 +6,7 @@
 > This guidance supports the [Deployment Flow](https://github.com/Azure/ALZ-Bicep/wiki/DeploymentFlow) guidance, it is not a replacement
-The `ALZ-Bicep` repository (this repository) has been created to help customers and partners to deploy and deliver the [Azure Landing Zones (ALZ) conceptual architecture](https://aka.ms/alz#azure-landing-zone-conceptual-architecture) into an Azure AD Tenant utilizing [Bicep](https://aka.ms/bicep) as the Infrastructure-as-Code (IaC) tooling and language.
+The `ALZ-Bicep` repository (this repository) has been created to help customers and partners to deploy and deliver the [Azure Landing Zones (ALZ) conceptual architecture](https://aka.ms/alz#azure-landing-zone-conceptual-architecture) into an Microsoft Entra Tenant utilizing [Bicep](https://aka.ms/bicep) as the Infrastructure-as-Code (IaC) tooling and language.
 The style in which the Bicep modules have been authored in this repo are aimed at consumers of all skill levels. This is in an effort to make the modules as accessible as possible; especially for those that are newer to the world of IaC and/or Bicep.
diff --git a/docs/wiki/DeploymentFlow.md b/docs/wiki/DeploymentFlow.md
index d3b6cfa76..8d5b45a5b 100644
--- a/docs/wiki/DeploymentFlow.md
+++ b/docs/wiki/DeploymentFlow.md
@@ -25,7 +25,7 @@ We have created a short 3-part series of video on the Azure Enablement Show that
 ## Prerequisites
-1. Azure Active Directory Tenant.
+1. Microsoft Entra Tenant.
 2. Minimum 1 subscription. Subscription(s) are required when configuring `Log Analytics Workspace` & `Hub Networking` services. Each can be deployed in the same subscription or separate subscriptions based on deployment requirements.
 3. Deployment Identity with `Owner` permission to the `/` root management group. Owner permission is required to allow the Service Principal Account to create role-based access control assignments. See [configuration instructions below](#deployment-identity).
@@ -82,7 +82,7 @@ The current available orchestration modules are listed below:
 ## Deployment Identity
-When first working with Management Groups, the Azure AD Global Administrator must assign the User Access Administrator role to themselves at the `/` scope first before being able to further delegate. See [Elevate access to manage all Azure subscriptions and management groups](https://learn.microsoft.com/azure/role-based-access-control/elevate-access-global-admin) documentation for further information.
+When first working with Management Groups, the Microsoft Entra Global Administrator must assign the User Access Administrator role to themselves at the `/` scope first before being able to further delegate. See [Elevate access to manage all Azure subscriptions and management groups](https://learn.microsoft.com/azure/role-based-access-control/elevate-access-global-admin) documentation for further information.
 In addition, the identity that wants to create a Tenant scope deployment must have the *Owner* role assigned to the `/` root management group. Whether this is your user account (even if a Global Administrator) or a Service Principal. See [Required access for Tenant deployments on Azure Docs](https://learn.microsoft.com/azure/azure-resource-manager/templates/deploy-to-tenant?tabs=azure-powershell#required-access).
diff --git a/infra-as-code/bicep/CRML/subscriptionAlias/generateddocs/subscriptionAlias.bicep.md b/infra-as-code/bicep/CRML/subscriptionAlias/generateddocs/subscriptionAlias.bicep.md
index 6510148c0..83cd0c7ce 100644
--- a/infra-as-code/bicep/CRML/subscriptionAlias/generateddocs/subscriptionAlias.bicep.md
+++ b/infra-as-code/bicep/CRML/subscriptionAlias/generateddocs/subscriptionAlias.bicep.md
@@ -10,7 +10,7 @@ parSubscriptionName | Yes | Name of the subscription to be created. Will al
 parSubscriptionBillingScope | Yes | The full resource ID of billing scope associated to the EA, MCA or MPA account you wish to create the subscription in.
 parTags | No | Tags you would like to be applied.
 parManagementGroupId | No | The ID of the existing management group where the subscription will be placed. Also known as its parent management group. (Optional)
-parSubscriptionOwnerId | No | The object ID of a responsible user, AAD group or service principal. (Optional)
+parSubscriptionOwnerId | No | The object ID of a responsible user, Microsoft Entra group or service principal. (Optional)
 parSubscriptionOfferType | No | The offer type of the EA, MCA or MPA subscription to be created. Defaults to = Production
 parTenantId | No | The ID of the tenant. Defaults to = tenant().tenantId
@@ -42,7 +42,7 @@ The ID of the existing management group where the subscription will be placed. A
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
-The object ID of a responsible user, AAD group or service principal. (Optional)
+The object ID of a responsible user, Microsoft Entra group or service principal. (Optional)
 ### parSubscriptionOfferType
diff --git a/infra-as-code/bicep/CRML/subscriptionAlias/subscriptionAlias.bicep b/infra-as-code/bicep/CRML/subscriptionAlias/subscriptionAlias.bicep
index 969262290..815165259 100644
--- a/infra-as-code/bicep/CRML/subscriptionAlias/subscriptionAlias.bicep
+++ b/infra-as-code/bicep/CRML/subscriptionAlias/subscriptionAlias.bicep
@@ -24,7 +24,7 @@ param parTags object = {}
 @sys.description('The ID of the existing management group where the subscription will be placed. Also known as its parent management group. (Optional)')
 param parManagementGroupId string = ''
-@sys.description('The object ID of a responsible user, AAD group or service principal. (Optional)')
+@sys.description('The object ID of a responsible user, Microsoft Entra group or service principal. (Optional)')
 param parSubscriptionOwnerId string = ''
 @allowed([
diff --git a/infra-as-code/bicep/modules/customRoleDefinitions/README.md b/infra-as-code/bicep/modules/customRoleDefinitions/README.md
index c288fa975..9340eaf1a 100644
--- a/infra-as-code/bicep/modules/customRoleDefinitions/README.md
+++ b/infra-as-code/bicep/modules/customRoleDefinitions/README.md
@@ -9,7 +9,7 @@ Module supports the following custom roles:
 - [*ManagementGroupId] Network management (NetOps)
 - [*ManagementGroupId] Security operations (SecOps)
-*The custom role names are prefixed with `[ManagementGroupId]` since custom roles scoped at Management Group level must be unique within the Azure AD tenant. This will alleviate any conflicts if you chose to deploy a [canary environment](https://aka.ms/alz/canary).
+*The custom role names are prefixed with `[ManagementGroupId]` since custom roles scoped at Management Group level must be unique within the Microsoft Entra tenant. This will alleviate any conflicts if you chose to deploy a [canary environment](https://aka.ms/alz/canary).
 For example, if the `ManagementGroupId` = **alz**, then each role will have this prefix **[alz]** like `[alz] Subscription owner`. See the [example output deployment](#example-deployment-output) below.
 ## Parameters
diff --git a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_sku.tmpl.json b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_sku.tmpl.json
index 47c94a045..7a50a3093 100644
--- a/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_sku.tmpl.json
+++ b/infra-as-code/bicep/modules/policy/assignments/lib/policy_assignments/policy_assignment_es_deny_databricks_sku.tmpl.json
@@ -3,7 +3,7 @@
 "type": "Microsoft.Authorization/policyAssignments",
 "apiVersion": "2019-09-01",
 "properties": {
- "description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD.",
+ "description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for Microsoft Entra.",
 "displayName": "Enforces the use of Premium Databricks workspaces",
 "notScopes": [],
 "parameters": {
@@ -19,4 +19,4 @@
 "identity": {
 "type": "None"
 }
-}
+}
\ No newline at end of file
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Databricks-Sku.json b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Databricks-Sku.json
index 8e404a8aa..7bb89b4f2 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Databricks-Sku.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/china/policy_definitions/policy_definition_es_mc_Deny-Databricks-Sku.json
@@ -7,7 +7,7 @@
 "policyType": "Custom",
 "mode": "Indexed",
 "displayName": "Deny non-premium Databricks sku",
- "description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD.",
+ "description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for Microsoft Entra.",
 "metadata": {
 "version": "1.0.0",
 "category": "Databricks",
diff --git a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Databricks-Sku.json b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Databricks-Sku.json
index 8e404a8aa..7bb89b4f2 100644
--- a/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Databricks-Sku.json
+++ b/infra-as-code/bicep/modules/policy/definitions/lib/policy_definitions/policy_definition_es_Deny-Databricks-Sku.json
@@ -7,7 +7,7 @@
 "policyType": "Custom",
 "mode": "Indexed",
 "displayName": "Deny non-premium Databricks sku",
- "description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD.",
+ "description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for Microsoft Entra.",
 "metadata": {
 "version": "1.0.0",
 "category": "Databricks",
diff --git a/infra-as-code/bicep/modules/roleAssignments/README.md b/infra-as-code/bicep/modules/roleAssignments/README.md
index e2419c382..b110d303b 100644
--- a/infra-as-code/bicep/modules/roleAssignments/README.md
+++ b/infra-as-code/bicep/modules/roleAssignments/README.md
@@ -31,18 +31,18 @@ All templates require an input for `parAssigneeObjectId` and this value is depen
 az identity show --resource-group --name --query 'principalId'
 # Identify Object Id for Service Principal (App Registration)
-# Require read permission to query Azure Active Directory
+# Require read permission to query Microsoft Entra
 # Example: az ad sp show --id c705dc53-7c95-42bc-b1d5-75e172571370 --query id
 az ad sp show --id --query id
 # Identify Object Id for Service Principal (App Registration)
-# Require read permission to query Azure Active Directory
+# Require read permission to query Microsoft Entra
 # Beware of duplicates, since app registation names are not unique.
 # Example: az ad sp list --filter "displayName eq ''" --query '[].{name:appDisplayName, objectId:id}'
 az ad sp list --filter "displayName eq ''" --query '[].{name:appDisplayName, objectId:id}'
 # Identify Object Id for Security Group
-# Require read permission to query Azure Active Directory
+# Require read permission to query Microsoft Entra
 # Example: az ad group show --group SG_ALZ_SECURITY --query id
 az ad group show --group --query id
 ```
@@ -55,12 +55,12 @@ az ad group show --group --query id
 (Get-AzADServicePrincipal -DisplayName '').Id
 # Identify Object Id for Service Principal (App Registration)
-# Require read permission to query Azure Active Directory
+# Require read permission to query Microsoft Entra
 # Example: (Get-AzADServicePrincipal -DisplayName 'Azure Landing Zone SPN').Id
 (Get-AzADServicePrincipal -DisplayName '').Id
 # Identify Object Id for Security Group
-# Require read permission to query Azure Active Directory
+# Require read permission to query Microsoft Entra
 # Example: Get-AzureADGroup -SearchString 'SG_ALZ_SECURITY'
 Connect-AzureAD
 (Get-AzureADGroup -SearchString '').ObjectId