Yvand · Yvand · Sep 17, 2024 · May 3, 2024 · May 3, 2024 · Aug 23, 2024
diff --git a/Templates/SharePoint-ADFS/.vscode/tasks.json b/Templates/SharePoint-ADFS/.vscode/tasks.json
@@ -0,0 +1,24 @@
+{
+    // See https://go.microsoft.com/fwlink/?LinkId=733558
+    // for the documentation about the tasks.json format
+    "version": "2.0.0",
+    "tasks": [
+        {
+            "label": "generate azuredeploy.json",
+            "type": "shell",
+            "command": "az",
+            "args": [
+                "bicep",
+                "build",
+                "--file",
+                "main.bicep",
+                "--outfile",
+                "azuredeploy.json"
+            ],
+            "group": "build",
+            "presentation": {
+                "reveal": "silent"
+            }
+        }
+    ]
+}
diff --git a/Templates/SharePoint-ADFS/CHANGELOG.md b/Templates/SharePoint-ADFS/CHANGELOG.md
@@ -1,7 +1,33 @@
 # Change log for Azure template SharePoint-ADFS
 
+## Unreleased
+
+### Added
+
+- Template
+  - Add parameter `outboundAccessMethod`, to choose how the virtual machines connect to internet. Now, they can connect through either a public IP, or using Azure Firewall as an HTTP proxy
+  - Add value `Subscription-24H1` to parameter `sharePointVersion`, to install SharePoint Subscription with 24H1 update
+  - Add value `Subscription-24H2` to parameter `sharePointVersion`, to install SharePoint Subscription with 24H2 update
+
+### Changed
+
+- Template
+  - Convert the template to Bicep
+  - [BREAKING CHANGE] Rename most of the parameters
+  - Update the display name of most of the resources to be more consistent and reflect their relationship with each other
+  - Value `Subscription-Latest` for parameter `sharePointVersion` now installs the September 2024 CU for SharePoint Subscription
+- All DSC configurations
+  - Add a firewall rule to all virtual machines to allow remote event viewer connections
+  - Updated DSC module `ActiveDirectoryDsc` to 6.4.0
+  - Updated DSC module `ComputerManagementDsc` to 9.1.0
+  - Updated DSC module `SharePointDSC` to 5.5.0
+- DSC Configuration for DC
+  - Updated DSC module `AdfsDsc` to 1.4.0
+
 ## Enhancements & bug-fixes - Published in February 26, 2024
 
+### Changed
+
 - Template
   - Value `Subscription-Latest` for parameter `sharePointVersion` now installs the February 2024 CU for SharePoint Subscription
   - Remove SharePoint 2013

diff --git a/Templates/SharePoint-ADFS/Deploy-AzureResourceGroup.ps1 b/Templates/SharePoint-ADFS/Deploy-AzureResourceGroup.ps1
@@ -1,51 +1,49 @@
 #Requires -PSEdition Core
 #Requires -Module Az.Resources
 
-### Define variables
-$resourceGroupLocation = 'westeurope'
-# $resourceGroupLocation = 'francecentral'
-$resourceGroupName = "xydsp1"
+### Set variables
+$resourceGroupLocation = 'francecentral'
+$resourceGroupName = "xxydsp2"
 # $resourceGroupName = "gf(d)df_-sf.sm"
-$templateFileName = 'azuredeploy.json'
+$templateFileName = 'main.bicep'
 $templateParametersFileName = 'azuredeploy.parameters.json'
-$scriptRoot = $PSScriptRoot
-#$scriptRoot = "C:\Job\Dev\Github\AzureRM-Templates\SharePoint\SharePoint-ADFS"
-$TemplateFile = [System.IO.Path]::GetFullPath([System.IO.Path]::Combine($scriptRoot, $templateFileName))
-$templateParametersFile = [System.IO.Path]::GetFullPath([System.IO.Path]::Combine($scriptRoot, $templateParametersFileName))
 
 ### Set passwords
 # $securePassword = $password| ConvertTo-SecureString -AsPlainText -Force
 if ($null -eq $securePassword) { $securePassword = Read-Host "Type the password of admin and service accounts" -AsSecureString }
 $passwords = New-Object -TypeName HashTable
 $passwords.adminPassword = $securePassword
-$passwords.serviceAccountsPassword = $securePassword
+$passwords.otherAccountsPassword = $securePassword
 
-### Set parameters
-$parameters = New-Object -TypeName HashTable
-$parameters.adminPassword = $securePassword
-$parameters.serviceAccountsPassword = $securePassword
-$paramFileContent = Get-Content $TemplateParametersFile -Raw | ConvertFrom-Json
-$paramFileContent.parameters | Get-Member -MemberType *Property | ForEach-Object { 
-    $parameters.($_.name) = $paramFileContent.parameters.($_.name).value; 
-}
+# ### Set parameters
+$scriptRoot = $PSScriptRoot
+#$scriptRoot = "C:\Job\Dev\Github\AzureRM-Templates\SharePoint\SharePoint-ADFS"
+$TemplateFile = [System.IO.Path]::GetFullPath([System.IO.Path]::Combine($scriptRoot, $templateFileName))
+$templateParametersFile = [System.IO.Path]::GetFullPath([System.IO.Path]::Combine($scriptRoot, $templateParametersFileName))
+# $parameters = New-Object -TypeName HashTable
+# $parameters.adminPassword = $securePassword
+# $parameters.otherAccountsPassword = $securePassword
+# $paramFileContent = Get-Content $TemplateParametersFile -Raw | ConvertFrom-Json
+# $paramFileContent.parameters | Get-Member -MemberType *Property | ForEach-Object { 
+#     $parameters.($_.name) = $paramFileContent.parameters.($_.name).value; 
+# }
 
-$resourceDeploymentName = "$resourceGroupName-deployment"
 Write-Host "Starting deployment of template in resource group '$resourceGroupName' in '$resourceGroupLocation'..." -ForegroundColor Green
 
-### Ensure connection to Azure RM
+### Validate connection to Azure
 $azurecontext = $null
 $azurecontext = Get-AzContext -ErrorAction SilentlyContinue
 if ($null -eq $azurecontext -or $null -eq $azurecontext.Account -or $null -eq $azurecontext.Subscription) {
-    Write-Host "Launching Azure authentication prompt..." -ForegroundColor Green
-    Connect-AzAccount
+    Write-Host "Connecting to Azure..." -ForegroundColor Green
+    Connect-AzAccount -UseDeviceAuthentication
     $azurecontext = Get-AzContext -ErrorAction SilentlyContinue
 }
 if ($null -eq $azurecontext -or $null -eq $azurecontext.Account -or $null -eq $azurecontext.Subscription) { 
     Write-Host "Unable to get a valid context." -ForegroundColor Red
     return
 }
 
-### Create Resource Group if it doesn't exist
+### Create the resource group if needed
 if ($null -eq (Get-AzResourceGroup -ResourceGroupName $resourceGroupName -ErrorAction SilentlyContinue)) {
     New-AzResourceGroup `
         -Name $resourceGroupName `
@@ -63,10 +61,11 @@ $checkTemplate = Test-AzResourceGroupDeployment `
     @passwords
     # -TemplateParameterObject $parameters
 
+$resourceDeploymentName = "$resourceGroupName-deployment"
 if ($checkTemplate.Count -eq 0) {
     # Template is valid, deploy it
     $startTime = $(Get-Date)
-    Write-Host "Starting template deployment..." -ForegroundColor Green
+    Write-Host "Starting deployment of template..." -ForegroundColor Green
     $result = New-AzResourceGroupDeployment `
         -Name $resourceDeploymentName `
         -ResourceGroupName $resourceGroupName `

diff --git a/Templates/SharePoint-ADFS/README.md b/Templates/SharePoint-ADFS/README.md
@@ -1,14 +1,15 @@
 ---
-description: This template creates a SharePoint Subscription / 2019 / 2016 farm with an extensive configuration that would take ages to perform manually, including a federated authentication with ADFS, an OAuth trust, the User Profiles service and a web application with 2 zones that contains multiple path based and host-named site collections. On the SharePoint virtual machines, Chocolatey is used to install the latest version of Notepad++, Visual Studio Code, Azure Data Studio, Fiddler, ULS Viewer and 7-Zip.
+description: This template creates a DC, a SQL Server 2022, and from 1 to 5 server(s) hosting a SharePoint Subscription / 2019 / 2016 farm with an extensive configuration, including trusted authentication, user profiles with personal sites, an OAuth trust (using a certificate), a dedicated IIS site for hosting high-trust add-ins, etc... The latest version of key softwares (including Fiddler, vscode, np++, 7zip, ULS Viewer) is installed. SharePoint machines have additional fine-tuning to make them immediately usable (remote administration tools, custom policies for Edge and Chrome, shortcuts, etc...)..
 page_type: sample
 products:
 - azure
 - azure-resource-manager
 urlFragment: sharepoint-adfs
 languages:
+- bicep
 - json
 ---
-# SharePoint Subscription / 2019 / 2016 all configured
+# SharePoint Subscription / 2019 / 2016 fully configured
 
 ## Deploy the template
 
@@ -20,8 +21,10 @@ languages:
 
 ## Features
 
-This templates creates a SharePoint Subscription / 2019 / 2016  farm with an extensive configuration that would take ages to perform manually, including a federated authentication with ADFS, an OAuth trust, the User Profiles service and a web application with 2 zones and multiple path based and host-named site collections.  
-On the SharePoint virtual machines, [Chocolatey](https://chocolatey.org/) is used to install the latest version of Notepad++, Visual Studio Code, Azure Data Studio, Fiddler, ULS Viewer and 7-Zip.
+This template creates a DC, a SQL Server 2022, and from 1 to 5 server(s) hosting a SharePoint Subscription / 2019 / 2016 farm with an extensive configuration, including trusted authentication, user profiles with personal sites, an OAuth trust (using a certificate), a dedicated IIS site for hosting high-trust add-ins, etc...  
+The latest version of key softwares (including Fiddler, vscode, np++, 7zip, ULS Viewer) is installed.  
+SharePoint machines have additional fine-tuning to make them immediately usable (remote administration tools, custom policies for Edge and Chrome, shortcuts, etc...).
+
 There are some differences in the configuration, depending on the SharePoint version:
 
 ### Common to all SharePoint versions
@@ -47,44 +50,45 @@ There are some differences in the configuration, depending on the SharePoint ver
 - The HTTPS site certificate is positioned by the DSC script.
 - Federated authentication with ADFS is configured using SAML 1.1.
 
-## Key parameters
+## Outbound access to internet
+
+During the provisionning, virtual machines require an outbound access to internet to be able to download and apply their configuration.  
+The outbound access method depends on variable `outboundAccessMethod`:
+- `PublicIPAddress`: Virtual machines use a [Public IP](https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/virtual-network-public-ip-address), associated to their network card.
+- `AzureFirewallProxy`: Virtual machines use [Azure Firewall](https://azure.microsoft.com/en-us/products/azure-firewall/) as an [HTTP proxy](https://learn.microsoft.com/en-us/azure/firewall/explicit-proxy).
+
+## Remote access
+
+The remote access to the virtual machines depends on the following parameters:
+
+- Parameter `rdpTrafficRule` specifies if a rule in the network security groups should allow the inbound RDP traffic:
+    - `No` (default): No rule is created, RDP traffic is blocked.
+    - `*` or `Internet`: RDP traffic is allowed from everywhere.
+    - CIDR notation (e.g. `192.168.99.0/24` or `2001:1234::/64`) or an IP address (e.g. `192.168.99.0` or `2001:1234::`): RDP traffic is allowed from the IP address / pattern specified.
+- parameter `enable_azure_bastion`:
+  - if `true`: Configure service [Azure Bastion](https://azure.microsoft.com/services/azure-bastion/) to allow a secure remote access to virtual machines.
+  - if `false` (default): Service [Azure Bastion](https://azure.microsoft.com/services/azure-bastion/) is not created.
+
+IMPORTANT: If you set variable `outboundAccessMethod` to `AzureFirewallProxy`, you have to either enable Azure Bastion, or manually add a public IP address later, to be able to connect to a virtual machine.
 
 ### Input parameters
 
 - parameter `sharePointVersion` lets you choose which version of SharePoint to install:
-  - `Subscription-Latest` (default): Same as `Subscription-RTM`, then installs the latest cumulative update available at the time of publishing this version: February 2024 ([kb5002560](https://support.microsoft.com/help/5002560)).
+  - `Subscription-Latest` (default): Same as `Subscription-RTM`, then installs the latest cumulative update available at the time of publishing this version: September 2024 ([kb5002640](https://support.microsoft.com/help/5002640)).
+  - `Subscription-24H2`: Same as `Subscription-RTM`, then installs the [Feature Update 24H2](https://learn.microsoft.com/en-us/sharepoint/what-s-new/new-and-improved-features-in-sharepoint-server-subscription-edition-24h2-release) (September 2024 CU / [kb5002640](https://support.microsoft.com/help/5002640)).
+  - `Subscription-24H1`: Same as `Subscription-RTM`, then installs the [Feature Update 24H1](https://learn.microsoft.com/en-us/sharepoint/what-s-new/new-and-improved-features-in-sharepoint-server-subscription-edition-24h1-release) (March 2024 CU / [KB5002564](https://support.microsoft.com/help/5002564)).
   - `Subscription-23H2`: Same as `Subscription-RTM`, then installs the [Feature Update 23H2](https://learn.microsoft.com/en-us/SharePoint/what-s-new/new-and-improved-features-in-sharepoint-server-subscription-edition-23h2-release) (September 2023 CU / [KB5002474](https://support.microsoft.com/help/5002474)).
   - `Subscription-23H1`: Same as `Subscription-RTM`, then installs the [Feature Update 23H1](https://learn.microsoft.com/en-us/sharepoint/what-s-new/new-and-improved-features-in-sharepoint-server-subscription-edition-23h1-release) (March 2023 CU / [KB5002355](https://support.microsoft.com/help/5002355)).
   - `Subscription-22H2`: Same as `Subscription-RTM`, then installs the [Feature Update 22H2](https://learn.microsoft.com/en-us/sharepoint/what-s-new/new-and-improved-features-in-sharepoint-server-subscription-edition-22h2-release) (September 2022 CU / [KB5002270](https://support.microsoft.com/help/5002270) and [KB5002271](https://support.microsoft.com/help/5002271)).
   - `Subscription-RTM`: Uses a fresh Windows Server 2022 image, on which SharePoint Subscription RTM is downloaded and installed.
   - `2019`: Uses an image built and maintained by SharePoint Engineering, with SharePoint 2019 bits already installed.
   - `2016`: Uses an image built and maintained by SharePoint Engineering, with SharePoint 2016 bits already installed.
-- parameters `addPublicIPAddress` and `RDPTrafficAllowed`: See [this section](#remote-access-and-security) for detailed information.
-- parameter `numberOfAdditionalFrontEnd` lets you add up to 4 additional SharePoint servers to the farm with the [MinRole Front-end](https://learn.microsoft.com/en-us/sharepoint/install/planning-for-a-minrole-server-deployment-in-sharepoint-server).
-- parameter `enableHybridBenefitServerLicenses` allows you to enable Azure Hybrid Benefit to use your on-premises Windows Server licenses and reduce cost, if you are eligible. See [this page](https://docs.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing) for more information..
-
-### Output parameters
-
-The template returns multiple variables to record the logins, passwords and the public IP address of virtual machines.
-
-## Remote access and security
-
-The template creates 1 virtual network with 3 subnets (+1 if [Azure Bastion](https://azure.microsoft.com/services/azure-bastion/) is enabled), and each subnet is protected by a [Network Security Group](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview) which denies all incoming traffic by default.  
-The following parameters configure how to connect to the virtual machines, and the level of network security:
-
-- parameters `adminPassword` and `serviceAccountsPassword` require a [strong password](https://learn.microsoft.com/azure/virtual-machines/windows/faq#what-are-the-password-requirements-when-creating-a-vm-).
-- parameter `addPublicIPAddress`:
-  - if `"SharePointVMsOnly"` (default): Only SharePoint virtual machines get a public IP address with a DNS name and can be reached from Internet.
-  - If `"Yes"`: All virtual machines get a public IP address with a DNS name, and can be reached from Internet.
-  - if `"No"`: No public IP resource is created.
-  - The DNS name format of virtual machines is `"[resourceGroupName]-[vm_name].[region].cloudapp.azure.com"` and is recorded as output in the state file.
-- parameter `RDPTrafficAllowed` specifies if RDP traffic is allowed:
-  - If `"No"` (default): Firewall denies all incoming RDP traffic.
-  - If `"*"` or `"Internet"`: Firewall accepts all incoming RDP traffic from Internet (very, very much not recommended).
-  - If CIDR notation (e.g. `"192.168.99.0/24"` or `"2001:1234::/64"`) or IP address (e.g. `"192.168.99.0"` or `"2001:1234::"`): Firewall accepts incoming RDP traffic from the IP addresses specified.
-- parameter `addAzureBastion`:
-  - if `true`: Configure service [Azure Bastion](https://azure.microsoft.com/services/azure-bastion/) to allow a secure remote access to virtual machines.
-  - if `false` (default): Service [Azure Bastion](https://azure.microsoft.com/services/azure-bastion/) is not created.
+- Variable `frontEndServersCount` lets you add up to 4 additional SharePoint servers to the farm with the [MinRole Front-end](https://learn.microsoft.com/en-us/sharepoint/install/planning-for-a-minrole-server-deployment-in-sharepoint-server).
+- Variable `enableHybridBenefitServerLicenses` allows you to enable Azure Hybrid Benefit to use your on-premises Windows Server licenses and reduce cost, if you are eligible. See [this page](https://docs.microsoft.com/azure/virtual-machines/windows/hybrid-use-benefit-licensing) for more information..
+
+## Outputs
+
+The template returns multiple values to record the logins and the public IP address of virtual machines.
 
 ## Cost of the resources deployed
 
@@ -95,11 +99,11 @@ Here is the default size and storage type per virtual machine role:
 - SQL Server: Size [Standard_B2ms](https://docs.microsoft.com/azure/virtual-machines/sizes-b-series-burstable) (2 vCPU / 8 GiB RAM) and OS disk is a 128 GiB [standard SSD E10](https://learn.microsoft.com/azure/virtual-machines/disks-types#standard-ssds).
 - SharePoint: Size [Standard_B4ms](https://docs.microsoft.com/azure/virtual-machines/sizes-b-series-burstable) (4 vCPU / 16 GiB RAM) and OS disk is either a 32 GiB [standard SSD E4](https://learn.microsoft.com/azure/virtual-machines/disks-types#standard-ssds) (for SharePoint Subscription and 2019), or a 128 GiB [standard SSD E10](https://learn.microsoft.com/azure/virtual-machines/disks-types#standard-ssds) (for SharePoint 2016).
 
-You can visit <https://azure.com/e/c494029b0b034b8ca356c926dfd2688a> to estimate the monthly cost of the template in the region/currency of your choice, assuming it is created using the default settings and runs 24*7.
+You can visit <https://azure.com/e/ec984bb923214cd1b8ee36d7ffc54e8e> to estimate the monthly cost of the template in the region/currency of your choice, assuming it is created using the default settings and runs 24*7.
 
 ## Known issues
 
-- The password of the directory synchronization connection (set in parameter `serviceAccountsPassword`) needs to be re-entered in the "Edit synchronization connection" page, otherwise SharePoint is somehow unable to decrypt it and the import fails.
+- The password for the User Profile directory synchronization connection (value of parameter `otherAccountsPassword`) needs to be re-entered in the "Edit synchronization connection" page, otherwise the import fails (password decryption error).
 
 ## More information