# Bicep Module Documentation

| Property | Value | Description |
|---|---|---|
| general (required) | general | |
| hostPools (required) | hostPool[] | |
| workspaces (required) | workspace[] | |
| imagegallery | imagegallery | |
| storageAccount | storageAccount | |

## imagegallery

| Property | Value | Description |
|---|---|---|
| naming | naming | |
| isSoftDeleteEnabled | bool | Contains information about the soft deletion policy of the gallery. |
| images | galleryImage[] | Images in the gallery |

## hostPool

| Property | Value | Description |
|---|---|---|
| naming (required) | naming | |
| resourceGroupName (required) | string | |
| hostPoolType (required) | 'BYODesktop' 'Personal' 'Pooled' | HostPool type for desktop. |
| loadBalancerType (required) | 'BreadthFirst' 'DepthFirst' 'Persistent' | The type of the load balancer. |
| preferredAppGroupType (required) | 'Desktop' 'None' 'RailApplications' | The type of preferred application group; defaults to Desktop Application Group. |
| maxSessionLimit (required) | int | The max session limit of HostPool. |
| startVMOnConnect | bool | The flag to turn on/off StartVMOnConnect feature. |
| validationEnvironment | bool | Is validation environment. |
| customRdpProperty | string | Custom rdp property of HostPool. |
| publicNetworkAccess | 'Disabled' 'Enabled' 'EnabledForClientsOnly' 'EnabledForSessionHostsOnly' | Enabled allows this resource to be accessed from both public and private networks; Disabled allows this resource to be accessed only via private endpoints. |
| applicationGroups (required) | applicationGroup[] | |
| sessionHostConfigurations | sessionHostConfigurations | |
| SessionHostManagementProperties | SessionHostManagementProperties | Detailed properties for SessionHostManagement |

## bootDiagnosticsInfo

| Property | Value | Description |
|---|---|---|
| storageUri (required) | string | Uri of the storage account to use for placing the console output and screenshot. If storageUri is not specified while enabling boot diagnostics, managed storage will be used |

## domainCredentials

| Property | Value | Description |
|---|---|---|
| usernameKeyVaultSecretUri (required) | string | The uri to access the secret that the username is stored in. |
| passwordKeyVaultSecretUri (required) | string | The uri to access the secret that the password is stored in. |

## activeDirectoryInfo

| Property | Value | Description |
|---|---|---|
| domainCredentials (required) | domainCredentials | |
| domainName | string | The domain a virtual machine connected to a hostpool will join. |
| ouPath (required) | string | The organizational unit(OU) path. |

## azureActiveDirectoryInfo

| Property | Value | Description |
|---|---|---|
| mdmProviderGuid (required) | string | The Mobile Device Management(MDM) guid. |

## domainInfo

| Property | Value | Description |
|---|---|---|
| joinType (required) | 'ActiveDirectory' 'AzureActiveDirectory' | The type of domain join done by the virtual machine. |
| activeDirectoryInfo | activeDirectoryInfo | |
| azureActiveDirectoryInfo | azureActiveDirectoryInfo | |

## customInfo

| Property | Value | Description |
|---|---|---|
| resourceId (required) | string | The resource id of the custom image. |

## marketplaceInfo

| Property | Value | Description |
|---|---|---|
| exactVersion (required) | string | The exact version of the image. |
| offer (required) | string | The offer of the image. |
| publisher (required) | string | The publisher of the image. |
| sku (required) | string | The sku of the image. |

## imageInfo

| Property | Value | Description |
|---|---|---|
| customInfo | customInfo | The values to uniquely identify a custom image. Only one should be populated based on the image type. |
| marketplaceInfo | marketplaceInfo | |
| type (required) | 'Custom' 'Marketplace' | The type of image session hosts use in the hostpool. |

## networkInfo

| Property | Value | Description |
|---|---|---|
| subnetId (required) | string | The resource ID of the subnet. |

## securityInfo

| Property | Value | Description |
|---|---|---|
| secureBootEnabled | bool | Whether to use secureBoot on the virtual machine. |
| type | 'ConfidentialVM' 'Standard' 'TrustedLaunch' | The security type used by virtual machine in hostpool session host. Default is Standard. |
| vTpmEnabled | bool | Whether to use vTPM on the virtual machine. |

## vmAdminCredentials

| Property | Value | Description |
|---|---|---|
| usernameKeyVaultSecretUri (required) | string | The uri to access the secret that the username is stored in. |
| passwordKeyVaultSecretUri (required) | string | The uri to access the secret that the password is stored in. |

## sessionHostConfigurations

| Property | Value | Description |
|---|---|---|
| availabilityZones | int[] | Value for availability zones to be used by the session host. Should be from [1,2,3]. |
| bootDiagnosticsInfo | bootDiagnosticsInfo | |
| diskInfo (required) | 'Premium_LRS' 'StandardSSD_LRS' 'Standard_LRS' | The disk type used by virtual machine in hostpool session host. |
| domainInfo (required) | domainInfo | |
| friendlyName | string | Friendly name to describe this version of the SessionHostConfiguration. |
| imageInfo (required) | imageInfo | Image configurations of HostPool. |
| networkInfo (required) | networkInfo | Network information |
| securityInfo | securityInfo | Security information. |
| vmAdminCredentials (required) | vmAdminCredentials | Local Admin credentials for session hosts. |
| vmLocation | string | The Location for the session host to be created in. It will default to the location of the hostpool if not provided. |
| vmNamePrefix (required) | string | The prefix that should be associated with session host names |
| vmResourceGroup | string | The ResourceGroup for the session hosts to be created in. It will default to the ResourceGroup of the hostpool if not provided. |
| vmSizeId (required) | string | The id of the size of a virtual machine connected to a hostpool. Example: Standard_D2as_v6. |

## update

| Property | Value | Description |
|---|---|---|
| deleteOriginalVm | bool | Whether to discard the original disk instead of saving it. False by default. |
| logOffDelayMinutes (required) | int | Grace period before logging off users in minutes. |
| logOffMessage | string | Log off message sent to user for logoff. Default value is an empty string. |
| maxVmsRemoved (required) | int | The maximum number of virtual machines to be removed during hostpool update. |

## SessionHostManagementProperties

| Property | Value | Description |
|---|---|---|
| scheduledDateTimeZone (required) | string | Time zone for sessionHostManagement operations as defined in /dotnet/api/system.timezoneinfo.findsystemtimezonebyid. Must be set if useLocalTime is true. |
| update (required) | update | Parameters for a hostpool update. |

## applicationGroup

| Property | Value | Description |
|---|---|---|
| applicationGroupType (required) | 'Desktop' 'RemoteApp' | Resource Type of ApplicationGroup. |
| friendlyName (required) | string | Friendly name of ApplicationGroup. |
| applications | application[] | A list of applications |

## application

| Property | Value | Description |
|---|---|---|
| applicationType | 'InBuilt' 'MsixApplication' | Resource Type of Application. |
| commandLineArguments | string | Command Line Arguments for Application. |
| commandLineSetting (required) | 'Allow' 'DoNotAllow' 'Require' | Specifies whether this published application can be launched with command line arguments provided by the client, command line arguments specified at publish time, or no command line arguments at all. |
| description | string | Description of Application. |
| filePath | string | Specifies a path for the executable file for the application. |
| friendlyName (required) | string | Friendly name of Application. |
| iconIndex | int | Index of the icon. |
| iconPath | string | Path to icon. |
| msixPackageApplicationId | string | Specifies the package application Id for MSIX applications |
| msixPackageFamilyName | string | Specifies the package family name for MSIX applications |
| showInPortal | bool | Specifies whether to show the RemoteApp program in the RD Web Access server. |

## workspace

| Property | Value | Description |
|---|---|---|
| naming | naming | |
| friendlyName (required) | string | Friendly name of the workspace |
| hostPoolApplicationGroupIndexes (required) | applicationGroupIndex[] | List of application groups |

## galleryDataDiskImage

| Property | Value | Description |
|---|---|---|
| hostCaching | 'None' 'ReadOnly' 'ReadWrite' | The host caching of the disk. Valid values are None, ReadOnly, and ReadWrite. |
| lun (required) | int | This property specifies the logical unit number of the data disk. This value is used to identify data disks within the Virtual Machine and therefore must be unique for each data disk attached to the Virtual Machine. |
| source (required) | source | The source for the disk image. |

## source

| Property | Value | Description |
|---|---|---|
| communityGalleryImageId (required) | string | The resource Id of the source Community Gallery Image. Only required when using Community Gallery Image as a source. |
| id (required) | string | The id of the gallery artifact version source. Can specify a disk uri, snapshot uri, user image or storage account resource. |

## galleryImageFeature

| Property | Value | Description |
|---|---|---|
| name (required) | string | The name of the gallery image feature. |
| value (required) | string | The value of the gallery image feature. |

## galleryImageVersion

| Property | Value | Description |
|---|---|---|
| name (required) | string | The resource name. Valid characters: Numbers and periods. (Each segment is converted to an int32. So each segment has a max value of 2,147,483,647.) |
| publishingProfile | publishingProfile | The publishing profile of a gallery image Version. |
| safetyProfile | safetyProfile | This is the safety profile of the Gallery Image Version. |
| storageProfile (required) | storageProfile | This is the storage profile of a Gallery Image Version. |

## publishingProfile

| Property | Value | Description |
|---|---|---|
| endOfLifeDate | string | The end of life date of the gallery image version. This property can be used for decommissioning purposes. This property is updatable. |
| excludeFromLatest | bool | If set to true, Virtual Machines deployed from the latest version of the Image Definition won't use this Image Version. |
| replicaCount | int | The number of replicas of the Image Version to be created per region. This property would take effect for a region when regionalReplicaCount is not specified. This property is updatable. |
| replicationMode | 'Full' 'Shallow' | Optional parameter which specifies the mode to be used for replication. This property is not updatable. |
| storageAccountType | 'Premium_LRS' 'Standard_LRS' 'Standard_ZRS' | Specifies the storage account type to be used to store the image. This property is not updatable. |
| targetExtendedLocations | galleryTargetExtendedLocation[] | The target extended locations where the Image Version is going to be replicated to. This property is updatable. |
| targetRegions (required) | galleryVersionTargetRegion[] | The target regions where the Image Version is going to be replicated to. This property is updatable. |

## safetyProfile

| Property | Value | Description |
|---|---|---|
| allowDeletionOfReplicatedLocations (required) | bool | Indicates whether or not removing this Gallery Image Version from replicated regions is allowed. |

## osDiskImage

| Property | Value | Description |
|---|---|---|
| hostCaching (required) | 'None' 'ReadOnly' 'ReadWrite' | The host caching of the disk. Valid values are None, ReadOnly, and ReadWrite. |
| source (required) | source | The source for the disk image. |

## storageProfile

| Property | Value | Description |
|---|---|---|
| dataDiskImages | galleryDataDiskImage[] | A list of data disk images. |
| osDiskImage (required) | osDiskImage | This is the OS disk image. |
| source | source | The source of the gallery artifact version. |

## galleryImageVersionDataDiskImageEncryption

| Property | Value | Description |
|---|---|---|
| diskEncryptionSetId | string | A relative URI containing the resource ID of the disk encryption set. |
| lun (required) | int | This property specifies the logical unit number of the data disk. This value is used to identify data disks within the Virtual Machine and therefore must be unique for each data disk attached to the Virtual Machine. |

## galleryImageVersionTargetOsDiskImage

| Property | Value | Description |
|---|---|---|
| diskEncryptionSetId (required) | string | A relative URI containing the resource ID of the disk encryption set. |
| securityProfile (required) | securityProfile | This property specifies the security profile of an OS disk image. |

## securityProfile

| Property | Value | Description |
|---|---|---|
| confidentialVMEncryptionType (required) | 'EncryptedVMGuestStateOnlyWithPmk' 'EncryptedWithCmk' 'EncryptedWithPmk' | Confidential VM encryption types. |
| secureVMDiskEncryptionSetId (required) | string | Secure VM disk encryption set id. |

## galleryTargetExtendedLocation

| Property | Value | Description |
|---|---|---|
| encryption | encryption | Optional. Allows users to provide customer managed keys for encrypting the OS and data disks in the gallery artifact. |
| extendedLocation (required) | extendedLocation | The name of the extended location. |
| extendedLocationReplicaCount (required) | int | The number of replicas of the Image Version to be created per extended location. This property is updatable. |
| name (required) | string | The name of the region. |
| storageAccountType (required) | 'Premium_LRS' 'StandardSSD_LRS' 'Standard_LRS' 'Standard_ZRS' | Specifies the storage account type to be used to store the image. This property is not updatable. |

## encryption

| Property | Value | Description |
|---|---|---|
| dataDiskImages | galleryImageVersionDataDiskImageEncryption[] | A list of encryption specifications for data disk images. |
| osDiskImage (required) | galleryImageVersionTargetOsDiskImage | Contains encryption settings for an OS disk image. |

## extendedLocation

| Property | Value | Description |
|---|---|---|
| name (required) | string | |
| type (required) | 'EdgeZone' 'Unknown' | The type of the extended location. |

## galleryVersionTargetRegion

| Property | Value | Description |
|---|---|---|
| encryption | encryption | Optional. Allows users to provide customer managed keys for encrypting the OS and data disks in the gallery artifact. |
| excludeFromLatest | bool | Contains the flag setting to hide an image when users specify version=latest |
| name (required) | string | The name of the region. |
| regionalReplicaCount (required) | int | The number of replicas of the Image Version to be created per region. This property is updatable. |
| storageAccountType (required) | 'Premium_LRS' 'Standard_LRS' 'Standard_ZRS' | Specifies the storage account type to be used to store the image. This property is not updatable. |

## privateLink

| Property | Value | Description |
|---|---|---|
| pepNaming | naming | Name of the private endpoint |
| nicNaming | naming | Name of the network interface of the private endpoint |
| privateLinkNaming | naming | Name of the private link connection |
| subnets (required) | subnets[] | Id of the subnets and optionally the name of the resourcegroup in which the private endpoint should be created |
| dnsZoneIds (required) | string[] | List of DNS zone ids that need to be linked |

## subnets

| Property | Value | Description |
|---|---|---|
| resourceGroupName | string | Resource group to create the private endpoint in (default order: the resource group defined here, otherwise the resource group of the private endpoint resource, otherwise the resource group of the subnet) |
| id (required) | string | Id of the subnet |
| location | string | Location, if the VNet is in a different location |

## resourceLock

| Property | Value | Description |
|---|---|---|
| name | string | Character limit: 1-90. Valid characters: alphanumerics, periods, underscores, hyphens, and parentheses. Can't end in a period. |
| level (required) | 'CanNotDelete' 'ReadOnly' | The level of the lock. Possible values are CanNotDelete and ReadOnly. CanNotDelete means authorized users can read and modify the resources, but not delete them. ReadOnly means authorized users can only read from a resource; they can't modify or delete it. ReadOnly locks must be commented out before the template can be deployed again. |
| notes | string | Notes about the lock. Maximum of 512 characters. |
| owners | resourceLockOwner[] | The owners of the lock |

## resourceLockOwner

| Property | Value | Description |
|---|---|---|
| applicationId (required) | string | The application ID of the lock owner. |

## roleAssignment

| Property | Value | Description |
|---|---|---|
| principalId (required) | string | The principal ID |
| roleDefinitionId (required) | string | The role definition ID, data file can be used for this |
| condition | string | Condition on the role assignment |
| conditionVersion | string | Version of the condition. Currently the only accepted value is "2.0" |
| delegatedManagedIdentityResourceId | string | Id of the delegated managed identity resource |
| description | string | Description of role assignment |
| principalType (required) | 'Device' 'ForeignGroup' 'Group' 'ServicePrincipal' 'User' | The principal type of the assigned principal ID |

## storageAccountBlobServices

| Property | Value | Description |
|---|---|---|
| changeFeed | changeFeed | The blob service properties for change feed events. |
| containerDeleteRetentionPolicy | containerDeleteRetentionPolicy | |
| defaultServiceVersion | string | DefaultServiceVersion indicates the default version to use for requests to the Blob service if an incoming request’s version is not specified. Possible values include version 2008-10-27 and all more recent versions. |
| deleteRetentionPolicy | deleteRetentionPolicy | The blob service properties for blob soft delete. |
| isVersioningEnabled (required) | bool | Versioning is enabled if set to true. |
| lastAccessTimeTrackingPolicy | lastAccessTimeTrackingPolicy | When set to true last access time based tracking is enabled. |
| restorePolicy | restorePolicy | |

## changeFeed

| Property | Value | Description |
|---|---|---|
| enabled (required) | bool | Indicates whether change feed event logging is enabled for the Blob service. |
| retentionInDays (required) | int | Indicates the duration of changeFeed retention in days. Minimum value is 1 day and maximum value is 146000 days (400 years). A null value indicates an infinite retention of the change feed. |

## containerDeleteRetentionPolicy

| Property | Value | Description |
|---|---|---|
| allowPermanentDelete (required) | bool | This property when set to true allows deletion of the soft deleted blob versions and snapshots. This property only applies to the blob service and does not apply to containers or file shares. |
| days (required) | int | Indicates the number of days that the deleted item should be retained |
| enabled (required) | bool | Indicates whether DeleteRetentionPolicy is enabled. |

## deleteRetentionPolicy

| Property | Value | Description |
|---|---|---|
| allowPermanentDelete (required) | bool | This property when set to true allows deletion of the soft deleted blob versions and snapshots. This property cannot be used together with a blob restore policy. This property only applies to the blob service and does not apply to containers or file shares. |
| days (required) | int | Indicates the number of days that the deleted item should be retained |
| enabled (required) | bool | Indicates whether DeleteRetentionPolicy is enabled. |

## lastAccessTimeTrackingPolicy

| Property | Value | Description |
|---|---|---|
| enable (required) | bool | When set to true last access time based tracking is enabled. |

## restorePolicy

| Property | Value | Description |
|---|---|---|
| days (required) | int | How long, in days, a blob can be restored. It should be greater than zero and less than DeleteRetentionPolicy.days. |
| enabled (required) | bool | Blob restore is enabled if set to true. |

## storageAccountContainer

| Property | Value | Description |
|---|---|---|
| name (required) | string | Start with a lowercase letter or number. Can't use consecutive hyphens. |
| defaultEncryptionScope | string | Default the container to use specified encryption scope for all writes. |
| denyEncryptionScopeOverride | bool | Block override of encryption scope from the container default. |
| enableNfsV3AllSquash | bool | Enable NFSv3 all squash on blob container. |
| enableNfsV3RootSquash | bool | Enable NFSv3 root squash on blob container. |
| immutableStorageWithVersioning | immutableStorageWithVersioning | |
| metadata | object | A name-value pair to associate with the container as metadata. |
| publicAccess | 'Blob' 'Container' 'None' | Specifies whether data in the container may be accessed publicly and the level of access. (default: None) |

## immutableStorageWithVersioning

| Property | Value | Description |
|---|---|---|
| enabled | bool | All the containers under such an account have object-level immutability enabled by default. |
| immutabilityPolicy (required) | immutabilityPolicy | Specifies the default account-level immutability policy which is inherited and applied to objects that do not possess an explicit immutability policy at the object level. |

## storageAccountFileServices

| Property | Value | Description |
|---|---|---|
| protocolSettings | protocolSettings | Protocol settings for file service |
| shareDeleteRetentionPolicy | shareDeleteRetentionPolicy | |

## multichannel

| Property | Value | Description |
|---|---|---|
| enabled | bool | Indicates whether multichannel is enabled |

## smb

| Property | Value | Description |
|---|---|---|
| authenticationMethods | 'Kerberos' 'NTLMv2' | SMB authentication methods supported by server. Valid values are NTLMv2, Kerberos. |
| channelEncryption | 'AES-128-CCM' 'AES-128-GCM' 'AES-256-GCM' | SMB channel encryption supported by server. Valid values are AES-128-CCM, AES-128-GCM, AES-256-GCM. |
| kerberosTicketEncryption | 'AES-256' 'RC4-HMAC' | Kerberos ticket encryption supported by server. Valid values are RC4-HMAC, AES-256. |
| multichannel | multichannel | |
| versions | 'SMB2.1' 'SMB3.0' 'SMB3.1.1' | SMB protocol versions supported by server |

## protocolSettings

| Property | Value | Description |
|---|---|---|
| smb | smb | Setting for SMB protocol |

## shareDeleteRetentionPolicy

| Property | Value | Description |
|---|---|---|
| allowPermanentDelete | bool | This property when set to true allows deletion of the soft deleted blob versions and snapshots. |
| days | int | Indicates the number of days that the deleted item should be retained. The minimum specified value can be 1 and the maximum value can be 365. |
| enabled | bool | Indicates whether DeleteRetentionPolicy is enabled. |

| Property | Value | Description |
|---|---|---|
| action (required) | 'Allow' | |
| value (required) | string | CIDR notation or IP address (IPv4 only) |

| Property | Value | Description |
|---|---|---|
| name (required) | string | |
| properties | properties | |

| Property | Value | Description |
|---|---|---|
| id | string | A name-value pair to associate with the share as metadata. |

## storageAccountShare

| Property | Value | Description |
|---|---|---|
| name (required) | string | Share name: lowercase letters, numbers, and hyphens. Can't start or end with a hyphen. Can't use consecutive hyphens. |
| accessTier | 'Cool' 'Hot' 'Premium' 'TransactionOptimized' | Access tier for specific share. |
| enabledProtocols | 'NFS' 'SMB' | The authentication protocol that is used for the file share. |
| metadata | object | A name-value pair to associate with the share as metadata. |
| rootSquash | 'AllSquash' 'NoRootSquash' 'RootSquash' | The property is for NFS share only |
| shareQuota (required) | int | The maximum size of the share, in gigabytes. |
| signedIdentifiers | storageAccountSignedIdentifiers[] | List of stored access policies specified on the share. |

## storageAccountSignedIdentifiers

| Property | Value | Description |
|---|---|---|
| accessPolicy (required) | accessPolicy | |
| id (required) | string | A unique identifier of the stored access policy. |

## accessPolicy

| Property | Value | Description |
|---|---|---|
| expiryTime (required) | string | Expiry time of the access policy |
| permission (required) | string | List of abbreviated permissions. |
| startTime (required) | string | Start time of the access policy |

| Property | Value | Description |
|---|---|---|
| name (required) | string | |
| properties | properties | |

| Property | Value | Description |
|---|---|---|
| id (required) | string | The virtual network Id which should be allowed |

## galleryImage

| Property | Value | Description |
|---|---|---|
| function (required) | string | Function of the resource [can be app, db, security,...] |
| architecture | 'Arm64' 'x64' | The architecture of the image. Applicable to OS disks only. (default: x64) |
| description (required) | string | The description of this gallery image definition resource. This property is updatable. |
| disallowed | disallowed | Describes the disallowed disk types. |
| eula | string | The Eula agreement for the gallery image definition. |
| features | galleryImageFeature[] | A list of gallery image features. |
| hyperVGeneration (required) | 'V1' 'V2' | The hypervisor generation of the Virtual Machine. Applicable to OS disks only. |
| identifier (required) | identifier | This is the gallery image definition identifier. |
| osState | 'Generalized' 'Specialized' | This property allows the user to specify whether the virtual machines created under this image are Generalized or Specialized. (default: generalized) |
| osType | 'Linux' 'Windows' | This property allows you to specify the type of the OS that is included in the disk when creating a VM from a managed image. (default: windows) |
| privacyStatementUri | string | The privacy statement uri. |
| purchasePlan | purchasePlan | Describes the gallery image definition purchase plan. This is used by marketplace images. |
| recommended | recommended | The properties describe the recommended machine configuration for this Image Definition. These properties are updatable. |
| releaseNoteUri | string | The release note uri. |
| versions | galleryImageVersion[] | Image versions |

## disallowed

| Property | Value | Description |
|---|---|---|
| diskTypes (required) | string[] | A list of disk types. |

## identifier

| Property | Value | Description |
|---|---|---|
| offer (required) | string | The name of the gallery image definition offer. |
| publisher (required) | string | The name of the gallery image definition publisher. |
| sku (required) | string | The name of the gallery image definition SKU. |

## purchasePlan

| Property | Value | Description |
|---|---|---|
| name (required) | string | The plan ID. |
| product (required) | string | The product ID. |
| publisher (required) | string | The publisher ID. |

## memory

| Property | Value | Description |
|---|---|---|
| min (required) | int | |
| max (required) | int | |

## vCPUs

| Property | Value | Description |
|---|---|---|
| min (required) | int | |
| max (required) | int | |

## recommended

| Property | Value | Description |
|---|---|---|
| memory (required) | memory | |
| vCPUs (required) | vCPUs | |

## general

| Property | Value | Description |
|---|---|---|
| tags | object | Tags of the resource [hashtable] |
| location (required) | string | Location of the resource |
| naming (required) | naming | Naming module of the resource |
| resourceGroupName (required) | string | Name of the resource group where the resource should be located |
| sharedNaming (required) | naming | Reference to the default naming |
| roleAssignments | roleAssignment[] | Role assignments on the resource |
| resourceLocks | resourceLock[] | Resource Locks on the resource |

## naming

| Property | Value | Description |
|---|---|---|
| forceFunctionAsFullName | bool | Use the function value as the full name of the resource |
| abbreviation | string | Override the abbreviation of this resource with this parameter |
| environment | string | The resource environment (for example: dev, tst, acc, prd) |
| location | string | The resource location (for example: weu, we, westeurope) |
| customer | string | The name of the customer |
| delimiter | string | The delimiter between resources (default: -) |
| nameFormat | Array containing any of: 'abbreviation' 'customer' 'environment' 'function' 'location' 'param1' 'param2' 'param3' 'useCaseName' | The order of the array defines the order of elements in the naming scheme |
| param1 | string | Extra parameter self defined |
| param2 | string | Extra parameter self defined |
| param3 | string | Extra parameter self defined |
| function (required) | string | Function of the resource [can be app, db, security,...] |
| useCaseName | string | Name of the use case [can be hub, spoke,...] |
| suffix | string | Suffix for the resource; if empty, none is appended, otherwise it is added to the end [can be index, ...] |
| forceDefaultNaming | bool | Force the CAF naming instead of default company naming |

## storageAccount

| Property | Value | Description |
|---|---|---|
| general (required) | general | |
| privateLinkBlob | privateLink | Settings for the private endpoint and private link for this resource |
| privateLinkTable | privateLink | Settings for the private endpoint and private link for this resource |
| privateLinkQueue | privateLink | Settings for the private endpoint and private link for this resource |
| privateLinkFile | privateLink | Settings for the private endpoint and private link for this resource |
| privateLinkWeb | privateLink | Settings for the private endpoint and private link for this resource |
| sku (required) | 'Premium_LRS' 'Premium_ZRS' 'Standard_GRS' 'Standard_GZRS' 'Standard_LRS' 'Standard_RAGRS' 'Standard_RAGZRS' 'Standard_ZRS' | The SKU name. Required for account creation |
| kind (required) | 'BlobStorage' 'BlockBlobStorage' 'FileStorage' 'Storage' 'StorageV2' | Azure storage account kind classifies storage accounts based on feature set and replication options. |
| managedIdentityType | 'None' 'SystemAssigned' 'SystemAssigned, UserAssigned' 'UserAssigned' | Type of managed identity associated with this resource (default: SystemAssigned) |
| managedIdentityId | string | User assigned managed identity id to access other resources |
| accessTier | 'Cool' 'Hot' 'Premium' | Azure storage account access tier determines the cost and performance of storing and accessing data in Azure. |
| allowBlobPublicAccess | bool | Determines whether public access to blobs in the Azure Storage Account is allowed. |
| allowCrossTenantReplication | bool | Controls whether replication of data across tenants is permitted in the Azure Storage Account. |
| allowedCopyScope | string | Specifies the set of Azure Resource Manager (ARM) templates that are allowed for copying resources in the Azure Storage Account. |
| allowSharedKeyAccess | bool | Indicates whether shared key access authentication is allowed for the Azure Storage Account, enabling access via the account key or SAS (Shared Access Signature). |
| activeDirectoryProperties | activeDirectoryProperties | Provides the identity based authentication settings for Azure Files. |
| defaultSharePermission | 'None' 'StorageFileDataSmbShareContributor' 'StorageFileDataSmbShareElevatedContributor' 'StorageFileDataSmbShareReader' | Default share permission for users using Kerberos authentication if no RBAC role is assigned. |
| directoryServiceOptions | 'AADDS' 'AADKERB' 'AD' 'None' | Indicates the directory service used. Note that this enum may be extended in the future. |
| customDomain | customDomain | Configures a custom domain name for your Azure Storage Account, enabling access to your storage resources using a custom URL instead of the default Azure-generated URL. |
| defaultToOAuthAuthentication | bool | A boolean flag which indicates whether the default authentication is OAuth or not. The default interpretation is false for this property. |
| dnsEndpointType | 'AzureDnsZone' 'Standard' | Allows you to specify the type of endpoint. Set this to AzureDNSZone to create a large number of accounts in a single subscription |
| encryption | object | The security feature of an Azure Storage Account that protects data at rest by encrypting it, providing an additional layer of data security. |
| requireInfrastructureEncryption | bool | Enforces the use of infrastructure encryption to safeguard data in your Azure Storage Account, ensuring encryption at the underlying infrastructure level. |
| services | services | List of services which support encryption. |
| immutableStorageWithVersioning | immutableStorageWithVersioning | When set to true, it enables object level immutability for all the new containers in the account by default. |
| isHnsEnabled | bool | Set Account HierarchicalNamespace? HierarchicalNamespace organizes the objects or files into a hierarchy of directories for efficient data access. |
| isLocalUserEnabled | bool | Enables local users feature, if set to true |
| isNfsV3Enabled | bool | Enables or disables support for NFSv3 protocol, allowing remote access to files stored in Azure. |
| isSftpEnabled | bool | Enables Secure File Transfer Protocol, if set to true |
| largeFileSharesState | 'Disabled' 'Enabled' | Allows large file shares if set to 'Enabled'. It cannot be disabled once it is enabled. |
| minimumTlsVersion | 'TLS1_0' 'TLS1_1' 'TLS1_2' | Sets the minimum TLS version permitted on requests to storage. TLS 1.0 and 1.1 are deprecated; use 'TLS1_2' unless a legacy client demonstrably needs otherwise. |
| networkAcls | networkAcls | Set firewall rules |
| publicNetworkAccess | 'Disabled' 'Enabled' | Allows or disallows public network access to the storage account. Value is optional. With 'Disabled', the account is reachable only through private endpoints, regardless of the networkAcls rules. |
| routingPreference | routingPreference | Maintains information about the network routing choice opted by the user for data transfer |
| sasPolicy | sasPolicy | SasPolicy assigned to the storage account. |
| supportsHttpsTrafficOnly | bool | Allows HTTPS traffic only to the storage service if set to true. |
| fileServices | storageAccountFileServices | |
| blobServices | storageAccountBlobServices | |
| fileShare | storageAccountShare[] | |
| storageAccountContainer | storageAccountContainer[] | |
| queueServices | storageAccountQueue[] | |
| tableServices | storageAccountTable[] | |
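The storageAccount properties above are the same names the underlying Microsoft.Storage resource exposes. The following is an added example, not the module's own code, showing how those properties combine into a hardened account: no shared key or SAS authorization, TLS 1.2 only, private endpoints with a default-deny firewall, double encryption, a SAS expiration policy and Entra Kerberos for Azure Files. The parameter names (allowedSubnetId, allowedPublicIp, adDomainName, adDomainGuid) and the account name are assumptions for illustration.

```bicep
// Added example: hardened storage account as a plain Microsoft.Storage
// resource. Not the module's code; parameter names below are assumed.
param location string = resourceGroup().location
param storageAccountName string = 'st${uniqueString(resourceGroup().id)}'
param allowedSubnetId string          // assumed: resource ID of the subnet that may reach the account
param allowedPublicIp string = ''     // assumed: optional admin IPv4 address or CIDR
param adDomainName string             // assumed: AD DS domain backing the Entra Kerberos identities
param adDomainGuid string             // assumed: GUID of that domain

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_ZRS'
  }
  properties: {
    // Transport: reject plaintext and legacy TLS versions.
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'

    // Authorization: no account-key or SAS auth, Entra ID by default,
    // no anonymous blob access.
    allowSharedKeyAccess: false
    defaultToOAuthAuthentication: true
    allowBlobPublicAccess: false

    // Network: private endpoints only. The firewall still defaults to
    // Deny so nothing opens up if public access is re-enabled later.
    publicNetworkAccess: 'Disabled'
    networkAcls: {
      bypass: 'AzureServices'
      defaultAction: 'Deny'
      virtualNetworkRules: [
        {
          id: allowedSubnetId
          action: 'Allow'
        }
      ]
      ipRules: empty(allowedPublicIp) ? [] : [
        {
          value: allowedPublicIp
          action: 'Allow'
        }
      ]
    }

    // At rest: infrastructure (double) encryption. This flag can only be
    // set at creation time, so it belongs in the template, not a later fix.
    encryption: {
      keySource: 'Microsoft.Storage'
      requireInfrastructureEncryption: true
      services: {
        blob: { enabled: true, keyType: 'Account' }
        file: { enabled: true, keyType: 'Account' }
        queue: { enabled: true, keyType: 'Service' }
        table: { enabled: true, keyType: 'Service' }
      }
    }

    // SAS hygiene: any SAS valid for longer than one day (DD.HH:MM:SS)
    // is logged. 'Log' records the violation; it does not block the request.
    sasPolicy: {
      sasExpirationPeriod: '1.00:00:00'
      expirationAction: 'Log'
    }

    // Azure Files: Kerberos via Entra ID; no implicit share permission,
    // so every user needs an explicit RBAC role on the share.
    azureFilesIdentityBasedAuthentication: {
      directoryServiceOptions: 'AADKERB'
      defaultSharePermission: 'None'
      activeDirectoryProperties: {
        domainName: adDomainName
        domainGuid: adDomainGuid
      }
    }
  }
}

output storageAccountId string = storage.id
```

Deploy it with `az deployment group create --resource-group <rg> --template-file storage.bicep --parameters allowedSubnetId=<subnet-id> adDomainName=<domain> adDomainGuid=<guid>`. Because shared key access is disabled, anything that still mounts shares or reads blobs with the account key will stop working, so check those consumers before applying the same settings through the module.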
| Property | Value | Description |
|---|---|---|
| accountType (required) | 'Computer' 'User' | Specifies the Active Directory account type for Azure Storage. |
| azureStorageSid | string | Specifies the security identifier (SID) for Azure Storage. |
| domainGuid | string | Specifies the domain GUID. |
| domainName | string | Specifies the primary domain that the AD DNS server is authoritative for. |
| domainSid | string | Specifies the security identifier (SID). |
| forestName | string | Specifies the Active Directory forest name. |
| netBiosDomainName | string | Specifies the NetBIOS domain name. |
| samAccountName | string | Specifies the Active Directory SAMAccountName for Azure Storage. |
| Property | Value | Description |
|---|---|---|
| name (required) | string | Gets or sets the custom domain name assigned to the storage account. Name is the CNAME source. |
| useSubDomainName | bool | Indicates whether indirect CName validation is enabled. Default value is false. This should only be set on updates. |
| Property | Value | Description |
|---|---|---|
| enabled | bool | A boolean indicating whether or not the service encrypts the data as it is stored. Encryption at rest is enabled by default today and cannot be disabled. |
| keyType (required) | 'Account' 'Service' | Encryption key type to be used for the encryption service. 'Account' means an account-scoped encryption key is used; 'Service' means a default service key is used. |
| Property | Value | Description |
|---|---|---|
| enabled | bool | A boolean indicating whether or not the service encrypts the data as it is stored. Encryption at rest is enabled by default today and cannot be disabled. |
| keyType (required) | 'Account' 'Service' | Encryption key type to be used for the encryption service. 'Account' means an account-scoped encryption key is used; 'Service' means a default service key is used. |
| Property | Value | Description |
|---|---|---|
| enabled | bool | A boolean indicating whether or not the service encrypts the data as it is stored. Encryption at rest is enabled by default today and cannot be disabled. |
| keyType (required) | 'Account' 'Service' | Encryption key type to be used for the encryption service. 'Account' means an account-scoped encryption key is used; 'Service' means a default service key is used. |
| Property | Value | Description |
|---|---|---|
| enabled | bool | A boolean indicating whether or not the service encrypts the data as it is stored. Encryption at rest is enabled by default today and cannot be disabled. |
| keyType (required) | 'Account' 'Service' | Encryption key type to be used for the encryption service. 'Account' means an account-scoped encryption key is used; 'Service' means a default service key is used. |
| Property | Value | Description |
|---|---|---|
| blob (required) | blob | The encryption function of the blob storage service. |
| file (required) | file | The encryption function of the file storage service. |
| queue (required) | queue | The encryption function of the queue storage service. |
| table (required) | table | The encryption function of the table storage service. |
| Property | Value | Description |
|---|---|---|
| allowProtectedAppendWrites | bool | When enabled, new blocks can be written to an append blob while maintaining immutability protection and compliance. |
| immutabilityPeriodSinceCreationInDays | int | The immutability period for the blobs in the container since the policy creation, in days. |
| state (required) | 'Disabled' 'Locked' 'Unlocked' | The ImmutabilityPolicy state defines the mode of the policy. An 'Unlocked' policy can still be changed or deleted; once 'Locked', the policy cannot be unlocked or removed and its retention period can only be extended. |
| Property | Value | Description |
|---|---|---|
| bypass | 'AzureServices' 'None' | Traffic allowed to bypass the firewall rules (default: 'None'). 'AzureServices' lets trusted Azure services reach the account even when defaultAction is 'Deny'. |
| defaultAction | 'Allow' 'Deny' | Action applied to traffic that matches no ipRules or virtualNetworkRules entry (default: 'Deny'). |
| ipRules | storageAccountIpRule[] | IP rules allowed through the storage account firewall [array of public IPv4 addresses or CIDR ranges]. |
| virtualNetworkRules | storageAccountVirtualNetworkRule[] | Virtual network rules allowed through the storage account firewall [array of subnet resource IDs]. |
| Property | Value | Description |
|---|---|---|
| publishInternetEndpoints | bool | A boolean flag which indicates whether internet routing storage endpoints are to be published. |
| publishMicrosoftEndpoints | bool | A boolean flag which indicates whether Microsoft routing storage endpoints are to be published. |
| routingChoice | 'InternetRouting' 'MicrosoftRouting' | Routing choice defines the kind of network routing opted by the user. |
| Property | Value | Description |
|---|---|---|
| expirationAction | 'Log' | The SAS expiration action. Can only be 'Log': a SAS whose validity interval exceeds sasExpirationPeriod is recorded in the account's logs when used but is not rejected. |
| sasExpirationPeriod | string | The SAS expiration period, in DD.HH:MM:SS format (for example, '1.00:00:00' for one day). |