Commit
Docs
sihbher committed Jan 24, 2025
1 parent f7c6820 commit 8e49c7f
Showing 2 changed files with 25 additions and 13 deletions.
23 changes: 16 additions & 7 deletions workload/docs/deploy-baseline.md
Expand Up @@ -18,10 +18,19 @@
- Groups - select from the drop down the groups to be granted access to Azure Virtual Desktop published items and to create sessions on VMs and single sign-on (SSO) when using Microsoft Entra ID as the identity provider.
- Note: when using Microsoft Entra ID as the identity service provider, an additional role (virtual machine user login) will be granted to compute resource group during deployment.
- **When selecting AD DS or Microsoft Entra DS:**
- Domain join credentials The Username and password with rights to join computers to the domain.
- Domain join credentials: The Username and password with rights to join computers to the domain.
- **When selecting Microsoft Entra ID:**
- Enroll VM with Intune: check the box to enroll session hosts on tenant's.
- Enroll VM with Intune: Check the box to enroll session hosts on the tenant’s Intune.
- **Session host local admin credentials** The Username and password to set for local administrator.
- **Microsoft Defender for Cloud Solutions**:
- This section enables advanced security monitoring for resources deployed within your Azure Virtual Desktop setup. Below are the Defender solutions available:
- **Deploy Microsoft Defender for Cloud**: Deploys a policy for enabling overall security monitoring for the platform and resources deployed as part of Azure Virtual Desktop.
- **Enable Microsoft Defender for Servers**: Deploys a policy for providing enhanced protection for session host virtual machines (VMs), including real-time threat detection, vulnerability assessment, and automated response.
- **Enable Microsoft Defender for Storage**: Deploys a policy for protecting Azure Storage resources (e.g., FSLogix file shares) against malicious threats and unauthorized access attempts.
- **Enable Microsoft Defender for Key Vault**: Deploys a policy to monitor Azure Key Vault access and prevent misuse or unauthorized activity.
- **Enable Microsoft Defender for Azure Resource Manager**: Deploys a policy for ensuring the integrity of management operations on Azure resources by monitoring for suspicious activity or privilege escalations.
- **Recommendation**:
- Enable relevant Defender solutions for better security posture in production environments. For cost estimation, refer to the [Azure Pricing Calculator](https://azure.microsoft.com/en-us/pricing/calculator/).
- **Management plane** blade
- **Deployment location** - The Azure Region where management plane resources (workspace, host pool, application groups) will be deployed. These resources are not available in all locations but are globally replicated and they can share the same location as the session hosts or not.
- **Host pool type** - This option determines if a personal (aka single session) or pool (aka multi-session ) host pool will be configured.
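Review bot: the new "Enable Microsoft Defender for Key Vault" and "Enable Microsoft Defender for Storage" bullets overstate what those plans do. Defender for Cloud plans detect and alert on suspicious activity; they do not "prevent misuse or unauthorized activity" or stop "unauthorized access attempts" by themselves, and a reader could conclude that turning them on replaces the Key Vault firewall, RBAC and the private endpoint/private DNS setup this guide requires elsewhere. Suggest "Deploys a policy to monitor Azure Key Vault access and alert on anomalous or suspicious activity." and the equivalent wording for Storage. Each bullet also says only "Deploys a policy"; state the scope at which that policy is assigned (the AVD resource groups or the whole subscription), because that determines which VMs, storage accounts and vaults end up covered and billed, which is exactly what the "Recommendation" line asks the reader to estimate.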
Expand All @@ -37,11 +46,11 @@
- **Deploy sessions hosts** - You can choose to not deploy session hosts just the Azure Virtual Desktop service objects.
- **Session host region** - Provide the region to where you want to deploy the session hosts. This defaults to the Management Plane region but can be changed.
- **Session hosts OU path (Optional)** - Provide OU where to locate session hosts, if not provided session hosts will be placed on the default (computers) OU. If left empty the computer account will be created in the default Computers OU. Example: OU=avd,DC=contoso,DC=com.
- **Availability zones** - If you deselect the checkbox, VMs will be deployed regionally and will be associated with a regional VMSS Flex (if VMSS is enabled). If you select the checkbox the accelerator will distribute compute and storage resources across availability zones and will also associate the VMs with a VMSS Flex group created to use multiple availability zones.
- **VMSS Flex** - If you deselect the checkbox, no VMSS Flex will be created. If you select the checkbox, the accelerator will deploy a VMSS Flex and VMs will be associated with it.
- **Availability zones** - If you uncheck the checkbox, VMs will be deployed regionally and will be associated with a regional VMSS Flex (if VMSS is enabled). If you select the checkbox the accelerator will distribute compute and storage resources across availability zones and will also associate the VMs with a VMSS Flex group created to use multiple availability zones.
- **VMSS Flex** - If you uncheck the checkbox, no VMSS Flex will be created. If you select the checkbox, the accelerator will deploy a VMSS Flex and VMs will be associated with it.
- **VM size** - Select the SKU size for the session hosts.
- **VM count** - Select the number of session hosts to deploy.
- **OS disk type** - Select the OS Disk SKU type. Premium is recommended for performance and higher SLA.
- **OS disk type** - Select the OS Disk SKU type. Premium is recommended for performance and a higher SLA.
- **Zero trust disk configuration** - Check the box to enable the zero trust configuration on the session host disks to ensure all the disks are encrypted, the OS and data disks are protected with double encryption with a customer managed key, and network access is disabled.
- **Enable Antimalware extension** - Enables Azure VM antimalware extension on session hosts
- **Enable accelerated networking** - Check the box to ensure the network traffic on the session hosts is offloaded to the network interface to enhance performance. This feature is free and available as long a supported VM SKU and [OS](https://learn.microsoft.com/en-us/azure/virtual-network/accelerated-networking-overview?tabs=redhat#supported-operating-systems) is chosen. To check whether a VM size supports Accelerated Networking, see [Sizes for virtual machines in Azure](https://learn.microsoft.com/en-us/azure/virtual-machines/sizes). This feature is recommended as it will decrease CPU utilization for networking (offloading to NIC) and increase network performance/throughput to Azure VMs and Services, like Azure Files.
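Review bot: the "Session hosts OU path (Optional)" bullet says the same thing twice ("if not provided session hosts will be placed on the default (computers) OU. If left empty the computer account will be created in the default Computers OU."); since this hunk is already touching wording in this list, drop one of the two sentences and keep the example. Minor: "Enables Azure VM antimalware extension on session hosts" is the only bullet in the list without a terminating period.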
Expand Down Expand Up @@ -89,7 +98,7 @@ Take a look at the [Naming Standard and Tagging](./resource-naming.md) page for

## Post Deployment Considerations

- When using Microsoft Entra ID as identity provider and deploying FSLogix storage, it is required to grant admin consent to the storage account service principal (your-storage-account-name.file.core.windows.net) created during deployemnt, additional information can be found in the
- When using Microsoft Entra ID as identity provider and deploying FSLogix storage, it is required to grant admin consent to the storage account service principal (your-storage-account-name.file.core.windows.net) created during deployment, additional information can be found in the
[Grant admin consent to the new service principal](https://learn.microsoft.com/azure/storage/files/storage-files-identity-auth-hybrid-identities-enable?tabs=azure-portal#grant-admin-consent-to-the-new-service-principal) guide.

## Redeployment Considerations
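Review bot: the corrected sentence is still a comma splice ("... created during deployment, additional information can be found in the ..."); split it into two sentences: "... created during deployment. Additional information can be found in the [Grant admin consent to the new service principal](...) guide." It would also help to say who performs this step: granting admin consent is a tenant-level action, so the subscription Owner account listed in the prerequisites is usually not sufficient on its own, and the deployment is not functional for Entra ID users until someone with the required tenant role completes it.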
Expand All @@ -115,4 +124,4 @@ We have these other options available:

## Known Issues

Please report issues using the projects [issues](https://github.com/Azure/avdaccelerator/issues) tracker.
Please report issues using the project's [issues](https://github.com/Azure/avdaccelerator/issues) tracker.
15 changes: 9 additions & 6 deletions workload/docs/getting-started-baseline.md
Expand Up @@ -16,7 +16,7 @@ Prior to deploying the Baseline solution, you need to ensure you have met the fo
- [x] Access to the Azure Virtual Desktop Azure subscription with owner permissions.
- [x] The following resource provider must be registered in the subscription to be used for deployment:
- Microsoft.DesktopVirtualization
- Microsoft.Compute (When deploying Zero Trust mathe feature [EncryptionAtHost](https://learn.microsoft.com/azure/virtual-machines/disks-enable-host-based-encryption-portal?tabs=azure-powershell) will need to be registered)
- Microsoft.Compute (When deploying Zero Trust match feature [EncryptionAtHost](https://learn.microsoft.com/azure/virtual-machines/disks-enable-host-based-encryption-portal?tabs=azure-powershell) will need to be registered)
- Microsoft.Network
- Microsoft.Storage

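Review bot: "Zero Trust mathe feature" was almost certainly a garbled "Zero Trust mode, the feature", so replacing it with "Zero Trust match feature" leaves the sentence unreadable. Suggest: "- Microsoft.Compute (when deploying with the Zero Trust disk configuration, the [EncryptionAtHost](https://learn.microsoft.com/azure/virtual-machines/disks-enable-host-based-encryption-portal?tabs=azure-powershell) feature must also be registered)". The flag lives under the Microsoft.Compute namespace (`az feature register --namespace Microsoft.Compute --name EncryptionAtHost`) and VM creation with encryption at host fails until it is registered, so it is better as its own checklist item than as a parenthetical on the provider line.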
Expand Down Expand Up @@ -58,15 +58,15 @@ Prior to deploying the Baseline solution, you need to ensure you have met the fo
- Existing private DNS zones MUST be linked to the vNet where the custom DNS servers are connected, this is needed for the end-to-end setup of FSLogix and MSIX App Attach file shares to be successful. The DNS resolution requests will be sent to the custom DNS servers and its vNet is the one that needs to resolve private endpoint DNS records.
- Scenario 2:
- Specs: using private endpoints, creating a new Azure Virtual Desktop vNet and new private DNS zones.
- Custom DNS servers may NOT be used in the new vNet as this will cause FSLogix and/or MSIX App Attach file shares deployments to fail. This happens because the private DNS zones will be linked to the newly created vNet and only this vNet will be able to resolve the private endpoints DNS records. When using custom DNS servers, existing Private DNS zones link to the vNet wher custom DNS server are connected will need to be used.
- Custom DNS servers may NOT be used in the new vNet as this will cause FSLogix and/or MSIX App Attach file shares deployments to fail. This happens because the private DNS zones will be linked to the newly created vNet and only this vNet will be able to resolve the private endpoints DNS records. When using custom DNS servers, existing Private DNS zones link to the vNet where custom DNS servers are connected will need to be used.
- Scenario 3:
- Specs: using existing Azure Virtual Desktop vNet, and creating new private DNS zones.
- Custom DNS servers may NOT be used (unless they are connected to the same vNet used for the Azure Virtual Desktop deployment) in order for FSlogix/MSIX App Attach deployment to be successful, given that the private DNS zone will be linked to the existing vNet and this will be the only network able to resolve private endpoint DNS records. This scenario is only recommended when using Microsoft Entra ID as identity service provider.
- Scenario 4:
- Specs: using private endpoints and an existing Azure Virtual Desktop vNet with custom DNS servers configured.
- Existing private DNS zones MUST be linked to the vNet containing the custom DNS servers for FSLogix and/or MSIX App Attach file shares deployments to be successful, given DNS name resolution requests will go to custom DNS servers and their vNet will need to resolve private endpoints DNS records.

**Important**: for all scenatios that use custom DNS servers, conditional forwarding rules MUST be configured to send to Azure (168.63.129.16) the DNS requests targeting file.core.windows.net and vaultcore.azure.net name spaces.
**Important**: for all scenarios that use custom DNS servers, conditional forwarding rules MUST be configured to send to Azure (168.63.129.16) the DNS requests targeting file.core.windows.net and vaultcore.azure.net name spaces.
- [x] Required private DNS zone name spaces:
- Azure Commercial: privatelink.file.core.windows.net (Azure Files) and privatelink.vaultcore.azure.net (Key Vault).
- Azure Government: privatelink.file.core.usgovcloudapi.net (Azure Files) and privatelink.vaultcore.usgovcloudapi.net (Key Vault).
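Review bot: the "Important" line names only the commercial namespaces (file.core.windows.net and vaultcore.azure.net), but the next bullet lists different names for Azure Government (file.core.usgovcloudapi.net and vaultcore.usgovcloudapi.net), so a Gov deployment that follows the forwarding rule as written would still fail DNS resolution for the private endpoints. Either add the Government names to the forwarding rule or phrase it as "the Azure Files and Key Vault namespaces for your cloud listed below". Scenario 2 also still has a grammar problem after the typo fix: "existing Private DNS zones link to the vNet where custom DNS servers are connected will need to be used" should read "existing private DNS zones linked to the vNet where the custom DNS servers are connected must be used".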
Expand All @@ -77,17 +77,20 @@ Prior to deploying the Baseline solution, you need to ensure you have met the fo
- [x] If implementing AVD Private Link Service, ensure the subscription resource provider registration has been implemented:
- [Azure Commercial Private Link Prerequisites](https://learn.microsoft.com/en-us/azure/virtual-desktop/private-link-setup?tabs=azure%2Cportal%2Cportal-2#tabpanel_1_azure)
- [Azure Gov/China Private Link Prerequisites](https://learn.microsoft.com/en-us/azure/virtual-desktop/private-link-setup?tabs=us-gov-21vianet%2Cportal%2Cportal-2#tabpanel_1_us-gov-21vianet).
- [x] If enabling Start VM on Connect or Scaling Plans features, it is required to provide the ObjectID for the enterprise application Azure Virtual Desktop (Name can also be displayed as 'Windows Virtual Desktops'). To get the ObjectID got to Microsoft Entra ID > Enterprise applications, remove all filters and search for 'Virtual Desktops' and copy the ObjectID that is paired with the Application ID: 9cdead84-a844-4324-93f2-b2e6bb768d07.
- [x] If enabling Start VM on Connect or Scaling Plans features, it is required to provide the ObjectID for the enterprise application Azure Virtual Desktop (Name can also be displayed as 'Windows Virtual Desktops'). To get the ObjectID go to Microsoft Entra ID > Enterprise applications, remove all filters and search for 'Virtual Desktops' and copy the ObjectID that is paired with the Application ID: 9cdead84-a844-4324-93f2-b2e6bb768d07.
- [x] Account used for portal UI deployment, needs to be able to query Microsoft Entra tenant and get the ObjectID of the Azure Virtual Desktop enterprise app, query will be executed by the automation using the user context.
- [x] If complying with WAF, the Domain Controllers VMs if hosted in Azure should follow High Availability best practices as mentioned in [here](https://learn.microsoft.com/azure/architecture/example-scenario/identity/adds-extend-domain#reliability) and High availability for Entra Domain services can be setup using replica set as mentioned in [here](https://learn.microsoft.com/entra/identity/domain-services/concepts-replica-sets).
- [x] If customer selects "Compute gallery" as the image source then it is customer's responsibility to ensure the high availability of the images used and keep the number of replicas to a minumum for scaling the deployments, as mentioned in [here](https://learn.microsoft.com/azure/virtual-machines/azure-compute-gallery).
- [x] If customer selects "Compute gallery" as the image source then it is customer's responsibility to ensure the high availability of the images used and keep the number of replicas to a minimum for scaling the deployments, as mentioned in [here](https://learn.microsoft.com/azure/virtual-machines/azure-compute-gallery).


## Planning

This section covers the high-level steps for planning an Azure Virtual Desktop deployment and the decisions that need to be made. The deployment will use the Microsoft provided Bicep/PowerShell/Azure CLI templates from this repository and the customer provided configuration files that contain the system specific information.

This Azure Virtual Desktop accelerator supports deployment into greenfield scenarios (no Azure Virtual Desktop Azure infrastructure components exist) or brownfield scenarios (some Azure Virtual Desktop Azure infrastructure components exist).

> **Note**: Enabling Microsoft Defender for Cloud solutions (e.g., Defender for Servers, Defender for Storage, Defender for Key Vault, Defender for Azure Resource Manager) may incur additional costs. Pricing depends on the specific service enabled and the associated usage. It is recommended to review the [Azure Defender Pricing](https://azure.microsoft.com/en-us/pricing/details/defender/) page for detailed information before enabling these features.
## Greenfield deployment

In the Greenfield scenario, there are no existing Azure infrastructure components for Azure Virtual Desktop deployment. The automation framework will create an Azure Virtual Desktop workload in the desired Azure region, create a new VNet or reuse an existing VNet, and configure basic connectivity.
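Review bot: the new Defender pricing note is inserted directly above "## Greenfield deployment" with no blank line between them, while every other heading in this file is preceded by one; add the blank line. The note also duplicates the Defender recommendation added to deploy-baseline.md in this same commit but links to a different page (the Defender pricing page here, the pricing calculator there); pick one link and use it in both places so the two docs do not drift. Separately, "If complying with WAF" is ambiguous in a security document (Well-Architected Framework vs Web Application Firewall); spell out "Azure Well-Architected Framework", since the linked reliability guidance is what is meant.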
Expand Down Expand Up @@ -143,4 +146,4 @@ To learn more about the resource naming used in this accelerator take a look at

Continue with:

- [Azure Virtual Desktop LZA - Baseline - Deployment](./deploy-baseline.md) if you are ready to deploy an Azure Virtual Desktop workload from the market place, an updated and optimized image previously created by the custom image deployment, or the the Azure market place or from an Azure Compute Gallery.
- [Azure Virtual Desktop LZA - Baseline - Deployment](./deploy-baseline.md) if you are ready to deploy an Azure Virtual Desktop workload from the market place, an updated and optimized image previously created by the custom image deployment, or the Azure marketplace or from an Azure Compute Gallery.

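Review bot: after the fix the sentence still lists the marketplace twice ("from the market place, ... or the Azure marketplace or from an Azure Compute Gallery") and keeps the unfixed spelling "market place" in the first occurrence. Suggest: "... if you are ready to deploy an Azure Virtual Desktop workload from an Azure Marketplace image, from an Azure Compute Gallery, or from an updated and optimized image previously created by the custom image deployment."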
0 comments on commit 8e49c7f