Azure · sihbher · Oct 24, 2024 · Oct 24, 2024 · Oct 24, 2024 · Oct 24, 2024
diff --git a/.gitignore b/.gitignore
@@ -55,5 +55,4 @@ Deploy-Baseline.ps1
 workload/bicep/parameters/deploy-baseline-parameters-MSA.json
 
 # local test files
-localTest
-
+localTest
diff --git a/workload/arm/deploy-baseline.json b/workload/arm/deploy-baseline.json
diff --git a/workload/bicep/deploy-baseline.bicep b/workload/bicep/deploy-baseline.bicep
@@ -514,6 +514,24 @@ param deployAntiMalwareExt bool = true
 @sys.description('Additional customer-provided static routes to be added to the route tables.')
 param customStaticRoutes array = []
 
+//
+// Parameters for Microsoft Defender
+//
+@sys.description('Enable Microsoft Defender on the subscription. (Default: true)')
+param deployDefender bool = true
+
+@sys.description('Enable Microsoft Defender for servers. (Default: true)')
+param enableDefForServers bool = true
+
+@sys.description('Enable Microsoft Defender for storage. (Default: true)')
+param enableDefForStorage bool = true
+
+@sys.description('Enable Microsoft Defender for Key Vault. (Default: true)')
+param enableDefForKeyVault bool = true
+
+@sys.description('Enable Microsoft Defender for Azure Resource Manager. (Default: true)')
+param enableDefForArm bool = true
+
 // =========== //
 // Variable declaration //
 // =========== //
@@ -1609,3 +1627,17 @@ module gpuPolicies './modules/azurePolicies/gpuExtensionsSubscriptions.bicep' =
     sessionHosts
   ]
 }
+
+module defenderPolicySet './modules/azurePolicies/defenderSubscription.bicep' = if (deployDefender) {
+  scope: subscription('${avdWorkloadSubsId}')
+  name: 'Defender-Policies-${time}'
+  params: {
+    enableDefForServers: enableDefForServers
+    enableDefForStorage: enableDefForStorage
+    enableDefForKeyVault: enableDefForKeyVault
+    enableDefForArm: enableDefForArm
+  }
+  dependsOn: [
+    sessionHosts
+  ]
+}
diff --git a/workload/bicep/modules/azurePolicies/defenderSubscription.bicep b/workload/bicep/modules/azurePolicies/defenderSubscription.bicep
@@ -0,0 +1,176 @@
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+@description('Name of the initiative definition.')
+param initiativeName string = 'Custom - Deploy Microsoft Defender for Cloud Security - AVD'
+
+@description('Display name of the initiative.')
+param initiativeDisplayName string = 'Custom - Deploy Microsoft Defender for Cloud Security - AVD'
+
+@description('Description of the initiative.')
+param initiativeDescription string = 'This initiative deploys Microsoft Defender for Cloud Security for AVD.'
+
+@description('Category of the initiative.')
+param initiativeCategory string = 'Security Center'
+
+@description('Effect for the policy.')
+@allowed([
+  'DeployIfNotExists'
+  'Disabled'
+])
+param effect string = 'DeployIfNotExists'
+
+@description('Enable or disable the Malware Scanning add-on feature.')
+@allowed([
+  'true'
+  'false'
+])
+param isOnUploadMalwareScanningEnabled string = 'true'
+
+@description('Cap GB scanned per month per storage account.')
+param capGBPerMonthPerStorageAccount int = 5000
+
+@description('Enable or disable the Sensitive Data Threat Detection add-on feature.')
+@allowed([
+  'true'
+  'false'
+])
+param isSensitiveDataDiscoveryEnabled string = 'true'
+
+@description('Select a Defender for Key Vault plan.')
+@allowed([
+  'PerTransaction'
+  'PerKeyVault'
+])
+param keyVaultSubPlan string = 'PerTransaction'
+
+@description('Select a Defender for Resource Manager plan.')
+@allowed([
+  'PerSubscription'
+  'PerApiCall'
+])
+param resourceManagerSubPlan string = 'PerApiCall'
+
+// =========== //
+// Variables for enabling policies selectively //
+// =========== //
+@description('Enable or disable the "Configure Azure Defender for servers to be enabled" policy.')
+param enableDefForServers bool = false
+
+@description('Enable or disable the "Configure Microsoft Defender for Storage to be enabled" policy.')
+param enableDefForStorage bool = false
+
+@description('Enable or disable the "Configure Microsoft Defender for Key Vault plan" policy.')
+param enableDefForKeyVault bool = false
+
+@description('Enable or disable the "Configure Azure Defender for Resource Manager to be enabled" policy.')
+param enableDefForArm bool = false
+
+// =========== //
+// Deployments //
+// =========== //
+resource initiative 'Microsoft.Authorization/policySetDefinitions@2023-04-01' = {
+  name: initiativeName
+  properties: {
+    displayName: initiativeDisplayName
+    description: initiativeDescription
+    version: '1.0.0'
+    metadata: {
+      category: initiativeCategory
+      version: '1.0.0'
+    }
+    policyDefinitions: concat(
+      [
+        {
+          policyDefinitionReferenceId: 'EnsureContactEmail'
+          policyDefinitionId: tenantResourceId('Microsoft.Authorization/policyDefinitions', '4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7')
+          parameters: {
+            effect: {
+              value: 'AuditIfNotExists'
+            }
+          }
+        }
+      ],
+      enableDefForServers
+        ? [
+            {
+              policyDefinitionReferenceId: 'DefenderForServers'
+              policyDefinitionId: tenantResourceId(
+                'Microsoft.Authorization/policyDefinitions',
+                '8e86a5b6-b9bd-49d1-8e21-4bb8a0862222'
+              )
+              parameters: {
+                effect: {
+                  value: effect
+                }
+              }
+            }
+          ]
+        : [],
+      enableDefForStorage
+        ? [
+            {
+              policyDefinitionReferenceId: 'DefenderForStorage'
+              policyDefinitionId: tenantResourceId(
+                'Microsoft.Authorization/policyDefinitions',
+                'cfdc5972-75b3-4418-8ae1-7f5c36839390'
+              )
+              parameters: {
+                effect: {
+                  value: effect
+                }
+                isOnUploadMalwareScanningEnabled: {
+                  value: isOnUploadMalwareScanningEnabled
+                }
+                capGBPerMonthPerStorageAccount: {
+                  value: capGBPerMonthPerStorageAccount
+                }
+                isSensitiveDataDiscoveryEnabled: {
+                  value: isSensitiveDataDiscoveryEnabled
+                }
+              }
+            }
+          ]
+        : [],
+      enableDefForKeyVault
+        ? [
+            {
+              policyDefinitionReferenceId: 'DefenderForKeyVault'
+              policyDefinitionId: tenantResourceId(
+                'Microsoft.Authorization/policyDefinitions',
+                '1f725891-01c0-420a-9059-4fa46cb770b7'
+              )
+              parameters: {
+                effect: {
+                  value: effect
+                }
+                subPlan: {
+                  value: keyVaultSubPlan
+                }
+              }
+            }
+          ]
+        : [],
+        enableDefForArm ? [
+          {
+            policyDefinitionReferenceId: 'DefenderForARM'
+            policyDefinitionId: tenantResourceId(
+              'Microsoft.Authorization/policyDefinitions',
+              'b7021b2b-08fd-4dc0-9de7-3c6ece09faf9'
+            )
+            parameters: {
+              effect: {
+                value: effect
+              }
+              subPlan: {
+                value: resourceManagerSubPlan
+              }
+            }
+          }
+        ]:[]
+    )
+
+  }
+}
diff --git a/workload/docs/cost-estimate.md b/workload/docs/cost-estimate.md
@@ -21,6 +21,11 @@ Azure Virtual Desktop resources and dependent services for establishing the base
 - Azure Files Storage with MSIX App Attach share, RBAC role assignment and private endpoint **
 - Application Security group
 - Key Vault and private endpoint
+- **Microsoft Defender Services** (enabled via policy):
+  - **Microsoft Defender for Servers**: Provides threat detection, vulnerability assessment, and real-time security alerts for virtual machines.
+  - **Microsoft Defender for Storage**: Secures Azure Files shares and other storage resources against unauthorized access or malware.
+  - **Microsoft Defender for Key Vault**: Monitors and protects access to cryptographic keys and secrets.
+  - **Microsoft Defender for Azure Resource Manager**: Detects suspicious management operations and protects the Azure management plane.
 
   ** Denotes resources only deployed in ADDS Identity scenario.
 

diff --git a/workload/docs/deploy-baseline.md b/workload/docs/deploy-baseline.md
@@ -18,10 +18,19 @@
     - Groups - select from the drop down the groups to be granted access to Azure Virtual Desktop published items and to create sessions on VMs and single sign-on (SSO) when using Microsoft Entra ID as the identity provider.
     - Note: when using Microsoft Entra ID as the identity service provider, an additional role (virtual machine user login) will be granted to compute resource group during deployment.
   - **When selecting AD DS or Microsoft Entra DS:**
-    - Domain join credentials The Username and password with rights to join computers to the domain.
+    - Domain join credentials: The Username and password with rights to join computers to the domain.
   - **When selecting Microsoft Entra ID:**
-    - Enroll VM with Intune: check the box to enroll session hosts on tenant's.
+    - Enroll VM with Intune: Check the box to enroll session hosts on the tenant’s Intune.
   - **Session host local admin credentials** The Username and password to set for local administrator.
+  - **Microsoft Defender for Cloud Solutions**:
+    - This section enables advanced security monitoring for resources deployed within your Azure Virtual Desktop setup. Below are the Defender solutions available:
+      - **Deploy Microsoft Defender for Cloud**: Deploys a policy for enabling overall security monitoring for the platform and resources deployed as part of Azure Virtual Desktop.
+      - **Enable Microsoft Defender for Servers**: Deploys a policy for providing enhanced protection for session host virtual machines (VMs), including real-time threat detection, vulnerability assessment, and automated response.
+      - **Enable Microsoft Defender for Storage**: Deploys a policy for protecting Azure Storage resources (e.g., FSLogix file shares) against malicious threats and unauthorized access attempts.
+      - **Enable Microsoft Defender for Key Vault**: Deploys a policy to monitor Azure Key Vault access and prevent misuse or unauthorized activity.
+      - **Enable Microsoft Defender for Azure Resource Manager**: Deploys a policy for ensuring the integrity of management operations on Azure resources by monitoring for suspicious activity or privilege escalations.
+    - **Recommendation**:
+      - Enable relevant Defender solutions for better security posture in production environments. For cost estimation, refer to the [Azure Pricing Calculator](https://azure.microsoft.com/en-us/pricing/calculator/).
 - **Management plane** blade
   - **Deployment location** - The Azure Region where management plane resources (workspace, host pool, application groups) will be deployed. These resources are not available in all locations but are globally replicated and they can share the same location as the session hosts or not.
   - **Host pool type** - This option determines if a personal (aka single session) or pool (aka multi-session ) host pool will be configured.
@@ -37,11 +46,11 @@
   - **Deploy sessions hosts** - You can choose to not deploy session hosts just the Azure Virtual Desktop service objects.
   - **Session host region** - Provide the region to where you want to deploy the session hosts. This defaults to the Management Plane region but can be changed.
   - **Session hosts OU path (Optional)** - Provide OU where to locate session hosts, if not provided session hosts will be placed on the default (computers) OU. If left empty the computer account will be created in the default Computers OU. Example: OU=avd,DC=contoso,DC=com.
-  - **Availability zones** - If you deselect the checkbox, VMs will be deployed regionally and will be associated with a regional VMSS Flex (if VMSS is enabled). If you select the checkbox the accelerator  will distribute compute and storage resources across availability zones and will also associate the VMs with a VMSS Flex group created to use multiple availability zones.
-  - **VMSS Flex** - If you deselect the checkbox, no VMSS Flex will be created. If you select the checkbox, the accelerator will deploy a VMSS Flex and VMs will be associated with it.
+  - **Availability zones** - If you uncheck the checkbox, VMs will be deployed regionally and will be associated with a regional VMSS Flex (if VMSS is enabled). If you select the checkbox the accelerator  will distribute compute and storage resources across availability zones and will also associate the VMs with a VMSS Flex group created to use multiple availability zones.
+  - **VMSS Flex** - If you uncheck the checkbox, no VMSS Flex will be created. If you select the checkbox, the accelerator will deploy a VMSS Flex and VMs will be associated with it.
   - **VM size** -  Select the SKU size for the session hosts.
   - **VM count** - Select the number of session hosts to deploy.
-  - **OS disk type** - Select the OS Disk SKU type. Premium is recommended for performance and higher SLA.
+  - **OS disk type** - Select the OS Disk SKU type. Premium is recommended for performance and a higher SLA.
   - **Zero trust disk configuration** - Check the box to enable the zero trust configuration on the session host disks to ensure all the disks are encrypted, the OS and data disks are protected with double encryption with a customer managed key, and network access is disabled.
   - **Enable Antimalware extension** -  Enables Azure VM antimalware extension on session hosts
   - **Enable accelerated networking** - Check the box to ensure the network traffic on the session hosts is offloaded to the network interface to enhance performance. This feature is free and available as long a supported VM SKU and [OS](https://learn.microsoft.com/en-us/azure/virtual-network/accelerated-networking-overview?tabs=redhat#supported-operating-systems) is chosen. To check whether a VM size supports Accelerated Networking, see [Sizes for virtual machines in Azure](https://learn.microsoft.com/en-us/azure/virtual-machines/sizes). This feature is recommended as it will decrease CPU utilization for networking (offloading to NIC) and increase network performance/throughput to Azure VMs and Services, like Azure Files.
@@ -89,7 +98,7 @@ Take a look at the [Naming Standard and Tagging](./resource-naming.md) page for
 
 ## Post Deployment Considerations
 
-- When using Microsoft Entra ID as identity provider and deploying FSLogix storage, it is required to grant admin consent to the storage account service principal (your-storage-account-name.file.core.windows.net) created during deployemnt, additional information can be found in the
+- When using Microsoft Entra ID as identity provider and deploying FSLogix storage, it is required to grant admin consent to the storage account service principal (your-storage-account-name.file.core.windows.net) created during deployment, additional information can be found in the
 [Grant admin consent to the new service principal](https://learn.microsoft.com/azure/storage/files/storage-files-identity-auth-hybrid-identities-enable?tabs=azure-portal#grant-admin-consent-to-the-new-service-principal) guide.
 
 ## Redeployment Considerations
@@ -115,4 +124,4 @@ We have these other options available:
 
 ## Known Issues
 
-Please report issues using the projects [issues](https://github.com/Azure/avdaccelerator/issues) tracker.
+Please report issues using the project's [issues](https://github.com/Azure/avdaccelerator/issues) tracker.