Enable Defender on Portal Deployment

.gitignore

@@ -54,6 +54,13 @@ workload/bicep/parameters/deploy-baseline-parameters-MSA.json
 Deploy-Baseline.ps1
 workload/bicep/parameters/deploy-baseline-parameters-MSA.json
 
+*.bicepparam
+**/.bicepparam
 # local test files
 localTest
 
+#MAC
+# Local History for Visual Studio Code
+**/.DS_Store
+.history/.DS_Store
+.DS_Store

.vscode/launch.json

@@ -0,0 +1,15 @@
+{
+    // Use IntelliSense to learn about possible attributes.
+    // Hover to view descriptions of existing attributes.
+    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+    "version": "0.2.0",
+    "configurations": [
+        {
+            "name": "PowerShell: Launch Script",
+            "type": "PowerShell",
+            "request": "launch",
+            "script": "Enter path or command to execute, for example: \"${workspaceFolder}/src/foo.ps1\" or \"Invoke-Pester\"",
+            "args": []
+        }
+    ]
+}

readme.md

@@ -32,7 +32,7 @@ As of today, we have a first reference implementation scenario that is one of th
 | Deployment Type | Link |
 |:--|:--|
 | Azure portal UI |[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Favdaccelerator%2Fmain%2Fworkload%2Farm%2Fdeploy-baseline.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Favdaccelerator%2Fmain%2Fworkload%2Fportal-ui%2Fportal-ui-baseline.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/?feature.deployapiver=2022-12-01#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Favdaccelerator%2Fmain%2Fworkload%2Farm%2Fdeploy-baseline.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Favdaccelerator%2Fmain%2Fworkload%2Fportal-ui%2Fportal-ui-baseline.json) [![Deploy to Azure China](https://aka.ms/deploytoazurechinabutton)](https://portal.azure.cn/?feature.deployapiver=2022-12-01#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Favdaccelerator%2Fmain%2Fworkload%2Farm%2Fdeploy-baseline.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Favdaccelerator%2Fmain%2Fworkload%2Fportal-ui%2Fportal-ui-baseline.json)|
-| Command line (Bicep/ARM) | [![Powershell/Azure CLI](./workload/docs/icons/powershell.png)](./workload/bicep/readme.md#avd-accelerator-baseline) |
+| Command line (Bicep/ARM) | [![Powershell/Azure CLI](./workload/docs/icons/powershell.png)](./workload/bicep/readme.md#avd-accelerator-baseline) | 
 | Terraform | [![Terraform](./workload/docs/icons/terraform.png)](./workload/terraform/greenfield/readme.md) |
 
 If you are having deployment challenges, refer to the [LZA baseline troubleshooting guide](/workload/docs/baseline-troubleshooting-guide.md) for guidance. For additional support please submit a GitHub issue.

workload/bicep/deploy-baseline.bicep

@@ -27,10 +27,10 @@ param deploymentEnvironment string = 'Dev'
 param diskEncryptionKeyExpirationInDays int = 60
 
 @sys.description('Required. Location where to deploy compute services.')
-param avdSessionHostLocation string 
+param avdSessionHostLocation string
 
 @sys.description('Required. Location where to deploy AVD management plane.')
-param avdManagementPlaneLocation string 
+param avdManagementPlaneLocation string
 
 @sys.description('AVD workload subscription ID, multiple subscriptions scenario. (Default: "")')
 param avdWorkloadSubsId string = ''
@@ -511,6 +511,24 @@ param enableKvPurgeProtection bool = true
 @sys.description('Deploys anti malware extension on session hosts. (Default: true)')
 param deployAntiMalwareExt bool = true
 
+//
+// Parameters for Microsoft Defender
+//
+@sys.description('Enable Microsoft Defender on the subscription. (Default: true)')
+param deployDefender bool = true
+
+@sys.description('Enable Microsoft Defender for servers. (Default: true)')
+param enableAscForServers bool = true
+
+@sys.description('Enable Microsoft Defender for storage. (Default: true)')
+param enableAscForStorage bool = true
+
+@sys.description('Enable Microsoft Defender for Key Vault. (Default: true)')
+param enableAscForKeyVault bool = true
+
+@sys.description('Enable Microsoft Defender for Azure Resource Manager. (Default: true)')
+param enableAscForArm bool = true
+
 // =========== //
 // Variable declaration //
 // =========== //
@@ -1152,7 +1170,9 @@ module managementPLane './modules/avdManagementPlane/deploy.bicep' = {
     preferredAppGroupType: (hostPoolPreferredAppGroupType == 'RemoteApp') ? 'RailApplications' : 'Desktop'
     deployScalingPlan: varDeployScalingPlan
     scalingPlanExclusionTag: varScalingPlanExclusionTag
-    scalingPlanSchedules: (avdHostPoolType == 'Pooled') ? varPooledScalingPlanSchedules : varPersonalScalingPlanSchedules
+    scalingPlanSchedules: (avdHostPoolType == 'Pooled')
+      ? varPooledScalingPlanSchedules
+      : varPersonalScalingPlanSchedules
     scalingPlanName: varScalingPlanName
     hostPoolMaxSessions: hostPoolMaxSessions
     personalAssignType: avdPersonalAssignType
@@ -1483,7 +1503,7 @@ module msixAzureFilesStorage './modules/storageAzureFiles/deploy.bicep' = if (va
 }
 
 // VMSS Flex
-module vmScaleSetFlex './modules/avdSessionHosts/.bicep/vmScaleSet.bicep' =  if (avdDeploySessionHosts && deployVmssFlex) {
+module vmScaleSetFlex './modules/avdSessionHosts/.bicep/vmScaleSet.bicep' = if (avdDeploySessionHosts && deployVmssFlex) {
   name: 'AVD-VMSS-Flex-${time}'
   scope: resourceGroup('${avdWorkloadSubsId}', '${varComputeObjectsRgName}')
   params: {
@@ -1588,3 +1608,17 @@ module gpuPolicies './modules/azurePolicies/gpuExtensionsSubscriptions.bicep' =
     sessionHosts
   ]
 }
+
+module defenderPolicySet './modules/azurePolicies/defenderSubscription.bicep' = if (deployDefender) {
+  scope: subscription('${avdWorkloadSubsId}')
+  name: 'Defender-Policies-${time}'
+  params: {
+    enableAscForServers: enableAscForServers
+    enableAscForStorage: enableAscForStorage
+    enableAscForKeyVault: enableAscForKeyVault
+    enableAscForArm: enableAscForArm
+  }
+  dependsOn: [
+    sessionHosts
+  ]
+}

workload/bicep/modules/avdSessionHosts/deploy.bicep

@@ -139,6 +139,27 @@ param dataCollectionRuleId string
 @sys.description('Deploys anti malware extension on session hosts.')
 param deployAntiMalwareExt bool
 
+//
+// Parameters for Microsoft Defender
+//
+@sys.description('Enable Microsoft Defender on the subscription. (Default: true)')
+param deployDefender bool = true
+
+@sys.description('Enable Microsoft Defender for servers. (Default: true)')
+param enableAscForServers bool = true
+
+@sys.description('Enable Microsoft Defender for storage. (Default: true)')
+param enableAscForStorage bool = true
+
+@sys.description('Enable Microsoft Defender for Key Vault. (Default: true)')
+param enableAscForKeyVault bool = true
+
+@sys.description('Enable Microsoft Defender for Azure Resource Manager. (Default: true)')
+param enableAscForArm bool = true
+
+@sys.description('Enable Microsoft Defender for Cloud Security Posture Management. (Default: true)')
+param enableAscForCspm bool = true
+
 // =========== //
 // Variable declaration //
 // =========== //

workload/bicep/modules/azurePolicies/avdMonitoring.bicep

@@ -224,6 +224,9 @@ module policySetRemediation '../../../../avm/1.0.0/ptn/policy-insights/remediati
 }
 }]
 
+
+
+
 // =========== //
 // Outputs     //
 // =========== //

workload/bicep/modules/azurePolicies/defenderSubscription.bicep

@@ -0,0 +1,176 @@
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+@description('Name of the initiative definition.')
+param initiativeName string = 'Custom - Deploy Microsoft Defender for Cloud Security - AVD'
+
+@description('Display name of the initiative.')
+param initiativeDisplayName string = 'Custom - Deploy Microsoft Defender for Cloud Security - AVD'
+
+@description('Description of the initiative.')
+param initiativeDescription string = 'This initiative deploys Microsoft Defender for Cloud Security for AVD.'
+
+@description('Category of the initiative.')
+param initiativeCategory string = 'Security Center'
+
+@description('Effect for the policy.')
+@allowed([
+  'DeployIfNotExists'
+  'Disabled'
+])
+param effect string = 'DeployIfNotExists'
+
+@description('Enable or disable the Malware Scanning add-on feature.')
+@allowed([
+  'true'
+  'false'
+])
+param isOnUploadMalwareScanningEnabled string = 'true'
+
+@description('Cap GB scanned per month per storage account.')
+param capGBPerMonthPerStorageAccount int = 5000
+
+@description('Enable or disable the Sensitive Data Threat Detection add-on feature.')
+@allowed([
+  'true'
+  'false'
+])
+param isSensitiveDataDiscoveryEnabled string = 'true'
+
+@description('Select a Defender for Key Vault plan.')
+@allowed([
+  'PerTransaction'
+  'PerKeyVault'
+])
+param keyVaultSubPlan string = 'PerTransaction'
+
+@description('Select a Defender for Resource Manager plan.')
+@allowed([
+  'PerSubscription'
+  'PerApiCall'
+])
+param resourceManagerSubPlan string = 'PerApiCall'
+
+// =========== //
+// Variables for enabling policies selectively //
+// =========== //
+@description('Enable or disable the "Configure Azure Defender for servers to be enabled" policy.')
+param enableAscForServers bool = false
+
+@description('Enable or disable the "Configure Microsoft Defender for Storage to be enabled" policy.')
+param enableAscForStorage bool = false
+
+@description('Enable or disable the "Configure Microsoft Defender for Key Vault plan" policy.')
+param enableAscForKeyVault bool = false
+
+@description('Enable or disable the "Configure Azure Defender for Resource Manager to be enabled" policy.')
+param enableAscForArm bool = false
+
+// =========== //
+// Deployments //
+// =========== //
+resource initiative 'Microsoft.Authorization/policySetDefinitions@2023-04-01' = {
+  name: initiativeName
+  properties: {
+    displayName: initiativeDisplayName
+    description: initiativeDescription
+    version: '1.0.0'
+    metadata: {
+      category: initiativeCategory
+      version: '1.0.0'
+    }
+    policyDefinitions: concat(
+      [
+        {
+          policyDefinitionReferenceId: 'EnsureContactEmail'
+          policyDefinitionId: tenantResourceId('Microsoft.Authorization/policyDefinitions', '4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7')
+          parameters: {
+            effect: {
+              value: 'AuditIfNotExists'
+            }
+          }
+        }
+      ],
+      enableAscForServers
+        ? [
+            {
+              policyDefinitionReferenceId: 'DefenderForServers'
+              policyDefinitionId: tenantResourceId(
+                'Microsoft.Authorization/policyDefinitions',
+                '8e86a5b6-b9bd-49d1-8e21-4bb8a0862222'
+              )
+              parameters: {
+                effect: {
+                  value: effect
+                }
+              }
+            }
+          ]
+        : [],
+      enableAscForStorage
+        ? [
+            {
+              policyDefinitionReferenceId: 'DefenderForStorage'
+              policyDefinitionId: tenantResourceId(
+                'Microsoft.Authorization/policyDefinitions',
+                'cfdc5972-75b3-4418-8ae1-7f5c36839390'
+              )
+              parameters: {
+                effect: {
+                  value: effect
+                }
+                isOnUploadMalwareScanningEnabled: {
+                  value: isOnUploadMalwareScanningEnabled
+                }
+                capGBPerMonthPerStorageAccount: {
+                  value: capGBPerMonthPerStorageAccount
+                }
+                isSensitiveDataDiscoveryEnabled: {
+                  value: isSensitiveDataDiscoveryEnabled
+                }
+              }
+            }
+          ]
+        : [],
+      enableAscForKeyVault
+        ? [
+            {
+              policyDefinitionReferenceId: 'DefenderForKeyVault'
+              policyDefinitionId: tenantResourceId(
+                'Microsoft.Authorization/policyDefinitions',
+                '1f725891-01c0-420a-9059-4fa46cb770b7'
+              )
+              parameters: {
+                effect: {
+                  value: effect
+                }
+                subPlan: {
+                  value: keyVaultSubPlan
+                }
+              }
+            }
+          ]
+        : [],
+        enableAscForArm ? [
+          {
+            policyDefinitionReferenceId: 'DefenderForARM'
+            policyDefinitionId: tenantResourceId(
+              'Microsoft.Authorization/policyDefinitions',
+              'b7021b2b-08fd-4dc0-9de7-3c6ece09faf9'
+            )
+            parameters: {
+              effect: {
+                value: effect
+              }
+              subPlan: {
+                value: resourceManagerSubPlan
+              }
+            }
+          }
+        ]:[]
+    )
+
+  }
+}