Overview/Summary
Adding logic for DSC package to properly handle AAD scenarios.
Updating default domain join credentials when using AAD.
Changes on NTFS permissions applied for AAD scenarios:

Old:

```powershell
Write-Log "setting up NTFS permission for FSLogix"
icacls ${DriveLetter}: /remove "BUILTIN\Administrators"
icacls ${DriveLetter}: /grant "Creator Owner:(OI)(CI)(IO)(M)"
icacls ${DriveLetter}: /remove "Authenticated Users"
icacls ${DriveLetter}: /remove "Builtin\Users"
Write-Log "ACLs set"

# AVD group permissions
if ($SecurityPrincipalName -eq 'none' -or $IdentityServiceProvider -eq 'AAD') {
    Write-Log "AD group not provided or using Microsoft Entra ID joined session hosts, ACLs for AD group not set"
}
else {
    $Group = $DomainName + '\' + $SecurityPrincipalName
    icacls ${DriveLetter}: /grant "${Group}:(M)"
    Write-Log "AD group $Group ACLs set"
}
```

New:

```powershell
Write-Log "setting up NTFS permission for FSLogix"
icacls ${DriveLetter}: /inheritance:r
icacls ${DriveLetter}: /remove "BUILTIN\Administrators"
icacls ${DriveLetter}: /grant "Creator Owner:(OI)(CI)(IO)(M)"
icacls ${DriveLetter}: /remove "BUILTIN\Users"
Write-Log "ACLs set"

# AVD group permissions
if ($SecurityPrincipalName -eq 'none' -or $IdentityServiceProvider -eq 'AAD') {
    Write-Log "AD group not provided or using Microsoft Entra ID joined session hosts, ACLs for AD group not set"
}
else {
    icacls ${DriveLetter}: /remove "Authenticated Users"
    $Group = $DomainName + '\' + $SecurityPrincipalName
    icacls ${DriveLetter}: /grant "${Group}:(M)"
    Write-Log "AD group $Group ACLs set"
}
```
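An added verification helper, not part of this PR or of the DSC package, that reads the resulting ACL back with Get-Acl and reports anything that deviates from what the icacls sequence in this PR is meant to leave on the FSLogix drive. It assumes the DSC script's own variables ($DriveLetter, $DomainName, $SecurityPrincipalName, $IdentityServiceProvider) and the same 'none' / 'AAD' branching:

```powershell
# Added check, not part of this PR: read back the ACL on the FSLogix drive and
# report anything that deviates from the state the new icacls sequence should leave.
# Assumes the DSC script's variables: $DriveLetter, $DomainName,
# $SecurityPrincipalName ('none' when no AD group is given) and $IdentityServiceProvider.
function Test-FSLogixAcl {
    param(
        [Parameter(Mandatory)] [string] $DriveLetter,
        [string] $DomainName,
        [string] $SecurityPrincipalName = 'none',
        [string] $IdentityServiceProvider = 'ADDS'
    )
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $acl = Get-Acl -Path "${DriveLetter}:\"
    $findings = @()
    $aadJoined = ($SecurityPrincipalName -eq 'none' -or $IdentityServiceProvider -eq 'AAD')

    # icacls /inheritance:r leaves only explicit ACEs on the root
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'inherited ACEs are still present (/inheritance:r did not take effect)'
    }

    # Principals the script removes must not hold an ACE. "Authenticated Users" is only
    # removed in the AD branch, where the AD group is granted Modify in its place.
    $mustBeAbsent = @('BUILTIN\Administrators', 'BUILTIN\Users')
    if (-not $aadJoined) { $mustBeAbsent += 'NT AUTHORITY\Authenticated Users' }
    foreach ($principal in $mustBeAbsent) {
        if ($acl.Access | Where-Object { $_.IdentityReference.Value -eq $principal }) {
            $findings += "unexpected ACE for $principal"
        }
    }

    # Creator Owner:(OI)(CI)(IO)(M) => Modify, inherit-only: owners get rights on the
    # folders and files they create, not on the share root itself.
    $ownerAce = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'CREATOR OWNER' -and
        ($_.FileSystemRights -band $modify) -eq $modify -and
        ($_.PropagationFlags -band $inheritOnly) -eq $inheritOnly
    }
    if (-not $ownerAce) { $findings += 'CREATOR OWNER lacks Modify with inherit-only propagation' }

    # AD DS joined hosts: the AD group must hold Modify on the root
    if (-not $aadJoined) {
        $group = "$DomainName\$SecurityPrincipalName"
        $groupAce = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $group -and ($_.FileSystemRights -band $modify) -eq $modify
        }
        if (-not $groupAce) { $findings += "AD group $group lacks Modify" }
    }
    return $findings   # an empty array means the ACL matches the intended state
}
```

Run it once per scenario (AD group supplied vs. $IdentityServiceProvider 'AAD') on a test drive and attach the empty result as testing evidence; any returned string is a concrete ACE to fix.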
Breaking Changes

Renamed or added parameters on the storage bicep template:
- domainJoinUserPassword changed to adminUserPassword
- New: vmLocalUserName

DSC package parameter updates:
- DomainAdminUserName changed to AdminUserName
- DomainAdminUserPassword changed to AdminUserPassword
Testing Evidence

As part of this Pull Request I have
- [ ] Read the Contribution Guide and ensured this PR is compliant with the guide
- [ ] Ensured the resource API versions in .bicep file/s I am adding/editing are using the latest API version possible