Added steps to install AzTS with central storage account
SINIKI committed Sep 22, 2021
1 parent a95fd64 commit c762e4a
Showing 7 changed files with 15 additions and 33 deletions.
3 changes: 0 additions & 3 deletions 01-Setup and getting started/README.md
Expand Up @@ -306,8 +306,6 @@ $DeploymentResult = Install-AzSKTenantSecuritySolution `
[-EnableAzTSUI] `
[-EnableVnetIntegration] `
[-EnableWAF] `
[-EnableCentralVisibility] `
[-CentralStorageAccountConnectionString <string>] `
-Verbose
<# Note : Parameters that are provided in square brackets[] in the above installation command are optional parameters. UIAzureADAppId and WebAPIAzureADAppId are mandatory parameters if you are enabling AzTSUI and WAF.
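Review bot: the usage block now lists `[-CentralStorageAccountConnectionString <string>]` as optional, but the note that follows only calls out UIAzureADAppId and WebAPIAzureADAppId as conditionally mandatory; it should also say that this parameter cannot be combined with `-EnableVnetIntegration` (the cross-tenant README in this same commit states that central visibility is not supported with VNet integration) and that the value is a full storage connection string carrying the account key, so it should not be left in shell history or in a saved copy of the install script.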
Expand Down Expand Up @@ -382,7 +380,6 @@ For '-WebAPIAzureADAppId' and '-UIAzureADAppId' parameter,
|EnableAzTSUI | Switch to enable AzTS UI. AzTS UI is created to see compliance status for subscription owners and perform adhoc scan. |FALSE|
|EnableVnetIntegration | Switch to enable VNet integration for AzTS setup. Enabling VNet integration for AzTS setup, ensures that all critical resources like storage, function apps, log analytics workspace etc that are part of AzTS setup, are not accessible over public internet. |FALSE|
|EnableWAF | Switch to enable Web Application Firewall (WAF) for AzTS UI and API. To provide additional security and to protect web applications from common exploits and vulnerabilities, it is recommended to enable WAF. By default [managed rule sets](https://docs.microsoft.com/en-us/azure/web-application-firewall/afds/afds-overview#azure-managed-rule-sets) are configured and prevention mode is enabled for your WAF policy. You can create [custom rules](https://docs.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-create-portal#custom-rules) for your WAF policy as per your requirement. |FALSE|
|EnableCentralVisibility|Switch to enable central visibility of AzTS scan logs. On enabling this switch, you have to also provide `CentralStorageAccountConnectionString` which is the connection string of the storage account. Read more about this workflow [here](../05-Cross-tenant%20subscription%20scan/README.md#3-onboard-azts-solution-per-tenant-with-central-visibility-for-scan-result).|FALSE|
|CentralStorageAccountConnectionString|Connection string of the storage account to be used to store the scan logs centrally.|FALSE|
|Verbose| Switch used to output detailed log |FALSE|

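Review bot: the `CentralStorageAccountConnectionString` row gives its default as FALSE, which only made sense for the removed `EnableCentralVisibility` switch; for a string parameter the default is empty (not set), and the description should state that supplying it is what switches the setup to central-visibility mode and that it is mutually exclusive with `EnableVnetIntegration`. The link to the cross-tenant README that lived in the removed row (`../05-Cross-tenant%20subscription%20scan/README.md#3-onboard-azts-solution-per-tenant-with-central-visibility-for-scan-result`) should move into this row rather than disappear.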
7 changes: 2 additions & 5 deletions 05-Cross-tenant subscription scan/README.md
Expand Up @@ -80,18 +80,15 @@ After access is provided to target subscription, next scheduled trigger will pic

To overcome limitation of second approach and to get visibility across trusted tenants, you can install standalone AzTS setup per tenant and leverage central repository to get security scan telemetry.

Below diagram depicts high level flow for Azure Lighthouse approach
Below diagram depicts high level flow for central visibility approach

![Internals](../Images/05-CrossTenant_CentralVisibility_StorageAccount.png)

Follow below steps to onboard AzTS Solution per Tenant with central visibility:

a. To onboard AzTS Solution per Tenant, you will need to follow [setup steps](/01-Setup%20and%20getting%20started/README.md) for each Tenant. In [Step 6 of 6. Run Setup Command]() of this guide, you will have to run the installation command `Install-AzSKTenantSecuritySolution` with following parameter to store logs in the central storage account:
1. `-EnableCentralVisibility`: Switch to configure the standalone AzTS setup to use central storage account for storing the scan results.
2. `-CentralStorageAccountConnectionString`: Connection string of the central storage account.
a. To onboard AzTS Solution per Tenant, you will need to follow [setup steps](/01-Setup%20and%20getting%20started/README.md) for each Tenant. In [Step 6 of 6. Run Setup Command]() of this guide, you will have to run the installation command `Install-AzSKTenantSecuritySolution` with `-CentralStorageAccountConnectionString` parameter to store logs in the central storage account.

> _Note:_
> 1. _Currently, central visibility option is not supported with **VNet integration** feature._
> 2. _If you are using [Control metadata editor tool (CMET)](../06-Customizing%20AzTS%20for%20your%20org/Extending%20AzTS/Prerequisites.md#access-to-cmet-control-metadata-editor-tool), then please ensure that this editor is only enabled in your central tenant._

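Review bot: the `[Step 6 of 6. Run Setup Command]()` link in step a has an empty target, both before and after this change; point it at the setup README already linked earlier in the sentence (`/01-Setup%20and%20getting%20started/README.md`) or drop the brackets. The step should also say what the parameter value is: a full connection string with `AccountKey=` for the central account, which gives every per-tenant function app key-based access to that one account, so the reader knows to scope and rotate that key. The diagram caption fix (Lighthouse to central visibility) is correct.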
Binary file modified Images/05-CrossTenant_CentralVisibility_StorageAccount.png
Binary file modified TemplateFiles/DeploymentFiles.zip
Binary file not shown.
22 changes: 9 additions & 13 deletions TemplateFiles/DeploymentFiles/AzTSDeploymentTemplate.json
Expand Up @@ -258,10 +258,6 @@
"WebAppEndpointSuffix":{
"type": "string"
},
"EnableCentralVisibility": {
"type" : "bool",
"defaultValue": false
},
"CentralStorageAccountConnectionString": {
"type" : "string"
}
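Review bot: `CentralStorageAccountConnectionString` stays declared as `"type": "string"` with no `defaultValue`; it carries a storage account key, so it should be `"type": "securestring"` (ARM then keeps it out of the deployment history and template outputs), and because the template now branches on `empty(parameters('CentralStorageAccountConnectionString'))` instead of the removed `EnableCentralVisibility` bool, it needs `"defaultValue": ""` so that anyone deploying the template directly without the parameter still gets the standalone path rather than a validation error.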
Expand Down Expand Up @@ -778,7 +774,7 @@
"appSettings": [
{
"name": "AzureWebJobsStorage",
"value": "[if(parameters('EnableCentralVisibility'), parameters('CentralStorageAccountConnectionString'), concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageName')), '2019-06-01').keys[0].value))]"
"value": "[if(empty(parameters('CentralStorageAccountConnectionString')), concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageName')), '2019-06-01').keys[0].value), parameters('CentralStorageAccountConnectionString'))]"
},
{
"name": "AuthNSettings__ScannerIdentityConnectionString",
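Review bot: routing `AzureWebJobsStorage` to the central account means the Functions host of every per-tenant deployment keeps its host locks, timer-trigger status and lease blobs in one shared account; if two per-tenant function apps resolve to the same host ID (derived from the first 32 characters of the site name), their timer triggers will contend for the same lease. Unless sharing host storage is intentional, keep `AzureWebJobsStorage` on the local `variables('storageName')` account and use the central connection string only for `AzureStorageSettings__ConnectionString`; if it is intentional, set a distinct `AzureFunctionsWebHost__hostid` per deployment.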
Expand Down Expand Up @@ -834,11 +830,11 @@
},
{
"name": "AzureStorageSettings__ResourceId",
"value": "[if(parameters('EnableCentralVisibility'), json('null'), resourceId('Microsoft.Storage/storageAccounts/', variables('storageName')))]"
"value": "[if(empty(parameters('CentralStorageAccountConnectionString')), resourceId('Microsoft.Storage/storageAccounts/', variables('storageName')), json('null'))]"
},
{
"name": "AzureStorageSettings__ConnectionString",
"value": "[if(parameters('EnableCentralVisibility'), parameters('CentralStorageAccountConnectionString'), json('null'))]"
"value": "[if(empty(parameters('CentralStorageAccountConnectionString')), json('null'), parameters('CentralStorageAccountConnectionString'))]"
},
{
"name": "AzureStorageSettings__QueueName",
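Review bot: with `AzureStorageSettings__ResourceId` nulled and `AzureStorageSettings__ConnectionString` populated, the app cannot use its managed identity against the central account and depends entirely on the embedded key sitting in plain app settings; prefer a Key Vault reference (`@Microsoft.KeyVault(SecretUri=...)`) for that setting, or grant the per-tenant identity a data-plane role on the central account and keep the `ResourceId` path. Since `listKeys()` cannot be used in the variables section, at least compute `empty(parameters('CentralStorageAccountConnectionString'))` once in a variable such as `useLocalStorage` so the three app-setting blocks share one condition.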
Expand Down Expand Up @@ -1073,7 +1069,7 @@
},
{
"name": "AzureWebJobsStorage",
"value": "[if(parameters('EnableCentralVisibility'), parameters('CentralStorageAccountConnectionString'), concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageName')), '2019-06-01').keys[0].value))]"
"value": "[if(empty(parameters('CentralStorageAccountConnectionString')), concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageName')), '2019-06-01').keys[0].value), parameters('CentralStorageAccountConnectionString'))]"
},
{
"name": "AuthNSettings__ScannerIdentityConnectionString",
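Review bot: this is the second verbatim copy of the `if(empty(...), concat(...listKeys(...)...), parameters(...))` expression from the hunk at line 774, with a third at line 1268; the `listKeys()` call rules out a single variable for the whole value, but the condition itself can be a template variable so that a later fix is applied in one place. The host-storage sharing concern raised for the first copy applies unchanged to this function app.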
Expand Down Expand Up @@ -1109,11 +1105,11 @@
},
{
"name": "AzureStorageSettings__ResourceId",
"value": "[if(parameters('EnableCentralVisibility'), json('null'), resourceId('Microsoft.Storage/storageAccounts/', variables('storageName')))]"
"value": "[if(empty(parameters('CentralStorageAccountConnectionString')), resourceId('Microsoft.Storage/storageAccounts/', variables('storageName')), json('null'))]"
},
{
"name": "AzureStorageSettings__ConnectionString",
"value": "[if(parameters('EnableCentralVisibility'), parameters('CentralStorageAccountConnectionString'), json('null'))]"
"value": "[if(empty(parameters('CentralStorageAccountConnectionString')), json('null'), parameters('CentralStorageAccountConnectionString'))]"
},
{
"name": "AzureStorageSettings__QueueName",
Expand Down Expand Up @@ -1272,7 +1268,7 @@
},
{
"name": "AzureWebJobsStorage",
"value": "[if(parameters('EnableCentralVisibility'), parameters('CentralStorageAccountConnectionString'), concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageName')), '2019-06-01').keys[0].value))]"
"value": "[if(empty(parameters('CentralStorageAccountConnectionString')), concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageName')), '2019-06-01').keys[0].value), parameters('CentralStorageAccountConnectionString'))]"
},
{
"name": "AuthNSettings__ScannerIdentityConnectionString",
Expand Down Expand Up @@ -1308,11 +1304,11 @@
},
{
"name": "AzureStorageSettings__ResourceId",
"value": "[if(parameters('EnableCentralVisibility'), json('null'), resourceId('Microsoft.Storage/storageAccounts/', variables('storageName')))]"
"value": "[if(empty(parameters('CentralStorageAccountConnectionString')), resourceId('Microsoft.Storage/storageAccounts/', variables('storageName')), json('null'))]"
},
{
"name": "AzureStorageSettings__ConnectionString",
"value": "[if(parameters('EnableCentralVisibility'), parameters('CentralStorageAccountConnectionString'), json('null'))]"
"value": "[if(empty(parameters('CentralStorageAccountConnectionString')), json('null'), parameters('CentralStorageAccountConnectionString'))]"
},
{
"name": "LAConfigurations__ResourceId",
13 changes: 3 additions & 10 deletions TemplateFiles/DeploymentFiles/AzTSSetup.ps1
Expand Up @@ -30,9 +30,7 @@ function Install-AzSKTenantSecuritySolution
.PARAMETER TemplateParameters
Azure ARM template parameters used to deploy Azure Tenant Security Solution.
.PARAMETER SendUsageTelemetry
Usage telemetry captures anonymous usage data and sends it to Microsoft servers. This will help in improving the product quality and prioritize meaningfully on the highly used features."
.PARAMETER EnableCentralVisibility
Switch to enable central visibility of AzTS scan logs.
Usage telemetry captures anonymous usage data and sends it to Microsoft servers. This will help in improving the product quality and prioritize meaningfully on the highly used features.
.PARAMETER CentralStorageAccountConnectionString
Connection string of the storage account to be used to store the scan logs centrally.
.NOTES
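Review bot: the stray trailing `"` on the `SendUsageTelemetry` help text is fixed here; the `.PARAMETER CentralStorageAccountConnectionString` help should now carry the semantics of the removed `EnableCentralVisibility` switch, i.e. that providing it turns on central-visibility mode, and should state the two limitations recorded elsewhere in this commit (not supported with `-EnableVnetIntegration`, and not supported when the central account has network restrictions), since `Get-Help` is where users will look for them.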
Expand Down Expand Up @@ -136,10 +134,6 @@ function Install-AzSKTenantSecuritySolution
[Parameter(Mandatory = $false, HelpMessage="Switch to enable WAF. Resources required for implementing WAF will be deployed only if this switch is ON.")]
$EnableWAF = $false,

[switch]
[Parameter(Mandatory = $true, ParameterSetName = "CentralVisibility", HelpMessage="Switch to enable central visibility of AzTS scan logs.")]
$EnableCentralVisibility = $false,

[string]
[Parameter(Mandatory = $true, ParameterSetName = "CentralVisibility", HelpMessage="Connection string of the storage account to be used to store the scan logs centrally.")]
$CentralStorageAccountConnectionString
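Review bot: with the switch removed, `$CentralStorageAccountConnectionString` is still `Mandatory = $true` in the `CentralVisibility` parameter set; if no other named set exists and `CmdletBinding` does not declare a `DefaultParameterSetName`, every parameter belongs to that set and PowerShell will prompt for the connection string on every standalone install (and an empty answer is rejected for a mandatory `[string]`). Make it `Mandatory = $false` with no parameter set, which matches the `[string]::IsNullOrWhiteSpace` check the script already uses at line 623.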
Expand Down Expand Up @@ -374,7 +368,6 @@ function Install-AzSKTenantSecuritySolution
}

$TemplateParameters.Add("AzureEnvironmentName", $AzureEnvironmentName)
$TemplateParameters.Add("EnableCentralVisibility", $EnableCentralVisibility.IsPresent)
$TemplateParameters.Add("CentralStorageAccountConnectionString", $CentralStorageAccountConnectionString)

# Get package version
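Review bot: `$CentralStorageAccountConnectionString` is handed to the template as a plain string, so the account key lands in the deployment parameter record readable by anyone with read access to the resource group's deployment history; if the template parameter is changed to `securestring`, wrap the value with `ConvertTo-SecureString -AsPlainText -Force` here. The value is also not exercised until `New-AzStorageContext` runs in the queue-creation step at line 623, after the template deployment; a cheap sanity check (for example that it contains `AccountName=`) before `$TemplateParameters.Add(...)` would fail fast instead of deploying function apps wired to an unusable connection string.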
Expand Down Expand Up @@ -630,7 +623,7 @@ function Install-AzSKTenantSecuritySolution
try
{
Write-Verbose "$(Get-TimeStamp)Creating Storage queue in central storage account. This queue will be used to request subscription scan."
if($EnableCentralVisibility -eq $true -and ![string]::IsNullOrWhiteSpace($CentralStorageAccountConnectionString))
if(![string]::IsNullOrWhiteSpace($CentralStorageAccountConnectionString))
{
$storageContext = New-AzStorageContext -ConnectionString $CentralStorageAccountConnectionString -ErrorAction Stop
$storageQueue = Get-AzStorageQueue -Name $storageQueueName -Context $storageContext -ErrorAction SilentlyContinue
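Review bot: the `Write-Verbose "...Creating Storage queue in central storage account..."` line sits before the `if(![string]::IsNullOrWhiteSpace($CentralStorageAccountConnectionString))` check, so every standalone install now logs that a central queue is being created; move the message inside the `if`, and consider `-ErrorAction Stop` on `Get-AzStorageQueue` only where a real failure should abort rather than `SilentlyContinue`, which hides authentication and network errors that the later "network restrictions" message is trying to explain.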
Expand All @@ -650,7 +643,7 @@ function Install-AzSKTenantSecuritySolution
{
Write-Host $_.Exception.Message -ForegroundColor $([Constants]::MessageType.Error)
}
Write-Host "Failed to create storage queue [$($storageQueueName)] in central storage account. You can create this queue directly from portal with the name [$($storageQueueName)]. For steps to create a queue, please refer https://docs.microsoft.com/en-us/azure/storage/queues/storage-quickstart-queues-portal#create-a-queue.`n`nPlease note that central storage repository feature is currently not supported if your central storage account has network restrictions. In this case, you will have to switch to the standalone mode by running this installation command again without '-EnableCentralVisibility' parameter." -ForegroundColor $([Constants]::MessageType.Error)
Write-Host "Failed to create storage queue [$($storageQueueName)] in central storage account. You can create this queue directly from portal with the name [$($storageQueueName)]. For steps to create a queue, please refer https://docs.microsoft.com/en-us/azure/storage/queues/storage-quickstart-queues-portal#create-a-queue.`n`nPlease note that central storage repository feature is currently not supported if your central storage account has network restrictions. In this case, you will have to switch to the standalone mode by running this installation command again without '-CentralStorageAccountConnectionString' parameter." -ForegroundColor $([Constants]::MessageType.Error)
}


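Review bot: the failure here is reported with `Write-Host` but the install continues, and by this point the function apps have already been deployed with `AzureStorageSettings__ConnectionString` pointing at the central account (the template parameters are assembled at line 368), so a deployment whose queue could not be created is left half-configured; either terminate with a clear error or verify reachability of the central account before the template deployment. The advice to re-run "without `-CentralStorageAccountConnectionString`" also only works once that parameter is no longer mandatory in its parameter set (line 134).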
3 changes: 1 addition & 2 deletions TemplateFiles/DeploymentFiles/ExecutionScript.ps1
Expand Up @@ -225,8 +225,7 @@ $SendAlertNotificationToEmailIds = @('<EmailId1>', '<EmailId2>', '<EmailId3>')
# OTHER SUPPORTED PARAMETERS (read more about its usage in AzTS github doc):
# 1. -EnableVnetIntegration
# 2. -EnableWAF
# 3. -EnableCentralVisibility
# 4. -CentralStorageAccountConnectionString "<ConnectionString>"
# 3. -CentralStorageAccountConnectionString "<ConnectionString>"


# iii) Save internal user-assigned managed identity name generated using below command. This will be used to grant Graph permission to internal MI.
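Review bot: the example `-CentralStorageAccountConnectionString "<ConnectionString>"` invites pasting the account key into this script; add a comment that a filled-in copy of ExecutionScript.ps1 must not be saved or committed with the key, or show reading it at run time (`Read-Host -Prompt 'Central storage connection string'`) instead of an inline literal.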
