Azure-Samples
diff --git a/‎.github/dependabot.yml‎
Lines changed: 3 additions & 3 deletions b/‎.github/dependabot.yml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎.github/workflows/azure-dev.yml‎
Lines changed: 59 additions & 61 deletions b/‎.github/workflows/azure-dev.yml‎
Lines changed: 59 additions & 61 deletions
diff --git a/‎.github/workflows/terraform-validate.yml‎
Lines changed: 5 additions & 5 deletions b/‎.github/workflows/terraform-validate.yml‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎.github/workflows/test-runner.yaml‎
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/test-runner.yaml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎README.md‎
Lines changed: 13 additions & 5 deletions b/‎README.md‎
Lines changed: 13 additions & 5 deletions
diff --git a/‎azd-hooks/scripts/hooks/postprovision/deploy_power_platform_solution.ps1‎
Lines changed: 1 addition & 1 deletion b/‎azd-hooks/scripts/hooks/postprovision/deploy_power_platform_solution.ps1‎
Lines changed: 1 addition & 1 deletion
@@ -7,7 +7,7 @@ updates:
     commit-message:
       prefix: "chore(deps):"
     groups:
-      all-dependencies:
+      devcontainer:
         patterns:
           - "*"
   - package-ecosystem: "terraform"
@@ -19,7 +19,7 @@ updates:
     commit-message:
       prefix: "chore(deps):"
     groups:
-      all-dependencies:
+      terraform-providers:
         patterns:
           - "*"
   - package-ecosystem: "github-actions"
@@ -29,6 +29,6 @@ updates:
     commit-message:
       prefix: "chore(deps):"
     groups:
-      all-dependencies:
+      github-actions:
         patterns:
           - "*"
@@ -23,6 +23,8 @@ on:
 # GitHub Actions workflow to deploy to Azure using azd
 
 permissions:
+  actions: read # Needed for uploading SARIF reports
+  security-events: write  # Needed for uploading SARIF reports
   id-token: write
   contents: read
 
@@ -37,23 +39,23 @@ jobs:
 
     steps:
       - name: Checkout the branch ${{ github.ref_name }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ github.ref_name }}
 
       - name: Install azd
-        uses: Azure/setup-azd@v2
+        uses: Azure/setup-azd@ae0f8b5482eeac61e940f447327d84c73beb8b1e # v2.1.0
         with:
           version: '1.17.2'  # Specify your desired azd version here
 
       - name: Install Terraform
-        uses: hashicorp/setup-terraform@v3
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
         with:
           terraform_version: 1.9.0
 
 
       - name: Install TFLint
-        uses: terraform-linters/setup-tflint@v4
+        uses: terraform-linters/setup-tflint@90f302c255ef959cbfb4bd10581afecdb7ece3e6 # v4.1.1
         with:
           tflint_version: v0.49.0
           github_token: ${{ secrets.GITHUB_TOKEN }}  # Used to avoid rate
@@ -68,84 +70,80 @@ jobs:
           gitleaks version
 
       - name: Setup .NET SDK
-        uses: actions/setup-dotnet@v4
+        uses: actions/setup-dotnet@55ec9447dda3d1cf6bd587150f3262f30ee10815 # v3.4.2
         with:
           dotnet-version: '8.0.x'
 
+      - name: Install Power Platform Tools
+        uses: microsoft/powerplatform-actions/actions-install@51f663ea104eb227c3712215ceb2f82827d81c27 # v1.9.0
+      
       - name: Install Power Platform CLI
         run: |
-          dotnet tool install --global Microsoft.PowerApps.CLI.Tool
+          dotnet tool install --global Microsoft.PowerApps.CLI.Tool --version 1.44.2
           pac help
 
+
       - name: Set Up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # 5.6.0
         with:
           python-version: "3.x"
 
       - name: Install Checkov
         run: pip install checkov
 
-
       - name: Login to Azure with Federated Identity
-        uses: azure/login@v2
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
         with:
           client-id: ${{ vars.AZURE_CLIENT_ID }}
           tenant-id: ${{ vars.AZURE_TENANT_ID }}
           subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
 
       - name: Provision Infrastructure
         env:
-          POWER_PLATFORM_USE_CLI: false
-          AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
-          RS_STORAGE_ACCOUNT: ${{ vars.RS_STORAGE_ACCOUNT }}
-          RS_CONTAINER_NAME: ${{ vars.RS_CONTAINER_NAME }}
-          RS_RESOURCE_GROUP: ${{ vars.RS_RESOURCE_GROUP }}
-          RESOURCE_SHARE_USER: ${{ vars.RESOURCE_SHARE_USER }}
+          POWER_PLATFORM_USE_OIDC: "true"
+          POWER_PLATFORM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
+          POWER_PLATFORM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
+
           ARM_USE_AZUREAD: "true"
           ARM_STORAGE_USE_AZUREAD: "true"
           ARM_USE_OIDC: "true"
           ARM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
           ARM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
           ARM_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
-          POWER_PLATFORM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
-          POWER_PLATFORM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
-          POWER_PLATFORM_USE_OIDC: "true"
+          AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+          
+          RS_STORAGE_ACCOUNT: ${{ vars.RS_STORAGE_ACCOUNT }}
+          RS_CONTAINER_NAME: ${{ vars.RS_CONTAINER_NAME }}
+          RS_RESOURCE_GROUP: ${{ vars.RS_RESOURCE_GROUP }}
+          
+          RESOURCE_SHARE_USER: ${{ vars.RESOURCE_SHARE_USER }}
+      
           GITHUB_PAT: ${{ secrets.MCS_RUNNER }}
           GITHUB_REPO_OWNER: ${{ github.repository_owner }}
           GITHUB_REPO_NAME: ${{ github.event.repository.name }}
           GITHUB_RUNNER_IMAGE_NAME: "github-runner"
           GITHUB_RUNNER_IMAGE_TAG: "latest"
           GITHUB_RUNNER_IMAGE_BRANCH: ${{ github.ref_name }}
-        shell: pwsh
+        shell: bash
         run: |
           azd config set auth.useAzCliAuth "true"
-          azd env new $env:AZURE_ENV_NAME --location $env:AZURE_LOCATION --no-prompt
-          azd env set RESOURCE_SHARE_USER "$env:RESOURCE_SHARE_USER"
-          azd env set POWER_PLATFORM_USE_CLI "false"
-
-          azd env set RS_STORAGE_ACCOUNT $env:RS_STORAGE_ACCOUNT
-          azd env set RS_CONTAINER_NAME $env:RS_CONTAINER_NAME
-          azd env set RS_RESOURCE_GROUP $env:RS_RESOURCE_GROUP
-
-          azd env set GITHUB_PAT $env:GITHUB_PAT
-          azd env set GITHUB_REPO_OWNER $env:GITHUB_REPO_OWNER
-          azd env set GITHUB_REPO_NAME $env:GITHUB_REPO_NAME
-          azd env set GITHUB_RUNNER_IMAGE_NAME $env:GITHUB_RUNNER_IMAGE_NAME
-          azd env set GITHUB_RUNNER_IMAGE_TAG $env:GITHUB_RUNNER_IMAGE_TAG
-          azd env set GITHUB_RUNNER_IMAGE_BRANCH $env:GITHUB_RUNNER_IMAGE_BRANCH
+          azd env new "$AZURE_ENV_NAME" --location "$AZURE_LOCATION" --no-prompt
+          azd env set RESOURCE_SHARE_USER "$RESOURCE_SHARE_USER"
 
+          azd env set RS_STORAGE_ACCOUNT "$RS_STORAGE_ACCOUNT"
+          azd env set RS_CONTAINER_NAME "$RS_CONTAINER_NAME"
+          azd env set RS_RESOURCE_GROUP "$RS_RESOURCE_GROUP"
 
-          azd env set GITHUB_PAT $env:GITHUB_PAT
-          azd env set GITHUB_REPO_OWNER $env:GITHUB_REPO_OWNER
-          azd env set GITHUB_REPO_NAME $env:GITHUB_REPO_NAME
-          azd env set GITHUB_RUNNER_IMAGE_NAME $env:GITHUB_RUNNER_IMAGE_NAME
-          azd env set GITHUB_RUNNER_IMAGE_TAG $env:GITHUB_RUNNER_IMAGE_TAG
-          azd env set GITHUB_RUNNER_IMAGE_BRANCH $env:GITHUB_RUNNER_IMAGE_BRANCH
+          azd env set GITHUB_PAT "$GITHUB_PAT"
+          azd env set GITHUB_REPO_OWNER "$GITHUB_REPO_OWNER"
+          azd env set GITHUB_REPO_NAME "$GITHUB_REPO_NAME"
+          azd env set GITHUB_RUNNER_IMAGE_NAME "$GITHUB_RUNNER_IMAGE_NAME"
+          azd env set GITHUB_RUNNER_IMAGE_TAG "$GITHUB_RUNNER_IMAGE_TAG"
+          azd env set GITHUB_RUNNER_IMAGE_BRANCH "$GITHUB_RUNNER_IMAGE_BRANCH"
 
           azd provision --no-prompt
 
-
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: success() || failure()
         with:
           name: sarif-reports
@@ -154,42 +152,42 @@ jobs:
             ./checkov-results.sarif/results_sarif.sarif
 
       - name: Upload Gitleaks SARIF report to Github
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@9b02dc2f60288b463e7a66e39c78829b62780db7 # v2.22.1
         with:
           sarif_file: ./gitleaks-report.sarif
 
 
       - name: Upload Checkov SARIF Report to GitHub
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@9b02dc2f60288b463e7a66e39c78829b62780db7 # v2.22.1
         with:
           sarif_file: ./checkov-results.sarif/results_sarif.sarif
 
-
       - name: Azd down
-        if: ${{ github.event.inputs.run_azd_down == true }}
+        if: ${{ github.event.inputs.run_azd_down == 'true' }}
         env:
-          POWER_PLATFORM_USE_CLI: false
-          AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
-          RS_STORAGE_ACCOUNT: ${{ vars.RS_STORAGE_ACCOUNT }}
-          RS_CONTAINER_NAME: ${{ vars.RS_CONTAINER_NAME }}
-          RS_RESOURCE_GROUP: ${{ vars.RS_RESOURCE_GROUP }}
-          RESOURCE_SHARE_USER: ${{ vars.RESOURCE_SHARE_USER }}
+          POWER_PLATFORM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
+          POWER_PLATFORM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
+          POWER_PLATFORM_USE_OIDC: "true"
+
           ARM_USE_AZUREAD: "true"
           ARM_STORAGE_USE_AZUREAD: "true"
           ARM_USE_OIDC: "true"
           ARM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
           ARM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
           ARM_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
-          POWER_PLATFORM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
-          POWER_PLATFORM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
-          POWER_PLATFORM_USE_OIDC: "true"
-        shell: pwsh
-        run: |
+          AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
 
-          azd env set RS_STORAGE_ACCOUNT $env:RS_STORAGE_ACCOUNT
-          azd env set RS_CONTAINER_NAME $env:RS_CONTAINER_NAME
-          azd env set RS_RESOURCE_GROUP $env:RS_RESOURCE_GROUP
-          azd env set RESOURCE_SHARE_USER "$env:RESOURCE_SHARE_USER"
+          RS_STORAGE_ACCOUNT: ${{ vars.RS_STORAGE_ACCOUNT }}
+          RS_CONTAINER_NAME: ${{ vars.RS_CONTAINER_NAME }}
+          RS_RESOURCE_GROUP: ${{ vars.RS_RESOURCE_GROUP }}
+          RESOURCE_SHARE_USER: ${{ vars.RESOURCE_SHARE_USER }}
+          
+        shell: bash
+        run: |
+          azd env set RS_STORAGE_ACCOUNT "$RS_STORAGE_ACCOUNT"
+          azd env set RS_CONTAINER_NAME "$RS_CONTAINER_NAME"
+          azd env set RS_RESOURCE_GROUP "$RS_RESOURCE_GROUP"
+          azd env set RESOURCE_SHARE_USER "$RESOURCE_SHARE_USER"
 
-          azd env select $env:AZURE_ENV_NAME
+          azd env select "$AZURE_ENV_NAME"
           azd down --no-prompt --force --purge
@@ -52,7 +52,7 @@ jobs:
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
         with:
-          terraform_version: "1.12.2"  # Pinning specific version is recommended
+          terraform_version: "1.9.0"  # Pinning specific version
 
       - name: Terraform Init
         id: tf-init
@@ -89,7 +89,7 @@ jobs:
         working-directory: ./infra
 
       - name: Setup TFLint
-        uses: terraform-linters/setup-tflint@v4
+        uses: terraform-linters/setup-tflint@90f302c255ef959cbfb4bd10581afecdb7ece3e6 # v4.1.1
         with:
           tflint_version: v0.49.0  # Specify a version (recommended)
           github_token: ${{ secrets.GITHUB_TOKEN }}  # Used to avoid rate limiting
@@ -121,7 +121,7 @@ jobs:
 
       - name: GitLeaks Scan
         id: gitleaks
-        uses: gitleaks/gitleaks-action@v2
+        uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
@@ -132,7 +132,7 @@ jobs:
 
       - name: Upload GitLeaks SARIF report
         if: success() || failure()  # Upload even if GitLeaks finds issues
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@9b02dc2f60288b463e7a66e39c78829b62780db7 # v2.22.1
         with:
           directory: ./  # Ensure the report path is correct
           sarif_file: results.sarif
@@ -151,7 +151,7 @@ jobs:
 
       - name: Upload Checkov SARIF report
         if: success() || failure()  # Upload even if Checkov finds issues
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@9b02dc2f60288b463e7a66e39c78829b62780db7 # v2.22.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
 
@@ -39,7 +39,7 @@ jobs:
 
     steps:
       - name: Checkout the branch ${{ github.ref_name }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ github.ref_name }}
 
@@ -110,7 +110,7 @@ jobs:
         continue-on-error: true # Continue even if tests fail to ensure artifacts are uploaded
 
       - name: Upload test results as workflow artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: (!cancelled()) # Upload artifacts even if tests fail
         with:
           name: pytest-test-results
@@ -120,7 +120,7 @@ jobs:
           retention-days: 30
 
       - name: Publish pytest test results
-        uses: dorny/test-reporter@v2
+        uses: dorny/test-reporter@dc3a92680fcc15842eef52e8c4606ea7ce6bd3f3 # v2.1.1
         if: (!cancelled()) # Run even if tests fail
         with:
           name: Azure AI Search E2E Tests
 
@@ -75,9 +75,17 @@ This architecture ensures that sensitive enterprise data never traverses public
   - [**Copilot in Power Apps**](https://learn.microsoft.com/en-us/power-apps/maker/canvas-apps/ai-overview?WT.mc_id=ppac_inproduct_settings): Enable this setting to allow AI-powered assistance within Power Apps development
   - [**Publish Copilots with AI features**](https://learn.microsoft.com/en-us/microsoft-copilot-studio/security-and-governance): Allow Copilot authors to publish from Copilot Studio when AI features are enabled  
 - **Power Platform licenses**. The designated user must have the following Power Platform licenses assigned:
-  - Microsoft Power Apps
-  - Power Automate  
-  - Copilot Studio
+    - **Microsoft Power Apps**
+    - **Power Automate**
+    - **Copilot Studio**
+
+    To simplify license management, you can use an Azure subscription with a Billing Policy instead of assigning licenses directly. Configure this by using the following flag:
+
+    ```shell
+    azd env set USE_BILLING_POLICY "true"
+    ```
+
+    **Note:** After creating the Billing Policy, navigate to the [Power Platform Admin Center](https://aka.ms/ppac) and ensure that the *Copilot Studio* product is selected. This is a known issue that will be addressed in future updates.
 
 ### User Configuration
 
@@ -125,6 +133,7 @@ A related option is VS Code Dev Containers, which will open the project in your
 
 1. Install the required tools:
 
+    - [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli-windows?view=azure-cli-latest&pivots=winget) - Required for managing Azure resources and authentication
     - [Azure Developer CLI](https://learn.microsoft.com/en-us/azure/developer/azure-developer-cli/install-azd) - Platform-specific installers available via package managers or direct download
     - [PowerShell 7](https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell?view=powershell-7.5) - Required for non-Windows systems; Windows users may use built-in PowerShell
     - [.NET 8.0 SDK](https://dotnet.microsoft.com/en-us/download/dotnet/8.0) - Includes .NET CLI, runtime, and development tools
@@ -149,7 +158,7 @@ A related option is VS Code Dev Containers, which will open the project in your
 
 The steps below will provision Azure and Power Platform resources and will deploy Copilot Studio bot.
 
-1. Login to you Azure and config azd to use Az CLI authentication:
+1. Login to your Azure account and config azd to use Az CLI authentication:
 
     ```shell
     az login --service-principal --username <SP_CLIENT_ID> --password <SP_SECRET> --tenant <TENANT_ID>
@@ -160,7 +169,6 @@ The steps below will provision Azure and Power Platform resources and will deplo
 
     ```shell
     pac auth create --name az-cli-auth --applicationId <SP_CLIENT_ID> --clientSecret <SP_SECRET> --tenant <TENANT_ID> --accept-cleartext-caching
-    export POWER_PLATFORM_USE_CLI="true"
     ```
 
     *Note: the `pac auth create` command may return a warning about being unable to connect to a Dataverse organization. This is expected, and will not impact the deployment.*
 
@@ -26,7 +26,7 @@
     ID of the Power Platform environment to deploy to
 
 .PARAMETER RunSolutionChecker
-    Whether to run solution checker after deployment (default: true)
+    Whether to run solution checker after deployment (default: false)
 
 .PARAMETER AISearchConnectionId
     Direct connection ID for the Azure AI Search connector (highest priority)