microsoft
diff --git a/‎LICENSE‎
Lines changed: 1 addition & 1 deletion b/‎LICENSE‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎README.md‎
Lines changed: 81 additions & 30 deletions b/‎README.md‎
Lines changed: 81 additions & 30 deletions
diff --git a/‎scripts/template.json‎
Lines changed: 11 additions & 11 deletions b/‎scripts/template.json‎
Lines changed: 11 additions & 11 deletions
@@ -18,4 +18,4 @@ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE
+SOFTWARE
@@ -1,11 +1,12 @@
 # Microsoft Assent
 ## Assent <sub>**A***pproval* **S***olution* **S***implified for* **ENT***erprise*<sub>
-Microsoft Assent (*a.k.a Approvals*) as a platform provides the “one stop shop” solution for approvers via a model that brings together disparate different approval requests in a consistent and ultra-modern model. Approvals delivers a unified approvals experience for any approval on multiple form factors - Website, Outlook Actionable email, Teams. It consolidates approvals across organization's line of business applications, building on modern technology and powered by Microsoft Azure. It serves as a showcase for solving modern IT scenarios using the latest technologies.
-- Payload API - Accepts payload from tenant system.
-- Audit Agent Processor - Logs the payload data into Cosmos db.
-- Primary Processor - Processes the payload pushed by payload API to service bus.
-- Notification Processor - Sends email notifications to Approvers/ Submitters.
-- Core API - Set of Web APIs to support the Approvals UI.
+Microsoft Assent (*a.k.a Approvals*) as a platform provides the "one stop shop" solution for approvers via a model that brings together disparate different approval requests in a consistent and ultra-modern model. Approvals delivers a unified approvals experience for any approval on multiple form factors - Website, Outlook Actionable email, Teams. It consolidates approvals across organization's line of business applications, building on modern technology and powered by Microsoft Azure. It serves as a showcase for solving modern IT scenarios using the latest technologies.
+- Payload Receiver Service API - Accepts payload from tenant system.
+- Audit Processor - Azure Function that logs the payload data into Azure Cosmos DB.
+- Primary Processor - Azure Function that processes the payload pushed by payload receiver service API to service bus.
+- Notification Processor - Azure Function that sends email notifications to Approvers/ Submitters as per configurations.
+- WatchdogProcessor - as per configurations from tenant sends reminder email notifications to Approvers for pending approvals as per configurations from tenant.
+- Core Services API - Set of Web APIs to support the Approvals UI.
 
 ## Getting Started
 
@@ -47,13 +48,13 @@ Step 3: Select 'Build your own template in the editor' and paste the content of
 
 ```
 Step 4: Save and go the next step. Select the subscription, resource group & location.
-Update the settings to update any of the parameter values if required and click on purchase 
+Update the settings to update any of the parameter values if required and click on purchase
 
 Note : If there is any failure, try re-deploying again before proceeding for any troubleshooting.
 ```
 
 ## Clean-up
-It might have happened that some of the resources which got created may be already present in your subscription. 
+It might have happened that some of the resources which got created may be already present in your subscription.
 In that case, you can continue to use the same and delete the newly created resources. (e.g. Storage Account, Application Insights, ServiceBus - In case of ServiceBus make sure to create the Topics in your exisiting ServiceBus namespace before deleting).
 
 The following table will help in deciding which components can be cleaned-up.
@@ -90,7 +91,6 @@ Step 1: Download the configuration file (AppCofiguration.json) from the samples
 ```
 Step 2: Add/update the values for the following keys in the JSON
 ```
-
 | Key Name | Source | In KeyVault ? |
 |--------|------|--------|
 | AADTenantId | Azure Active Directory (AAD) Tenant ID | No |
@@ -127,21 +127,21 @@ Step 2: Add/update the values for the following keys in the JSON
 | UrlPlaceholderTenants | [Optional] Int32 identifiers for simulating LoB apps in self-server portal | No |
 
 ```
-Step 3: Go to the App Configuration service on Azure Portal and select the resource 
+Step 3: Go to the App Configuration service on Azure Portal and select the resource
 where the configuration needs to be imported.
 ```
 ```
 Step 4: Go to 'Operations' -> 'Import/Export'
 ```
 ```
-Step 5: Select 'Import' in the toggle button and 
+Step 5: Select 'Import' in the toggle button and
 choose 'Configuration file' from the dropdown 'Source service'.
 ```
-``` 
+```
 Step 6: In the 'For language' drop down select 'Other'
 ```
 ```
-Step 7: Choose 'Json' as the value from the 'File type' dropdown and 
+Step 7: Choose 'Json' as the value from the 'File type' dropdown and
 select the 'AppConfiguration.json' updated in the previous step file from the File Explorer.
 ```
 ```
@@ -154,19 +154,19 @@ Select the 'Label' under which the configurations needs to be added (e.g., DEV)
 * For the Function Apps add/update the below AppSetting keys:
   > APPINSIGHTS_INSTRUMENTATIONKEY
   > > This is an instrumentation key of Application Insights which was created from ARM Template.
-  > 
-  > AzureAppConfiguration
-  > > This would be Key vault Reference to Azure App Configuration's connection string.
+  >
+  > AzureAppConfigurationUrl
+  > > This would be Azure App Configuration's endpoint URL.
   >
   > AppConfigurationLabel
   > > This would be Azure App Configuration's label value corresponding to the environment the App service is running for.
   >
   > AzureWebJobsStorage
   > > This would be Key vault Reference to storage account's connection string.
-  > 
+  >
   > AzureWebJobsDashboard
   > > This would be Key vault Reference to storage account's connection string.
-  > 
+  >
   > ComponentName
   > > Name of the component which could be name of the component like *ApprovalsPrimaryProcessor or ApprovalsNotificationProcessor*.
   >
@@ -181,36 +181,87 @@ Select the 'Label' under which the configurations needs to be added (e.g., DEV)
   > APPINSIGHTS_INSTRUMENTATIONKEY
   > > This is an instrumentation key of Application Insights which was created from ARM Template.
   >
-  > AzureAppConfiguration
-  > > This would be Key vault Reference to Azure App Configuration's connection string.
+  > AzureAppConfigurationUrl
+  > > This would be Azure App Configuration's endpoint URL.
   >
   > AppConfigurationLabel
   > > This would be Azure App Configuration's label value corresponding to the environment the App service is running for.
-  >  
+  >
   > ComponentName
   > > Name of the component which could be name of the component like *ApprovalsCoreServicesAPI or ApprovalsPayloadServiceAPI*.
   >
   > ValidAppIds
   > > This is AzureAD App's ClientIds which are authorized to access this component (; separated).
-  >  
+  >
 	```
     Note: The connection string should be the KeyVault url
     i.e. Enter the value in this format: @Microsoft.KeyVault(SecretUri=<keyvault Secret Identifier url for AzureAppConfigurationConnectionString>)
     ```
 #### Setup Authentication/Access Permission
-* For all the System assinged Managed Identity created earlier assign the following roles to the Azure Storage Account
-  > Storage Blob Data Contributor
-  
+
 * Setup Authentication for APIs and Function Apps
-  * Update the Reply Urls section of the AzureAD App created earlier with the URLs of the App Services and FunctionApps (HttpTriggered) URLs suffixed with '/auth/login/aad/callback' 
+  * Update the Reply Urls section of the AzureAD App created earlier with the URLs of the App Services and FunctionApps (HttpTriggered) URLs suffixed with '/auth/login/aad/callback'
   * In the 'Authentication' section of the AppServices / FunctionApps (HttpTriggered),
     * Add or update the Authentication values (ClientId/Secret/Issuer/Audience)
     * Select 'Login with Azure Active Directory' for the option 'Action to take when the request is not authenticated'
 
+* Permissions needed needed for System assigned Managed Identity of below Azure Components
+    * Payload Receiver Service API:
+        * App Configuration Data Reader
+        * Azure Service Bus Data Sender
+        * Cosmos DB Built-in Data Contributor
+        * Key Vault Secrets User
+        * Storage Blob Data Contributor
+        * Storage Table Data Contributor
+
+    * Audit Processor:
+        * App Configuration Data Reader
+        * Azure Service Bus Data Owner
+        * Cosmos DB Built-in Data Contributor
+        * Key Vault Secrets User
+        * Storage Blob Data Contributor
+        * Storage Table Data Contributor
+
+    * Primary Processor:
+        * App Configuration Data Reader
+        * Azure Service Bus Data Owner
+        * Cosmos DB Built-in Data Contributor
+        * Key Vault Secrets User
+        * Storage Blob Data Contributor
+        * Storage Table Data Contributor
+
+    * Notification Processor:
+        * App Configuration Data Reader
+        * Azure Service Bus Data Owner
+        * Cosmos DB Built-in Data Contributor
+        * Key Vault Secrets User
+        * Storage Blob Data Contributor
+        * Storage Table Data Contributor
+
+    * Watchdog Processor:
+        * App Configuration Data Reader
+        * Cosmos DB Built-in Data Contributor
+        * Key Vault Secrets User
+        * Storage Blob Data Contributor
+        * Storage Table Data Contributor
+
+    * Core Services API:
+        * App Configuration Data Reader
+        * Cosmos DB Built-in Data Contributor
+        * Key Vault Secrets User
+        * Storage Blob Data Contributor
+        * Storage Table Data Contributor
+        
+    *Note: As of today only way to assign Cosmos DB Built-in Data Contributor is via the PowerShell or az cli below is the command fot the same:*
+    ```
+        az cosmosdb sql role assignment create --account-name "Cosmosdb account name" --resource-group "Name of resource group where cosmosdb exists" --scope "/" --principal-id "System assigned identity to to which this Role Assignment is being granted" --role-definition-id "00000000-0000-0000-0000-000000000002"
+    ```
+    For more information please read: [Configure role-based access control for your Azure Cosmos DB account with Azure AD | Microsoft Learn](https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac)
+
 ## Deploy
 Deploy the code in these new components using Azure DevOps (Build and Release pipelines)
 
-The deployment might fail sometimes due to locked files. Try restarting the service, before redeploying. 
+The deployment might fail sometimes due to locked files. Try restarting the service, before redeploying.
 If the issue persists, add the following AppSettings in the service configuration
 ```
     "MSDEPLOY_RENAME_LOCKED_FILES": "1"
@@ -240,8 +291,8 @@ contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additio
 
 ## Trademarks
 
-This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft 
-trademarks or logos is subject to and must follow 
+This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft
+trademarks or logos is subject to and must follow
 [Microsoft's Trademark & Brand Guidelines](https://www.microsoft.com/en-us/legal/intellectualproperty/trademarks/usage/general).
 Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship.
-Any use of third-party trademarks or logos are subject to those third-party's policies.
+Any use of third-party trademarks or logos are subject to those third-party's policies.
@@ -905,7 +905,7 @@
                   "index.php",
                   "hostingstart.html"
                 ],
-                "netFrameworkVersion": "v4.0",
+                "netFrameworkVersion": "v6.0",
                 "requestTracingEnabled": false,
                 "remoteDebuggingEnabled": false,
                 "httpLoggingEnabled": false,
@@ -1060,7 +1060,7 @@
                   "index.php",
                   "hostingstart.html"
                 ],
-                "netFrameworkVersion": "v4.0",
+                "netFrameworkVersion": "v6.0",
                 "requestTracingEnabled": false,
                 "remoteDebuggingEnabled": false,
                 "httpLoggingEnabled": false,
@@ -1155,7 +1155,7 @@
                 "AppConfigurationLabel": "",
                 "AppConfigurationPrefix": "",
                 "APPINSIGHTS_INSTRUMENTATIONKEY": "",
-                "AzureAppConfiguration": "[concat('@Microsoft.KeyVault(SecretUri=https://',parameters('keyVaultName'), '.vault.azure.net/secrets/AzureAppConfigurationConnectionString)')]",
+                "AzureAppConfigurationUrl": "[concat('https://',parameters('appConfigurationName'), '.azconfig.io')]",
                 "ComponentName": "ApprovalsCoreServicesAPI",
                 "ValidAppIds": "",
                 "ValidAudienceUrl": "",
@@ -1233,7 +1233,7 @@
                   "index.php",
                   "hostingstart.html"
                 ],
-                "netFrameworkVersion": "v4.0",
+                "netFrameworkVersion": "v6.0",
                 "requestTracingEnabled": false,
                 "remoteDebuggingEnabled": false,
                 "httpLoggingEnabled": false,
@@ -1328,7 +1328,7 @@
                 "AppConfigurationLabel": "",
                 "AppConfigurationPrefix": "",
                 "APPINSIGHTS_INSTRUMENTATIONKEY": "",
-                "AzureAppConfiguration": "[concat('@Microsoft.KeyVault(SecretUri=https://',parameters('keyVaultName'), '.vault.azure.net/secrets/AzureAppConfigurationConnectionString)')]",
+                "AzureAppConfigurationUrl": "[concat('https://',parameters('appConfigurationName'), '.azconfig.io')]",
                 "ComponentName": "ApprovalsPayloadServiceAPI",
                 "ValidAppIds": "",
                 "ValidAudienceUrl": "",
@@ -1405,7 +1405,7 @@
                   "default.aspx",
                   "index.php"
                 ],
-                "netFrameworkVersion": "v4.0",
+                "netFrameworkVersion": "v6.0",
                 "phpVersion": "5.6",
                 "requestTracingEnabled": false,
                 "remoteDebuggingEnabled": false,
@@ -1461,7 +1461,7 @@
                 "AppConfigurationLabel": "",
                 "AppConfigurationPrefix": "",
                 "APPINSIGHTS_INSTRUMENTATIONKEY": "",
-                "AzureAppConfiguration": "[concat('@Microsoft.KeyVault(SecretUri=https://',parameters('keyVaultName'), '.vault.azure.net/secrets/AzureAppConfigurationConnectionString)')]",
+                "AzureAppConfigurationUrl": "[concat('https://',parameters('appConfigurationName'), '.azconfig.io')]",
                 "AzureWebJobsDashboard": "[concat('@Microsoft.KeyVault(SecretUri=https://',parameters('keyVaultName'), '.vault.azure.net/secrets/StorageConnectionString)')]",
                 "AzureWebJobsStorage": "[concat('@Microsoft.KeyVault(SecretUri=https://',parameters('keyVaultName'), '.vault.azure.net/secrets/StorageConnectionString)')]",
                 "ComponentName": "ApprovalsNotificationProcessor",
@@ -1539,7 +1539,7 @@
                   "default.aspx",
                   "index.php"
                 ],
-                "netFrameworkVersion": "v4.0",
+                "netFrameworkVersion": "v6.0",
                 "phpVersion": "5.6",
                 "requestTracingEnabled": false,
                 "remoteDebuggingEnabled": false,
@@ -1595,7 +1595,7 @@
                 "AppConfigurationLabel": "",
                 "AppConfigurationPrefix": "",
                 "APPINSIGHTS_INSTRUMENTATIONKEY": "",
-                "AzureAppConfiguration": "[concat('@Microsoft.KeyVault(SecretUri=https://',parameters('keyVaultName'), '.vault.azure.net/secrets/AzureAppConfigurationConnectionString)')]",
+                "AzureAppConfigurationUrl": "[concat('https://',parameters('appConfigurationName'), '.azconfig.io')]",
                 "AzureWebJobsDashboard": "[concat('@Microsoft.KeyVault(SecretUri=https://',parameters('keyVaultName'), '.vault.azure.net/secrets/StorageConnectionString)')]",
                 "AzureWebJobsStorage": "[concat('@Microsoft.KeyVault(SecretUri=https://',parameters('keyVaultName'), '.vault.azure.net/secrets/StorageConnectionString)')]",
                 "ComponentName": "ApprovalsWatchdogProcessor",
@@ -1675,7 +1675,7 @@
                   "default.aspx",
                   "index.php"
                 ],
-                "netFrameworkVersion": "v4.0",
+                "netFrameworkVersion": "v6.0",
                 "phpVersion": "5.6",
                 "requestTracingEnabled": false,
                 "remoteDebuggingEnabled": false,
@@ -1731,7 +1731,7 @@
                 "AppConfigurationLabel": "",
                 "AppConfigurationPrefix": "",
                 "APPINSIGHTS_INSTRUMENTATIONKEY": "",
-                "AzureAppConfiguration": "[concat('@Microsoft.KeyVault(SecretUri=https://',parameters('keyVaultName'), '.vault.azure.net/secrets/AzureAppConfigurationConnectionString)')]",
+                "AzureAppConfigurationUrl": "[concat('https://',parameters('appConfigurationName'), '.azconfig.io')]",
                 "AzureWebJobsDashboard": "[concat('@Microsoft.KeyVault(SecretUri=https://',parameters('keyVaultName'), '.vault.azure.net/secrets/StorageConnectionString)')]",
                 "AzureWebJobsStorage": "[concat('@Microsoft.KeyVault(SecretUri=https://',parameters('keyVaultName'), '.vault.azure.net/secrets/StorageConnectionString)')]",
                 "ComponentName": "ApprovalsPrimaryProcessor",