microsoft
diff --git a/‎CHANGELOG.md‎
Lines changed: 14 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 2 additions & 2 deletions b/‎README.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎azure.yaml‎
Lines changed: 3 additions & 8 deletions b/‎azure.yaml‎
Lines changed: 3 additions & 8 deletions
diff --git a/‎docs/DeploymentGuide.md‎
Lines changed: 20 additions & 18 deletions b/‎docs/DeploymentGuide.md‎
Lines changed: 20 additions & 18 deletions
diff --git a/‎docs/PARAMETER_GUIDE.md‎
Lines changed: 11 additions & 1 deletion b/‎docs/PARAMETER_GUIDE.md‎
Lines changed: 11 additions & 1 deletion
diff --git a/‎docs/automation-outputs-mapping.md‎
Lines changed: 2 additions & 2 deletions b/‎docs/automation-outputs-mapping.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎docs/post_deployment_steps.md‎
Lines changed: 1 addition & 1 deletion b/‎docs/post_deployment_steps.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/quota_check.md‎
Lines changed: 2 additions & 2 deletions b/‎docs/quota_check.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎infra/main.bicep‎
Lines changed: 3 additions & 3 deletions b/‎infra/main.bicep‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎infra/main.bicepparam‎
Lines changed: 30 additions & 10 deletions b/‎infra/main.bicepparam‎
Lines changed: 30 additions & 10 deletions
@@ -2,6 +2,20 @@
 
 All notable changes to this project will be documented in this file.
 
+## [Unreleased] - 2026-03-06
+### Added
+- Parameter to override Log Analytics workspace resource ID and output mapping for automation scripts
+- Optional `SKIP_PURVIEW_INTEGRATION` guard for Purview automation scripts (used by hooks when Purview is disabled)
+- Retry/timeout handling for AI Search public network access toggles in OneLake indexing scripts
+
+### Changed
+- Preprovision error output simplified with concise failure reason and optional verbose diagnostics
+- Main parameter file reordered into required/optional/defaulted sections with clearer comments
+- OneLake indexing scripts prefer outputs, include AAD-only auth, and handle transient 409 run conflicts
+
+### Fixed
+- Power BI headers initialization in Log Analytics linkage script to resolve workspace ID lookups
+
 ## [1.3] - 2025-12-09
 ### Added
 - Microsoft Fabric integration with automatic capacity creation and management
 
@@ -39,7 +39,7 @@ This accelerator extends the [AI Landing Zone](https://github.com/Azure/ai-landi
 
 ### Additional Resources
 
-- [AI Landing Zone Documentation](https://github.com/Azure/ai-landing-zone)
+- [AI Landing Zone Documentation](https://github.com/Azure/bicep-ptn-aiml-landing-zone)
 - [Azure AI Foundry Documentation](https://learn.microsoft.com/en-us/azure/ai-foundry/)
 - [Microsoft Fabric Documentation](https://learn.microsoft.com/en-us/fabric/)
 
@@ -104,7 +104,7 @@ Follow the deployment guide to deploy this solution to your own Azure subscripti
 > **GitHub Codespaces and Dev Containers handle this automatically.**
 
 >  **Windows shell note**
-> <br/>Preprovision uses `shell: sh`. Run `azd` from Git Bash/WSL so `bash` is available, or switch the `preprovision` hook in `azure.yaml` to the provided PowerShell script if you want to stay in PowerShell.
+> <br/>Preprovision runs with PowerShell (`pwsh`) by default. Run `azd` from PowerShell 7+ (or any terminal that can invoke `pwsh`).
 
 <br/>
 
 
@@ -55,13 +55,13 @@ hooks:
       continueOnError: false
 
     # Stage 5: Purview Collection Creation
-    - run: ./scripts/automationScripts/FabricPurviewAutomation/create_purview_collection.ps1
+    - run: "$env:SKIP_PURVIEW_INTEGRATION='true'; ./scripts/automationScripts/FabricPurviewAutomation/create_purview_collection.ps1"
       interactive: false
       shell: pwsh
       continueOnError: false
 
     # Stage 6: Register Fabric as Purview Data Source
-    - run: ./scripts/automationScripts/FabricWorkspace/CreateWorkspace/register_fabric_datasource.ps1
+    - run: "$env:SKIP_PURVIEW_INTEGRATION='true'; ./scripts/automationScripts/FabricWorkspace/CreateWorkspace/register_fabric_datasource.ps1"
       interactive: false
       shell: pwsh
       continueOnError: false
@@ -127,14 +127,9 @@ hooks:
       continueOnError: false
 
     # Stage 17: Trigger Purview Scan (if Purview enabled)
-    - run: ./scripts/automationScripts/FabricPurviewAutomation/trigger_purview_scan_for_fabric_workspace.ps1
+    - run: "$env:SKIP_PURVIEW_INTEGRATION='true'; ./scripts/automationScripts/FabricPurviewAutomation/trigger_purview_scan_for_fabric_workspace.ps1"
       interactive: false
       shell: pwsh
       continueOnError: false
 
-    # Stage 18: Connect Log Analytics (placeholder)
-    - run: ./scripts/automationScripts/FabricPurviewAutomation/connect_log_analytics.ps1
-      interactive: false
-      shell: pwsh
-      continueOnError: false
 
@@ -28,7 +28,7 @@ To deploy this solution accelerator, ensure you have access to an [Azure subscri
 | Git | Latest | [Install Git](https://git-scm.com/downloads) |
 | PowerShell | 7.0+ | [Install PowerShell](https://learn.microsoft.com/powershell/scripting/install/installing-powershell) |
 
-> **Windows-specific shell requirement:** Preprovision hooks run with `shell: sh`. Install Git for Windows (includes Git Bash) **or** run `azd` from WSL/Ubuntu so `bash/sh` is on PATH. If you prefer pure PowerShell, update `azure.yaml` to point `preprovision` to the provided `preprovision.ps1`.
+> **Windows shell requirement:** Preprovision runs with PowerShell (`pwsh`). Use PowerShell 7+ so `pwsh` is on PATH.
 
 ### External Resources
 
@@ -106,7 +106,7 @@ If you're not using Codespaces or Dev Containers:
 
 4. Continue with [Deployment Steps](#deployment-steps) below
 
-> **Note (Windows):** Run `azd up` from Git Bash or WSL so the `preprovision` hook can execute. If you want to stay in PowerShell, edit `azure.yaml` to use `preprovision.ps1` instead of the `.sh` script.
+> **Note (Windows):** Run `azd up` from PowerShell 7+ so the `pwsh` preprovision hook can execute.
 
 </details>
 
@@ -152,22 +152,23 @@ Edit `infra/main.bicepparam` or set environment variables:
 | Parameter | Description | Example |
 |-----------|-------------|---------|
 | `purviewAccountResourceId` | Resource ID of existing Purview account | `/subscriptions/.../Microsoft.Purview/accounts/...` |
-| `aiSearchAdditionalAccessObjectIds` | Array of Entra object IDs to grant Search roles | `["00000000-0000-0000-0000-000000000000"]` |
-| `fabricCapacityMode` | Fabric capacity mode: `create`, `byo`, or `none` | `create` |
-| `fabricWorkspaceMode` | Fabric workspace mode: `create`, `byo`, or `none` | `create` |
-| `fabricCapacitySku` | Fabric capacity SKU (only used when `fabricCapacityMode=create`) | `F8` (default) |
-| `fabricCapacityAdmins` | Fabric capacity admin principals (UPN emails or Entra object IDs) (required when `fabricCapacityMode=create`) | `["user@contoso.com"]` |
-| `fabricCapacityResourceId` | Existing Fabric capacity ARM resource ID (required when `fabricCapacityMode=byo`) | `/subscriptions/.../providers/Microsoft.Fabric/capacities/...` |
-| `fabricWorkspaceId` | Existing Fabric workspace ID (GUID) (required when `fabricWorkspaceMode=byo`) | `00000000-0000-0000-0000-000000000000` |
-| `fabricWorkspaceName` | Existing Fabric workspace name (used when `fabricWorkspaceMode=byo`) | `my-existing-workspace` |
+| `fabricCapacityPreset` | Fabric capacity preset: `create`, `byo`, or `none` | `create` |
+| `fabricWorkspacePreset` | Fabric workspace preset: `create`, `byo`, or `none` | `create` |
+| `fabricCapacitySku` | Fabric capacity SKU (only used when `fabricCapacityPreset=create`) | `F8` (default) |
+| `fabricCapacityAdmins` | Fabric capacity admin principals (UPN emails or Entra object IDs) (required when `fabricCapacityPreset=create`) | `["user@contoso.com"]` |
+| `fabricCapacityResourceId` | Existing Fabric capacity ARM resource ID (required when `fabricCapacityPreset=byo`) | `/subscriptions/.../providers/Microsoft.Fabric/capacities/...` |
+| `fabricWorkspaceId` | Existing Fabric workspace ID (GUID) (required when `fabricWorkspacePreset=byo`) | `00000000-0000-0000-0000-000000000000` |
+| `fabricWorkspaceName` | Existing Fabric workspace name (used when `fabricWorkspacePreset=byo`) | `my-existing-workspace` |
 
 ```bash
 # Example: Set Purview account
-azd env set purviewAccountResourceId "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Purview/accounts/<account-name>"
+# (Edit infra/main.bicepparam)
+# param purviewAccountResourceId = "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Purview/accounts/<account-name>"
 
 # Example: Disable all Fabric automation
-azd env set fabricCapacityMode none
-azd env set fabricWorkspaceMode none
+# (Edit infra/main.bicepparam)
+# var fabricCapacityPreset = 'none'
+# var fabricWorkspacePreset = 'none'
 ```
 
 </details>
@@ -177,9 +178,10 @@ azd env set fabricWorkspaceMode none
 
 | Parameter | Description | Default |
 |-----------|-------------|---------|
-| `aiSearchAdditionalAccessObjectIds` | Entra ID object IDs for additional Search access | `[]` |
-| `networkIsolationMode` | Network isolation level | `AllowInternetOutbound` |
-| `vmAdminUsername` | Jump box VM admin username | `azureuser` |
+| `networkIsolation` | Enable network isolation | `false` |
+| `useExistingVNet` | Reuse an existing VNet | `false` |
+| `existingVnetResourceId` | Existing VNet resource ID (when `useExistingVNet=true`) | `` |
+| `vmUserName` | Jump box VM admin username | `` |
 | `vmAdminPassword` | Jump box VM admin password | (prompted) |
 
 </details>
@@ -214,8 +216,8 @@ azd up
 ```
 
 This command will:
-1. Run pre-provision hooks (validate environment)
-2. Deploy all Azure infrastructure (~30-40 minutes)
+1. Run pre-provision hooks (deploy AI Landing Zone submodule)
+2. Deploy Fabric capacity and supporting infrastructure (~30-40 minutes)
 3. Run post-provision hooks (configure Fabric, Purview, Search RBAC)
 
 > **Note:** The entire deployment typically takes 45-60 minutes.
 
@@ -5,13 +5,15 @@ This guide focuses on configuration concepts for the **AI Landing Zone**.
 > **Important**: This repository deploys using Bicep parameter files, not `infra/main.parameters.json`.
 >
 > - Primary parameters file: `infra/main.bicepparam`
-> - AI Landing Zone submodule parameters file (if you deploy it directly): `submodules/ai-landing-zone/bicep/infra/main.bicepparam`
+> - AI Landing Zone submodule parameters file (if you deploy it directly): `submodules/ai-landing-zone/main.parameters.json`
 >
 > **Fabric options in this repo** are configured in `infra/main.bicepparam` via:
 > - `fabricCapacityPreset` (`create` | `byo` | `none`)
 > - `fabricWorkspacePreset` (`create` | `byo` | `none`)
 > - BYO inputs: `fabricCapacityResourceId`, `fabricWorkspaceId`, `fabricWorkspaceName`
 
+> **Deployment flow**: This repo deploys the AI Landing Zone submodule from `submodules/ai-landing-zone/main.bicep` during the preprovision hook. The single source of truth for parameters is `infra/main.bicepparam`.
+
 ## Table of Contents
 1. [Basic Parameters](#basic-parameters)
 2. [Deployment Toggles](#deployment-toggles)
@@ -151,6 +153,14 @@ Each toggle controls whether a service is created. Set to `true` to deploy, `fal
 - `buildVm: true` - For CI/CD build agents
 - `jumpVm: true` - For Windows-based management
 
+### Log Analytics (Optional)
+
+If you are using an existing Log Analytics workspace, set the resource ID in `infra/main.bicepparam`:
+
+```bicep-params
+param logAnalyticsWorkspaceResourceId = '/subscriptions/<subId>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<name>'
+```
+
 ### Network Security Groups
 
 ```json
 
@@ -20,8 +20,8 @@ The postprovision automation scripts consume deployment outputs via the `AZURE_O
 
 | Bicep Output | Script Variable | Used By | Purpose |
 |-------------|-----------------|---------|---------|
-| `fabricCapacityModeOut` | `fabricCapacityMode` | Multiple Fabric scripts | Whether capacity is `create`, `byo`, or `none` |
-| `fabricWorkspaceModeOut` | `fabricWorkspaceMode` | Multiple Fabric scripts | Whether workspace is `create`, `byo`, or `none` |
+| `fabricCapacityModeOut` | `fabricCapacityMode` | Multiple Fabric scripts | Resolved mode from `fabricCapacityPreset` (`create`, `byo`, `none`) |
+| `fabricWorkspaceModeOut` | `fabricWorkspaceMode` | Multiple Fabric scripts | Resolved mode from `fabricWorkspacePreset` (`create`, `byo`, `none`) |
 | `fabricCapacityId` | `FABRIC_CAPACITY_ID` | `ensure_active_capacity.ps1` | ARM resource ID of Fabric capacity |
 | `fabricCapacityResourceIdOut` | `fabricCapacityId` | `create_fabric_workspace.ps1` | Resource ID for capacity assignment |
 | `fabricWorkspaceIdOut` | `FABRIC_WORKSPACE_ID` | Multiple Fabric scripts | Existing or created Fabric workspace ID |
 
@@ -106,7 +106,7 @@ If no documents appear, check:
 
 ## 6. Verify Network Isolation (if enabled)
 
-When `networkIsolationMode` is set to isolate resources:
+When `networkIsolation` is set to `true`:
 
 ### Check AI Foundry Network Settings
 
 
@@ -78,8 +78,8 @@ The final table lists regions with available quota. You can select any of these
 
 ## **If using VS Code or Codespaces**
 1. Open the terminal in VS Code or Codespaces.
-2. If you're using VS Code, click the dropdown on the right side of the terminal window, and select `Git Bash`.
-   ![git_bash](../img/provisioning/git_bash.png)
+2. Use a terminal that can run bash. This is only for the quota check script; deployment uses PowerShell.
+  ![git_bash](../img/provisioning/git_bash.png)
 3. Navigate to the `scripts` folder where the script files are located and make the script as executable:
    ```sh
     cd scripts
 
@@ -105,6 +105,8 @@ param enableAgenticRetrieval bool = false
 
 @description('Existing resource IDs to reuse.')
 param aiSearchResourceId string = ''
+@description('Optional additional Entra object IDs to grant Search roles.')
+param aiSearchAdditionalAccessObjectIds array = []
 param aiFoundryStorageAccountResourceId string = ''
 param aiFoundryCosmosDBAccountResourceId string = ''
 param keyVaultResourceId string = ''
@@ -244,16 +246,14 @@ var effectiveAiSearchResourceId = !empty(aiSearchResourceId)
   : resourceId('Microsoft.Search/searchServices', searchServiceName)
 
 var effectiveStorageAccountResourceId = resourceId('Microsoft.Storage/storageAccounts', storageAccountName)
-var effectiveLogAnalyticsWorkspaceResourceId = resourceId('Microsoft.OperationalInsights/workspaces', logAnalyticsWorkspaceName)
 
 output virtualNetworkResourceId string = effectiveVnetResourceId
 output keyVaultResourceId string = effectiveKeyVaultResourceId
 output storageAccountResourceId string = effectiveStorageAccountResourceId
 output aiFoundryProjectName string = aiFoundryProjectName
-output logAnalyticsWorkspaceResourceId string = effectiveLogAnalyticsWorkspaceResourceId
 output aiSearchResourceId string = effectiveAiSearchResourceId
 output aiSearchName string = searchServiceName
-output aiSearchAdditionalAccessObjectIds array = []
+output aiSearchAdditionalAccessObjectIds array = aiSearchAdditionalAccessObjectIds
 
 // Subnet IDs (constructed from VNet ID and subnet names)
 output peSubnetResourceId string = '${effectiveVnetResourceId}/subnets/${peSubnetName}'
 
@@ -1,22 +1,43 @@
 using './main.bicep'
 
 // ========================================
-// AI LANDING ZONE PARAMETERS
+// REQUIRED INPUTS
 // ========================================
 
 param environmentName = readEnvironmentVariable('AZURE_ENV_NAME', '')
 param location = readEnvironmentVariable('AZURE_LOCATION', '')
 param cosmosLocation = readEnvironmentVariable('AZURE_COSMOS_LOCATION', '')
-// Set this to your Entra object ID if Graph lookup is blocked.
+// Entra object ID of the identity to grant RBAC (user, group, service principal, or UAI). Set this if Graph lookup is blocked.
 param principalId = '0d60355b-dcae-4331-b55f-283d80aabde5'
 param principalType = 'User'
-param deploymentTags = {}
-param appConfigLabel = 'ai-lz'
 
-param networkIsolation = true
+// ========================================
+// OPTIONAL INPUTS (Existing Resources)
+// ========================================
+// Use these to reuse existing resources instead of creating new ones.
+
+param aiSearchResourceId = ''
+param aiFoundryStorageAccountResourceId = ''
+param aiFoundryCosmosDBAccountResourceId = ''
+param keyVaultResourceId = ''
 param useExistingVNet = false
 param existingVnetResourceId = readEnvironmentVariable('EXISTING_VNET_RESOURCE_ID', '')
 
+// Optional additional Entra object IDs to grant Search roles.
+param aiSearchAdditionalAccessObjectIds = ['0d60355b-dcae-4331-b55f-283d80aabde5']
+
+// ========================================
+// OPTIONAL INPUTS (Configuration)
+// ========================================
+
+param deploymentTags = {}
+param appConfigLabel = 'ai-lz'
+param networkIsolation = true
+
+// ========================================
+// FEATURE TOGGLES
+// ========================================
+
 param deployGroundingWithBing = false
 param deployAiFoundry = true
 param deployAiFoundrySubnet = true
@@ -35,16 +56,15 @@ param deployVM = true
 param deploySubnets = readEnvironmentVariable('DEPLOY_SUBNETS', 'true') == 'true'
 param deployNsgs = true
 param sideBySideDeploy = readEnvironmentVariable('SIDE_BY_SIDE', 'true') == 'true'
-param deploySoftware = true
+param deploySoftware = false
 param deployApim = false
 param deployAfProject = true
 param deployAAfAgentSvc = true
 param enableAgenticRetrieval = readEnvironmentVariable('ENABLE_AGENTIC_RETRIEVAL', 'false') == 'true'
 
-param aiSearchResourceId = ''
-param aiFoundryStorageAccountResourceId = ''
-param aiFoundryCosmosDBAccountResourceId = ''
-param keyVaultResourceId = ''
+// ========================================
+// ADVANCED SETTINGS (Defaults)
+// ========================================
 
 param useUAI = readEnvironmentVariable('USE_UAI', 'false') == 'true'
 param useCAppAPIKey = readEnvironmentVariable('USE_CAPP_API_KEY', 'false') == 'true'