feat: Adding AI Landing Zone and Fabric workspace automation to provisioning (#101)

* feat: streamlined azd deployment using AI Landing Zone submodule

- Remove all local Bicep modules (infra/modules/*) to eliminate duplication
- Create minimal main.bicep (160 lines) that directly calls AI Landing Zone submodule
- Add comprehensive main.parameters.json with deployment toggles and service configuration
- Add QUICKSTART.md for 5-minute deployment instructions
- Add detailed docs/AZD_DEPLOYMENT.md with full parameter reference
- Configure for azd CLI deployment workflow
- Enable AI Foundry with GPT-4o and text-embedding-3-small models
- All services deployed with private endpoints for security
- Type-safe parameters using AI Landing Zone type definitions

* docs: add comprehensive deployment summary

* docs: add comprehensive parameter customization guide

* feat: add modern .bicepparam file with type safety and IntelliSense

- Add infra/main.bicepparam with full type safety and validation
- Remove 'role' properties from vNet subnets (use standard AVM schema)
- Add delegation for Container Apps subnet
- Add comprehensive inline documentation and comments
- Add docs/BICEP_PARAMETERS.md explaining both formats
- Keep main.parameters.json for backward compatibility
- Benefits: type safety, IntelliSense, compile-time validation, better DX

* docs: update QUICKSTART to recommend bicepparam file

* fix: align deployToggles with AI Landing Zone defaults and add clarifying comments

- Keep current practical defaults (core services enabled, optional disabled)
- Add note that AI LZ example has everything set to true
- Add helpful inline comments explaining when to enable each toggle
- Clarify NSG toggles should match their corresponding service toggles
- Improve developer guidance for customization

* fix: enable Bastion and Jump VM by default for accessing private endpoints

BREAKING: Resources now use private endpoints without public access
REQUIRED: Bastion + Jump VM needed to manage and access services

- Enable bastionHost: true (required for accessing private resources)
- Enable jumpVm: true (Windows jump box accessed via Bastion)
- Enable bastionNsg: true and jumpboxNsg: true (required NSGs)
- Add AzureBastionSubnet (10.0.5.0/26) to vNet
- Add snet-jumpbox (10.0.6.0/28) to vNet

This is the correct default for a secure, production deployment with
private endpoints - you MUST have a way to access the resources!

* docs: add comprehensive guide for accessing private resources

- Add docs/ACCESSING_PRIVATE_RESOURCES.md with detailed access instructions
- Explain Bastion + Jump VM requirement for private endpoints
- Document cost implications (~75/month for secure access)
- Provide cost optimization strategies (stop VM when not in use)
- Add alternative access methods (VPN, Build VM, public endpoints)
- Include security best practices and troubleshooting
- Update QUICKSTART.md to list Bastion in deployment output

* docs: add prominent warnings about ARM 4MB template size limit

- Add warning at top of AZD_DEPLOYMENT.md about RequestContentTooLarge error
- Add 'If Deployment Fails' section to QUICKSTART.md with immediate fix
- Document that default config with Bastion enabled will likely fail
- Provide clear fix: disable Bastion initially, add later via idempotent redeployment
- Add comprehensive troubleshooting section in AZD_DEPLOYMENT.md
- Explain trade-offs: public vs private endpoints, cost implications
- Keep all parameters flexible - users choose their configuration

This addresses the immediate issue users will face with default configuration
while maintaining flexibility and documenting the upgrade path.

* feat: integrate AI Landing Zone submodule with Template Spec support

- Add AI Landing Zone as git submodule for clean architecture
- Create minimal wrapper (160 lines) that calls AI Landing Zone main.bicep
- Implement preprovision scripts (PowerShell + Bash) for Template Spec creation
- Configure AI Landing Zone defaults (192.168.0.0/22 network, proper subnet names)
- Template Specs bypass ARM 4MB deployment limit
- Clean azure.yaml with only preprovision hook (no legacy sample app scripts)
- Successful deployment of full stack: VNet, AI Services, GPT-4o, Cosmos DB, AI Search, Container Apps, Bastion

* chore: update AI Landing Zone submodule pointer

* feat: Complete 5-stage modular deployment with conditional toggles

- Created main-orchestrator.bicep with 5-stage deployment pattern
- Implemented centralized deployToggles parameter in main-orchestrator.bicepparam
- Built Stage 1 (Networking): VNet + 5 NSGs with conditional deployment
- Built Stage 2 (Monitoring): Log Analytics + App Insights with conditionals
- Built Stage 3 (Security): KeyVault + Bastion + Jump VM with conditionals
- Built Stage 4 (Data): Storage, Cosmos, Search, ACR + private endpoints with conditionals
- Built Stage 5 (Compute/AI): Container Apps Environment + AI Foundry with conditionals
- All stages use AI Landing Zone wrappers and follow exact naming patterns
- All 11 deployment toggles functional and set to true for complete deployment
- Updated azure.yaml to use main-orchestrator as deployment entry point
- Successfully tested full deployment with all resources deployed

* chore: Remove unused deployment files

- Deleted infra/main.bicep (old monolithic deployment)
- Deleted infra/main.bicepparam (old parameter file)
- Deleted infra/main.parameters.json (old JSON parameters)
- Deleted infra/orchestrators/main-modular.bicep (earlier iteration)
- Deleted infra/params/ directory (no longer needed)

All deployments now use main-orchestrator.bicep with 5-stage modular architecture

* chore: Remove unused scripts and Python requirements

Deleted Template Spec scripts (modular deployment doesn't need them):
- scripts/preprovision-integrated.ps1
- scripts/preprovision-integrated.sh

Deleted Python/sample data scripts (not using Python):
- scripts/install_python.ps1
- scripts/process_sample_data.ps1
- scripts/process_sample_data.sh
- scripts/index_scripts/ (entire directory)
- scripts/auth_init.py
- scripts/auth_update.py
- requirements.txt
- requirements-dev.txt

Deleted connection/testing scripts (infrastructure only):
- scripts/set_conns_env_vars.ps1
- scripts/set_conns_env_vars.sh
- scripts/test_azure_resource_conns.ps1

Kept scripts (still useful):
- scripts/auth_init.ps1 / auth_init.sh (basic auth)
- scripts/loadenv.ps1 / loadenv.sh (environment variables)
- scripts/postprovision.ps1 / postprovision.sh (post-deployment)
- scripts/quota_check.sh (quota checking)

* chore: Remove outdated documentation files

- Deleted DEPLOYMENT_SUMMARY.md (refers to old feature/azd-submodule-deployment branch)
- Deleted QUICKSTART.md (outdated, refers to non-existent main.bicepparam)

Current documentation:
- QUICKSTART_MODULAR.md - Quick start for modular deployment
- docs/MODULAR_DEPLOYMENT.md - Full modular deployment documentation
- README.md - Updated with deployment options

* Fix subnet layout and Application Gateway private IP to match AI Landing Zone. Resolves Azure Firewall deployment failures due to subnet overlap.

* Apply AI Landing Zone variable pattern to all 5 stages. Resolves Bicep conditional output errors.

* Mark as internal development branch

* Add Stage 6 (Fabric Capacity) and import automation scripts from fabric-purview-domain-integration

- Added Stage 6: Microsoft Fabric Capacity deployment with AVM module v0.1.2
- Added all parameters for future phases: Fabric, Purview, AI Services, Lakehouses
- Imported 37 automation scripts from fabric-purview-domain-integration repo:
  * Fabric_Purview_Automation/ - Fabric workspace, domain, lakehouse automation
  * OneLakeIndex/ - OneLake document indexing with AI Search
  * SecurityModule.ps1 - Centralized token security
  * cleanup/ - Workspace cleanup utilities
  * monitoring/ - Workflow telemetry
- Fixed stage3-security.bicep bastion module path (deploy/wrappers)
- Updated main-orchestrator.bicep with organized parameter sections
- Updated main-orchestrator.bicepparam with all new parameters
- Ready for next phase: Fabric workspace and Purview integration automation

* feat: Add Fabric private networking with automated public access control

Major enhancements:
- Added Stage 7: Fabric Private Networking infrastructure (DNS zones, VNet links)
- Created setup_fabric_private_link.ps1 with auto-approved shared private link creation
- Automated workspace communication policy to deny public access via Fabric REST API
- Added 11 deployment outputs to main-orchestrator.bicep for script automation
- Enhanced azure.yaml with 17 postprovision automation stages
- Created comprehensive documentation (fabric-onelake-private-networking.md, automation-outputs-mapping.md)

* feat: Add cross-subscription Purview support and fix deployment issues

CROSS-SUBSCRIPTION PURVIEW INTEGRATION:
- Added purviewSubscriptionId and purviewResourceGroup parameters to main-orchestrator.bicep
- Added corresponding outputs for script consumption
- Updated create_purview_collection.ps1 to handle cross-subscription Purview accounts
- Updated trigger_purview_scan_for_fabric_workspace.ps1 with subscription/RG resolution
- Tested successfully with Purview account in different subscription (48ab3756-f962-40a8-b0cf-b33ddae744bb)

DEPLOYMENT FIXES:
- Fixed VM disk type mismatches (Premium_LRS → Standard_LRS) in stage3-security.bicep and stage5-compute-ai.bicep
  * Azure doesn't allow changing disk SKU on existing VMs through ARM deployment
  * Changed to Standard_LRS to match already-deployed infrastructure
- Added environment variable fallbacks to create_fabric_workspace.ps1 for azd output variables
  * Added fallback for $env:desiredFabricWorkspaceName
  * Added fallback for $env:fabricCapacityId
  * Scripts now work correctly with azd hooks

FABRIC WORKSPACE AUTOMATION:
- Successfully created workspace 'workspace002' and assigned to capacity FE509DCC-0864-4EBD-B69E-576E4E286AC5
- Successfully created domain 'datadomain002' and assigned workspace
- Workspace admin configured: admin@MngEnv282784.onmicrosoft.com

TESTING STATUS:
✅ Infrastructure deploys without errors
✅ Fabric workspace automation working
✅ Purview collection creation working (cross-subscription)
⚠️ setup_fabric_private_link.ps1 requires manual workspace private link enablement (one-time step)

This commit resolves all identified deployment blockers and successfully enables cross-subscription Purview integration for governance workflows.

* feat: Add environment-based naming for Fabric workspace, domain, and Purview collection

- Added environmentName parameter to main-orchestrator.bicep
- Reads AZURE_ENV_NAME environment variable via readEnvironmentVariable()
- Auto-generates workspace and domain names with environment suffix
- Fabric workspace: workspace-{env} (e.g., workspace-dev102425g)
- Fabric domain: datadomain-{env} (e.g., datadomain-dev102425g)
- Purview collection inherits domain name (e.g., datadomain-dev102425g)
- Updated outputs to use computed effectiveFabricWorkspaceName and effectiveDomainName
- Cross-subscription Purview support maintained with subscription/RG parameters
- Allows manual override by setting fabricWorkspaceName and domainName in bicepparam

* feat: Add firewall rules for Power BI, Fabric, and Azure Portal access

- Added rule collection group 'PowerBI-Fabric-Access' to firewall policy
- Allow-PowerBI: *.powerbi.com, powerbi.microsoft.com (HTTP/HTTPS)
- Allow-Fabric: *.fabric.microsoft.com, app.fabric.microsoft.com (HTTPS)
- Allow-Analysis-Services: *.analysis.windows.net (HTTPS)
- Allow-Azure-Portal: *.portal.azure.com, portal.azure.com, *.azure.com, *.management.azure.com (HTTPS)
- Allow-Microsoft-Auth: *.login.microsoftonline.com, login.windows.net, login.microsoft.com, *.microsoftonline.com (HTTPS)

This enables Jump VM users to access:
- Power BI portal (app.powerbi.com)
- Microsoft Fabric portal (app.fabric.microsoft.com)
- Azure Portal (portal.azure.com)
- Microsoft authentication services

Rules are applied at firewall policy level in stage1-networking.bicep

* feat: Complete firewall routing configuration for jumpbox subnet

- Created route table (rt-firewall-{baseName}) with default route to firewall
- Associated route table with jumpbox-subnet to force traffic through firewall
- All outbound traffic from Jump VM now routes through Azure Firewall (192.168.0.132)
- Added configure_firewall_routing.sh script for automated setup in future deployments

This completes the secure network architecture:
- Firewall rules allow Power BI, Fabric, Azure Portal, and auth domains
- Route table forces all jumpbox traffic through firewall for inspection
- Jump VM can now access portal.azure.com, app.powerbi.com, app.fabric.microsoft.com

* fix: Enable DNS proxy on firewall policy for FQDN resolution

- Added enableProxy: true to firewall policy configuration
- DNS proxy is required for application rules with FQDN targets to work
- Without DNS proxy, firewall cannot resolve domain names and defaults to deny
- Applied fix retroactively via CLI: az network firewall policy update --enable-dns-proxy true

This fixes the 'No rule matched' error when accessing:
- portal.azure.com
- app.powerbi.com
- app.fabric.microsoft.com

DNS proxy enables the firewall to resolve FQDNs in application rules and properly match traffic against the configured allow rules

* WIP: Modular orchestrator approach - hitting 4MB ARM template limit

* Use AI Landing Zone directly + Fabric capacity extension

* Remove modular orchestrator files - using AI Landing Zone directly

* Remove unnecessary preprovision scripts - using AI Landing Zone's scripts

* Fix azure.yaml preprovision hooks format for azd 1.20+

* Fix infra path to point to deploy directory with Template Spec references

* Make deploy_fabric_capacity.sh executable

* Fix Fabric capacity name format - remove hyphens

* Fix Fabric capacity SKU format - add tier field

* Replace shell script with Bicep module for Fabric capacity deployment

* Implement Fabric capacity deployment in main.bicep wrapper

- Wrapper calls AI Landing Zone then deploys Fabric capacity in single template
- All parameters exposed in main.bicepparam for full autonomy
- Azure.yaml deploys from infra/ (wrapper) instead of AI Landing Zone directly

* Fix OneLake SAMI auth and AI Foundry RBAC

* Sync fabric deployment automation and docs

* Document template spec deployment flow

* refresh submodule

* refactor: reorganize fabric automation scripts by workspace scope

* Updates to several sections of automation code. Add FAQ to address common issues during development. These will go into the readme. Fabric private network.md added for guidance.

* removal of old docs and direction

* Updates and improvements to readme and fabric networking to ai search

* updates to main and parameter naming

* updates to scripts to resume paused fabric capacity when running post provisioning scripts

* docs: overhaul README and consolidate documentation for v1.3

README Changes:
- Adopt GSA (Global Solution Accelerator) format with header images
- Update navigation to use pipe separators matching example repos
- Use AI Landing Zone architecture diagram from submodule
- Add git submodule clone instructions for smooth provisioning
- Expand 'What You Get' section to showcase full platform scope
- Update Supporting Documentation table with current links

Documentation Consolidation:
- Create DeploymentGuide.md consolidating all deployment options
- Create deploy_app_from_foundry.md aligned with AI Foundry workflow
- Create TRANSPARENCY_FAQ.md for responsible AI transparency

Removed Outdated Docs (9 files):
- github_actions_steps.md (stub placeholder)
- github_code_spaces_steps.md (consolidated into DeploymentGuide)
- local_environment_steps.md (consolidated into DeploymentGuide)
- Dev_ContainerSteps.md (consolidated into DeploymentGuide)
- transfer_project_connections.md (deprecated feature)
- sample_app_setup.md (replaced with deploy_app_from_foundry.md)
- Verify_Services_On_Network.md (referenced non-existent script)
- add_additional_services.md (redundant with PARAMETER_GUIDE.md)
- modify_deployed_models.md (redundant with PARAMETER_GUIDE.md)

Fixed broken references across all remaining documentation files.

* remove document about Fabric External environment

* update Foundry name in readme

* Clarify Purview is configured not provisioned

* Correct documentation links

* corrected bad link

* Update to architecture drawing

* sanitized parameter file

* sanitize parameters and add virtualization script

* sanitize the parameters

* Updated all PowerShell automation scripts to use the OS temp directory for shared env/config files instead of hardcoded /tmp, so they work on Windows and Codespaces

* README: Added a Windows shell note under the submodule section to call out that preprovision uses sh (use Git Bash/WSL or swap to the PowerShell hook).
DeploymentGuide:
Added a Windows-specific shell requirement in prerequisites (bash available, or switch to preprovision.ps1).
Reinforced submodule init in Local Environment and added a Windows note about running azd from Bash/WSL or changing the hook.
Noted that postprovision temp .env files are written to the OS temp directory—no need to create C:\tmp.

* Removed the “Important: Keep environment-specific values local” block from the README.

* Adds a single sentence under “Prerequisites” clarifying that if Fabric capacity deployment is enabled, you must supply at least one valid Fabric admin principal (UPN email or Entra object ID) via fabricCapacityAdmins

* Emphasise needing Fabric Admin if provisioning Fabric Workspace = true

* New note clarifying that if Fabric provisioning is enabled, the user running azd must have the Fabric Administrator role (or equivalent Fabric/Power BI tenant admin permissions).

---------

Co-authored-by: Mike Swantek <mike.swantek@microsoft.com>

Author: mswantek68

.github/workflows/azd-template-validation.yml

@@ -0,0 +1,34 @@
+name: AZD Template Validation
+on: 
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+  id-token: write
+  pull-requests: write
+
+jobs:
+  template_validation:
+    runs-on: ubuntu-latest
+    name: azd template validation
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: microsoft/template-validation-action@Latest
+        with:
+          validateAzd: ${{ vars.TEMPLATE_VALIDATE_AZD }}
+          useDevContainer: ${{ vars.TEMPLATE_USE_DEV_CONTAINER }}
+        id: validation
+        env:
+          AZURE_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
+          AZURE_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
+          AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+          AZURE_ENV_NAME: ${{ vars.AZURE_ENV_NAME }}
+          AZURE_LOCATION: ${{ vars.AZURE_LOCATION }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: print result
+        run: cat ${{ steps.validation.outputs.resultFile }}

.github/workflows/azure-dev.yml

@@ -1,74 +1,44 @@
-name: AZD Template Validation
-on: 
+name: AZD Deployment
+on:
   workflow_dispatch:
   push:
     branches:
       - main
 
 permissions:
-  contents: read
   id-token: write
-  pull-requests: write
+  contents: read
 
 jobs:
-  template_validation:
+  build:
     runs-on: ubuntu-latest
-    name: azd template validation
+    env:
+      AZURE_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
+      AZURE_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
+      AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+      AZURE_RESOURCE_GROUP: ${{ vars.AZURE_RESOURCE_GROUP }}
+      AZURE_ENV_NAME: ${{ vars.AZURE_ENV_NAME }}
+      AZURE_LOCATION: ${{ vars.AZURE_LOCATION }}
+      AZURE_USER_OBJECT_ID: ''
     steps:
-      - uses: actions/checkout@v4
-
-      - name: Azure Login
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Install azd
+        uses: Azure/setup-azd@v2
+      - name: Azure Developer CLI Login
+        run: |
+          azd auth login `
+            --client-id "$Env:AZURE_CLIENT_ID" `
+            --federated-credential-provider "github" `
+            --tenant-id "$Env:AZURE_TENANT_ID" 
+        shell: pwsh
+      - name: Azure CLI Login
         uses: azure/login@v2
         with:
           client-id: ${{ vars.AZURE_CLIENT_ID }}
           tenant-id: ${{ vars.AZURE_TENANT_ID }}
           subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
-
-      - name: Create Resource Group for Validation
-        run: |
-          ENV_NAME="${{ vars.AZURE_ENV_NAME }}"
-          RG_NAME="rg-${ENV_NAME}"
-          echo "Creating resource group for template validation: ${RG_NAME}"
-          az group create \
-            --name "${RG_NAME}" \
-            --location "${{ vars.AZURE_LOCATION }}" \
-            --tags "CreatedBy=GitHubActions"
-          echo "Resource group ${RG_NAME} created successfully"
-
-      - uses: microsoft/template-validation-action@Latest
-        with:
-          validateAzd: ${{ vars.TEMPLATE_VALIDATE_AZD }}
-          useDevContainer: ${{ vars.TEMPLATE_USE_DEV_CONTAINER }}
-          validateTests: ${{ vars.AZD_VALIDATE_TESTS }}
-        id: validation
+      - name: Provision Infrastructure
+        run: azd provision --no-prompt
         env:
-          AZURE_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
-          AZURE_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
-          AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
-          AZURE_ENV_NAME: ${{ vars.AZURE_ENV_NAME }}
-          AZURE_LOCATION: ${{ vars.AZURE_LOCATION }}
-          AZURE_RESOURCE_GROUP: rg-${{ vars.AZURE_ENV_NAME  }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          # Set correct principal type for GitHub Actions ServicePrincipal
-          AZURE_DEPLOYER_PRINCIPAL_TYPE: ServicePrincipal
-          # Infrastructure parameter defaults for pipeline
-          AZURE_ACR_ENABLED: 'false'
-          AZURE_API_MANAGEMENT_ENABLED: 'false'
-          AZURE_AI_CONTENT_SAFETY_ENABLED: 'false'
-          AZURE_AI_DOC_INTELLIGENCE_ENABLED: 'false'
-          AZURE_AI_LANGUAGE_ENABLED: 'false'
-          AZURE_AI_SEARCH_ENABLED: 'true'
-          AZURE_AI_SPEECH_ENABLED: 'false'
-          AZURE_AI_TRANSLATOR_ENABLED: 'false'
-          
-          AZURE_AI_VISION_ENABLED: 'false'
-          AZURE_APP_SAMPLE_ENABLED: 'false'
-          AZURE_COSMOS_DB_ENABLED: 'true'
-          AZURE_NETWORK_ISOLATION: 'false'
-          AZURE_SQL_SERVER_ENABLED: 'false'
-          AZURE_AI_DEPLOYMENTS_LOCATION: ${{ vars.AZURE_LOCATION }}
-          AZURE_DEV_COLLECT_TELEMETRY: ${{ vars.AZURE_DEV_COLLECT_TELEMETRY }}
-
-
-      - name: print result
-        run: cat ${{ steps.validation.outputs.resultFile }}
+           AZD_INITIAL_ENVIRONMENT_CONFIG: ${{ secrets.AZD_INITIAL_ENVIRONMENT_CONFIG }}

.gitignore

@@ -2,3 +2,15 @@
 .vs
 .venv
 __pycache__
+
+# Azure Developer CLI (azd)
+.azure/
+
+# Local environment files
+.env
+.env.*
+!.env.example
+
+# Local-only Bicep parameter overrides
+infra/*.local.bicepparam
+infra/*.local.bicepparam.json

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "submodules/ai-landing-zone"]
+	path = submodules/ai-landing-zone
+	url = https://github.com/Azure/AI-Landing-Zones.git

CHANGELOG.md

@@ -2,6 +2,36 @@
 
 All notable changes to this project will be documented in this file.
 
+## [1.3] - 2025-12-09
+### Added
+- Microsoft Fabric integration with automatic capacity creation and management
+- Microsoft Purview integration for governance and data cataloging
+- OneLake indexing pipeline connecting Fabric lakehouses to AI Search
+- Comprehensive post-provision automation (22 hooks for Fabric/Purview/Search setup)
+- New documentation: `deploy_app_from_foundry.md` for publishing apps from AI Foundry
+- New documentation: `TRANSPARENCY_FAQ.md` for responsible AI transparency
+- New documentation: `NewUserGuide.md` for first-time users
+- Header icons matching GSA standard format
+- Fabric private networking documentation
+
+### Changed
+- README.md restructured to match Microsoft GSA (Global Solution Accelerator) format
+- DeploymentGuide.md consolidated with all deployment options in one place
+- Updated Azure Fabric CLI commands (`az fabric capacity` replaces deprecated `az powerbi embedded-capacity`)
+- Post-provision scripts now validate Fabric capacity state before execution
+- Navigation links use pipe separators matching other GSA repos
+
+### Removed
+- `github_actions_steps.md` (stub placeholder)
+- `github_code_spaces_steps.md` (consolidated into DeploymentGuide.md)
+- `local_environment_steps.md` (consolidated into DeploymentGuide.md)
+- `Dev_ContainerSteps.md` (consolidated into DeploymentGuide.md)
+- `transfer_project_connections.md` (feature deprecated)
+- `sample_app_setup.md` (replaced with `deploy_app_from_foundry.md`)
+- `Verify_Services_On_Network.md` (referenced non-existent script)
+- `add_additional_services.md` (outdated, redundant with PARAMETER_GUIDE.md)
+- `modify_deployed_models.md` (outdated, redundant with PARAMETER_GUIDE.md)
+
 ## [1.2] - 2025-05-13
 ### Added
 - Add new project module leveraging the new cognitive services/projects type