microsoft
diff --git a/‎README.md‎
Lines changed: 6 additions & 6 deletions b/‎README.md‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎azure.yaml‎
Lines changed: 7 additions & 0 deletions b/‎azure.yaml‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎docs/DeploymentGuide.md‎
Lines changed: 12 additions & 4 deletions b/‎docs/DeploymentGuide.md‎
Lines changed: 12 additions & 4 deletions
diff --git a/‎docs/PARAMETER_GUIDE.md‎
Lines changed: 11 additions & 1 deletion b/‎docs/PARAMETER_GUIDE.md‎
Lines changed: 11 additions & 1 deletion
diff --git a/‎docs/automation-outputs-mapping.md‎
Lines changed: 16 additions & 5 deletions b/‎docs/automation-outputs-mapping.md‎
Lines changed: 16 additions & 5 deletions
diff --git a/‎infra/main.bicep‎
Lines changed: 54 additions & 5 deletions b/‎infra/main.bicep‎
Lines changed: 54 additions & 5 deletions
diff --git a/‎scripts/automationScripts/FabricPurviewAutomation/connect_log_analytics.ps1‎
Lines changed: 16 additions & 0 deletions b/‎scripts/automationScripts/FabricPurviewAutomation/connect_log_analytics.ps1‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎scripts/automationScripts/FabricPurviewAutomation/create_purview_collection.ps1‎
Lines changed: 11 additions & 0 deletions b/‎scripts/automationScripts/FabricPurviewAutomation/create_purview_collection.ps1‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎scripts/automationScripts/FabricPurviewAutomation/trigger_purview_scan_for_fabric_workspace.ps1‎
Lines changed: 10 additions & 0 deletions b/‎scripts/automationScripts/FabricPurviewAutomation/trigger_purview_scan_for_fabric_workspace.ps1‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎scripts/automationScripts/FabricWorkspace/CreateWorkspace/assign_workspace_to_domain.ps1‎
Lines changed: 11 additions & 0 deletions b/‎scripts/automationScripts/FabricWorkspace/CreateWorkspace/assign_workspace_to_domain.ps1‎
Lines changed: 11 additions & 0 deletions
@@ -121,15 +121,17 @@ Follow the deployment guide to deploy this solution to your own Azure subscripti
   | Requirement | Details |
   |-------------|---------|
   | **Azure Subscription** | Owner or Contributor + User Access Administrator permissions |
-  | **Microsoft Fabric** | Access to create capacity, workspace (or existing Fabric capacity ID) |
+  | **Microsoft Fabric** | Optional. Either access to create capacity/workspace, or provide existing Fabric capacity/workspace IDs, or disable Fabric automation |
   | **Microsoft Purview** | Existing tenant-level Purview account (or ability to create one) |
   | **Azure CLI** | Version 2.61.0 or later |
   | **Azure Developer CLI** | Version 1.15.0 or later |
   | **Quota** | Sufficient Azure OpenAI quota ([check here](./docs/quota_check.md)) |
 
-  > **Note:** If you enable Fabric capacity deployment, you must supply at least one valid Fabric capacity admin principal (Entra user UPN email or object ID) via `fabricCapacityAdmins`.
+  > **Note:** Fabric automation is optional. To disable all Fabric automation, set `fabricCapacityPreset = 'none'` and `fabricWorkspacePreset = 'none'` in `infra/main.bicepparam`.
 
-  > **Note:** If you enable Fabric provisioning, the user running `azd` must have the **Fabric Administrator** role (or equivalent Fabric/Power BI tenant admin permissions) to call the required admin APIs.
+  > **Note:** If you enable Fabric capacity deployment (`fabricCapacityPreset='create'`), you must supply at least one valid Fabric capacity admin principal (Entra user UPN email or object ID) via `fabricCapacityAdmins`.
+
+  > **Note:** If you enable Fabric provisioning (`fabricWorkspacePreset='create'`), the user running `azd` must have the **Fabric Administrator** role (or equivalent Fabric/Power BI tenant admin permissions) to call the required admin APIs.
 
 </details>
 
@@ -141,7 +143,7 @@ Follow the deployment guide to deploy this solution to your own Azure subscripti
   | Azure AI Foundry | Standard | [Pricing](https://azure.microsoft.com/pricing/details/machine-learning/) |
   | Azure OpenAI | Pay-per-token | [Pricing](https://azure.microsoft.com/pricing/details/cognitive-services/openai-service/) |
   | Azure AI Search | Standard | [Pricing](https://azure.microsoft.com/pricing/details/search/) |
-  | Microsoft Fabric | F8 Capacity | [Pricing](https://azure.microsoft.com/pricing/details/microsoft-fabric/) |
+  | Microsoft Fabric | F8 Capacity (if enabled) | [Pricing](https://azure.microsoft.com/pricing/details/microsoft-fabric/) |
   | Virtual Network + Bastion | Standard | [Pricing](https://azure.microsoft.com/pricing/details/azure-bastion/) |
 
   >  **Cost Optimization:** Fabric capacity can be paused when not in use. Use `az fabric capacity suspend` to stop billing.
@@ -171,8 +173,6 @@ After deployment, you'll have a complete, enterprise-ready platform that unifies
 | **Governance** | Microsoft Purview with cataloging, scans, and DSPM | Track data lineage, enforce policies, and maintain compliance visibility |
 | **Security** | Private endpoints, managed identities, RBAC, network isolation | Zero public internet exposure—all traffic stays on the Microsoft backbone |
 
-> 💡 **Note:** When Microsoft Fabric automation supports private link provisioning, the entire solution will operate with full network isolation end-to-end.
-
 <br/>
 
 ### Key Features
 
@@ -15,9 +15,16 @@ metadata:
 # Pre/Post-provision automation hooks
 hooks:
   preprovision:
+    # AI Landing Zone preprovision: generates submodule deploy/ files and (optionally) Template Specs.
+    # On Windows, `shell: sh` may not be available; fall back to the PowerShell script.
     - shell: sh
       run: ./submodules/ai-landing-zone/bicep/scripts/preprovision.sh
       interactive: true
+      continueOnError: true
+
+    - shell: pwsh
+      run: ./submodules/ai-landing-zone/bicep/scripts/preprovision.ps1
+      interactive: true
       continueOnError: false
 
   postprovision:
 
@@ -152,14 +152,22 @@ Edit `infra/main.bicepparam` or set environment variables:
 | Parameter | Description | Example |
 |-----------|-------------|---------|
 | `purviewAccountResourceId` | Resource ID of existing Purview account | `/subscriptions/.../Microsoft.Purview/accounts/...` |
-| `aiSearchAdditionalAccessObjectId` | Array of ObjectId's to apply RBAC role for Search Access | `["user@contoso.com"]`  |
-| `fabricCapacitySku` | Fabric capacity SKU | `F8` (default) |
-| `fabricCapacityAdmins` | Fabric capacity admin principals (UPN emails or Entra object IDs) | `["user@contoso.com"]` |
-| `desiredFabricWorkspaceName` | Name for Fabric workspace | `workspace-myenv` |
+| `aiSearchAdditionalAccessObjectIds` | Array of Entra object IDs to grant Search roles | `["00000000-0000-0000-0000-000000000000"]` |
+| `fabricCapacityMode` | Fabric capacity mode: `create`, `byo`, or `none` | `create` |
+| `fabricWorkspaceMode` | Fabric workspace mode: `create`, `byo`, or `none` | `create` |
+| `fabricCapacitySku` | Fabric capacity SKU (only used when `fabricCapacityMode=create`) | `F8` (default) |
+| `fabricCapacityAdmins` | Fabric capacity admin principals (UPN emails or Entra object IDs) (required when `fabricCapacityMode=create`) | `["user@contoso.com"]` |
+| `fabricCapacityResourceId` | Existing Fabric capacity ARM resource ID (required when `fabricCapacityMode=byo`) | `/subscriptions/.../providers/Microsoft.Fabric/capacities/...` |
+| `fabricWorkspaceId` | Existing Fabric workspace ID (GUID) (required when `fabricWorkspaceMode=byo`) | `00000000-0000-0000-0000-000000000000` |
+| `fabricWorkspaceName` | Existing Fabric workspace name (used when `fabricWorkspaceMode=byo`) | `my-existing-workspace` |
 
 ```bash
 # Example: Set Purview account
 azd env set purviewAccountResourceId "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Purview/accounts/<account-name>"
+
+# Example: Disable all Fabric automation
+azd env set fabricCapacityMode none
+azd env set fabricWorkspaceMode none
 ```
 
 </details>
 
@@ -1,6 +1,16 @@
 # Parameter Guide for AI Landing Zone Deployment
 
-This guide explains every parameter in `infra/main.parameters.json` and how to customize your deployment.
+This guide focuses on configuration concepts for the **AI Landing Zone**.
+
+> **Important**: This repository deploys using Bicep parameter files, not `infra/main.parameters.json`.
+>
+> - Primary parameters file: `infra/main.bicepparam`
+> - AI Landing Zone submodule parameters file (if you deploy it directly): `submodules/ai-landing-zone/bicep/infra/main.bicepparam`
+>
+> **Fabric options in this repo** are configured in `infra/main.bicepparam` via:
+> - `fabricCapacityPreset` (`create` | `byo` | `none`)
+> - `fabricWorkspacePreset` (`create` | `byo` | `none`)
+> - BYO inputs: `fabricCapacityResourceId`, `fabricWorkspaceId`, `fabricWorkspaceName`
 
 ## Table of Contents
 1. [Basic Parameters](#basic-parameters)
 
@@ -20,9 +20,13 @@ The postprovision automation scripts consume deployment outputs via the `AZURE_O
 
 | Bicep Output | Script Variable | Used By | Purpose |
 |-------------|-----------------|---------|---------|
+| `fabricCapacityMode` | `fabricCapacityMode` | Multiple Fabric scripts | Whether capacity is `create`, `byo`, or `none` |
+| `fabricWorkspaceMode` | `fabricWorkspaceMode` | Multiple Fabric scripts | Whether workspace is `create`, `byo`, or `none` |
 | `fabricCapacityId` | `FABRIC_CAPACITY_ID` | `ensure_active_capacity.ps1` | ARM resource ID of Fabric capacity |
 | `fabricCapacityResourceId` | `fabricCapacityId` | `create_fabric_workspace.ps1` | Resource ID for capacity assignment |
-| `desiredFabricWorkspaceName` | `FABRIC_WORKSPACE_NAME` | Multiple Fabric scripts | Target workspace name |
+| `fabricWorkspaceId` | `FABRIC_WORKSPACE_ID` | Multiple Fabric scripts | Existing or created Fabric workspace ID |
+| `fabricWorkspaceName` | `FABRIC_WORKSPACE_NAME` | Multiple Fabric scripts | Target workspace name |
+| `desiredFabricWorkspaceName` | `FABRIC_WORKSPACE_NAME` | Multiple Fabric scripts | Back-compat alias for `fabricWorkspaceName` |
 | `desiredFabricDomainName` | `domainName` | `create_fabric_domain.ps1` | Target domain name |
 | `fabricCapacityName` | - | - | Display name (optional) |
 
@@ -79,7 +83,11 @@ When `azd up` completes, it sets:
 ```bash
 export AZURE_OUTPUTS_JSON='{
   "fabricCapacityId": {"type":"String","value":"/subscriptions/.../fabricCapacities/fabric-xyz"},
-  "desiredFabricWorkspaceName": {"type":"String","value":"ai-workspace"},
+  "fabricCapacityMode": {"type":"String","value":"create"},
+  "fabricWorkspaceMode": {"type":"String","value":"create"},
+  "fabricWorkspaceName": {"type":"String","value":"workspace-myenv"},
+  "fabricWorkspaceId": {"type":"String","value":""},
+  "desiredFabricWorkspaceName": {"type":"String","value":"workspace-myenv"},
   "aiSearchName": {"type":"String","value":"search-xyz"},
   "aiSearchResourceGroup": {"type":"String","value":"rg-ai-landing-zone"},
   ...
@@ -93,7 +101,10 @@ Scripts parse this JSON:
 if (-not $WorkspaceName -and $env:AZURE_OUTPUTS_JSON) {
   try { 
     $out = $env:AZURE_OUTPUTS_JSON | ConvertFrom-Json
-    $WorkspaceName = $out.desiredFabricWorkspaceName.value 
+    $WorkspaceName = $out.fabricWorkspaceName.value
+    if (-not $WorkspaceName) {
+      $WorkspaceName = $out.desiredFabricWorkspaceName.value
+    }
   } catch {}
 }
 ```
@@ -121,8 +132,8 @@ azd env get-value aiSearchName
 
 ## Related Files
 
-- **Infrastructure**: `/infra/main-orchestrator.bicep` (lines 313-349)
-- **Parameters**: `/infra/main-orchestrator.bicepparam`
+- **Infrastructure**: `/infra/main.bicep`
+- **Parameters**: `/infra/main.bicepparam`
 - **Automation Workflow**: `/azure.yaml` (postprovision hooks)
 - **Scripts**: `/scripts/automationScripts/`
 
 
@@ -80,6 +80,31 @@ param apimDefinition types.apimDefinitionType?
 @description('Deploy Fabric capacity')
 param deployFabricCapacity bool = true
 
+@description('Fabric capacity mode. Use create to provision a capacity, byo to reuse an existing capacity, or none to disable Fabric capacity.')
+@allowed([
+  'create'
+  'byo'
+  'none'
+])
+param fabricCapacityMode string = (deployFabricCapacity ? 'create' : 'none')
+
+@description('Optional. Existing Fabric capacity resource ID (required when fabricCapacityMode=byo).')
+param fabricCapacityResourceId string = ''
+
+@description('Fabric workspace mode. Use create to create a workspace in postprovision, byo to reuse an existing workspace, or none to disable Fabric workspace automation.')
+@allowed([
+  'create'
+  'byo'
+  'none'
+])
+param fabricWorkspaceMode string = (fabricCapacityMode == 'none' ? 'none' : 'create')
+
+@description('Optional. Existing Fabric workspace ID (GUID) (required when fabricWorkspaceMode=byo).')
+param fabricWorkspaceId string = ''
+
+@description('Optional. Existing Fabric workspace name (used when fabricWorkspaceMode=byo).')
+param fabricWorkspaceName string = ''
+
 @description('Fabric capacity SKU')
 @allowed(['F2', 'F4', 'F8', 'F16', 'F32', 'F64', 'F128', 'F256', 'F512', 'F1024', 'F2048'])
 param fabricCapacitySku string = 'F8'
@@ -123,13 +148,16 @@ module aiLandingZone '../submodules/ai-landing-zone/bicep/deploy/main.bicep' = {
 // FABRIC CAPACITY DEPLOYMENT
 // ========================================
 
+var effectiveFabricCapacityMode = fabricCapacityMode
+var effectiveFabricWorkspaceMode = fabricWorkspaceMode
+
 var envSlugSanitized = replace(replace(replace(replace(replace(replace(replace(replace(toLower(environmentName), ' ', ''), '-', ''), '_', ''), '.', ''), '/', ''), '\\', ''), ':', ''), ',', '')
 
 var envSlugTrimmed = substring(envSlugSanitized, 0, min(40, length(envSlugSanitized)))
 var capacityNameBase = !empty(envSlugTrimmed) ? 'fabric${envSlugTrimmed}' : 'fabric${baseName}'
 var capacityName = substring(capacityNameBase, 0, min(50, length(capacityNameBase)))
 
-module fabricCapacity 'modules/fabric-capacity.bicep' = if (deployFabricCapacity) {
+module fabricCapacity 'modules/fabric-capacity.bicep' = if (effectiveFabricCapacityMode == 'create') {
   name: 'fabric-capacity'
   params: {
     capacityName: capacityName
@@ -162,11 +190,32 @@ output jumpboxSubnetResourceId string = '${aiLandingZone.outputs.virtualNetworkR
 output agentSubnetResourceId string = '${aiLandingZone.outputs.virtualNetworkResourceId}/subnets/agent-subnet'
 
 // Fabric outputs
-output fabricCapacityResourceId string = deployFabricCapacity ? fabricCapacity!.outputs.resourceId : ''
-output fabricCapacityName string = deployFabricCapacity ? fabricCapacity!.outputs.name : ''
-output fabricCapacityId string = deployFabricCapacity ? fabricCapacity!.outputs.capacityId : ''
+output fabricCapacityMode string = effectiveFabricCapacityMode
+output fabricWorkspaceMode string = effectiveFabricWorkspaceMode
+
+var effectiveFabricCapacityResourceId = effectiveFabricCapacityMode == 'create'
+  ? fabricCapacity!.outputs.resourceId
+  : (effectiveFabricCapacityMode == 'byo' ? fabricCapacityResourceId : '')
+
+var effectiveFabricCapacityName = effectiveFabricCapacityMode == 'create'
+  ? fabricCapacity!.outputs.name
+  : (!empty(effectiveFabricCapacityResourceId) ? last(split(effectiveFabricCapacityResourceId, '/')) : '')
+
+output fabricCapacityResourceId string = effectiveFabricCapacityResourceId
+output fabricCapacityName string = effectiveFabricCapacityName
+output fabricCapacityId string = effectiveFabricCapacityResourceId
+
+var effectiveFabricWorkspaceName = effectiveFabricWorkspaceMode == 'byo'
+  ? (!empty(fabricWorkspaceName) ? fabricWorkspaceName : (!empty(environmentName) ? 'workspace-${environmentName}' : 'workspace-${baseName}'))
+  : (!empty(environmentName) ? 'workspace-${environmentName}' : 'workspace-${baseName}')
+
+var effectiveFabricWorkspaceId = effectiveFabricWorkspaceMode == 'byo' ? fabricWorkspaceId : ''
+
+output fabricWorkspaceName string = effectiveFabricWorkspaceName
+output fabricWorkspaceId string = effectiveFabricWorkspaceId
+
 output desiredFabricDomainName string = !empty(environmentName) ? 'domain-${environmentName}' : 'domain-${baseName}'
-output desiredFabricWorkspaceName string = !empty(environmentName) ? 'workspace-${environmentName}' : 'workspace-${baseName}'
+output desiredFabricWorkspaceName string = effectiveFabricWorkspaceName
 
 // Purview outputs (for post-provision scripts)
 output purviewAccountResourceId string = purviewAccountResourceId
 
@@ -21,6 +21,22 @@ $ErrorActionPreference = 'Stop'
 function Log([string]$m){ Write-Host "[fabric-loganalytics] $m" }
 function Warn([string]$m){ Write-Warning "[fabric-loganalytics] $m" }
 
+# Skip when Fabric workspace automation is disabled
+$fabricWorkspaceMode = $env:fabricWorkspaceMode
+if (-not $fabricWorkspaceMode -and $env:AZURE_OUTPUTS_JSON) {
+  try { $fabricWorkspaceMode = ($env:AZURE_OUTPUTS_JSON | ConvertFrom-Json -ErrorAction Stop).fabricWorkspaceMode.value } catch { }
+}
+if (-not $fabricWorkspaceMode) {
+  try {
+    $azdMode = & azd env get-value fabricWorkspaceMode 2>$null
+    if ($LASTEXITCODE -eq 0 -and $azdMode) { $fabricWorkspaceMode = $azdMode.Trim() }
+  } catch { }
+}
+if ($fabricWorkspaceMode -and $fabricWorkspaceMode.ToString().Trim().ToLowerInvariant() -eq 'none') {
+  Warn "Fabric workspace mode is 'none'; skipping Log Analytics linkage."
+  exit 0
+}
+
 if (-not $FabricWorkspaceName) {
   # try .azure env
   $envDir = $env:AZURE_ENV_NAME
 
@@ -17,6 +17,17 @@ function Log([string]$m){ Write-Host "[purview-collection] $m" }
 function Warn([string]$m){ Write-Warning "[purview-collection] $m" }
 function Fail([string]$m){ Write-Error "[script] $m"; Clear-SensitiveVariables -VariableNames @("accessToken", "fabricToken", "purviewToken", "powerBIToken", "storageToken"); exit 1 }
 
+# Skip when Fabric workspace automation is disabled
+$fabricWorkspaceMode = $env:fabricWorkspaceMode
+if (-not $fabricWorkspaceMode -and $env:AZURE_OUTPUTS_JSON) {
+  try { $fabricWorkspaceMode = ($env:AZURE_OUTPUTS_JSON | ConvertFrom-Json -ErrorAction Stop).fabricWorkspaceMode.value } catch { }
+}
+if ($fabricWorkspaceMode -and $fabricWorkspaceMode.ToString().Trim().ToLowerInvariant() -eq 'none') {
+  Warn "Fabric workspace mode is 'none'; skipping Purview collection setup."
+  Clear-SensitiveVariables -VariableNames @('accessToken', 'fabricToken', 'purviewToken', 'powerBIToken', 'storageToken')
+  exit 0
+}
+
 function Get-AzdEnvValue([string]$key){
   $value = $null
   try { $value = & azd env get-value $key 2>$null } catch { $value = $null }
 
@@ -26,6 +26,16 @@ function Log([string]$m){ Write-Host "[purview-scan] $m" }
 function Warn([string]$m){ Write-Warning "[purview-scan] $m" }
 function Fail([string]$m){ Write-Error "[script] $m"; Clear-SensitiveVariables -VariableNames @("accessToken", "fabricToken", "purviewToken", "powerBIToken", "storageToken"); exit 1 }
 
+# Skip when Fabric workspace automation is disabled
+$fabricWorkspaceMode = $env:fabricWorkspaceMode
+if (-not $fabricWorkspaceMode -and $env:AZURE_OUTPUTS_JSON) {
+  try { $fabricWorkspaceMode = ($env:AZURE_OUTPUTS_JSON | ConvertFrom-Json -ErrorAction Stop).fabricWorkspaceMode.value } catch { }
+}
+if ($fabricWorkspaceMode -and $fabricWorkspaceMode.ToString().Trim().ToLowerInvariant() -eq 'none') {
+  Warn "Fabric workspace mode is 'none'; skipping Purview scan trigger."
+  exit 0
+}
+
 function Resolve-PurviewFromResourceId([string]$resourceId) {
   if ([string]::IsNullOrWhiteSpace($resourceId)) { return $null }
   $parts = $resourceId.Split('/', [System.StringSplitOptions]::RemoveEmptyEntries)
 
@@ -19,6 +19,17 @@ function Log([string]$m){ Write-Host "[assign-domain] $m" }
 function Warn([string]$m){ Write-Warning "[assign-domain] $m" }
 function Fail([string]$m){ Write-Error "[assign-domain] $m"; Clear-SensitiveVariables -VariableNames @('accessToken', 'fabricToken'); exit 1 }
 
+# Skip when Fabric workspace automation is disabled or BYO
+$fabricWorkspaceMode = $env:fabricWorkspaceMode
+if (-not $fabricWorkspaceMode -and $env:AZURE_OUTPUTS_JSON) {
+  try { $fabricWorkspaceMode = ($env:AZURE_OUTPUTS_JSON | ConvertFrom-Json -ErrorAction Stop).fabricWorkspaceMode.value } catch {}
+}
+if ($fabricWorkspaceMode -and $fabricWorkspaceMode.ToString().Trim().ToLowerInvariant() -ne 'create') {
+  Warn "Fabric workspace mode is '$fabricWorkspaceMode'; skipping assign-to-domain step."
+  Clear-SensitiveVariables -VariableNames @('accessToken', 'fabricToken')
+  exit 0
+}
+
 # Load from azd environment
 try {
     $azdEnvValues = azd env get-values 2>$null