From 7a07a56ce778d7825594c98466ec5dda62855f10 Mon Sep 17 00:00:00 2001
From: Mai Ve Bugge
Date: Tue, 8 Mar 2022 12:01:19 +0100
Subject: [PATCH 01/10] add Azure Active Directory as admin authentication
---
 arm/Microsoft.Sql/servers/deploy.bicep | 23 +++++++++++++++++------
 arm/Microsoft.Sql/servers/readme.md | 17 +++++++++++++++++
 2 files changed, 34 insertions(+), 6 deletions(-)
diff --git a/arm/Microsoft.Sql/servers/deploy.bicep b/arm/Microsoft.Sql/servers/deploy.bicep
index 06787626f7..518d2fb76f 100644
--- a/arm/Microsoft.Sql/servers/deploy.bicep
+++ b/arm/Microsoft.Sql/servers/deploy.bicep
@@ -1,9 +1,9 @@
-@description('Required. Administrator username for the server.')
-param administratorLogin string
+@description('Optional if AAD Admin is assigned. Administrator username for the server.')
+param administratorLogin string = ''
-@description('Required. The administrator login password.')
+@description('Optional if AAD Admin is assigned. The administrator login password.')
 @secure()
-param administratorLoginPassword string
+param administratorLoginPassword string = ''
 @description('Optional. Location for all resources.')
 param location string = resourceGroup().location
@@ -43,6 +43,9 @@ param firewallRules array = []
 @description('Optional. The security alert policies to create in the server')
 param securityAlertPolicies array = []
+@description('Optional. The Azure Active Directory (AAD) administrator authentiaction.')
+param administrators object = {}
+
 var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None')
 var identity = identityType != 'None' ? {
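Review bot: With `administratorLogin` and `administratorLoginPassword` both defaulting to `''` in this hunk, the template no longer fails early when a caller supplies a login without a password, or supplies neither the SQL credentials nor `administrators`; the resource hunk later in this patch maps each empty value to `null`, so the mistake only surfaces as a resource-provider error at deployment time. Unless the toolchain in use offers a compile-time assertion on parameters, the pairing should at least be stated where callers read it, e.g. `@description('Optional. The administrator login password. Must be set together with administratorLogin; leave both empty only when administrators is supplied.')`. The later patches in this series reword both descriptions but still present the two values as independently optional.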
@@ -61,8 +64,16 @@ resource server 'Microsoft.Sql/servers@2021-05-01-preview' = {
 tags: tags
 identity: identity
 properties: {
- administratorLogin: administratorLogin
- administratorLoginPassword: administratorLoginPassword
+ administratorLogin: !empty(administratorLogin) ? administratorLogin : null
+ administratorLoginPassword: !empty(administratorLoginPassword) ? administratorLoginPassword : null
+ administrators: !empty(administrators) ? {
+ administratorType: 'ActiveDirectory'
+ azureADOnlyAuthentication: administrators.azureADOnlyAuthentication
+ login: administrators.login
+ principalType: administrators.principalType
+ sid: administrators.sid
+ tenantId: administrators.tenantId
+ } : null
 version: '12.0'
 }
 }
diff --git a/arm/Microsoft.Sql/servers/readme.md b/arm/Microsoft.Sql/servers/readme.md
index 5d05277843..62ac50d355 100644
--- a/arm/Microsoft.Sql/servers/readme.md
+++ b/arm/Microsoft.Sql/servers/readme.md
@@ -84,6 +84,23 @@ You can specify multiple user assigned identities to a resource by providing add
 },
 ```
+### Parameter Usage: `administrators`
+
+Configure Azure Active Directory Authentication method for server administrator.
+https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/servers/administrators?tabs=bicep
+
+```json
+"administrators": {
+ "value": {
+ "azureADOnlyAuthentication": false
+ "login": "John Doe"
+ "sid": "<>"
+ "principalType" : "User" // options: "User", "Group", "Application"
+ "tenantId": "<>"
+ }
+},
+```
+
 ## Outputs
 | Output Name | Type | Description |
From c99ec71451337b116c32a8f1659c0cfa97427b84 Mon Sep 17 00:00:00 2001
From: Mai Ve Bugge
Date: Tue, 8 Mar 2022 12:38:07 +0100
Subject: [PATCH 02/10] update documentation and format code
---
 arm/Microsoft.Sql/servers/.parameters/parameters.json | 11 ++++++++++-
 arm/Microsoft.Sql/servers/deploy.bicep | 8 ++++----
 arm/Microsoft.Sql/servers/readme.md | 5 +++-
 3 files changed, 17 insertions(+), 7 deletions(-)
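Review bot: `azureADOnlyAuthentication` is passed straight through from the caller, and every example in this series (the readme in this patch, the parameters file in patch 02) sets it to `false`, so the documented configuration adds an AAD administrator while leaving SQL authentication and the `administratorLogin` credentials enabled; a comment on that line would stop callers from assuming the AAD admin replaces the SQL one, e.g. `// false keeps SQL authentication enabled next to the AAD admin; true makes the server AAD-only`. The five `administrators.*` reads are also unguarded, so an object missing any one key fails at deployment with a property-access error rather than a parameter validation message; if all five are meant to be mandatory, the `administrators` description should list them, otherwise guard each read with `contains(administrators, 'key')`. The `server` resource declaration starts outside this hunk.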
diff --git a/arm/Microsoft.Sql/servers/.parameters/parameters.json b/arm/Microsoft.Sql/servers/.parameters/parameters.json
index 47bf627cb5..b1c269cbd8 100644
--- a/arm/Microsoft.Sql/servers/.parameters/parameters.json
+++ b/arm/Microsoft.Sql/servers/.parameters/parameters.json
@@ -18,6 +18,15 @@
 "secretName": "administratorLoginPassword"
 }
 },
+ "administrators": {
+ "value": {
+ "azureADOnlyAuthentication": false,
+ "login": "John Doe",
+ "sid": "<>",
+ "principalType": "User",
+ "tenantId": "<>"
+ }
+ },
 "location": {
 "value": "westeurope"
 },
@@ -78,4 +87,4 @@
 }
 }
 }
-}
+}
\ No newline at end of file
diff --git a/arm/Microsoft.Sql/servers/deploy.bicep b/arm/Microsoft.Sql/servers/deploy.bicep
index 518d2fb76f..2597310bed 100644
--- a/arm/Microsoft.Sql/servers/deploy.bicep
+++ b/arm/Microsoft.Sql/servers/deploy.bicep
@@ -1,7 +1,7 @@
-@description('Optional if AAD Admin is assigned. Administrator username for the server.')
+@description('Conditional. Administrator username for the server.')
 param administratorLogin string = ''
-@description('Optional if AAD Admin is assigned. The administrator login password.')
+@description('Conditional. The administrator login password.')
 @secure()
 param administratorLoginPassword string = ''
@@ -43,7 +43,7 @@ param firewallRules array = []
 @description('Optional. The security alert policies to create in the server')
 param securityAlertPolicies array = []
-@description('Optional. The Azure Active Directory (AAD) administrator authentiaction.')
+@description('Conditional. The Azure Active Directory (AAD) administrator authentiaction.')
 param administrators object = {}
 var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None')
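Review bot: The test parameters now carry both the key-vault-backed `administratorLoginPassword` (the `"secretName"` context at the top of the hunk) and an `administrators` object with `"azureADOnlyAuthentication": false`, so the module test only exercises the mixed SQL-plus-AAD path; the AAD-only path the parameter descriptions advertise (no `administratorLogin`/`administratorLoginPassword`, flag set to `true`) is never deployed, and that is where the `null` mapping in `deploy.bicep` is most likely to break. A second parameter file, or a variant of this one, that omits the SQL credentials and sets `"azureADOnlyAuthentication": true` would cover it. The `"sid"` and `"tenantId"` values rendered here as `<>` look like placeholder tokens lost in rendering; if so, that is worth confirming in the raw file rather than from this view.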
@@ -71,7 +71,7 @@ resource server 'Microsoft.Sql/servers@2021-05-01-preview' = {
 azureADOnlyAuthentication: administrators.azureADOnlyAuthentication
 login: administrators.login
 principalType: administrators.principalType
- sid: administrators.sid
+ sid: administrators.sid
 tenantId: administrators.tenantId
 } : null
 version: '12.0'
diff --git a/arm/Microsoft.Sql/servers/readme.md b/arm/Microsoft.Sql/servers/readme.md
index 62ac50d355..60bd073a77 100644
--- a/arm/Microsoft.Sql/servers/readme.md
+++ b/arm/Microsoft.Sql/servers/readme.md
@@ -18,8 +18,9 @@ This module deploys a SQL server.
 | Parameter Name | Type | Default Value | Possible Values | Description |
 | :-- | :-- | :-- | :-- | :-- |
-| `administratorLogin` | string | | | Required. Administrator username for the server. |
-| `administratorLoginPassword` | secureString | | | Required. The administrator login password. |
+| `administrators` | object | | | Conditional. Azure Active Directory admin of the server. |
+| `administratorLogin` | string | | | Conditional. Administrator username for the server. |
+| `administratorLoginPassword` | secureString | | | Conditional. The administrator login password. |
 | `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered |
 | `databases` | _[databases](databases/readme.md)_ array | `[]` | | Optional. The databases to create in the server |
 | `firewallRules` | _[firewallRules](firewallRules/readme.md)_ array | `[]` | | Optional. The firewall rules to create in the server |
From f726ab81c8fec086069ff841c26f6196790024c5 Mon Sep 17 00:00:00 2001
From: mvbugge <32770168+mvbugge@users.noreply.github.com>
Date: Tue, 8 Mar 2022 13:05:46 +0100
Subject: [PATCH 03/10] Update arm/Microsoft.Sql/servers/deploy.bicep
Co-authored-by: Alexander Sehr
---
 arm/Microsoft.Sql/servers/deploy.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arm/Microsoft.Sql/servers/deploy.bicep b/arm/Microsoft.Sql/servers/deploy.bicep
index 2597310bed..3a2572e9b4 100644
--- a/arm/Microsoft.Sql/servers/deploy.bicep
+++ b/arm/Microsoft.Sql/servers/deploy.bicep
@@ -43,7 +43,7 @@ param firewallRules array = []
 @description('Optional. The security alert policies to create in the server')
 param securityAlertPolicies array = []
-@description('Conditional. The Azure Active Directory (AAD) administrator authentiaction.')
+@description('Optional. The Azure Active Directory (AAD) administrator authentiaction. Required if no `administratorLogin` & `administratorLoginPassword` is provided.')
 param administrators object = {}
 var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None')
From 9943648aef605074fcd52417ce737a9d4e60b91a Mon Sep 17 00:00:00 2001
From: mvbugge <32770168+mvbugge@users.noreply.github.com>
Date: Tue, 8 Mar 2022 13:07:21 +0100
Subject: [PATCH 04/10] Update arm/Microsoft.Sql/servers/deploy.bicep
Co-authored-by: Alexander Sehr
---
 arm/Microsoft.Sql/servers/deploy.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arm/Microsoft.Sql/servers/deploy.bicep b/arm/Microsoft.Sql/servers/deploy.bicep
index 3a2572e9b4..938793a4bc 100644
--- a/arm/Microsoft.Sql/servers/deploy.bicep
+++ b/arm/Microsoft.Sql/servers/deploy.bicep
@@ -1,4 +1,4 @@
-@description('Conditional. Administrator username for the server.')
+@description('Optional. Administrator username for the server. Required if no `administrators` object for AAD authentication is provided.')
 param administratorLogin string = ''
 @description('Conditional. The administrator login password.')
From 1e26f2387739faaea562b55ed1725534ea47efcb Mon Sep 17 00:00:00 2001
From: mvbugge <32770168+mvbugge@users.noreply.github.com>
Date: Tue, 8 Mar 2022 13:07:33 +0100
Subject: [PATCH 05/10] Update arm/Microsoft.Sql/servers/deploy.bicep
Co-authored-by: Alexander Sehr
---
 arm/Microsoft.Sql/servers/deploy.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arm/Microsoft.Sql/servers/deploy.bicep b/arm/Microsoft.Sql/servers/deploy.bicep
index 938793a4bc..3773997468 100644
--- a/arm/Microsoft.Sql/servers/deploy.bicep
+++ b/arm/Microsoft.Sql/servers/deploy.bicep
@@ -1,7 +1,7 @@
 @description('Optional. Administrator username for the server. Required if no `administrators` object for AAD authentication is provided.')
 param administratorLogin string = ''
-@description('Conditional. The administrator login password.')
+@description('Optional. The administrator login password. Required if no `administrators` object for AAD authentication is provided.')
 @secure()
 param administratorLoginPassword string = ''
From c3eaf3d36346a7c238e54c5feb340ab73f0c23cd Mon Sep 17 00:00:00 2001
From: mvbugge <32770168+mvbugge@users.noreply.github.com>
Date: Tue, 8 Mar 2022 13:09:33 +0100
Subject: [PATCH 06/10] Update suggested administrators principalType
Co-authored-by: Alexander Sehr
---
 arm/Microsoft.Sql/servers/.parameters/parameters.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arm/Microsoft.Sql/servers/.parameters/parameters.json b/arm/Microsoft.Sql/servers/.parameters/parameters.json
index b1c269cbd8..1f5b761ec3 100644
--- a/arm/Microsoft.Sql/servers/.parameters/parameters.json
+++ b/arm/Microsoft.Sql/servers/.parameters/parameters.json
@@ -23,7 +23,7 @@
 "azureADOnlyAuthentication": false,
 "login": "John Doe",
 "sid": "<>",
- "principalType": "User",
+ "principalType": "Application",
 "tenantId": "<>"
 }
 },
From 8f05bfc93a990e6dccfee127266af9dadadc2b37 Mon Sep 17 00:00:00 2001
From: mvbugge <32770168+mvbugge@users.noreply.github.com>
Date: Tue, 8 Mar 2022 13:18:52 +0100
Subject: [PATCH 07/10] change suggested admin sid parameter to deploymentSpId
Co-authored-by: Alexander Sehr
---
 arm/Microsoft.Sql/servers/.parameters/parameters.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arm/Microsoft.Sql/servers/.parameters/parameters.json b/arm/Microsoft.Sql/servers/.parameters/parameters.json
index 1f5b761ec3..e992fdbc54 100644
--- a/arm/Microsoft.Sql/servers/.parameters/parameters.json
+++ b/arm/Microsoft.Sql/servers/.parameters/parameters.json
@@ -22,7 +22,7 @@
 "value": {
 "azureADOnlyAuthentication": false,
 "login": "John Doe",
- "sid": "<>",
+ "sid": "<>",
 "principalType": "Application",
 "tenantId": "<>"
 }
From cc9ba5d7e863d812afd327c47c2a3c6016adb0e7 Mon Sep 17 00:00:00 2001
From: Mai Ve Bugge
Date: Tue, 8 Mar 2022 16:06:40 +0100
Subject: [PATCH 08/10] format readme.md
---
 arm/Microsoft.Sql/servers/readme.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/arm/Microsoft.Sql/servers/readme.md b/arm/Microsoft.Sql/servers/readme.md
index 60bd073a77..f6b4937db8 100644
--- a/arm/Microsoft.Sql/servers/readme.md
+++ b/arm/Microsoft.Sql/servers/readme.md
@@ -18,9 +18,9 @@ This module deploys a SQL server.
 | Parameter Name | Type | Default Value | Possible Values | Description |
 | :-- | :-- | :-- | :-- | :-- |
-| `administrators` | object | | | Conditional. Azure Active Directory admin of the server. |
-| `administratorLogin` | string | | | Conditional. Administrator username for the server. |
-| `administratorLoginPassword` | secureString | | | Conditional. The administrator login password. |
+| `administratorLogin` | string | | | Optional. Administrator username for the server. Required if no `administrators` object for AAD authentication is provided. |
+| `administratorLoginPassword` | secureString | | | Optional. The administrator login password. Required if no `administrators` object for AAD authentication is provided. |
+| `administrators` | object | `{object}` | | Optional. The Azure Active Directory (AAD) administrator authentiaction. Required if no `administratorLogin` & `administratorLoginPassword` is provided. |
 | `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered |
 | `databases` | _[databases](databases/readme.md)_ array | `[]` | | Optional. The databases to create in the server |
 | `firewallRules` | _[firewallRules](firewallRules/readme.md)_ array | `[]` | | Optional. The firewall rules to create in the server |
@@ -29,7 +29,7 @@ This module deploys a SQL server.
 | `name` | string | | | Required. The name of the server. |
 | `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' |
 | `securityAlertPolicies` | _[securityAlertPolicies](securityAlertPolicies/readme.md)_ array | `[]` | | Optional. The security alert policies to create in the server |
-| `systemAssignedIdentity` | bool | | | Optional. Enables system assigned managed identity on the resource. |
+| `systemAssignedIdentity` | bool | `False` | | Optional. Enables system assigned managed identity on the resource. |
 | `tags` | object | `{object}` | | Optional. Tags of the resource. |
 | `userAssignedIdentities` | object | `{object}` | | Optional. The ID(s) to assign to the resource. |
From d959c30ea4b0b69475f3ca07d8a379f2690224f2 Mon Sep 17 00:00:00 2001
From: mvbugge <32770168+mvbugge@users.noreply.github.com>
Date: Thu, 10 Mar 2022 13:10:54 +0100
Subject: [PATCH 09/10] Update arm/Microsoft.Sql/servers/readme.md
Co-authored-by: Alexander Sehr
---
 arm/Microsoft.Sql/servers/readme.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arm/Microsoft.Sql/servers/readme.md b/arm/Microsoft.Sql/servers/readme.md
index f6b4937db8..ff928a6e30 100644
--- a/arm/Microsoft.Sql/servers/readme.md
+++ b/arm/Microsoft.Sql/servers/readme.md
@@ -20,7 +20,7 @@ This module deploys a SQL server.
 | :-- | :-- | :-- | :-- | :-- |
 | `administratorLogin` | string | | | Optional. Administrator username for the server. Required if no `administrators` object for AAD authentication is provided. |
 | `administratorLoginPassword` | secureString | | | Optional. The administrator login password. Required if no `administrators` object for AAD authentication is provided. |
-| `administrators` | object | `{object}` | | Optional. The Azure Active Directory (AAD) administrator authentiaction. Required if no `administratorLogin` & `administratorLoginPassword` is provided. |
+| `administrators` | object | `{object}` | | Optional. The Azure Active Directory (AAD) administrator authentication. Required if no `administratorLogin` & `administratorLoginPassword` is provided. |
 | `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered |
 | `databases` | _[databases](databases/readme.md)_ array | `[]` | | Optional. The databases to create in the server |
 | `firewallRules` | _[firewallRules](firewallRules/readme.md)_ array | `[]` | | Optional. The firewall rules to create in the server |
From 284826661a5714c7b957bd46719dd37edc3e5af8 Mon Sep 17 00:00:00 2001
From: mvbugge <32770168+mvbugge@users.noreply.github.com>
Date: Thu, 10 Mar 2022 13:11:04 +0100
Subject: [PATCH 10/10] Update arm/Microsoft.Sql/servers/deploy.bicep
Co-authored-by: Alexander Sehr
---
 arm/Microsoft.Sql/servers/deploy.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arm/Microsoft.Sql/servers/deploy.bicep b/arm/Microsoft.Sql/servers/deploy.bicep
index 3773997468..001d30464c 100644
--- a/arm/Microsoft.Sql/servers/deploy.bicep
+++ b/arm/Microsoft.Sql/servers/deploy.bicep
@@ -43,7 +43,7 @@ param firewallRules array = []
 @description('Optional. The security alert policies to create in the server')
 param securityAlertPolicies array = []
-@description('Optional. The Azure Active Directory (AAD) administrator authentiaction. Required if no `administratorLogin` & `administratorLoginPassword` is provided.')
+@description('Optional. The Azure Active Directory (AAD) administrator authentication. Required if no `administratorLogin` & `administratorLoginPassword` is provided.')
 param administrators object = {}
 var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None')