This repo is a collection of automation snippets for Azure, Azure DevOps, and supporting tooling. The repo includes Bicep controllers and modules, PowerShell deployment scripts and functions, and Azure DevOps pipeline decorator examples.

• iac/az-controllers/bastionJumpBox.bicep - Bastion host, jump box VM, NICs, vNet/subnets, NSGs, PIP, and Key Vault with secrets. - QuickStart guide in iac/az-controllers/bastionJumpBox.md.
• iac/az-controllers/serverVM.bicep - Adds a server VM with NIC and subnet into an existing vNet.
• iac/az-controllers/managementGroupHierarchy.bicep - Deploys a CAF-inspired management group hierarchy (up to six tiers) plus optional default MG and creation policy.
• iac/az-controllers/serviceGroupsHierarchy.bicep - Deploys Azure Service Groups (preview) in up to ten tiers. Details in iac/az-controllers/serviceGroupsHierarchy.md.

Sample parameter files live in params (for example params/serviceGroupsHierarchy.json).

Located under iac/az-modules, covering:

• Microsoft.Management: managementGroup.bicep, serviceGroup.bicep
• Microsoft.Network: virtualNetwork.bicep, subnet.bicep, networkSecurityGroup.bicep, publicIPAddress.bicep, networkInterface.bicep, bastionHost.bicep
• Microsoft.Compute: virtualMachine.bicep
• Microsoft.KeyVault: vault.bicep, secret.bicep
• Microsoft.ContainerRegistry: registry.bicep
• Utilities: resourceId.bicep, timestamp.bicep

Deployment helpers for standing up the labs, managing configuration, and reusable functions for Azure/Entra, Azure DevOps, and Graph automation.

Deployment scripts:

• powershell/deployBastionJumpBox.ps1,
• powershell/deployServerVm.ps1,
• powershell/deployBasicRegistry.ps1,
• powershell/replaceConfigurationFilesTokens.ps1,
• powershell/getAllAzRoleAssignments.ps1.

Function library in powershell/functions:

• Add-EnIdApplicationOwnerInBulk.ps1
• Confirm-AdoGroupMembership.ps1
• Connect-AzInAppRegistrationContext.ps1
• Connect-MgGraphWithCurrentAzContext.ps1
• Convert-TokensToValues.ps1
• ConvertFrom-SecureStringToPlainText.ps1
• Export-AzRoleAssignmentsWithPrincipalNames.ps1
• Get-FileHashDownload.ps1
• Get-MgGraphToken.ps1
• Get-SubscriptionsFromManagementGroupAncestorsChain.ps1
• New-AdoArmServiceConnection.ps1
• New-AdoAuthenticationToken.ps1
• New-AdoProject.ps1
• New-TenantRootAssignment.ps1
• Read-AdoOrganizationAdvancedSecurityStatus.ps1
• Read-AdoOrganizationDefaultLicenseType.ps1
• Read-AdoOrganizationGeneralBillingSettings.ps1
• Read-AdoOrganizationGeneralOverview.ps1
• Read-AdoOrganizationPipelinesSettings.ps1
• Read-AdoOrganizationSecurityPolicies.ps1
• Read-AdoRepoAdvancedSecurityStatus.ps1
• Read-AdoTenantOrganizationConnections.ps1
• Remove-SoftDeletedApiManagementInstance.ps1
• Set-AdoAuditStream.ps1
• Set-AzRoleAssignments.ps1
• Set-EnIdApps.ps1
• Set-EnIdGroups.ps1
• Test-AdoServiceConnection.ps1

Decorator examples under pipelines/decorators demonstrate injecting tasks (Hello World, Gitleaks, Microsoft Security DevOps) via vss-extension.json plus YAML snippets. Token replacement pipeline sample in pipelines/replaceConfigurationFilesTokens.