SharePoint Subscription / 2019 / 2016 / 2013 all configured


Azure Public Test Date Azure Public Test Result

Azure US Gov Last Test Date Azure US Gov Last Test Result

Best Practice Check Cred Scan Check

Deploy To Azure Deploy To Azure US Gov Visualize

This template deploys SharePoint Subscription, 2019, 2016 or 2013 with the following configuration:

  • 1 web application created with 2 zones: Windows NTLM on Default zone and ADFS on Intranet zone.
  • ADFS is installed on the DC.
  • If SharePoint Subscription is selected, an Open ID Connect trust is configured between SharePoint and ADFS. Otherwise, a SAML trust is configured.
  • A certificate authority (ADCS) is provisioned on the DC and issues all certificates needed for ADFS and SharePoint.
  • A couple of site collections are created, including host-named site collections that are configured for both zones.
  • User Profiles Application service is provisioned and personal sites are configured as host-named site collections.
  • Add-ins service application is provisioned and an app catalog is created.
  • 2 add-in domains / DNS zones are created (1 for for each zone of the web application).
  • Latest version of claims provider LDAPCP is installed and configured.
  • Multiple SharePoint Web Front End servers can optionally be created and joined to the farm.

Remote access and security

The template creates 1 virtual network with 3 subnets. All subnets are protected by a Network Security Group with no custom rule by default.

The following parameters impact the remote access of the virtual machines, and the network security:

  • Parameter 'addPublicIPAddressToEachVM':
    • if true (default value): Each virtual machine gets a public IP, a DNS name, and may be reachable from Internet.
    • if false: No public IP resource is created.
  • Parameter 'RDPTrafficAllowed':
    • If 'No' (default value): Firewall denies all incoming RDP traffic from Internet.
    • If '*' or 'Internet': Firewall accepts all incoming RDP traffic from Internet.
    • If 'ServiceTagName': Firewall accepts all incoming RDP traffic from the specified 'ServiceTagName'.
    • If 'xx.xx.xx.xx': Firewall accepts incoming RDP traffic only from the IP 'xx.xx.xx.xx'.
  • Parameter 'addAzureBastion':
    • if true: Configure service Azure Bastion to allow a secure remote access.
    • if false (default value): Service Azure Bastion is not created.


By default, virtual machines use B-series burstable, ideal for such template and much cheaper than other comparable series. Here is the default size and storage type per virtual machine role:

You can visit to view the monthly cost of the template when it is deployed using the default settings, in the region/currency of your choice.

More information

Additional notes:

  • With the default settings, the deployment takes about 1h to complete.
  • Once it is completed, the template will return valuable information in the 'Outputs' of the deployment.
  • For various (very good) reasons, the template sets the local (not domain) administrator name with a string that is unique to your subscription (e.g. 'local-q1w2e3r4t5'). You can find the name of the local admin in the 'Outputs' of the deployment once it is completed.

Tags: Microsoft.Network/networkSecurityGroups, Microsoft.Network/virtualNetworks, Microsoft.Network/publicIPAddresses, Microsoft.Network/networkInterfaces, Microsoft.Compute/virtualMachines, extensions, DSC, Microsoft.Compute/virtualMachines/extensions, Microsoft.DevTestLab/schedules, Microsoft.Network/virtualNetworks/subnets, Microsoft.Network/bastionHosts