SharePoint Subscription / 2019 / 2016 / 2013 all configured
Deploy the template
This templates creates a SharePoint Subscription / 2019 / 2016 / 2013 farm with an extensive configuration that would take ages to perform manually, including a federated authentication with ADFS, an OAuth trust, the User Profiles service and a web application with 2 zones and multiple path based and host-named site collections.
On the SharePoint virtual machines, Chocolatey is used to install the latest version of Notepad++, Visual Studio Code, Azure Data Studio, Fiddler, ULS Viewer and 7-Zip. There are some differences in the configuration, depending on the SharePoint version:
Common to all SharePoint versions
- An Active Directory forest with AD CS and AD FS configured. LDAPS (LDAP over SSL) is also configured.
- SharePoint service applications configured: User Profiles, add-ins, session state.
- SharePoint User Profiles service is configured with a directory synchronization connection, and the MySite host is a host-named site collection.
- SharePoint has 1 web application with path based and host-named site collections, and contains 2 zones:
- Default zone: HTTP using Windows authentication.
- Intranet zone: HTTPS using federated (ADFS) authentication.
- An OAuth trust is created, as well as a custom IIS site to host your high-trust add-ins.
- Custom claims provider LDAPCP is installed and configured.
Specific to SharePoint Subscription
- SharePoint virtual machines are created using the latest disk image of Windows Server 2022 Azure Edition available, and SharePoint binaries (install + cumulative updates) are downloaded and installed from scratch.
- The HTTPS site certificate is managed by SharePoint, which has the private key and sets the binding itself in the IIS site.
- Federated authentication with ADFS is configured using OpenID Connect.
Specific to SharePoint 2019 / 2016 / 2013
- SharePoint virtual machines are created using a disk image built and maintained by SharePoint Engineering.
- The HTTPS site certificate is positioned by the DSC script.
- Federated authentication with ADFS is configured using SAML 1.1.
sharePointVersionlets you choose which version of SharePoint to install:
Subscription-Latest(default): Same as
Subscription-RTM, then install the latest cumulative update available at the time of publishing: January 2023 (KB 5002331 and KB 5002326) for current version.
Subscription-22H2: Same as
Subscription-RTM, then install the Feature Update 22H2 (September 2022 CU).
Subscription-RTM: Uses a fresh Windows Server 2022 image, on which SharePoint Subscription RTM is downloaded and installed.
2019: Uses an image built and maintained by SharePoint Engineering, with SharePoint 2019 bits already installed.
2016: Uses an image built and maintained by SharePoint Engineering, with SharePoint 2016 bits already installed.
2013: Uses an image built and maintained by SharePoint Engineering, with SharePoint 2013 bits already installed.
RDPTrafficAllowed: See this section for detailed information.
numberOfAdditionalFrontEndlets you add up to 4 additional SharePoint servers to the farm with the MinRole Front-end (except on SharePoint 2013, which does not support MinRole).
enableHybridBenefitServerLicensesallows you to enable Azure Hybrid Benefit to use your on-premises Windows Server licenses and reduce cost, if you are eligible. See this page for more information..
The template returns multiple variables to record the logins, passwords and the public IP address of virtual machines.
Remote access and security
The template creates 1 virtual network with 3 subnets (+1 if Azure Bastion is enabled), and each subnet is protected by a Network Security Group which denies all incoming traffic by default.
The following parameters configure how to connect to the virtual machines, and the level of network security:
serviceAccountsPasswordrequire a strong password.
"SharePointVMsOnly"(default): Only SharePoint virtual machines get a public IP address with a DNS name and can be reached from Internet.
"Yes": All virtual machines get a public IP address with a DNS name, and can be reached from Internet.
"No": No public IP resource is created.
- The DNS name format of virtual machines is
"[resourceGroupName]-[vm_name].[region].cloudapp.azure.com"and is recorded as output in the state file.
RDPTrafficAllowedspecifies if RDP traffic is allowed:
"No"(default): Firewall denies all incoming RDP traffic.
"Internet": Firewall accepts all incoming RDP traffic from Internet.
- If CIDR notation (e.g.
"2001:1234::/64") or IP address (e.g.
"2001:1234::"): Firewall accepts incoming RDP traffic from the IP addresses specified.
true: Configure service Azure Bastion to allow a secure remote access to virtual machines.
false(default): Service Azure Bastion is not created.
Cost of the resources deployed
By default, virtual machines use B-series burstable, ideal for such template and much cheaper than other comparable series.
Here is the default size and storage type per virtual machine role:
- DC: Size Standard_B2s (2 vCPU / 4 GiB RAM) and OS disk is a 32 GiB standard SSD E4.
- SQL Server: Size Standard_B2ms (2 vCPU / 8 GiB RAM) and OS disk is a 128 GiB standard SSD E10.
- SharePoint: Size Standard_B4ms (4 vCPU / 16 GiB RAM) and OS disk is either a 32 GiB standard SSD E4 (for SharePoint Subscription and 2019), or a 128 GiB standard SSD E10 (for SharePoint 2016 and 2013).
You can visit https://azure.com/e/c494029b0b034b8ca356c926dfd2688a to estimate the monthly cost of the template in the region/currency of your choice, assuming it is created using the default settings and runs 24*7.
- Using the default options, the complete deployment takes about 1h (but it is worth it).
- Deploying any post-RTM SharePoint Subscription build adds only an extra 5-10 minutes to the total deployment time (compared to RTM), partly because the updates are installed before the farm is created.
- Once it is completed, the template will return valuable information in the 'Outputs' of the deployment.
- For various (very good) reasons, in SQL and SharePoint VMs, the name of the local (not domain) administrator is set with a string that is unique to your subscription (e.g.
"local-[q1w2e3r4t5]"). It is recorded in the 'Outputs' of the deployment once it is completed.
Tags: Microsoft.Network/networkSecurityGroups, Microsoft.Network/virtualNetworks, Microsoft.Network/publicIPAddresses, Microsoft.Network/networkInterfaces, Microsoft.Compute/virtualMachines, extensions, DSC, Microsoft.Compute/virtualMachines/extensions, Microsoft.DevTestLab/schedules, Microsoft.Network/virtualNetworks/subnets, Microsoft.Network/bastionHosts