{ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "mspOfferName": { "type": "string", "metadata": { "description": "Specify a unique name for your offer" }, "defaultValue": "MSS_CUSTOMERNAME_Sentinel" }, "mspOfferDescription": { "type": "string", "metadata": { "description": "Name of the Managed Service Provider offering" }, "defaultValue": "CUSTOMERNAME MSS Sentinel" }, "managedByTenantId": { "type": "string", "metadata": { "description": "Specify the tenant id of the Managed Service Provider (the managing tenant). The default value is a placeholder and must be replaced before deployment." }, "defaultValue": "ENTERTENANTID FOR MSP" }, "authorizations": { "type": "array", "metadata": { "description": "Specify an array of objects, each containing an Azure Active Directory principalId from the managing tenant, an Azure roleDefinitionId, and an optional principalIdDisplayName. The specified role is granted over the delegated customer scope to the principalId from the provider's Active Directory; the principalIdDisplayName is what customers see. An entry may also carry delegatedRoleDefinitionIds, which limits the roles a User Access Administrator entry is allowed to assign. The default principalId values are placeholders and must be replaced with object ids of groups in the managing tenant." 
}, "defaultValue": [ { "principalId": "ADGROUPNAMEID", "roleDefinitionId": "91c1777a-f3dc-4fae-b103-61d183457e46", "principalIdDisplayName": "MSPOperator" }, { "principalId": "ADGROUPNAMEID", "roleDefinitionId": "ab8e14d6-4a74-4a29-9ba8-549422addade", "principalIdDisplayName": "MSPSentinelContributor" }, { "principalId": "ADGROUPNAMEID", "roleDefinitionId": "3e150937-b8fe-4cfb-8069-0eaf05ecd056", "principalIdDisplayName": "MSPAzureSentinelResponder" }, { "principalId": "ADGROUPNAMEID", "roleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7", "principalIdDisplayName": "MSPAzureReader" }, { "principalId": "ADGROUPNAMEID", "roleDefinitionId": "f4c81013-99ee-4d62-a7ee-b3f1f648599a", "principalIdDisplayName": "MSPAzureAutomationContributor" }, { "principalId": "ADGROUPNAMEID", "roleDefinitionId": "87a39d53-fc1b-424a-814c-f7e04687dc9e", "principalIdDisplayName": "MSPLogicAppContributor" }, { "principalId": "ADGROUPNAMEID", "roleDefinitionId": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9", "principalIdDisplayName": "MSPUserAccessAdministrator", "delegatedRoleDefinitionIds": [ "73c42c96-874c-492b-b04d-ab87d138a893", "ab8e14d6-4a74-4a29-9ba8-549422addade", "3e150937-b8fe-4cfb-8069-0eaf05ecd056", "8d289c81-5878-46d4-8554-54e1e3d8b5cb", "515c2055-d9d4-4321-b1b9-bd0c9a0f79fe", "51d6186e-6489-4900-b93f-92e23144cca5" ] }, { "principalId": "ADGROUPNAMEID", "roleDefinitionId": "51d6186e-6489-4900-b93f-92e23144cca5", "principalIdDisplayName": "MSPSentinelPlaybookOperator" } ] }, "eligibleAuthorizations": { "type": "array", "metadata": { "description": "Provide the authorizations that are eligible for just-in-time role assignment on customer environments, with support for approvals from the managing tenant. Each entry's justInTimeAccessPolicy sets the multi-factor authentication requirement and the maximum activation duration of the elevated role. The default principalId is a placeholder and must be replaced before deployment." }, "defaultValue": [ { "justInTimeAccessPolicy": { "multiFactorAuthProvider": "Azure", "maximumActivationDuration": "PT1H" }, "principalId": "ADGROUPNAMEID", "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c", "principalIdDisplayName": "MSPAzureContributor" } ] }, "resourceGroups": 
{ "type": "array", "metadata": { "description": "Note: the listed resource groups must already exist in the customer subscription this template is deployed to; the delegation is assigned per resource group, not to the whole subscription. The default rgName is a placeholder and must be replaced before deployment." }, "defaultValue": [ { "rgName": "ENTERRESOURCEGROUP" } ] } }, "variables": { "mspRegistrationName": "[guid(parameters('mspOfferName'))]" }, "resources": [ { "type": "Microsoft.ManagedServices/registrationDefinitions", "apiVersion": "2022-10-01", "name": "[variables('mspRegistrationName')]", "properties": { "registrationDefinitionName": "[parameters('mspOfferName')]", "description": "[parameters('mspOfferDescription')]", "managedByTenantId": "[parameters('managedByTenantId')]", "authorizations": "[parameters('authorizations')]", "eligibleAuthorizations": "[parameters('eligibleAuthorizations')]" } }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "[concat('rgAssignment', copyIndex())]", "resourceGroup": "[parameters('resourceGroups')[copyIndex()].rgName]", "copy": { "name": "deploymentCopy", "count": "[length(parameters('resourceGroups'))]" }, "dependsOn": [ "[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('mspRegistrationName'))]" ], "properties": { "mode": "Incremental", "template": { "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": {}, "resources": [ { "type": "Microsoft.ManagedServices/registrationAssignments", "apiVersion": "2020-02-01-preview", "name": "[guid(parameters('resourceGroups')[copyIndex()].rgName, variables('mspRegistrationName'))]", "properties": { "registrationDefinitionId": "[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('mspRegistrationName'))]" } } ] } } } ], "outputs": { "mspOfferName": { "type": "string", "value": "[concat('Managed by', ' ', parameters('mspOfferName'))]" }, "authorizations": { "type": "array", "value": "[parameters('authorizations')]" }, "eligibleAuthorizations": { "type": "array", "value": "[parameters('eligibleAuthorizations')]" } } }