Azure-Samples · Copilot · Jul 4, 2025 · Jul 4, 2025 · Jul 4, 2025 · Feb 25, 2026
diff --git a/infra/app/api.bicep b/infra/app/api.bicep
@@ -62,7 +62,7 @@ resource applicationInsights 'Microsoft.Insights/components@2020-02-02' existing
 }
 
 // Create a Flex Consumption Function App to host the API
-module api 'br/public:avm/res/web/site:0.15.1' = {
+module api 'br/public:avm/res/web/site:0.9.0' = {
   name: '${serviceName}-flex-consumption'
   params: {
     kind: kind

diff --git a/infra/app/storage-PrivateEndpoint.bicep b/infra/app/storage-PrivateEndpoint.bicep
@@ -22,7 +22,7 @@ var queuePrivateDNSZoneName = 'privatelink.queue.${environment().suffixes.storag
 var tablePrivateDNSZoneName = 'privatelink.table.${environment().suffixes.storage}'
 
 // AVM module for Blob Private Endpoint with private DNS zone
-module blobPrivateEndpoint 'br/public:avm/res/network/private-endpoint:0.11.0' = if (enableBlob) {
+module blobPrivateEndpoint 'br/public:avm/res/network/private-endpoint:0.9.1' = if (enableBlob) {
   name: 'blob-private-endpoint-deployment'
   params: {
     name: 'blob-private-endpoint'
@@ -55,7 +55,7 @@ module blobPrivateEndpoint 'br/public:avm/res/network/private-endpoint:0.11.0' =
 }
 
 // AVM module for Queue Private Endpoint with private DNS zone
-module queuePrivateEndpoint 'br/public:avm/res/network/private-endpoint:0.11.0' = if (enableQueue) {
+module queuePrivateEndpoint 'br/public:avm/res/network/private-endpoint:0.9.1' = if (enableQueue) {
   name: 'queue-private-endpoint-deployment'
   params: {
     name: 'queue-private-endpoint'
@@ -88,7 +88,7 @@ module queuePrivateEndpoint 'br/public:avm/res/network/private-endpoint:0.11.0'
 }
 
 // AVM module for Table Private Endpoint with private DNS zone
-module tablePrivateEndpoint 'br/public:avm/res/network/private-endpoint:0.11.0' = if (enableTable) {
+module tablePrivateEndpoint 'br/public:avm/res/network/private-endpoint:0.9.1' = if (enableTable) {
   name: 'table-private-endpoint-deployment'
   params: {
     name: 'table-private-endpoint'

diff --git a/infra/app/vnet.bicep b/infra/app/vnet.bicep
@@ -13,7 +13,7 @@ param appSubnetName string = 'app'
 param tags object = {}
 
 // Migrated to use AVM module instead of direct resource declaration
-module virtualNetwork 'br/public:avm/res/network/virtual-network:0.6.1' = {
+module virtualNetwork 'br/public:avm/res/network/virtual-network:0.7.0' = {
   name: 'vnet-deployment'
   params: {
     // Required parameters
@@ -36,7 +36,7 @@ module virtualNetwork 'br/public:avm/res/network/virtual-network:0.6.1' = {
         addressPrefix: '10.0.2.0/24'
         privateEndpointNetworkPolicies: 'Disabled'
         privateLinkServiceNetworkPolicies: 'Enabled'
-        delegation: 'Microsoft.App/environments'
+        delegation: 'Microsoft.Web/serverFarms'
       }
     ]
   }

diff --git a/infra/main.bicep b/infra/main.bicep
@@ -85,7 +85,7 @@ module apiUserAssignedIdentity 'br/public:avm/res/managed-identity/user-assigned
 }
 
 // Create an App Service Plan to group applications under the same payment plan and SKU
-module appServicePlan 'br/public:avm/res/web/serverfarm:0.1.1' = {
+module appServicePlan 'br/public:avm/res/web/serverfarm:0.4.1' = {
   name: 'appserviceplan'
   scope: rg
   params: {
@@ -125,18 +125,18 @@ module api './app/api.bicep' = {
 }
 
 // Backing storage for Azure functions backend API
-module storage 'br/public:avm/res/storage/storage-account:0.8.3' = {
+module storage 'br/public:avm/res/storage/storage-account:0.9.1' = {
   name: 'storage'
   scope: rg
   params: {
     name: !empty(storageAccountName) ? storageAccountName : '${abbrs.storageStorageAccounts}${resourceToken}'
     allowBlobPublicAccess: false
-    allowSharedKeyAccess: false // Disable local authentication methods as per policy
+    allowSharedKeyAccess: true // Enable for Function Apps deployment and runtime operations
     dnsEndpointType: 'Standard'
     publicNetworkAccess: vnetEnabled ? 'Disabled' : 'Enabled'
     networkAcls: vnetEnabled ? {
       defaultAction: 'Deny'
-      bypass: 'None'
+      bypass: 'AzureServices'
     } : {
       defaultAction: 'Allow'
       bypass: 'AzureServices'
@@ -202,7 +202,7 @@ module storagePrivateEndpoint 'app/storage-PrivateEndpoint.bicep' = if (vnetEnab
 }
 
 // Monitor application with Azure Monitor - Log Analytics and Application Insights
-module logAnalytics 'br/public:avm/res/operational-insights/workspace:0.11.1' = {
+module logAnalytics 'br/public:avm/res/operational-insights/workspace:0.9.1' = {
   name: '${uniqueString(deployment().name, location)}-loganalytics'
   scope: rg
   params: {