Add CloudHealth health model quickstart samples

quickstarts/microsoft.cloudhealth/healthmodel-basic-discovery/README.md

@@ -0,0 +1,73 @@
+---
+description: This template creates an Azure Health Model that automatically discovers virtual machines using Azure Resource Graph queries filtered by tag.
+page_type: sample
+products:
+- azure
+- azure-resource-manager
+urlFragment: healthmodel-basic-discovery
+languages:
+- bicep
+- json
+---
+# Create a basic health model with discovery
+
+![Azure Public Test Date](https://azurequickstartsservice.blob.core.windows.net/badges/quickstarts/microsoft.cloudhealth/healthmodel-basic-discovery/PublicLastTestDate.svg)
+![Azure Public Test Result](https://azurequickstartsservice.blob.core.windows.net/badges/quickstarts/microsoft.cloudhealth/healthmodel-basic-discovery/PublicDeployment.svg)
+
+![Azure US Gov Last Test Date](https://azurequickstartsservice.blob.core.windows.net/badges/quickstarts/microsoft.cloudhealth/healthmodel-basic-discovery/FairfaxLastTestDate.svg)
+![Azure US Gov Last Test Result](https://azurequickstartsservice.blob.core.windows.net/badges/quickstarts/microsoft.cloudhealth/healthmodel-basic-discovery/FairfaxDeployment.svg)
+
+![Best Practice Check](https://azurequickstartsservice.blob.core.windows.net/badges/quickstarts/microsoft.cloudhealth/healthmodel-basic-discovery/BestPracticeResult.svg)
+![Cred Scan Check](https://azurequickstartsservice.blob.core.windows.net/badges/quickstarts/microsoft.cloudhealth/healthmodel-basic-discovery/CredScanResult.svg)
+
+![Bicep Version](https://azurequickstartsservice.blob.core.windows.net/badges/quickstarts/microsoft.cloudhealth/healthmodel-basic-discovery/BicepVersion.svg)
+
+[![Deploy To Azure](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazure.svg?sanitize=true)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.cloudhealth%2Fhealthmodel-basic-discovery%2Fazuredeploy.json)
+[![Deploy To Azure US Gov](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.svg?sanitize=true)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.cloudhealth%2Fhealthmodel-basic-discovery%2Fazuredeploy.json)
+[![Visualize](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/visualizebutton.svg?sanitize=true)](http://armviz.io/#/?load=https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.cloudhealth%2Fhealthmodel-basic-discovery%2Fazuredeploy.json)
+
+## Overview
+
+This template deploys an [Azure Health Model](https://learn.microsoft.com/azure/cloud-health/) that automatically discovers virtual machines using an Azure Resource Graph query filtered by tag. Recommended monitoring signals (CPU, memory, disk) are added to each discovered VM automatically.
+
+For more information, see the [Azure Health Models documentation](https://learn.microsoft.com/azure/cloud-health/).
+
+## Prerequisites
+
+This template discovers **existing** virtual machines using an Azure Resource Graph query filtered by tag. You must have VMs already deployed — without them, the discovery rule will find nothing and the model will be empty.
+
+Before deploying, tag the virtual machines you want to monitor with `workload=my-web-app` (or your chosen tag name/value).
+
+## Deployed Resources
+
+```
+Root: <healthModelName>
+└── Compute                    (entity + discovery rule)
+    ├── [VM 1 with tag]        (discovered, recommended signals on)
+    ├── [VM 2 with tag]        (discovered, recommended signals on)
+    └── ...
+```
+
+| Resource | Type | Description |
+|----------|------|-------------|
+| Health Model | `Microsoft.CloudHealth/healthmodels` | The health model with system-assigned managed identity. |
+| Authentication Setting | `authenticationsettings` | Configures the system-assigned identity for data source queries. |
+| Compute Entity | `entities` | Grouping entity for discovered VMs. |
+| Relationship | `relationships` | Connects the Compute entity to the root. |
+| Discovery Rule | `discoveryrules` | Discovers VMs matching the specified tag. Recommended signals are added automatically. |
+
+After deployment, the discovery rule will find all VMs with the matching tag and create entities with monitoring signals under the Compute entity.
+
+## Next Steps
+
+1. **Grant the managed identity Reader access** at the subscription or resource group level. This is required before any resources will be discovered — without it, the discovery rule cannot query Azure Resource Graph and the model will remain empty.
+2. To monitor additional resource types, add more discovery rules via the portal or a follow-up template.
+3. To organise discovered resources into groupings, create entities and relationships manually.
+
+## See Also
+
+- [healthmodel-web-app](../healthmodel-web-app) — a health model with manually-created entities and relationships, no discovery.
+- [healthmodel-web-app-discovery](../healthmodel-web-app-discovery) — a web app health model that combines discovery rules with additional manually-created entities.
+- [healthmodel-servicegroup-discovery](../healthmodel-servicegroup-discovery) — a health model that discovers resources from an Azure Service Group.
+
+`Tags: Microsoft.CloudHealth/healthmodels, health model, monitoring, observability, discovery, virtual machines`

quickstarts/microsoft.cloudhealth/healthmodel-basic-discovery/azuredeploy.parameters.json

@@ -0,0 +1,9 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "healthModelName": {
+      "value": "GEN-UNIQUE"
+    }
+  }
+}

quickstarts/microsoft.cloudhealth/healthmodel-basic-discovery/main.bicep

@@ -0,0 +1,72 @@
+@description('Name of the health model. This also becomes the root entity name.')
+param healthModelName string
+
+@description('Location for all resources.')
+param location string = resourceGroup().location
+
+@description('Tag name used to identify resources for discovery. Defaults to workload.')
+param tagName string = 'workload'
+
+@description('Tag value to match. Defaults to my-web-app.')
+param tagValue string = 'my-web-app'
+
+// Health Model
+resource healthModel 'Microsoft.CloudHealth/healthmodels@2026-05-01-preview' = {
+  name: healthModelName
+  location: location
+  identity: {
+    type: 'SystemAssigned'
+  }
+  properties: {}
+}
+
+// Authentication Setting — uses the health model's system-assigned managed identity
+resource authSetting 'Microsoft.CloudHealth/healthmodels/authenticationsettings@2026-05-01-preview' = {
+  parent: healthModel
+  name: 'default-auth'
+  properties: {
+    displayName: 'Default Authentication'
+    authenticationKind: 'ManagedIdentity'
+    managedIdentityName: 'SystemAssigned'
+  }
+}
+
+// Entity — a grouping entity for discovered VMs
+resource computeEntity 'Microsoft.CloudHealth/healthmodels/entities@2026-05-01-preview' = {
+  parent: healthModel
+  name: 'compute'
+  properties: {
+    displayName: 'Compute'
+  }
+}
+
+// Relationship — connect the compute entity to the root
+resource rootToCompute 'Microsoft.CloudHealth/healthmodels/relationships@2026-05-01-preview' = {
+  parent: healthModel
+  name: '${healthModelName}-compute'
+  properties: {
+    parentEntityName: healthModelName
+    childEntityName: computeEntity.name
+  }
+}
+
+// Discovery Rule — discovers VMs by tag, adds recommended signals automatically.
+// Named after the compute entity so discovered resources parent under it.
+resource discoveryRule 'Microsoft.CloudHealth/healthmodels/discoveryrules@2026-05-01-preview' = {
+  parent: healthModel
+  name: computeEntity.name
+  properties: {
+    displayName: 'Discover VMs'
+    authenticationSetting: authSetting.name
+    discoverRelationships: 'Enabled'
+    addRecommendedSignals: 'Enabled'
+    specification: {
+      kind: 'ResourceGraphQuery'
+      resourceGraphQuery: 'resources | where type =~ \'microsoft.compute/virtualmachines\' and tags[\'${tagName}\'] =~ \'${tagValue}\''
+    }
+  }
+}
+
+output healthModelName string = healthModel.name
+output healthModelId string = healthModel.id
+output location string = healthModel.location

quickstarts/microsoft.cloudhealth/healthmodel-basic-discovery/metadata.json

@@ -0,0 +1,16 @@
+{
+  "$schema": "https://aka.ms/azure-quickstart-templates-metadata-schema#",
+  "itemDisplayName": "Create a basic health model with discovery",
+  "description": "This template creates an Azure Health Model that automatically discovers virtual machines using Azure Resource Graph queries filtered by tag. Recommended signals (CPU, memory, disk) are added to discovered VMs automatically.",
+  "summary": "Create a basic health model that discovers VMs by tag and adds recommended monitoring signals.",
+  "githubUsername": "amrichardson",
+  "dateUpdated": "2026-05-07",
+  "type": "QuickStart",
+  "testResult": {
+    "deployments": {
+      "templateFileName": "main.bicep",
+      "correlationId": "d7cacc2e-8a82-4ad2-90cd-d4b05caa554b",
+      "deploymentName": "deploy-basic-discovery"
+    }
+  }
+}

quickstarts/microsoft.cloudhealth/healthmodel-servicegroup-discovery/README.md

@@ -0,0 +1,66 @@
+---
+description: This template creates an Azure Health Model that discovers all resources belonging to an Azure Service Group.
+page_type: sample
+products:
+- azure
+- azure-resource-manager
+urlFragment: healthmodel-servicegroup-discovery
+languages:
+- bicep
+- json
+---
+# Create a health model with Service Group discovery
+
+![Azure Public Test Date](https://azurequickstartsservice.blob.core.windows.net/badges/quickstarts/microsoft.cloudhealth/healthmodel-servicegroup-discovery/PublicLastTestDate.svg)
+![Azure Public Test Result](https://azurequickstartsservice.blob.core.windows.net/badges/quickstarts/microsoft.cloudhealth/healthmodel-servicegroup-discovery/PublicDeployment.svg)
+
+![Azure US Gov Last Test Date](https://azurequickstartsservice.blob.core.windows.net/badges/quickstarts/microsoft.cloudhealth/healthmodel-servicegroup-discovery/FairfaxLastTestDate.svg)
+![Azure US Gov Last Test Result](https://azurequickstartsservice.blob.core.windows.net/badges/quickstarts/microsoft.cloudhealth/healthmodel-servicegroup-discovery/FairfaxDeployment.svg)
+
+![Best Practice Check](https://azurequickstartsservice.blob.core.windows.net/badges/quickstarts/microsoft.cloudhealth/healthmodel-servicegroup-discovery/BestPracticeResult.svg)
+![Cred Scan Check](https://azurequickstartsservice.blob.core.windows.net/badges/quickstarts/microsoft.cloudhealth/healthmodel-servicegroup-discovery/CredScanResult.svg)
+
+![Bicep Version](https://azurequickstartsservice.blob.core.windows.net/badges/quickstarts/microsoft.cloudhealth/healthmodel-servicegroup-discovery/BicepVersion.svg)
+
+[![Deploy To Azure](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazure.svg?sanitize=true)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.cloudhealth%2Fhealthmodel-servicegroup-discovery%2Fazuredeploy.json)
+[![Deploy To Azure US Gov](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.svg?sanitize=true)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.cloudhealth%2Fhealthmodel-servicegroup-discovery%2Fazuredeploy.json)
+[![Visualize](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/visualizebutton.svg?sanitize=true)](http://armviz.io/#/?load=https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.cloudhealth%2Fhealthmodel-servicegroup-discovery%2Fazuredeploy.json)
+
+## Overview
+
+This template deploys an [Azure Health Model](https://learn.microsoft.com/azure/cloud-health/) that discovers all resources belonging to an Azure Service Group. Nested Service Groups are discovered recursively (up to 10 levels deep), with each nested group represented as its own entity in the health model hierarchy.
+
+For more information, see the [Azure Health Models documentation](https://learn.microsoft.com/azure/cloud-health/).
+
+## Prerequisites
+
+- An existing Azure Service Group with member resources.
+- After deployment, grant the health model's managed identity **Reader** access at a scope that covers the Service Group's member resources.
+
+## Deployed Resources
+
+| Resource | Type | Description |
+|----------|------|-------------|
+| Health Model | `Microsoft.CloudHealth/healthmodels` | The health model with system-assigned managed identity. |
+| Authentication Setting | `authenticationsettings` | Configures the system-assigned identity for data source queries. |
+| Discovery Rule | `discoveryrules` | Discovers resources from the Service Group via Azure Resource Graph. |
+
+After deployment, the discovery rule will:
+
+- Query the `relationshipresources` table in Azure Resource Graph to find all member resources of the Service Group.
+- Discover **nested Service Groups** recursively and represent each as an entity.
+- Create **relationships** between discovered resources.
+- Add **recommended signals** to discovered resources automatically.
+
+## Next Steps
+
+1. **Grant the managed identity Reader access** at the subscription or resource group level. This is required before any resources will be discovered — without it, the discovery rule cannot query Azure Resource Graph and the model will remain empty.
+2. **Configure alerts** on entities to get notified when health degrades.
+
+## See Also
+
+- [healthmodel-web-app](../healthmodel-web-app) — a health model with manually-created entities and relationships, no discovery.
+- [healthmodel-basic-discovery](../healthmodel-basic-discovery) — a basic health model that discovers VMs by tag.
+- [healthmodel-web-app-discovery](../healthmodel-web-app-discovery) — a web app health model that combines ARG discovery with additional manually-created entities.
+
+`Tags: Microsoft.CloudHealth/healthmodels, health model, monitoring, observability, discovery, service group`

quickstarts/microsoft.cloudhealth/healthmodel-servicegroup-discovery/azuredeploy.parameters.json

@@ -0,0 +1,12 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "healthModelName": {
+      "value": "GEN-UNIQUE"
+    },
+    "serviceGroupId": {
+      "value": "GEN-UNIQUE"
+    }
+  }
+}

quickstarts/microsoft.cloudhealth/healthmodel-servicegroup-discovery/main.bicep

@@ -0,0 +1,53 @@
+@description('Name of the health model. This also becomes the root entity name.')
+param healthModelName string
+
+@description('Location for all resources.')
+param location string = resourceGroup().location
+
+@description('Resource ID of the Service Group to discover resources from. Must be a full path, for example: /providers/Microsoft.Management/serviceGroups/myServiceGroup')
+param serviceGroupId string
+
+// Health Model
+resource healthModel 'Microsoft.CloudHealth/healthmodels@2026-05-01-preview' = {
+  name: healthModelName
+  location: location
+  identity: {
+    type: 'SystemAssigned'
+  }
+  properties: {}
+}
+
+// Authentication Setting
+resource authSetting 'Microsoft.CloudHealth/healthmodels/authenticationsettings@2026-05-01-preview' = {
+  parent: healthModel
+  name: 'default-auth'
+  properties: {
+    displayName: 'Default Authentication'
+    authenticationKind: 'ManagedIdentity'
+    managedIdentityName: 'SystemAssigned'
+  }
+}
+
+// Discovery Rule — discovers all resources in the specified Service Group.
+// The backend detects this query pattern and performs recursive Service Group
+// discovery server-side (up to 10 levels deep).
+// Named the same as the health model because the backend automatically creates
+// the Service Group as a grouping entity under root — no manual entity needed.
+resource serviceGroupDiscovery 'Microsoft.CloudHealth/healthmodels/discoveryrules@2026-05-01-preview' = {
+  parent: healthModel
+  name: healthModelName
+  properties: {
+    displayName: 'Discover Service Group Resources'
+    authenticationSetting: authSetting.name
+    discoverRelationships: 'Enabled'
+    addRecommendedSignals: 'Enabled'
+    specification: {
+      kind: 'ResourceGraphQuery'
+      resourceGraphQuery: 'relationshipresources | where type =~ \'microsoft.relationships/servicegroupmember\' | where tostring(properties.TargetId) =~ \'${serviceGroupId}\' | project id=tostring(properties.SourceId)'
+    }
+  }
+}
+
+output healthModelName string = healthModel.name
+output healthModelId string = healthModel.id
+output location string = healthModel.location

quickstarts/microsoft.cloudhealth/healthmodel-servicegroup-discovery/metadata.json

@@ -0,0 +1,16 @@
+{
+  "$schema": "https://aka.ms/azure-quickstart-templates-metadata-schema#",
+  "itemDisplayName": "Create a health model with Service Group discovery",
+  "description": "This template creates an Azure Health Model that discovers all resources belonging to an Azure Service Group. Nested Service Groups are discovered recursively. Recommended signals are added to all discovered resources automatically.",
+  "summary": "Create a health model that discovers resources from an Azure Service Group.",
+  "githubUsername": "amrichardson",
+  "dateUpdated": "2026-05-07",
+  "type": "QuickStart",
+  "testResult": {
+    "deployments": {
+      "templateFileName": "main.bicep",
+      "correlationId": "2ccb7403-a4f6-47f0-a16e-7cad35391182",
+      "deploymentName": "deploy-sg-discovery"
+    }
+  }
+}