From 626538f0b9114a68d39a3a677e32ccfb3290ecca Mon Sep 17 00:00:00 2001
From: Tom Claes <claes_tom@outlook.com>
Date: Sat, 4 Apr 2026 16:27:46 +0200
Subject: [PATCH 1/7] Replace git clone with curl downloads in README

Remove the full-repo git clone instruction and replace it with
targeted curl commands that download only the three required files
(policy/azurepolicy.json, scripts/deployment.ps1, scripts/start-remediation.ps1).

This avoids cloning the entire sql-server-samples repository, reducing
setup time and bandwidth for users who only need the Arc SQL license
type policy.

Changes:
- Add optional mkdir/cd step for a clean local working directory
- Add curl commands to fetch individual files into the expected
  policy/ and scripts/ folder structure
- Add note about curl alias on Windows PowerShell 5.1
- Remove git clone and deep cd instructions

No script changes required: deployment.ps1 resolves the policy JSON
via Join-Path relative to PSScriptRoot, which is preserved by the
new folder layout.
---
 .../arc-sql-license-type-compliance/README.md | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/README.md b/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/README.md
index cb6ce7b66..1a7c99080 100644
--- a/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/README.md
+++ b/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/README.md
@@ -29,13 +29,26 @@ Parameter reference:
 
 Definition and assignment creation:
 
-1. Clone the repo.
+1. Download the required files.
 
 ```powershell
-git clone https://github.com/microsoft/sql-server-samples.git
-cd sql-server-samples/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance
+# Optional: create and enter a local working directory
+mkdir sql-arc-lt-compliance
+cd sql-arc-lt-compliance
 ```
 
+```powershell
+$baseUrl = "https://raw.githubusercontent.com/microsoft/sql-server-samples/master/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance"
+
+New-Item -ItemType Directory -Path policy, scripts -Force | Out-Null
+
+curl -sLo policy/azurepolicy.json "$baseUrl/policy/azurepolicy.json"
+curl -sLo scripts/deployment.ps1 "$baseUrl/scripts/deployment.ps1"
+curl -sLo scripts/start-remediation.ps1 "$baseUrl/scripts/start-remediation.ps1"
+```
+
+> **Note:** On Windows PowerShell 5.1, `curl` is an alias for `Invoke-WebRequest`. Use `curl.exe` instead, or run the commands in PowerShell 7+.
+
 2. Login to Azure.
 
 ```powershell

From 74df34e61b22c7f249b372e46fc1bbfc115a298c Mon Sep 17 00:00:00 2001
From: Tom Claes <claes_tom@outlook.com>
Date: Sat, 4 Apr 2026 16:32:08 +0200
Subject: [PATCH 2/7] Make ManagementGroupId optional, default to tenant root
 management group

Change ManagementGroupId from required to optional in both
deployment.ps1 and start-remediation.ps1. When not specified,
the scripts resolve the tenant root management group ID
automatically via (Get-AzContext).Tenant.Id.

Changes:
- deployment.ps1: ManagementGroupId parameter now Mandatory=false;
  auto-resolves to tenant root group with informational output
- start-remediation.ps1: same parameter change and auto-resolve
- README.md: updated both parameter tables (Required=No, default
  shown as 'Tenant root group'); simplified examples to omit
  ManagementGroupId where the default suffices; added explicit
  management group examples for users who need a custom scope
---
 .../arc-sql-license-type-compliance/README.md | 24 ++++++++++++-------
 .../scripts/deployment.ps1                    |  7 +++++-
 .../scripts/start-remediation.ps1             |  7 +++++-
 3 files changed, 27 insertions(+), 11 deletions(-)

diff --git a/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/README.md b/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/README.md
index 1a7c99080..67868feba 100644
--- a/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/README.md
+++ b/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/README.md
@@ -21,7 +21,7 @@ Parameter reference:
 
 | Parameter | Required | Default | Allowed values | Description |
 |---|---|---|---|---|
-| `ManagementGroupId` | Yes | N/A | Any valid management group ID | Scope where the policy definition is created. |
+| `ManagementGroupId` | No | Tenant root group | Any valid management group ID | Scope where the policy definition is created. Defaults to the tenant root management group when not specified. |
 | `ExtensionType` | No | `Both` | `Windows`, `Linux`, `Both` | Targets the Arc SQL extension platform. When `Both` (default), a single policy definition and assignment covers both platforms. When a specific type is selected, the naming and scope are tailored to that platform. |
 | `SubscriptionId` | No | Not set | Any valid subscription ID | If provided, policy assignment scope is the subscription. |
 | `TargetLicenseType` | Yes | N/A | `Paid`, `PAYG` | Target `LicenseType` value to enforce. |
@@ -56,11 +56,14 @@ Connect-AzAccount
 ```
 
 ```powershell
-# Example: target both platforms (default)
+# Example: target both platforms (default), using tenant root management group
+.\scripts\deployment.ps1 -SubscriptionId "<subscription-id>" -TargetLicenseType "PAYG" -LicenseTypesToOverwrite @("Paid")
+
+# Example: target both platforms with explicit management group
 .\scripts\deployment.ps1 -ManagementGroupId "<management-group-id>" -SubscriptionId "<subscription-id>" -TargetLicenseType "PAYG" -LicenseTypesToOverwrite @("Paid")
 
 # Example: target only Linux
-.\scripts\deployment.ps1 -ManagementGroupId "<management-group-id>" -ExtensionType "Linux" -SubscriptionId "<subscription-id>" -TargetLicenseType "PAYG" -LicenseTypesToOverwrite @("Paid")
+.\scripts\deployment.ps1 -ExtensionType "Linux" -SubscriptionId "<subscription-id>" -TargetLicenseType "PAYG" -LicenseTypesToOverwrite @("Paid")
 ```
 The first example (without `-ExtensionType`) will:
 * Create/update a single policy definition and assignment covering **both** Windows and Linux.
@@ -74,13 +77,13 @@ Scenario examples:
 
 ```powershell
 # Target Paid, both Linux and Windows, but only for resources with missing LicenseType or LicenseOnly (do not target PAYG)
-.\scripts\deployment.ps1 -ManagementGroupId "<management-group-id>" -TargetLicenseType "Paid" -LicenseTypesToOverwrite @("Unspecified","LicenseOnly")
+.\scripts\deployment.ps1 -TargetLicenseType "Paid" -LicenseTypesToOverwrite @("Unspecified","LicenseOnly")
 
 # Target PAYG, but only where current LicenseType is Paid (do not target missing or LicenseOnly)
-.\scripts\deployment.ps1 -ManagementGroupId "<management-group-id>" -ExtensionType "Linux" -TargetLicenseType "PAYG" -LicenseTypesToOverwrite @("Paid")
+.\scripts\deployment.ps1 -ExtensionType "Linux" -TargetLicenseType "PAYG" -LicenseTypesToOverwrite @("Paid")
 
 # Overwrite all known existing LicenseType values (Paid, PAYG, LicenseOnly), but not missing
-.\scripts\deployment.ps1 -ManagementGroupId "<management-group-id>" -ExtensionType "Linux" -TargetLicenseType "Paid" -LicenseTypesToOverwrite @("Paid","PAYG","LicenseOnly")
+.\scripts\deployment.ps1 -ExtensionType "Linux" -TargetLicenseType "Paid" -LicenseTypesToOverwrite @("Paid","PAYG","LicenseOnly")
 ```
 
 Note: `scripts/deployment.ps1` automatically grants required roles to the policy assignment managed identity at assignment scope, preventing common `PolicyAuthorizationFailed` errors during DeployIfNotExists deployments.
@@ -91,18 +94,21 @@ Parameter reference:
 
 | Parameter | Required | Default | Allowed values | Description |
 |---|---|---|---|---|
-| `ManagementGroupId` | Yes | N/A | Any valid management group ID | Used to resolve the policy definition/assignment naming context. |
+| `ManagementGroupId` | No | Tenant root group | Any valid management group ID | Used to resolve the policy definition/assignment naming context. Defaults to the tenant root management group when not specified. |
 | `ExtensionType` | No | `Both` | `Windows`, `Linux`, `Both` | Must match the platform used for the assignment. When `Both` (default), remediates the combined assignment. |
 | `SubscriptionId` | No | Not set | Any valid subscription ID | If provided, remediation runs at subscription scope. |
 | `TargetLicenseType` | Yes | N/A | `Paid`, `PAYG` | Must match the assignment target license type. |
 | `GrantMissingPermissions` | No | `false` | Switch (`present`/`not present`) | If set, checks and assigns missing required roles before remediation. |
 
 ```powershell
-# Example: remediate both platforms (default)
+# Example: remediate both platforms (default), using tenant root management group
+.\scripts\start-remediation.ps1 -SubscriptionId "<subscription-id>" -TargetLicenseType "PAYG" -GrantMissingPermissions
+
+# Example: remediate with explicit management group
 .\scripts\start-remediation.ps1 -ManagementGroupId "<management-group-id>" -SubscriptionId "<subscription-id>" -TargetLicenseType "PAYG" -GrantMissingPermissions
 
 # Example: remediate only Linux
-.\scripts\start-remediation.ps1 -ManagementGroupId "<management-group-id>" -ExtensionType "Linux" -SubscriptionId "<subscription-id>" -TargetLicenseType "PAYG" -GrantMissingPermissions
+.\scripts\start-remediation.ps1 -ExtensionType "Linux" -SubscriptionId "<subscription-id>" -TargetLicenseType "PAYG" -GrantMissingPermissions
 ```
 
 ## Managed Identity And Roles
diff --git a/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/scripts/deployment.ps1 b/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/scripts/deployment.ps1
index 98aab3392..cf9148382 100644
--- a/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/scripts/deployment.ps1
+++ b/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/scripts/deployment.ps1
@@ -1,5 +1,5 @@
 param(
-  [Parameter(Mandatory = $true)]
+  [Parameter(Mandatory = $false)]
   [ValidateNotNullOrEmpty()]
   [string]$ManagementGroupId,
 
@@ -23,6 +23,11 @@ param(
   [switch]$SkipManagedIdentityRoleAssignment
 )
 
+if (-not $PSBoundParameters.ContainsKey('ManagementGroupId')) {
+  $ManagementGroupId = (Get-AzContext).Tenant.Id
+  Write-Output "ManagementGroupId not specified. Using tenant root management group: $ManagementGroupId"
+}
+
 $AssignmentScope = "/providers/Microsoft.Management/managementGroups/$ManagementGroupId"
 
 if ($PSBoundParameters.ContainsKey('SubscriptionId')) {
diff --git a/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/scripts/start-remediation.ps1 b/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/scripts/start-remediation.ps1
index b2f895c0b..1ea317104 100644
--- a/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/scripts/start-remediation.ps1
+++ b/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/scripts/start-remediation.ps1
@@ -1,5 +1,5 @@
 param(
-  [Parameter(Mandatory = $true)]
+  [Parameter(Mandatory = $false)]
   [ValidateNotNullOrEmpty()]
   [string]$ManagementGroupId,
 
@@ -31,6 +31,11 @@ param(
   [switch]$GrantMissingPermissions
 )
 
+if (-not $PSBoundParameters.ContainsKey('ManagementGroupId')) {
+  $ManagementGroupId = (Get-AzContext).Tenant.Id
+  Write-Output "ManagementGroupId not specified. Using tenant root management group: $ManagementGroupId"
+}
+
 $AssignmentScope = "/providers/Microsoft.Management/managementGroups/$ManagementGroupId"
 
 if ($PSBoundParameters.ContainsKey('SubscriptionId')) {

From 546847b3d9351dd58733b5c7eeeec9f96e7e6f68 Mon Sep 17 00:00:00 2001
From: Tom Claes <claes_tom@outlook.com>
Date: Sat, 4 Apr 2026 16:44:09 +0200
Subject: [PATCH 3/7] Make policy definition and assignment display names
 generic

Remove hardcoded license type references from policy displayName
and description. The actual target license type is controlled by
parameters at assignment time, so the definition metadata should
not imply a specific value.

Changes:
- azurepolicy.json: displayName and description now use generic
  'Configure Arc-enabled SQL Server license type' wording
- deployment.ps1: collapsed the PAYG/SA conditional display name
  logic into a single generic label per platform
---
 .../policy/azurepolicy.json                            |  4 ++--
 .../scripts/deployment.ps1                             | 10 ++--------
 2 files changed, 4 insertions(+), 10 deletions(-)

diff --git a/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/policy/azurepolicy.json b/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/policy/azurepolicy.json
index 5450371d0..9f5634b53 100644
--- a/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/policy/azurepolicy.json
+++ b/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/policy/azurepolicy.json
@@ -1,8 +1,8 @@
 {
-  "displayName": "Set Arc-enabled SQL Server license type to 'License With Software Assurance'",
+  "displayName": "Configure Arc-enabled SQL Server license type",
   "policyType": "Custom",
   "mode": "Indexed",
-  "description": "This policy sets the license type for Arc-enabled SQL Server to 'License With Software Assurance'.  ",
+  "description": "This policy configures the license type for Arc-enabled SQL Server extensions to a specified target value.",
   "metadata": {
     "category": ""
   },
diff --git a/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/scripts/deployment.ps1 b/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/scripts/deployment.ps1
index cf9148382..964b91871 100644
--- a/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/scripts/deployment.ps1
+++ b/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/scripts/deployment.ps1
@@ -60,14 +60,8 @@ else {
 $PolicyDefinitionName = "activate-sql-arc-$LicenseToken-$PlatformToken"
 $PolicyAssignmentName = "sql-arc-$LicenseToken-$PlatformToken"
 
-if ($TargetLicenseType -eq 'PAYG') {
-  $PolicyDefinitionDisplayName = "Arc-enabled SQL Server ($PlatformLabel) license type to 'Pay-as-you-go'"
-  $PolicyAssignmentDisplayName = "Arc-enabled SQL Server ($PlatformLabel) license type to 'Pay-as-you-go'"
-}
-else {
-  $PolicyDefinitionDisplayName = "Set Arc-enabled SQL Server ($PlatformLabel) license type to 'License With Software Assurance'"
-  $PolicyAssignmentDisplayName = "Set Arc-enabled SQL Server ($PlatformLabel) license type to 'License With Software Assurance'"
-}
+$PolicyDefinitionDisplayName = "Configure Arc-enabled SQL Server ($PlatformLabel) license type"
+$PolicyAssignmentDisplayName = "Configure Arc-enabled SQL Server ($PlatformLabel) license type"
 
 #Create policy definition
 New-AzPolicyDefinition `

From 868cc2759735071d5a4c929387f0d5aa6a92b91d Mon Sep 17 00:00:00 2001
From: Tom Claes <claes_tom@outlook.com>
Date: Sat, 4 Apr 2026 16:53:11 +0200
Subject: [PATCH 4/7] Add dynamic license type label to policy display names

Include the selected target license type in the policy definition
and assignment display names for clarity in the Azure Portal.

Format: Configure Arc-enabled SQL Server (<platform>) license type to '<label>'
Examples:
- Configure Arc-enabled SQL Server (All platforms) license type to 'Pay-as-you-go'
- Configure Arc-enabled SQL Server (Linux) license type to 'License With Software Assurance'

The azurepolicy.json description remains generic since the display
name is overridden by the script at definition creation time.
---
 .../arc-sql-license-type-compliance/scripts/deployment.ps1   | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/scripts/deployment.ps1 b/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/scripts/deployment.ps1
index 964b91871..459459922 100644
--- a/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/scripts/deployment.ps1
+++ b/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/scripts/deployment.ps1
@@ -60,8 +60,9 @@ else {
 $PolicyDefinitionName = "activate-sql-arc-$LicenseToken-$PlatformToken"
 $PolicyAssignmentName = "sql-arc-$LicenseToken-$PlatformToken"
 
-$PolicyDefinitionDisplayName = "Configure Arc-enabled SQL Server ($PlatformLabel) license type"
-$PolicyAssignmentDisplayName = "Configure Arc-enabled SQL Server ($PlatformLabel) license type"
+$LicenseTypeLabel = if ($TargetLicenseType -eq 'PAYG') { 'Pay-as-you-go' } else { 'License With Software Assurance' }
+$PolicyDefinitionDisplayName = "Configure Arc-enabled SQL Server ($PlatformLabel) license type to '$LicenseTypeLabel'"
+$PolicyAssignmentDisplayName = "Configure Arc-enabled SQL Server ($PlatformLabel) license type to '$LicenseTypeLabel'"
 
 #Create policy definition
 New-AzPolicyDefinition `

From bdc1ebf22869cbd1af811cc5d02a18e0b6f2d252 Mon Sep 17 00:00:00 2001
From: Tom Claes <claes_tom@outlook.com>
Date: Sat, 4 Apr 2026 17:47:50 +0200
Subject: [PATCH 5/7] Improve deployment and remediation README sections with
 variable setup

Restructure both Deploy Policy and Start Remediation usage
instructions to guide users through setting variables before
running scripts. Clearly separates required vs optional parameters
with inline comments, shows progressively detailed invocations
(minimal, with subscription, with all options), and streamlines
scenario examples with descriptive comments.
---
 .../arc-sql-license-type-compliance/README.md | 92 +++++++++++++------
 1 file changed, 66 insertions(+), 26 deletions(-)

diff --git a/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/README.md b/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/README.md
index 67868feba..667453a89 100644
--- a/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/README.md
+++ b/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/README.md
@@ -55,38 +55,57 @@ curl -sLo scripts/start-remediation.ps1 "$baseUrl/scripts/start-remediation.ps1"
 Connect-AzAccount
 ```
 
+3. Set your variables. Only `TargetLicenseType` is required — all others are optional.
+
 ```powershell
-# Example: target both platforms (default), using tenant root management group
-.\scripts\deployment.ps1 -SubscriptionId "<subscription-id>" -TargetLicenseType "PAYG" -LicenseTypesToOverwrite @("Paid")
+# ── Required ──
+$TargetLicenseType    = "PAYG"                                      # "Paid" or "PAYG"
+
+# ── Optional (uncomment to override defaults) ──
+# $ManagementGroupId      = "<management-group-id>"                 # Default: tenant root management group
+# $SubscriptionId         = "<subscription-id>"                     # Default: policy assigned at management group scope
+# $ExtensionType          = "Both"                                  # "Windows", "Linux", or "Both" (default)
+# $LicenseTypesToOverwrite = @("Unspecified","Paid","PAYG","LicenseOnly")  # Default: all
+```
 
-# Example: target both platforms with explicit management group
-.\scripts\deployment.ps1 -ManagementGroupId "<management-group-id>" -SubscriptionId "<subscription-id>" -TargetLicenseType "PAYG" -LicenseTypesToOverwrite @("Paid")
+4. Run the deployment.
 
-# Example: target only Linux
-.\scripts\deployment.ps1 -ExtensionType "Linux" -SubscriptionId "<subscription-id>" -TargetLicenseType "PAYG" -LicenseTypesToOverwrite @("Paid")
+```powershell
+# Minimal — uses defaults for management group, platform, and overwrite targets
+.\scripts\deployment.ps1 -TargetLicenseType $TargetLicenseType
+
+# With subscription scope
+.\scripts\deployment.ps1 -TargetLicenseType $TargetLicenseType -SubscriptionId $SubscriptionId
+
+# With all options
+.\scripts\deployment.ps1 `
+  -ManagementGroupId $ManagementGroupId `
+  -SubscriptionId $SubscriptionId `
+  -ExtensionType $ExtensionType `
+  -TargetLicenseType $TargetLicenseType `
+  -LicenseTypesToOverwrite $LicenseTypesToOverwrite
 ```
-The first example (without `-ExtensionType`) will:
-* Create/update a single policy definition and assignment covering **both** Windows and Linux.
-* Assign that policy at the specified subscription scope.
-* Enforce LicenseType = PAYG.
-* Update only resources where current `LicenseType` is `Paid`.
 
-The second example creates a Linux-specific definition and assignment, with platform-tailored naming.
+This will:
+* Create/update the policy definition at the management group scope.
+* Create/assign the policy (at subscription scope when `-SubscriptionId` is provided, otherwise at management group scope).
+* Target the selected `ExtensionType` platform(s) — `Both` by default covers Windows and Linux.
+* Enforce the selected `TargetLicenseType` on resources matching the `LicenseTypesToOverwrite` filter.
 
-Scenario examples:
+**Scenario examples:**
 
 ```powershell
-# Target Paid, both Linux and Windows, but only for resources with missing LicenseType or LicenseOnly (do not target PAYG)
-.\scripts\deployment.ps1 -TargetLicenseType "Paid" -LicenseTypesToOverwrite @("Unspecified","LicenseOnly")
+# Move all Paid licenses to PAYG, both platforms
+.\scripts\deployment.ps1 -TargetLicenseType "PAYG" -LicenseTypesToOverwrite @("Paid")
 
-# Target PAYG, but only where current LicenseType is Paid (do not target missing or LicenseOnly)
-.\scripts\deployment.ps1 -ExtensionType "Linux" -TargetLicenseType "PAYG" -LicenseTypesToOverwrite @("Paid")
+# Set missing and LicenseOnly to Paid, skip resources already on PAYG
+.\scripts\deployment.ps1 -TargetLicenseType "Paid" -LicenseTypesToOverwrite @("Unspecified","LicenseOnly")
 
-# Overwrite all known existing LicenseType values (Paid, PAYG, LicenseOnly), but not missing
-.\scripts\deployment.ps1 -ExtensionType "Linux" -TargetLicenseType "Paid" -LicenseTypesToOverwrite @("Paid","PAYG","LicenseOnly")
+# Linux only — move Paid to PAYG at a specific subscription
+.\scripts\deployment.ps1 -ExtensionType "Linux" -SubscriptionId "<subscription-id>" -TargetLicenseType "PAYG" -LicenseTypesToOverwrite @("Paid")
 ```
 
-Note: `scripts/deployment.ps1` automatically grants required roles to the policy assignment managed identity at assignment scope, preventing common `PolicyAuthorizationFailed` errors during DeployIfNotExists deployments.
+> **Note:** `deployment.ps1` automatically grants required roles to the policy assignment managed identity at assignment scope, preventing common `PolicyAuthorizationFailed` errors during DeployIfNotExists deployments.
 
 ## Start Remediation
 
@@ -100,17 +119,38 @@ Parameter reference:
 | `TargetLicenseType` | Yes | N/A | `Paid`, `PAYG` | Must match the assignment target license type. |
 | `GrantMissingPermissions` | No | `false` | Switch (`present`/`not present`) | If set, checks and assigns missing required roles before remediation. |
 
+1. Set your variables. `TargetLicenseType` is required and must match the value used during deployment — all others are optional.
+
 ```powershell
-# Example: remediate both platforms (default), using tenant root management group
-.\scripts\start-remediation.ps1 -SubscriptionId "<subscription-id>" -TargetLicenseType "PAYG" -GrantMissingPermissions
+# ── Required ──
+$TargetLicenseType    = "PAYG"                                      # Must match the deployment target
+
+# ── Optional (uncomment to override defaults) ──
+# $ManagementGroupId      = "<management-group-id>"                 # Default: tenant root management group
+# $SubscriptionId         = "<subscription-id>"                     # Default: remediation runs at management group scope
+# $ExtensionType          = "Both"                                  # Must match the platform used for deployment
+```
 
-# Example: remediate with explicit management group
-.\scripts\start-remediation.ps1 -ManagementGroupId "<management-group-id>" -SubscriptionId "<subscription-id>" -TargetLicenseType "PAYG" -GrantMissingPermissions
+2. Run the remediation.
 
-# Example: remediate only Linux
-.\scripts\start-remediation.ps1 -ExtensionType "Linux" -SubscriptionId "<subscription-id>" -TargetLicenseType "PAYG" -GrantMissingPermissions
+```powershell
+# Minimal — uses defaults for management group and platform
+.\scripts\start-remediation.ps1 -TargetLicenseType $TargetLicenseType -GrantMissingPermissions
+
+# With subscription scope
+.\scripts\start-remediation.ps1 -TargetLicenseType $TargetLicenseType -SubscriptionId $SubscriptionId -GrantMissingPermissions
+
+# With all options
+.\scripts\start-remediation.ps1 `
+  -ManagementGroupId $ManagementGroupId `
+  -ExtensionType $ExtensionType `
+  -SubscriptionId $SubscriptionId `
+  -TargetLicenseType $TargetLicenseType `
+  -GrantMissingPermissions
 ```
 
+> **Note:** Use `-GrantMissingPermissions` to automatically check and assign any missing required roles before remediation starts.
+
 ## Managed Identity And Roles
 
 The policy assignment is created with `-IdentityType SystemAssigned`. Azure creates a managed identity on the assignment and uses it to apply DeployIfNotExists changes during enforcement and remediation.

From 56a70bb591847a2687a080f67bd045e597d56779 Mon Sep 17 00:00:00 2001
From: Tom Claes <claes_tom@outlook.com>
Date: Tue, 7 Apr 2026 23:39:47 +0200
Subject: [PATCH 6/7] Add ConsentToRecurringPAYG support and role assignment
 retry logic

Sync changes from claestom/sql-arc-policy-license-config into the
sql-server-samples fork.

azurepolicy.json:
- Add ConsentToRecurringPAYG compliance checks in existenceCondition:
  when target is PAYG, resources must also have the consent property
  to be considered compliant (handles both new transitions and
  backward compatibility for pre-consent PAYG extensions)
- Add ConsentToRecurringPAYG to the deployment template: when target
  is PAYG, the remediation sets Consented=true with a UTC timestamp;
  non-PAYG targets use the base LicenseType-only settings
- Add consentTimestamp template parameter (auto-generated via utcNow)

deployment.ps1:
- Add retry loop (5 attempts, 10s delay) for managed identity role
  assignments to handle replication delays after policy assignment
  creation; also handles Conflict responses gracefully

README.md:
- Add Recurring Billing Consent (PAYG) section documenting the
  consent behavior, compliance evaluation, and immutability note
---
 .../arc-sql-license-type-compliance/README.md |  8 ++++
 .../policy/azurepolicy.json                   | 43 ++++++++++++++++++-
 .../scripts/deployment.ps1                    | 30 ++++++++++---
 3 files changed, 72 insertions(+), 9 deletions(-)

diff --git a/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/README.md b/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/README.md
index 667453a89..b93c182f7 100644
--- a/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/README.md
+++ b/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/README.md
@@ -151,6 +151,14 @@ $TargetLicenseType    = "PAYG"                                      # Must match
 
 > **Note:** Use `-GrantMissingPermissions` to automatically check and assign any missing required roles before remediation starts.
 
+## Recurring Billing Consent (PAYG)
+
+When `TargetLicenseType` is set to `PAYG`, the policy automatically includes `ConsentToRecurringPAYG` in the extension settings with `Consented: true` and a UTC timestamp. This is required for recurring pay-as-you-go billing as described in the [Microsoft documentation](https://learn.microsoft.com/en-us/sql/sql-server/azure-arc/manage-pay-as-you-go-transition?view=sql-server-ver17#recurring-billing-consent).
+
+The policy also checks for `ConsentToRecurringPAYG` in its compliance evaluation — resources with `LicenseType: PAYG` but missing the consent property are flagged as non-compliant and remediated. This applies both when transitioning to PAYG and for existing PAYG extensions that predate the consent requirement (backward compatibility).
+
+> **Note:** Once `ConsentToRecurringPAYG` is set on an extension, it cannot be removed — this is enforced by the Azure resource provider. When transitioning away from PAYG, the policy changes `LicenseType` but leaves the consent property in place.
+
 ## Managed Identity And Roles
 
 The policy assignment is created with `-IdentityType SystemAssigned`. Azure creates a managed identity on the assignment and uses it to apply DeployIfNotExists changes during enforcement and remediation.
diff --git a/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/policy/azurepolicy.json b/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/policy/azurepolicy.json
index 9f5634b53..c6d6f5075 100644
--- a/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/policy/azurepolicy.json
+++ b/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/policy/azurepolicy.json
@@ -112,6 +112,26 @@
                 {
                   "value": "[length(intersection(field('Microsoft.HybridCompute/machines/extensions/settings'), createObject('LicenseType', parameters('targetLicenseType'))))]",
                   "equals": 1
+                },
+                {
+                  "anyOf": [
+                    {
+                      "value": "[parameters('targetLicenseType')]",
+                      "notEquals": "PAYG"
+                    },
+                    {
+                      "allOf": [
+                        {
+                          "value": "[parameters('targetLicenseType')]",
+                          "equals": "PAYG"
+                        },
+                        {
+                          "field": "Microsoft.HybridCompute/machines/extensions/settings",
+                          "ContainsKey": "ConsentToRecurringPAYG"
+                        }
+                      ]
+                    }
+                  ]
                 }
               ]
             },
@@ -156,6 +176,10 @@
                 {
                   "value": "[contains(parameters('licenseTypesToOverwrite'), 'PAYG')]",
                   "equals": false
+                },
+                {
+                  "field": "Microsoft.HybridCompute/machines/extensions/settings",
+                  "ContainsKey": "ConsentToRecurringPAYG"
                 }
               ]
             },
@@ -214,14 +238,29 @@
                   "metadata": {
                     "description": "LicenseType value to set on the extension."
                   }
+                },
+                "consentTimestamp": {
+                  "type": "string",
+                  "defaultValue": "[utcNow('yyyy-MM-ddTHH:mm:ssZ')]",
+                  "metadata": {
+                    "description": "UTC timestamp for recurring PAYG consent. Auto-generated at deployment time."
+                  }
                 }
               },
               "functions": [],
               "variables": {
                 "vmExtensionPublisher": "Microsoft.AzureData",
-                "licenseSettings": {
+                "baseSettings": {
                   "LicenseType": "[parameters('targetLicenseType')]"
-                }
+                },
+                "paygConsentSettings": {
+                  "LicenseType": "[parameters('targetLicenseType')]",
+                  "ConsentToRecurringPAYG": {
+                    "Consented": true,
+                    "ConsentTimestamp": "[parameters('consentTimestamp')]"
+                  }
+                },
+                "licenseSettings": "[if(equals(parameters('targetLicenseType'), 'PAYG'), variables('paygConsentSettings'), variables('baseSettings'))]"
               },
               "resources": [
                 {
diff --git a/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/scripts/deployment.ps1 b/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/scripts/deployment.ps1
index 459459922..a9b4e4475 100644
--- a/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/scripts/deployment.ps1
+++ b/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/scripts/deployment.ps1
@@ -109,13 +109,29 @@ if (-not $SkipManagedIdentityRoleAssignment) {
       -ErrorAction SilentlyContinue
 
     if (-not $existingRole) {
-      New-AzRoleAssignment `
-        -ObjectId $principalId `
-        -RoleDefinitionName $requiredRoleName `
-        -Scope $AssignmentScope `
-        -ErrorAction Stop | Out-Null
-
-      Write-Output "Assigned '$requiredRoleName' to policy assignment identity ($principalId) at scope $AssignmentScope."
+      $maxRetries = 5
+      $retryDelay = 10
+      for ($i = 1; $i -le $maxRetries; $i++) {
+        try {
+          New-AzRoleAssignment `
+            -ObjectId $principalId `
+            -RoleDefinitionName $requiredRoleName `
+            -Scope $AssignmentScope `
+            -ErrorAction Stop | Out-Null
+
+          Write-Output "Assigned '$requiredRoleName' to policy assignment identity ($principalId) at scope $AssignmentScope."
+          break
+        }
+        catch {
+          if ($_.Exception.Message -match 'Conflict') {
+            Write-Output "Assigned '$requiredRoleName' to policy assignment identity ($principalId) at scope $AssignmentScope (confirmed after retry)."
+            break
+          }
+          if ($i -eq $maxRetries) { throw }
+          Write-Output "Waiting ${retryDelay}s for identity replication before assigning '$requiredRoleName' ($i/$maxRetries)..."
+          Start-Sleep -Seconds $retryDelay
+        }
+      }
     }
     else {
       Write-Output "Policy assignment identity already has '$requiredRoleName' at scope $AssignmentScope."

From 3159341ab690309ff22045952a3b7fddf85f61b5 Mon Sep 17 00:00:00 2001
From: Tom Claes <claes_tom@outlook.com>
Date: Tue, 7 Apr 2026 23:42:38 +0200
Subject: [PATCH 7/7] Update README: rename section to 'What Is In This
 Folder', remove Screenshots section

---
 .../arc-sql-license-type-compliance/README.md         | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

diff --git a/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/README.md b/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/README.md
index b93c182f7..d49534415 100644
--- a/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/README.md
+++ b/samples/manage/azure-arc-enabled-sql-server/compliance/arc-sql-license-type-compliance/README.md
@@ -2,7 +2,7 @@
 
 This repo deploys and remediates a custom Azure Policy that configures and enforces Arc-enabled SQL Server extension `LicenseType` to a selected target value (for example `Paid` or `PAYG`).
 
-## What Is In This Repo
+## What Is In This Folder
 
 - `policy/azurepolicy.json`: Custom policy definition (DeployIfNotExists).
 - `scripts/deployment.ps1`: Creates/updates the policy definition and policy assignment.
@@ -177,11 +177,4 @@ Use one of these options:
 
 - Re-run `scripts/deployment.ps1` (default behavior assigns `Resource Policy Contributor` automatically).
 - Re-run `scripts/deployment.ps1` (default behavior assigns required roles automatically).
-- Run `scripts/start-remediation.ps1 -GrantMissingPermissions` (checks and assigns missing required roles before remediation).
-
-## Screenshots
-
-![overview](./docs/screenshots/overview.png)
-![pre-policy](./docs/screenshots/pre-policy.png)
-![remediation](./docs/screenshots/remediation.png)
-![postpolicy](./docs/screenshots/post-policy.png)
\ No newline at end of file
+- Run `scripts/start-remediation.ps1 -GrantMissingPermissions` (checks and assigns missing required roles before remediation).
\ No newline at end of file