diff --git a/.gitignore b/.gitignore
index 7f9f6e57..89a2fa7e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -483,3 +483,8 @@ env/
 venv/
 myvenv/
 ENV/
+
+# Bicep compiled outputs
+infra/**/*.json
+!infra/main.parameters.json
+!infra/abbreviations.json
diff --git a/infra/core/ai/cognitiveservices.bicep b/infra/core/ai/cognitiveservices.bicep
index 3588072c..86e5033f 100644
--- a/infra/core/ai/cognitiveservices.bicep
+++ b/infra/core/ai/cognitiveservices.bicep
@@ -44,9 +44,9 @@ resource deployment 'Microsoft.CognitiveServices/accounts/deployments@2023-05-01
 name: deployment.name
 properties: {
 model: deployment.model
- raiPolicyName: contains(deployment, 'raiPolicyName') ? deployment.raiPolicyName : null
+ raiPolicyName: deployment.?raiPolicyName ?? null
 }
- sku: contains(deployment, 'sku') ? deployment.sku : {
+ sku: deployment.?sku ?? {
 name: 'Standard'
 capacity: 20
 }
diff --git a/infra/core/host/container-apps.bicep b/infra/core/host/container-apps.bicep
index 1c656e28..a3aa44c9 100644
--- a/infra/core/host/container-apps.bicep
+++ b/infra/core/host/container-apps.bicep
@@ -21,9 +21,19 @@ module containerAppsEnvironment 'container-apps-environment.bicep' = {
 }
 }
-module containerRegistry 'container-registry.bicep' = {
+module containerRegistryInCustomRG 'container-registry.bicep' = if (!empty(containerRegistryResourceGroupName)) {
+ name: '${name}-container-registry'
+ scope: resourceGroup(containerRegistryResourceGroupName)
+ params: {
+ name: containerRegistryName
+ location: location
+ adminUserEnabled: containerRegistryAdminUserEnabled
+ tags: tags
+ }
+}
+
+module containerRegistryInCurrentRG 'container-registry.bicep' = if (empty(containerRegistryResourceGroupName)) {
 name: '${name}-container-registry'
- scope: !empty(containerRegistryResourceGroupName) ? resourceGroup(containerRegistryResourceGroupName) : resourceGroup()
 params: {
 name: containerRegistryName
 location: location
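Review bot: In infra/core/ai/cognitiveservices.bicep the `?? null` on `raiPolicyName` is redundant, because `deployment.?raiPolicyName` already evaluates to null when the property is absent; `raiPolicyName: deployment.?raiPolicyName` is equivalent. If a missing value is meant to leave the content-filter policy to the service default, a one-line comment saying so would help, since that fallback is not visible in this hunk. The resource body starts outside the hunk.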
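Review bot: In infra/core/host/container-apps.bicep the two conditional registry modules repeat the same `params` block with nothing marking them as a pair, so a later edit to one can silently miss the other. That matters most for `adminUserEnabled`, which controls the registry's shared admin credential. A comment above the first module would record the constraint, e.g. `// Same registry, deployed to one of two scopes; keep params identical to containerRegistryInCurrentRG.` The outputs in the `@@ -36,5` hunk repeat the `!empty(containerRegistryResourceGroupName)` test as well; a single `var registryInCustomRG = !empty(containerRegistryResourceGroupName)` used there would keep the selection in one place. The body of `containerRegistryInCurrentRG` continues past the end of the hunk.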
@@ -36,5 +46,5 @@ output defaultDomain string = containerAppsEnvironment.outputs.defaultDomain
 output environmentName string = containerAppsEnvironment.outputs.name
 output environmentId string = containerAppsEnvironment.outputs.id
-output registryLoginServer string = containerRegistry.outputs.loginServer
-output registryName string = containerRegistry.outputs.name
+output registryLoginServer string = !empty(containerRegistryResourceGroupName) ? containerRegistryInCustomRG.outputs.loginServer : containerRegistryInCurrentRG.outputs.loginServer
+output registryName string = !empty(containerRegistryResourceGroupName) ? containerRegistryInCustomRG.outputs.name : containerRegistryInCurrentRG.outputs.name
diff --git a/infra/core/security/keyvault-secrets.bicep b/infra/core/security/keyvault-secrets.bicep
index 7116bf8b..79692267 100644
--- a/infra/core/security/keyvault-secrets.bicep
+++ b/infra/core/security/keyvault-secrets.bicep
@@ -13,11 +13,11 @@ resource keyVaultSecret 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = [for se
 tags: tags
 properties: {
 attributes: {
- enabled: contains(secret, 'enabled') ? secret.enabled : true
- exp: contains(secret, 'exp') ? secret.exp : 0
- nbf: contains(secret, 'nbf') ? secret.nbf : 0
+ enabled: secret.?enabled ?? true
+ exp: secret.?exp ?? 0
+ nbf: secret.?nbf ?? 0
 }
- contentType: contains(secret, 'contentType') ? secret.contentType : 'string'
+ contentType: secret.?contentType ?? 'string'
 value: secret.value
 }
 }]
diff --git a/infra/core/storage/storage-account.bicep b/infra/core/storage/storage-account.bicep
index 6149fb2f..c27ba1c1 100644
--- a/infra/core/storage/storage-account.bicep
+++ b/infra/core/storage/storage-account.bicep
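Review bot: In infra/core/security/keyvault-secrets.bicep the defaults for `exp` and `nbf` are still `0` after the rewrite, so a secret passed without those keys is sent with literal zero timestamps rather than with the attributes unset. How the service treats 0 is not visible here; if the intent is "no expiry, valid immediately", `exp: secret.?exp` and `nbf: secret.?nbf` would leave them null. A comment should also state that a secret without `exp` has no expiry, so callers know to supply one. Note too that `??` replaces an explicit null as well as a missing key, which the `contains()` form did not. The resource loop starts outside the hunk.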
@@ -62,7 +62,7 @@ resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
 resource container 'containers' = [for container in containers: {
 name: container.name
 properties: {
- publicAccess: contains(container, 'publicAccess') ? container.publicAccess : 'None'
+ publicAccess: container.?publicAccess ?? 'None'
 }
 }]
 }
diff --git a/infra/main.bicep b/infra/main.bicep
index 79010b0d..99d29db8 100644
--- a/infra/main.bicep
+++ b/infra/main.bicep
@@ -511,6 +511,9 @@ module storage 'core/storage/storage-account.bicep' = {
 location: storageResourceGroupLocation
 tags: updatedTags
 publicNetworkAccess: 'Enabled'
+ allowBlobPublicAccess: false
+ allowSharedKeyAccess: false
+ defaultToOAuthAuthentication: true
 sku: {
 name: 'Standard_LRS'
 }
@@ -521,7 +524,7 @@ module storage 'core/storage/storage-account.bicep' = {
 containers: [
 {
 name: storageContainerName
- publicAccess: 'Blob'
+ publicAccess: 'None'
 }
 ]
 }
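Review bot: In infra/main.bicep, `allowSharedKeyAccess: false` turns off account-key access and SAS tokens signed with the account key, so every caller of this account needs a Microsoft Entra role assignment on it; none is visible in this hunk, and anything still using a connection string would start failing authorization. `publicNetworkAccess: 'Enabled'` is unchanged, so the endpoint stays reachable from the internet and identity is the only gate. A comment should say that this is deliberate, e.g. `// Public endpoint kept; access is Entra ID + RBAC only (no shared key, no anonymous blobs)`. The `publicAccess: 'None'` change in the `@@ -521,7` hunk is consistent with `allowBlobPublicAccess: false`, but anything that read blobs in `storageContainerName` anonymously will need an authenticated path. The `storage` module body starts and ends outside both hunks.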