MS Graph (AAD) provider for bicep

Open spmanjunath opened this issue 2 years ago • 41 comments

There appears to be no clean way of registering a new application (App registration) in Azure AD using Bicep. The suggested alternate approach involves using:

  • DeploymentScripts
  • UserIdentity having the necessary permission to create the App registration

For the above approach, the User identity should be created beforehand, which defeats the purpose (of enveloping everything related to app deployment in a Bicep file) as it needs to be created manually or through PowerShell scripts.

I see a similar request as part of ARM, was wondering if this feature can be considered for future implementation by Bicep team.

Note: It appears that Terraform supports a similar requirement.

spmanjunath avatar Jul 27 '22 12:07 spmanjunath

We are working on an MS Graph (AAD) provider for Bicep so you can create App registrations and other AAD objects, but don't have a clear ETA atm.

Related to #6864

alex-frankel avatar Jul 27 '22 21:07 alex-frankel

We are working on an MS Graph (AAD) provider for Bicep so you can create App registrations and other AAD objects, but don't have a clear ETA atm.

Related to #6864

This is fantastic news. Will this also allow us to reference/query existing AAD objects? (E.g. to set the SQL Server AAD admin to an existing AAD group)

cwe1ss avatar Oct 21 '22 07:10 cwe1ss

We are working on an MS Graph (AAD) provider for Bicep so you can create App registrations and other AAD objects, but don't have a clear ETA atm. Related to #6864

This is fantastic news. Will this also allow us to reference/query existing AAD objects? (E.g. to set the SQL Server AAD admin to an existing AAD group)

Yes, we will support existing references for AAD objects, which will be semantically equivalent to existing for Azure resources.

alex-frankel avatar Oct 21 '22 15:10 alex-frankel

I am very happy to have found this issue, and hope to see it implemented at some point. This would be such a huge quality of life update for us! We are currently limited to manually creating certain AAD resources prior to deploying our Azure infrastructure. Do you know whether the MS Graph provider will have support for creating group assignments?

Agger1995 avatar Nov 15 '22 10:11 Agger1995

Yes -- service principal, group, and group assignment CRUD are the three Graph objects we are focused on in the first iteration. It's possible we will be able to support more than that, but those three are the priority.

alex-frankel avatar Nov 15 '22 23:11 alex-frankel

Hi,

Also following this thread. Is there already an estimated time this will be released?

Sdelausnay avatar Nov 24 '22 12:11 Sdelausnay

I've got a demo in GitHub of how to use DeploymentScripts in bicep - the sample uses a PowerShell script to grab a Role Definition's GUID, but with minimal effort this could be converted to your usage scenario.

BicepDeploymentScripts

It basically creates a User Assigned Identity, grants the UAI reader to the subscription, assigns that to the DeploymentScript, and then finally runs a PowerShell script to query Azure to get the specified role's GUID.

ChristopherGLewis avatar Nov 30 '22 16:11 ChristopherGLewis
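The pattern described in the comment above (a user-assigned identity attached to a deployment script that then calls out from PowerShell), pointed at the issue's actual goal of creating an App registration. This is an added example, not the linked BicepDeploymentScripts demo and not Microsoft's doc sample. It assumes a resource-group deployment and a pre-existing user-assigned identity that has already been granted the Microsoft Graph application permission Application.ReadWrite.All out of band; that out-of-band step is exactly the chicken-and-egg problem the issue opens with, since Bicep cannot grant Graph app roles to the identity. App name, redirect URI and the `scriptIdentityName` parameter are hypothetical.

```bicep
// Added example (not from the issue or the linked demo repo).
// Assumption: scriptIdentityName is a UAI created and granted
// Application.ReadWrite.All on Microsoft Graph before this deployment runs.
param location string = resourceGroup().location
param scriptIdentityName string
param appDisplayName string = 'contoso-web'   // hypothetical
param redirectUri string = 'https://contoso-web.azurewebsites.net/.auth/login/aad/callback'
param deployTimestamp string = utcNow()       // utcNow() is only allowed in a param default

resource scriptIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
  name: scriptIdentityName
}

resource createApp 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
  name: 'create-app-registration'
  location: location
  kind: 'AzurePowerShell'
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${scriptIdentity.id}': {}
    }
  }
  properties: {
    azPowerShellVersion: '10.0'
    retentionInterval: 'PT1H'
    timeout: 'PT15M'
    cleanupPreference: 'OnSuccess'
    forceUpdateTag: deployTimestamp   // re-run on every deployment so the redirect URI stays in sync
    environmentVariables: [
      { name: 'APP_DISPLAY_NAME', value: appDisplayName }
      { name: 'REDIRECT_URI', value: redirectUri }
    ]
    scriptContent: '''
      $ErrorActionPreference = 'Stop'
      # The script container is already signed in as the UAI; exchange that session for a Graph token.
      $token = (Get-AzAccessToken -ResourceUrl 'https://graph.microsoft.com').Token
      $headers = @{ Authorization = "Bearer $token"; 'Content-Type' = 'application/json' }
      $graph = 'https://graph.microsoft.com/v1.0/applications'

      # Idempotency: reuse an app with this displayName instead of creating a duplicate per deployment.
      # displayName is NOT unique in Entra ID, so an unrelated app with the same name would be
      # picked up and patched here; check the tenant before relying on this.
      $name = $env:APP_DISPLAY_NAME -replace "'", "''"
      $existing = (Invoke-RestMethod -Headers $headers -Uri "${graph}?`$filter=displayName eq '$name'").value
      if ($existing.Count -gt 0) {
        $app = $existing[0]
        $patch = @{ web = @{ redirectUris = @($env:REDIRECT_URI) } } | ConvertTo-Json -Depth 5
        Invoke-RestMethod -Method Patch -Headers $headers -Uri "$graph/$($app.id)" -Body $patch | Out-Null
      } else {
        $body = @{
          displayName    = $env:APP_DISPLAY_NAME
          signInAudience = 'AzureADMyOrg'
          web            = @{ redirectUris = @($env:REDIRECT_URI) }
        } | ConvertTo-Json -Depth 5
        $app = Invoke-RestMethod -Method Post -Headers $headers -Uri $graph -Body $body
      }

      # Return identifiers only. Deliberately no client secret: deployment-script outputs and the
      # deployment history are readable by anyone with Reader on the resource group.
      $DeploymentScriptOutputs = @{ appId = $app.appId; objectId = $app.id }
    '''
  }
}

output clientId string = createApp.properties.outputs.appId
output appObjectId string = createApp.properties.outputs.objectId
```

Two things worth checking before using this for real: the identity running the script holds Application.ReadWrite.All for the whole tenant, which is far more than "create one app", so keep that UAI dedicated to deployments and audit its use; and if a client secret is genuinely required, generate it in the script and write it straight to a Key Vault the script identity can set secrets in, never into `$DeploymentScriptOutputs`.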

Hi,

Also following this thread. Is there already an estimated time this will be released?

Also very interested in knowing when this will be available. We want to use it to create Azure Service Bus queues and create/assign the appropriate group/ service principal to it using bicep.

vinvli avatar Feb 03 '23 08:02 vinvli

We are still closing on some design details, so we can't give a confident ETA yet. Will share more details as we have them.

alex-frankel avatar Feb 06 '23 16:02 alex-frankel

This would be great to support the Azure landing zones that we are implementing at the moment. Can do a lot in the Bicep modules apart from creating the AAD groups for the RBAC roles.

Grant-Rc avatar Mar 07 '23 02:03 Grant-Rc

We have worked around this for now using a deployment script, but really keen to be able to entirely do this in Bicep. Any news?

josdeweger avatar Mar 13 '23 10:03 josdeweger

Hey team,

This was discussed in the last Bicep meeting. When is it going live?

ms-sambell avatar Jul 21 '23 06:07 ms-sambell

Last ETA I heard was September. @stephaniezyen can confirm.

alex-frankel avatar Jul 21 '23 22:07 alex-frankel

Following this thread. Any ETA?

MaluSiv avatar Jul 31 '23 03:07 MaluSiv

Also following this. I think anyone using Bicep is extremely keen on having support for managing AAD with it too.

NSimpragaVolur avatar Jul 31 '23 13:07 NSimpragaVolur

ETA is 9/15.

@NsimpragaVolur - it's my understanding that MSGraph/AAD/EntraID are all synonyms, but I could have that wrong. Is there specific functionality you are expecting that is not captured on this issue?

alex-frankel avatar Jul 31 '23 21:07 alex-frankel

(Personally) I am hoping to replace these scripts with Bicep:

https://github.com/microsoft/sample-app-aoai-chatGPT/blob/main/scripts/auth_init.py https://github.com/microsoft/sample-app-aoai-chatGPT/blob/main/scripts/auth_update.py

It uses the REST API to create a Graph application, add a client secret, and store the resulting app ID / client ID / client secret (to feed into Bicep). It then updates redirect URI.

So I am hoping the 9/15 Bicep will enable all that.

pamelafox avatar Jul 31 '23 21:07 pamelafox

(Personally) I am hoping to replace these scripts with Bicep:

https://github.com/microsoft/sample-app-aoai-chatGPT/blob/main/scripts/auth_init.py https://github.com/microsoft/sample-app-aoai-chatGPT/blob/main/scripts/auth_update.py

It uses the REST API to create a Graph application, add a client secret, and store the resulting app ID / client ID / client secret (to feed into Bicep). It then updates redirect URI.

So I am hoping the 9/15 Bicep will enable all that.

That would be my # 1 use case too.

In addition, looking up the object ID of a user or group by UPN or name.

SvenAelterman avatar Jul 31 '23 21:07 SvenAelterman

From monthly call: image (I would have posted this earlier but missed capturing screenshot from live presentation)

The demo on monthly was really good: 5/5 probably will check again soon.


About MS Graph/Entra something/Azure AD/etc:

  • Azure AD == Entra ID ^1
  • Azure AD related endpoints are subset of the MS Graph API ^2

jikuja avatar Jul 31 '23 22:07 jikuja

Just to recap - capabilities and limitations for private preview:

  • Bicep types for:
    • Group, group membership, group ownership
    • Application
    • ServicePrincipal
    • Oauth2PermissionGrant and AppRoleAssignment
  • Bicep types for Microsoft Graph /beta version only
  • Deployment requires a signed-in user (we'll add zero-touch deployment in the private preview refresh)
  • Deployment in public cloud only

@pamelafox - yes that should be possible through a Bicep template alone. @SvenAelterman - we won't have support for user as a bicep type in the private preview, but we can add that later. You'll be able to reference groups you create via a client provided key (just like Azure resources).

Hope this helps.

dkershaw10 avatar Jul 31 '23 22:07 dkershaw10

Here's a very simple example: image

dkershaw10 avatar Jul 31 '23 22:07 dkershaw10
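The screenshot example above did not survive extraction. What follows is an added example, not the one from the screenshot and not the private-preview syntax it showed (the recap above says the preview used Microsoft Graph /beta types only). It uses the later public Microsoft Graph Bicep extension syntax, assumed to be configured in `bicepconfig.json`, and covers the three things asked for in this thread: creating a group, an application and its service principal in one template; the `uniqueName` client-provided key that makes redeployment idempotent; and referencing an existing group with `existing` to set a SQL server's Entra admin, the case cwe1ss raised. All names and URIs are hypothetical.

```bicep
// Added example (not the screenshot above). Assumes the microsoftGraphV1 extension
// is registered in bicepconfig.json and the deployer is signed in as a user or
// identity allowed to create these directory objects.
extension microsoftGraphV1

param sqlServerName string
param location string = resourceGroup().location
param redirectUri string = 'https://contoso-web.azurewebsites.net/.auth/login/aad/callback'

// uniqueName is the client-provided key: a second deployment finds this group again
// instead of creating another one with the same displayName.
resource sqlAdmins 'Microsoft.Graph/groups@v1.0' = {
  uniqueName: 'contoso-sql-admins'
  displayName: 'Contoso SQL Admins'
  mailNickname: 'contoso-sql-admins'
  mailEnabled: false
  securityEnabled: true
}

// App registration and its service principal (the "enterprise application") together.
resource webApp 'Microsoft.Graph/applications@v1.0' = {
  uniqueName: 'contoso-web'
  displayName: 'Contoso Web'
  signInAudience: 'AzureADMyOrg'   // single tenant; widen only if multi-tenant is really needed
  web: {
    redirectUris: [
      redirectUri
    ]
  }
}

resource webAppSp 'Microsoft.Graph/servicePrincipals@v1.0' = {
  appId: webApp.appId
}

// Existing reference, semantically like `existing` for Azure resources: a group
// created elsewhere, looked up by its uniqueName, becomes the SQL server's Entra admin.
resource platformAdmins 'Microsoft.Graph/groups@v1.0' existing = {
  uniqueName: 'contoso-platform-admins'
}

resource sqlServer 'Microsoft.Sql/servers@2022-05-01-preview' = {
  name: sqlServerName
  location: location
  properties: {
    administrators: {
      administratorType: 'ActiveDirectory'
      principalType: 'Group'
      login: platformAdmins.displayName
      sid: platformAdmins.id
      tenantId: tenant().tenantId
      azureADOnlyAuthentication: true   // disable SQL password logins entirely
    }
  }
}

// Identifiers only; none of these is a secret.
output clientId string = webApp.appId
output servicePrincipalId string = webAppSp.id
output sqlAdminsGroupId string = sqlAdmins.id
```

Nothing here creates a client secret, and that is intentional: a secret generated inside a template ends up in deployment outputs and history. For the auth_init.py style use case mentioned earlier, prefer a managed identity or federated credential over a secret, and if a secret is unavoidable, create it outside the template and store it in Key Vault.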

@alex-frankel When I say AAD functionality I mean being able to reference and create AAD types, primarily Security Groups, App Registrations and Service Principals/Enterprise applications.

NSimpragaVolur avatar Aug 01 '23 14:08 NSimpragaVolur

@alex-frankel just wanted to get an idea, when bicep officially supports this, is it just adding more types for Microsoft.Identity RP, or it is fundamentally different than what Microsoft.Identity RP does? As of today, Microsoft.Identity supports full AAD app/serviceprincipal buildout as per the doc, but only under Azure infra tenants (xME tenants). Will bicep support all tenants?

franklixuefei avatar Sep 08 '23 01:09 franklixuefei

@franklixuefei - the Microsoft.Identity RP is only internal-facing. The MS Graph provider is the functional replacement for this provider for both internal and external users.

alex-frankel avatar Sep 11 '23 15:09 alex-frankel

So any update when and how i can create app registration for web auth using bicep?

shaulimaya avatar Dec 05 '23 19:12 shaulimaya

Right now there is a private preview running, but last I heard signups are closed until a Private Preview refresh planned for early next year. cc @dkershaw10 as FYI.

alex-frankel avatar Dec 05 '23 19:12 alex-frankel

I am creating an Azure managed app using Bicep. So can you suggest how I can create a function with the MS provider for auth? I need to create the registered application with the right web redirect URL. I think that the AMA has no permissions for creating a registered web app in the tenant... even if I use the scripts. Am I missing something?

shaulimaya avatar Dec 05 '23 19:12 shaulimaya

In order to do MS Graph operations, like create an App Registration, as part of a bicep deployment, there are now two options:

  • Use the MS Graph provider (in Private Preview, which is not currently accepting new members until sometime next year)
  • Use a Deployment Script, like this doc suggests: https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/deployment-script-bicep#use-microsoft-graph-within-a-deployment-script

alex-frankel avatar Dec 06 '23 00:12 alex-frankel

3rd option for internal folks - use the Microsoft.Identity RP!

franklixuefei avatar Dec 06 '23 01:12 franklixuefei

  • Use a Deployment Script, like this doc suggests: https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/deployment-script-bicep#use-microsoft-graph-within-a-deployment-script

This option would go against various recommendations from Microsoft that IaC should be declarative:

https://learn.microsoft.com/en-us/devops/deliver/what-is-infrastructure-as-code#use-declarative-definition-files

IaC should use declarative definition files if possible.

https://learn.microsoft.com/en-us/azure/well-architected/operational-excellence/infrastructure-as-code-design

Prefer declarative over imperative tools. Declarative tools and their associated files are a better overall choice for deploying and managing IaC than imperative tools.

https://microsoft.github.io/azureml-ops-accelerator/1-MLOpsFoundation/0-DevOpsOverview/9-IaaC.html#prefer-declarative-definitions

The preferred approach to IaC is to use declarative definition files where possible.

And it is possible to use declarative definition files for this:

  • https://www.pulumi.com/registry/packages/azuread/api-docs/
  • https://registry.terraform.io/providers/hashicorp/azuread/latest/docs
  • https://marketplace.upbound.io/providers/upbound/provider-azuread/v0.14.0

aucampia avatar Dec 06 '23 07:12 aucampia