Skip to content

Latest commit

 

History

History

deployment-script-azcli-graph-azure-ad

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
scripts
scripts
 
 
README.md
README.md
 
 
azuredeploy.json
azuredeploy.json
 
 
azuredeploy.parameters.json
azuredeploy.parameters.json
 
 
main.bicep
main.bicep
 
 
metadata.json
metadata.json
 
 

README.md

description page_type products urlFragment languages
This sample uses a deployment script to create objects in Azure Active Directory.
sample
azure
azure-resource-manager
deployment-script-azcli-graph-azure-ad
json
bicep

Use a deployment script to create Azure AD objects

Azure Public Test Date Azure Public Test Result

Azure US Gov Last Test Date Azure US Gov Last Test Result

Best Practice Check Cred Scan Check

Bicep Version

Deploy To Azure Deploy To Azure US Gov Visualize

This example shows how to use a deployment script to interact with Microsoft Graph. The deployment script creates an Azure AD application and service principal, but you could use a similar approach to create other objects in Azure Active Directory.

As of October 2022, you can't use Bicep or ARM templates to grant Microsoft Graph permissions to a user-assigned managed identity. Before the deployment runs, you need to create a user-assigned managed identity, and grant it the appropriate permisions to the Graph API.

Create a user-assigned managed identity

PowerShell with Azure cmdlets:

$managedIdentityName = 'MyIdentity'
$resourceGroupName = 'MyResourceGroup'
$location = 'westus'

$userAssignedIdentity = New-AzUserAssignedIdentity `
  -Name $managedIdentityName `
  -ResourceGroupName $resourceGroupName `
  -Location $location
$managedIdentityObjectId = $userAssignedIdentity.PrincipalId

Azure CLI with Bash:

managedIdentityName='MyIdentity'
resourceGroupName='MyResourceGroup'
location='westus'

userAssignedIdentity=$(az identity create \
  --name $managedIdentityName \
  --resource-group $resourceGroupName \
  --location $location)
managedIdentityObjectId=$(jq -r '.principalId' <<< "$userAssignedIdentity")

Grant permission to the Graph API

Next, you grant the user-assigned identity permission to create applications in Azure Active Directory.

PowerShell with Azure AD cmdlets:

$tenantID = '<Your Azure AD tenant ID>'
Connect-AzureAD -TenantId $tenantID

# Get the app role for the Graph API.
$graphAppId = '00000003-0000-0000-c000-000000000000' # This is a well-known Microsoft Graph application ID.
$graphApiAppRoleName = 'Application.ReadWrite.All'
$graphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$graphAppId'"
$graphApiAppRole = $graphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $graphApiAppRoleName -and $_.AllowedMemberTypes -contains "Application"}

# Assign the role to the managed identity.
New-AzureADServiceAppRoleAssignment `
  -ObjectId $managedIdentityObjectId `
  -PrincipalId $managedIdentityObjectId `
  -ResourceId $graphServicePrincipal.ObjectId `
  -Id $graphApiAppRole.Id

Azure CLI with Bash:

tenantId='<Your Azure AD tenant ID>'

graphAppId='00000003-0000-0000-c000-000000000000' # This is a well-known Microsoft Graph application ID.
graphApiAppRoleName='Application.ReadWrite.All'
graphApiApplication=$(az ad sp list --filter "appId eq '$graphAppId'" --query "{ appRoleId: [0] .appRoles [?value=='$graphApiAppRoleName'].id | [0], objectId:[0] .id }" -o json)

# Get the app role for the Graph API.
graphServicePrincipalObjectId=$(jq -r '.objectId' <<< "$graphApiApplication")
graphApiAppRoleId=$(jq -r '.appRoleId' <<< "$graphApiApplication")

# Assign the role to the managed identity.
requestBody=$(jq -n \
                  --arg id "$graphApiAppRoleId" \
                  --arg principalId "$managedIdentityObjectId" \
                  --arg resourceId "$graphServicePrincipalObjectId" \
                  '{id: $id, principalId: $principalId, resourceId: $resourceId}' )
az rest -m post -u "https://graph.windows.net/$tenantId/servicePrincipals/$managedIdentityObjectId/appRoleAssignments?api-version=1.6" -b "$requestBody"

PowerShell with Microsoft Graph cmdlets:

$tenantID = '<Your Azure AD tenant ID>'

Connect-MgGraph -TenantId $tenantID

# Get the app role for the Graph API.
$graphAppId = '00000003-0000-0000-c000-000000000000' # This is a well-known Microsoft Graph application ID.
$graphApiAppRoleName = 'Application.ReadWrite.All'
$graphServicePrincipal = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
$graphApiAppRole = $graphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $graphApiAppRoleName -and $_.AllowedMemberTypes -contains "Application"}

# Assign the role to the managed identity.
New-MgServicePrincipalAppRoleAssignment `
  -ServicePrincipalId $managedIdentityObjectId `
  -PrincipalId $managedIdentityObjectId `
  -ResourceId $graphServicePrincipal.Id `
  -AppRoleId $graphApiAppRole.Id

Deploy the Bicep file or template

After creating the managed identity and assigning it permission, you can use it in the Bicep or template file deployment.

PowerShell with Azure cmdlets:

New-AzResourceGroupDeployment `
  -ResourceGroupName $resourceGroupName `
  -TemplateFile main.bicep `
  -ManagedIdentityName $managedIdentityName `
  -AzureADApplicationName MyApp

Azure CLI with Bash:

az deployment group create \
  --resource-group $resourceGroupName \
  --template-file main.bicep \
  --parameters managedIdentityName=$managedIdentityName azureADApplicationName=MyApp

Tags: