MS Graph (AAD) provider for bicep #7724
Comments
We are working on an MS Graph (AAD) provider for Bicep so you can create App registrations and other AAD objects, but don't have a clear ETA atm. Related to #6864
This is fantastic news. Will this also allow us to reference/query existing AAD objects? (E.g. to set the SQL Server AAD admin to an existing AAD group)
Yes, we will support
I am very happy to have found this issue, and hope to see it implemented at some point. This would be such a huge quality of life update for us! We are currently limited to manually creating certain AAD resources prior to deploying our Azure infrastructure.
Yes -- service principal, group, and group assignment CRUD are the three Graph objects we are focused on in the first iteration. It's possible we will be able to support more than that, but those three are the priority.
Hi, also following this thread. Is there already an estimated time this will be released?
I've got a demo in GitHub of how to use DeploymentScripts in bicep - the sample uses a PowerShell script to grab a Role Definition's GUID, but with minimal effort this could be converted to your usage scenario. It basically creates a User Assigned Identity, grants the UAI reader to the subscription, assigns that to the DeploymentScript, and then finally runs a PowerShell script to query Azure to get the specified role's GUID.
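The pattern the comment above describes, written out as an added example (it is not the commenter's demo and not part of the Bicep project): a user-assigned identity, a Reader role assignment for it, and a PowerShell deployment script that runs as that identity and returns the GUID of a named role definition. Resource names, API versions, the Az PowerShell version, and the choice to scope Reader to the resource group rather than the subscription are assumptions of this example.

```bicep
// Added example (not the commenter's demo): look up a role definition GUID
// from inside a Bicep deployment via a deploymentScript. Resource names,
// API versions and the Az PowerShell version are assumptions for this example.
param location string = resourceGroup().location
param roleName string = 'Contributor'

// Built-in Reader role, assigned at resource-group scope only: that is all the
// script needs, since it queries role definitions with -Scope set to this RG.
var readerRoleId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')

resource uai 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: 'id-role-lookup'
  location: location
}

resource readerAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(resourceGroup().id, uai.id, readerRoleId)
  properties: {
    principalId: uai.properties.principalId
    principalType: 'ServicePrincipal' // avoids the "principal not found" race on a freshly created identity
    roleDefinitionId: readerRoleId
  }
}

resource roleLookup 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
  name: 'ds-role-lookup'
  location: location
  kind: 'AzurePowerShell'
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: { '${uai.id}': {} }
  }
  properties: {
    azPowerShellVersion: '11.0'
    retentionInterval: 'PT1H'
    cleanupPreference: 'OnSuccess'
    arguments: '-RoleName \'${roleName}\' -Scope \'${resourceGroup().id}\''
    scriptContent: '''
      param([string]$RoleName, [string]$Scope)
      $role = Get-AzRoleDefinition -Name $RoleName -Scope $Scope
      if (-not $role) { throw "Role definition '$RoleName' not found at $Scope" }
      $DeploymentScriptOutputs = @{ roleDefinitionId = $role.Id }
    '''
  }
  // The script never references the assignment, so the ordering must be explicit.
  dependsOn: [ readerAssignment ]
}
output roleDefinitionId string = roleLookup.properties.outputs.roleDefinitionId
```

Role assignments can take a short while to propagate, so the first run of the script may fail with an authorization error and need a retry. Keeping the identity's rights to Reader at resource-group scope limits what a bug in the script could read.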
Also very interested in knowing when this will be available. We want to use it to create Azure Service Bus queues and create/assign the appropriate group/ service principal to it using bicep.
We are still closing on some design details, so we can't give a confident ETA yet. Will share more details as we have them.
This would be great to support the Azure landing zones that we are implementing atm. Can do a lot in the Bicep modules apart from creating the AAD groups for the RBAC roles.
We have worked around this for now using a deployment script, but really keen to be able to entirely do this in Bicep. Any news?
Hey team, This was discussed in the last Bicep meeting. When is it going live?
Last ETA I heard was September. @stephaniezyen can confirm.
Following this thread. Any ETA?
Also following this. I think anyone using Bicep is extremely keen on having support for managing AAD with it too.
ETA is 9/15. @NSimpragaVolur - it's my understanding that MSGraph/AAD/EntraID are all synonyms, but I could have that wrong. Is there specific functionality you are expecting that is not captured on this issue?
(Personally) I am hoping to replace these scripts with Bicep: https://github.com/microsoft/sample-app-aoai-chatGPT/blob/main/scripts/auth_init.py It uses the REST API to create a Graph application, add a client secret, and store the resulting app ID / client ID / client secret (to feed into Bicep). It then updates the redirect URI. So I am hoping the 9/15 Bicep will enable all that.
That would be my #1 use case too. In addition, looking up the object ID of a user or group by UPN or name.
From monthly call: The demo on monthly was really good: 5/5, probably will check again soon. About MS Graph/Entra something/Azure AD/etc:
Just to recap - capabilities and limitations for private preview:
@pamelafox - yes that should be possible through a Bicep template alone. Hope this helps.
@alex-frankel When I say AAD functionality I mean being able to reference and create AAD types, primarily Security Groups, App Registrations and Service Principals/Enterprise applications.
This PR implements Microsoft Graph provider to enable Microsoft Graph resources in Bicep, behind the feature flag `MicrosoftGraphPreview` under `experimentalFeaturesEnabled`. Note that this functionality is only usable if you have enrolled in the private preview. Capabilities and signup form for private preview are mentioned in #7724. (PR: https://github.com/Azure/bicep/pull/11595)
@alex-frankel just wanted to get an idea, when bicep officially supports this, is it just adding more types for
@franklixuefei - the Microsoft.Identity RP is only internal-facing. The MS Graph provider is the functional replacement for this provider for both internal and external users.
So any update on when and how I can create an app registration for web auth using Bicep?
Right now there is a private preview running, but last I heard signups are closed until a Private Preview refresh planned for early next year. cc @dkershaw10 as FYI.
I am creating an Azure managed app using Bicep.
In order to do MS Graph operations, like create an App Registration, as part of a bicep deployment, there are now two options:
This option would go against various recommendations from Microsoft that IaC should be declarative:
And it is possible to use declarative definition files for this:
Hi @aucampia - I was only trying to spell out the options to accomplish this with Bicep today. We certainly agree that having to fall back to Deployment Scripts is not an ideal option. That is why we are working on the MS Graph provider. Of course, the other tools you mentioned are also great options to use in conjunction with or as an alternative to bicep.
I believe the new link is:
Is this bicep template going to be available for Azure AD B2C? To create app registrations there for web authentication using MSAL.
@dkershaw10 & @alex-frankel
@alex-frankel Wondering about the progress as well!
Right now I am at the point I'd need this… bummer it's only scheduled for May!
Is Graph provider available now for internal use? If yes, could you please share the guidance? We're looking for a declarative approach as a replacement of Microsoft.Identity provider to provision AAD applications (add certificate, configure SN+I, etc.) on all tenants (xME and non-ME).
@huajunzhao let's continue this conversation over email.
@Keilor2019 app registration is part of the private preview offering, although I think we are pivoting towards the newer Entra External ID for customers. While app config is supported, some elements around External ID apps are not yet, like Bicep types for user flows, MFA/CA policy, tenant branding, etc. @Bandgren @frankz217 @kdambekalns - we are still on track for public preview in May. Sorry we can't deliver this sooner (I wish we could). @Bandgren - interested to learn more about your super nice use case.
There's been some customer interest around using the Graph provider for multitenant scenarios, stemming from some observations that some organizations prefer to have app registrations done in a separate tenant from the tenant that houses their Azure resources:
az login --tenant foo   # az login selects the tenant with --tenant (or -t); there is no --tenant-id flag
az deployment tenant create --location westus --template-file app.bicep # Or does it matter what scope I use for the deployment here?
There appears to be no clean way of registering a new application (App registration) in Azure AD using Bicep. The suggested alternate approach involves using,
For the above approach, the User identity should be created beforehand, which defeats the purpose (of enveloping everything related to app deployment in a Bicep file) as it needs to be created manually, or through PowerShell scripts.
I see a similar request as part of ARM and was wondering if this feature can be considered for future implementation by the Bicep team.
Note: It appears that Terraform supports a similar requirement.