Greetings to my fellow Technology Advocates and Specialists.
In this Session, I will demonstrate How to Create Azure Active Directory (AAD) Group Using Azure DevOps.
I had the Privilege to talk on this topic in TWO Azure Communities:-
NAME OF THE AZURE COMMUNITY | TYPE OF SPEAKER SESSION |
---|---|
Journey to the Cloud 9.0 | Virtual |
Festive Tech Calendar 2022 | Virtual |
IMPORTANT NOTE:- |
---|
We can create one or more AAD Groups with the same name. The unique identifier of an AAD Group is its Object ID, not its name. |
USE CASE:- |
---|
Cloud Engineer DOES NOT have access to Azure Active Directory to Create Group(s). |
Cloud Engineer CANNOT ELEVATE rights using __PIM (Privileged Identity Management)__ to Create AAD Group(s). |
AUTOMATION OBJECTIVE:- |
---|
Validate whether the AAD Group exists. If it does, the pipeline will FAIL. |
If the above validation is SUCCESSFUL (the group does not exist yet), the pipeline will then create the group in Azure Active Directory. |
IMPORTANT NOTE:- |
---|
The YAML Pipeline is tested on a WINDOWS BUILD AGENT only!!! |
REQUIREMENTS:- |
---|
- Azure Subscription.
- Azure DevOps Organisation and Project.
- Service Principal either assigned the Global Administrator role, a Privileged Identity Management (PIM) Azure AD Role, or the required Microsoft Graph API permission (Directory.ReadWrite.All: Read and write directory data); the Graph permission is the least-privileged of the three.
- Azure Resource Manager Service Connection in Azure DevOps.
HOW DOES MY CODE PLACEHOLDER LOOK:- |
---|
PIPELINE CODE SNIPPET:- |
---|
AZURE DEVOPS YAML PIPELINE (azure-pipelines-add-single-aad-group-v1.0.yml):- |
---|
```yaml
trigger: none

######################
#DECLARE PARAMETERS:-
######################
parameters:
- name: SubscriptionID
  displayName: Subscription ID Details Follow Below:-
  type: string
  default: 210e66cb-55cf-424e-8daa-6cad804ab604
  values:
  - 210e66cb-55cf-424e-8daa-6cad804ab604
- name: AADGRPNAME
  displayName: Please Provide the AAD Group Name:-
  type: object
  default:

######################
#DECLARE VARIABLES:-
######################
variables:
  ServiceConnection: amcloud-cicd-service-connection
  BuildAgent: windows-latest

#########################
# Declare Build Agents:-
#########################
pool:
  vmImage: $(BuildAgent)

###################
# Declare Stages:-
###################
stages:
- stage: CREATE_SINGLE_AAD_GROUP
  jobs:
  - job: CREATE_SINGLE_AAD_GROUP
    displayName: CREATE SINGLE AAD GROUP
    steps:
    - task: AzureCLI@2
      displayName: VALIDATE AND CREATE AAD GROUP
      inputs:
        azureSubscription: $(ServiceConnection)
        scriptType: ps
        scriptLocation: inlineScript
        inlineScript: |
          az --version
          az account set --subscription ${{ parameters.SubscriptionID }}
          az account show
          # Quote the group name so a name containing spaces reaches az as one argument.
          $name = az ad group show --group "${{ parameters.AADGRPNAME }}" --query "displayName" -o tsv
          if ($name -eq "${{ parameters.AADGRPNAME }}") {
            echo "################################################################################################"
            echo "Azure AD Group ${{ parameters.AADGRPNAME }} EXISTS and hence Cannot Proceed with Creation!!!"
            echo "################################################################################################"
            exit 1
          }
          else {
            echo "############################################################################"
            echo "THE ABOVE WARNING IS A STANDARD MESSAGE WHEN AAD GROUP DOES NOT EXISTS!!!"
            echo "AAD GROUP BY THE NAME ${{ parameters.AADGRPNAME }} WILL BE CREATED"
            echo "############################################################################"
            # --mail-nickname must not contain spaces or special characters, so the name must be valid for both.
            az ad group create --display-name "${{ parameters.AADGRPNAME }}" --mail-nickname "${{ parameters.AADGRPNAME }}"
            echo "##################################################################"
            echo "Azure AD Group ${{ parameters.AADGRPNAME }} created successfully!!!"
            echo "##################################################################"
          }
```
Now, let me explain each part of the YAML Pipeline for better understanding.
PART #1:- |
---|
BELOW FOLLOWS PIPELINE RUNTIME VARIABLES CODE SNIPPET:- |
---|
```yaml
######################
#DECLARE PARAMETERS:-
######################
parameters:
- name: SubscriptionID
  displayName: Subscription ID Details Follow Below:-
  type: string
  default: 210e66cb-55cf-424e-8daa-6cad804ab604
  values:
  - 210e66cb-55cf-424e-8daa-6cad804ab604
- name: AADGRPNAME
  displayName: Please Provide the AAD Group Name:-
  type: object
  default:
```
PART #2:- |
---|
BELOW FOLLOWS PIPELINE VARIABLES CODE SNIPPET:- |
---|
```yaml
######################
#DECLARE VARIABLES:-
######################
variables:
  ServiceConnection: amcloud-cicd-service-connection
  BuildAgent: windows-latest
```
NOTE:- |
---|
Please change the values of the variables accordingly. |
The entire YAML pipeline is built using Runtime Parameters and Variables. No values are hardcoded. |
PART #3:- |
---|
BELOW FOLLOWS THE CONDITIONS AND LOGIC DEFINED IN THE PIPELINE (AS MENTIONED ABOVE IN THE "AUTOMATION OBJECTIVE"):- |
---|
```yaml
inlineScript: |
  az --version
  az account set --subscription ${{ parameters.SubscriptionID }}
  az account show
  # Quote the group name so a name containing spaces reaches az as one argument.
  $name = az ad group show --group "${{ parameters.AADGRPNAME }}" --query "displayName" -o tsv
  if ($name -eq "${{ parameters.AADGRPNAME }}") {
    echo "################################################################################################"
    echo "Azure AD Group ${{ parameters.AADGRPNAME }} EXISTS and hence Cannot Proceed with Creation!!!"
    echo "################################################################################################"
    exit 1
  }
  else {
    echo "############################################################################"
    echo "THE ABOVE WARNING IS A STANDARD MESSAGE WHEN AAD GROUP DOES NOT EXISTS!!!"
    echo "AAD GROUP BY THE NAME ${{ parameters.AADGRPNAME }} WILL BE CREATED"
    echo "############################################################################"
    # --mail-nickname must not contain spaces or special characters, so the name must be valid for both.
    az ad group create --display-name "${{ parameters.AADGRPNAME }}" --mail-nickname "${{ parameters.AADGRPNAME }}"
    echo "##################################################################"
    echo "Azure AD Group ${{ parameters.AADGRPNAME }} created successfully!!!"
    echo "##################################################################"
  }
```
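The validation above has two weak spots that the IMPORTANT NOTE at the top hints at: `az ad group show --group` errors out when more than one group already carries the requested display name (names are not unique, object IDs are), and a failed lookup for any other reason (expired credentials, missing Graph permission) leaves `$name` empty and so falls through to the create branch. The script below is an added example, not code from the original post: a hardened form of the same check-then-create step for an AzureCLI@2 task with scriptType `ps`. It assumes the task maps the runtime parameter to an environment variable (`env: AADGRPNAME: ${{ parameters.AADGRPNAME }}`, my assumption, not part of the post's pipeline) so the value is never spliced into the script text, that the service connection has already logged the CLI in, and that the service principal holds the Directory.ReadWrite.All permission listed under REQUIREMENTS.

```powershell
# Added example, not the post's own pipeline code: a hardened VALIDATE AND
# CREATE step for an AzureCLI@2 task with scriptType ps. Assumptions: the
# task maps the runtime parameter to an environment variable
# (env: AADGRPNAME: ${{ parameters.AADGRPNAME }}), the service connection has
# already logged the CLI in, and the service principal holds
# Directory.ReadWrite.All.

$GroupName = $env:AADGRPNAME
if ([string]::IsNullOrWhiteSpace($GroupName)) {
    Write-Host "##vso[task.logissue type=error]AADGRPNAME is empty; nothing to create."
    exit 1
}

# OData filter for an exact displayName match; a single quote inside the
# value is escaped by doubling it, so the name cannot break out of the literal.
function New-DisplayNameFilter([string] $DisplayName) {
    $escaped = $DisplayName -replace "'", "''"
    return "displayName eq '$escaped'"
}

# mailNickname rejects spaces and most punctuation, so derive it from the
# display name by keeping only letters, digits, '-' and '_'.
function ConvertTo-MailNickname([string] $DisplayName) {
    return ($DisplayName -replace '[^A-Za-z0-9_\-]', '')
}

# Display names are not unique (the object ID is), so list every group with
# this name; 'az ad group show --group' errors when more than one matches.
$filter = New-DisplayNameFilter $GroupName
$raw = az ad group list --filter $filter --query "[].id" -o tsv
if ($LASTEXITCODE -ne 0) {
    Write-Host "##vso[task.logissue type=error]az ad group list failed (exit code $LASTEXITCODE); not proceeding."
    exit 1
}
# One object ID per line; drop blank lines so an empty result counts as zero.
$existingIds = @($raw | Where-Object { -not [string]::IsNullOrWhiteSpace($_) })

if ($existingIds.Count -gt 0) {
    Write-Host "##vso[task.logissue type=error]AAD group '$GroupName' already exists; object ID(s): $($existingIds -join ', ')"
    exit 1
}

$nickname = ConvertTo-MailNickname $GroupName
if ([string]::IsNullOrEmpty($nickname)) {
    Write-Host "##vso[task.logissue type=error]Cannot derive a valid mail nickname from '$GroupName'."
    exit 1
}

$createdId = az ad group create --display-name $GroupName --mail-nickname $nickname --query id -o tsv
if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace($createdId)) {
    Write-Host "##vso[task.logissue type=error]az ad group create failed (exit code $LASTEXITCODE)."
    exit 1
}
Write-Host "Created AAD group '$GroupName' with object ID $createdId"
# Publish the object ID for later steps; it is the stable identifier, the name is not.
Write-Host "##vso[task.setvariable variable=AadGroupObjectId]$createdId"
```

Every `az` call is followed by a `$LASTEXITCODE` check, so a lookup that fails for reasons other than "no such group" stops the job instead of being mistaken for a clean result, and the object ID of the new group is exported as a pipeline variable so downstream steps can reference the group by the identifier that is actually unique.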
NOW IT'S TIME TO TEST!!!...
TEST CASES:- |
---|
Hope You Enjoyed the Session!!!
Stay Safe | Keep Learning | Spread Knowledge