Announcing public preview of Bicep templates support for Microsoft Graph

Dan Kershaw

We’re thrilled to announce that Bicep templates for Microsoft Graph resources will be in public preview starting May 21st. Bicep templates bring declarative infrastructure-as-code (IaC) capabilities to Microsoft Graph resources. This new capability will initially be available for core Microsoft Entra ID resources.

Bicep templates for Microsoft Graph resources allow you to define the tenant infrastructure you want to deploy, such as Microsoft Entra ID groups or applications, in a file, then use the file throughout the development lifecycle to repeatedly deploy your infrastructure. The file uses the Bicep language, a domain-specific language (DSL) with declarative syntax for deploying resources, typically used in DevOps, CI/CD, and infrastructure-as-code solutions.

What problems does this solve?

IaC avoids manual configuration and enforces consistency by representing desired environment states. Infrastructure deployments with IaC are repeatable and prevent runtime issues caused by configuration drift or missing dependencies. Release pipelines execute the environment descriptions and version configuration models to configure target environments. To make changes, the team edits the source, not the target.

With Bicep templates for Microsoft Graph resources, we are bringing these IaC benefits to key Microsoft Entra ID resources like applications and service principals. This allows you to deliver stable test environments rapidly and at scale as part of your development cycles, and those deployments can be integrated into your continuous delivery pipelines.

The Microsoft Graph Bicep extension

To provide support for Bicep templates for Microsoft Graph resources, we have released the new Microsoft Graph Bicep extension that allows you to author, deploy, and manage supported Microsoft Graph resources (initially Microsoft Entra ID resources) in Bicep template files either on their own, or alongside Azure resources.

Authoring experience

You get the familiar, first-class authoring experience of the Bicep Extension for VS Code when you use it to create your Microsoft Graph resource types in Bicep files. The editor provides rich type-safety, IntelliSense, and syntax validation.

You can also create Bicep files in Visual Studio with the Bicep extension for Visual Studio.

Editing a Bicep file containing Microsoft Graph resources

Let’s look at how this works and then we’ll run through an example.

Deploying Bicep files

Once you have authored your Bicep file, you can deploy it using familiar tools such as Azure PowerShell and Azure CLI. When the deployment request is made to the Azure Resource Manager, the deployments engine orchestrates the deployment of interdependent resources so they’re created in the correct order, including the Microsoft Graph resources.

The following image shows a Bicep template file where the Microsoft Graph group creation is dependent on the managed identity resource, as it is being added as a group member. The deployments engine first sends the managed identity request to the Resource Manager, which routes it to the Microsoft.ManagedIdentity resource provider. Next, the deployments engine sees that Microsoft.Graph/groups is an extensible resource, so it knows to route this resource request to the Microsoft Graph Bicep extension. The Microsoft Graph Bicep extension then translates the groups resource request into a request to Microsoft Graph.

Deploying a Bicep file containing Microsoft Graph resources
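The dependency the diagram describes, written out as an added example (this is not code from the original post). Names, parameter defaults and the identity's API version are my own choices; the extension declaration keyword and name depend on your Bicep version (the initial preview spelled it `provider microsoftGraph`), and the identity running the deployment must be permitted to create groups in the target tenant.

```bicep
// Added example: a Microsoft Entra security group whose membership depends on an
// Azure managed identity, so the deployments engine must create the identity first.
extension microsoftGraph

@description('Name of the user-assigned managed identity (constructed sample value)')
param identityName string = 'contoso-api-identity'

@description('Stable nickname for the group; reused as uniqueName so redeploys update rather than duplicate')
param groupNickname string = 'contoso-api-readers'

param location string = resourceGroup().location

// Azure resource: Resource Manager routes this to the Microsoft.ManagedIdentity resource provider.
resource apiIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: identityName
  location: location
}

// Extensible resource: the deployments engine routes Microsoft.Graph/* requests to the
// Microsoft Graph Bicep extension. Referencing apiIdentity.properties.principalId creates
// an implicit dependency, so the group is only created once the identity exists.
resource readersGroup 'Microsoft.Graph/groups@beta' = {
  displayName: 'Contoso API readers'
  uniqueName: groupNickname      // idempotency key for repeat deployments
  mailNickname: groupNickname
  mailEnabled: false
  securityEnabled: true          // security group: used for access control, not mail
  members: [
    apiIdentity.properties.principalId   // the identity's service principal object id
  ]
}

// Object id of the group, for use by other modules (e.g. role assignments scoped to the group)
output groupObjectId string = readersGroup.id
```

Granting access to the group rather than to each identity keeps the permission surface reviewable in source: adding or removing a member is a reviewed change to this file, not an ad-hoc portal edit.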

Scenario: Managing your team’s application registrations

Ever feel like your team or organization’s internal applications are hard to manage or getting out of control? Are you spending time fixing broken applications because someone manually updated an application configuration without any oversight or testing? Unsure of what is deployed in your production tenants?

By adopting Bicep templates for Microsoft Graph, you can use DevOps practices to declare all your Microsoft Entra ID application registrations as declarative code. This gives you one path for team members to create or update application configurations, using Bicep files that get reviewed and deployed to a test environment (or tenant) for automated testing before being checked in and rolled out to a production tenant.

Let’s see what an application registration looks like in Bicep.

// Microsoft Graph Bicep extension declaration, required for Microsoft.Graph/* resource types
// (the initial preview spelled this line `provider microsoftGraph`)
extension microsoftGraph

// Parameters supplied per target tenant or environment (test, stage, production)
param clientAppName string
param clientAppDisplayName string
param webAppEndpoint string

resource clientApp 'Microsoft.Graph/applications@beta' = {
  uniqueName: clientAppName          // stable key: redeploying updates this app instead of creating another
  displayName: clientAppDisplayName
  signInAudience: 'AzureADMyOrg'     // single-tenant: only accounts in the home tenant can sign in
  web: {
    redirectUris: ['${webAppEndpoint}/.auth/login/aad/callback']
    implicitGrantSettings: {enableIdTokenIssuance: true}
  }
  // Delegated permissions requested on Microsoft Graph (resourceAppId is Graph's well-known app id)
  requiredResourceAccess: [
    {
      resourceAppId: '00000003-0000-0000-c000-000000000000'
      resourceAccess: [
        // User.Read
        {id: 'e1fe6dd8-ba31-4d61-89e7-88639da4683d', type: 'Scope'}
        // offline_access
        {id: '7427e0e9-2fba-42fe-b0c0-848c9e6a8182', type: 'Scope'}
        // openid
        {id: '37f7f235-527c-4136-accd-4a02d197296e', type: 'Scope'}
        // profile
        {id: '14dad69e-099b-42c9-810b-d002981feec1', type: 'Scope'}
      ]
    }
  ]
}

// The application's service principal in this tenant, created from the app's appId
resource clientSp 'Microsoft.Graph/servicePrincipals@beta' = {
  appId: clientApp.appId
}

Bicep file declaring a Microsoft Entra ID application and service principal

This file declares an applications resource for a web application that can only be used in its home tenant, along with the set of permissions the application requires so it can access the relevant Microsoft Graph APIs. The file also creates the associated service principal. The parameters clientAppName, clientAppDisplayName, and webAppEndpoint can be automatically tailored to the target tenant (or environment) the application is being deployed to, whether it's test, stage, or production, in a reliable and repeatable manner.

Learn more

To test out other features in the Microsoft Entra portfolio, visit our developer center. Make sure you subscribe to the Identity blog for more insights and to keep up with the latest on all things Identity. And, follow us on YouTube for video overviews, tutorials, and deep dives.

2 comments


  • Yasin Sari 1

    Great addition to bicep! 🙂

  • Mikhail Alekov 1

    Nice to have it for IaC. Thx!
