Quickstart: Deploy a Bicep file as a service principal

In this quickstart, you deploy a Bicep file that contains Microsoft Graph resources using app-only authentication, also known as non-interactive authentication. You can use this mechanism for zero-touch deployment integration into continuous integration and continuous delivery (CI/CD) pipelines.

To deploy using delegated or interactive authentication, see Create a Bicep file with Microsoft Graph resources.

Important

Microsoft Graph Bicep is currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Prerequisites

Create a service principal and assign an Azure role

Signed in to Azure CLI with your own user account (see the prerequisites), create the service principal that you later use to deploy the Bicep file.

In this quickstart, the service principal is created with an application password, also known as a client secret, and is assigned the Managed Identity Contributor Azure role scoped to a single resource group. That role covers only the Azure side of the template (creating a managed identity); permission to create Microsoft Graph resources is granted separately in the next section:

Caution

This quickstart uses an application password for simplicity and for testing only. Do not use it in production environments. For pipelines, prefer a certificate credential or workload identity federation (OpenID Connect from your CI system), which avoid a long-lived secret that can be copied out of the pipeline's secret store.

# Create a resource group
az group create --name exampleRG --location eastus

# Create a service principal with the Managed Identity Contributor role scoped to the resource group created above.
# Replace {myServicePrincipalName} and {mySubscriptionId} with your values; {myResourceGroupName} is exampleRG here.
az ad sp create-for-rbac --name {myServicePrincipalName} --role "Managed Identity Contributor" --scopes "/subscriptions/{mySubscriptionId}/resourceGroups/{myResourceGroupName}"

Output Console:

{
  "appId": "myServicePrincipalId",
  "displayName": "myServicePrincipalName",
  "password": "myServicePrincipalPassword",
  "tenant": "myOrganizationTenantId"
}

The output includes the client secret in the password field. Copy it now and store it in a secret store; it can't be retrieved later. You also need the appId and tenant values for the sign-in step.

Assign Microsoft Graph permissions to the service principal

Use Microsoft Graph PowerShell to grant the Group.ReadWrite.All application-only permission to the service principal. Granting an application permission (app role) to a service principal requires the AppRoleAssignment.ReadWrite.All permission, which only a user with the Privileged Role Administrator role (or Global Administrator) can consent to, so sign in as such a user. The script also requests Application.Read.All to look up the two service principals involved.

Caution

Apps that have been granted the AppRoleAssignment.ReadWrite.All permission should only be accessed by appropriate users. For more information, see AppRoleAssignment.ReadWrite.All.

# Authenticate to Microsoft Graph
Connect-MgGraph -Scopes "AppRoleAssignment.ReadWrite.All","Application.Read.All"

# Find the service principal created to run the deployment
$mySP = Get-MgServicePrincipalByAppId -AppId "myServicePrincipalId"

# Find the service principal for Microsoft Graph
$graphSP = Get-MgServicePrincipalByAppId -AppId "00000003-0000-0000-c000-000000000000"

# Assign Group.ReadWrite.All app-only permission (id = 62a82d76-70ea-41e2-9197-370581804d09)
New-MgServicePrincipalAppRoleAssignedTo -ResourceId $graphSP.Id -ServicePrincipalId $graphSP.Id -PrincipalId $mySP.Id -AppRoleId "62a82d76-70ea-41e2-9197-370581804d09" 

Sign in as service principal to deploy the Bicep file

Sign in as the service principal created earlier.

# Sign in with the service principal created earlier. This sample uses the Bash console.
# Display names aren't unique in a tenant, so these lookups can return more than one line;
# prefer the appId and tenant values from the create-for-rbac output when you have them.
spID=$(az ad sp list --display-name myServicePrincipalName --query "[].{spID:appId}" --output tsv)
tenantID=$(az ad sp list --display-name myServicePrincipalName --query "[].{tenantID:appOwnerOrganizationId}" --output tsv)
echo "Using appId $spID in tenant $tenantID"

az login --service-principal --username "$spID" --password {paste your SP password here} --tenant "$tenantID"

Important

If you run az login interactively and want to keep the secret off the screen and out of your shell history, read it into a variable with the Bash read -s command, and quote the variable so the secret isn't word-split. The secret is still passed to az as a command-line argument, which other users on a shared machine can see in the process list, so this is for testing only.

read -sp "Azure password: " AZ_PASS && echo && az login --service-principal -u <app-id> -p "$AZ_PASS" --tenant <tenant>

Deploy the Bicep file

Still signed in as the service principal, deploy the Bicep file at the scope of the resource group you assigned the role to; at any other scope the deployment fails with an authorization error.

az deployment group create --resource-group exampleRG --template-file main.bicep

Note

Because of replication delays, the newly created managed service identity (MSI) may not yet be visible to Microsoft Graph when the template adds it as an owner of the Microsoft Entra group, and the deployment fails. Wait a little and deploy the same Bicep file again; rerunning the same deployment is safe.
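The sign-in and deployment steps above, put together as a pipeline script. This is an added example, not code from the quickstart: it assumes the JSON printed by az ad sp create-for-rbac is supplied in an SP_JSON environment variable (for example from the pipeline's secret store) and that main.bicep is in the working directory; both are assumptions, not something the page states. It takes the appId, tenant and secret from that JSON instead of looking the principal up by display name, never prints the secret, and wraps the deployment in a retry loop for the replication delay described in the note.

```shell
#!/usr/bin/env bash
# Added example, not part of the original quickstart: sign in as the deployment
# service principal and deploy with a retry loop so that a failure caused by the
# Microsoft Graph replication delay is retried instead of failing the pipeline run.
# Assumptions (not from the page): the JSON printed by `az ad sp create-for-rbac`
# is supplied in the SP_JSON environment variable (for example from the pipeline's
# secret store), and main.bicep is in the working directory.
set -eu

# Pull one top-level string field out of the create-for-rbac JSON without
# printing the document, which contains the secret. sed rather than jq, since
# jq may be missing on a minimal build agent; the output shape is fixed.
sp_field() {
  local json="$1" key="$2"
  printf '%s\n' "$json" | sed -n "s/^[[:space:]]*\"${key}\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Sign in with the appId, tenant and secret taken from that JSON. The secret is
# never echoed, and because this runs as a script nothing lands in shell history.
# It is still passed to az as an argument (visible in ps on a shared host); on a
# dedicated build agent that is acceptable, otherwise use a certificate or
# workload identity federation instead of a client secret.
login_sp() {
  local json="$1" app_id tenant secret
  app_id=$(sp_field "$json" appId)
  tenant=$(sp_field "$json" tenant)
  secret=$(sp_field "$json" password)
  if [ -z "$app_id" ] || [ -z "$tenant" ] || [ -z "$secret" ]; then
    echo "SP_JSON is missing appId, tenant or password" >&2
    return 1
  fi
  echo "Signing in as appId $app_id in tenant $tenant"   # secret intentionally not logged
  az login --service-principal --username "$app_id" --password "$secret" --tenant "$tenant" --output none
}

# Run a command up to max_attempts times, doubling the delay between attempts.
# Returns 0 on the first success, otherwise the last non-zero exit status.
run_with_retry() {
  local max_attempts="$1" delay="$2" attempt=1 status=0
  shift 2
  while :; do
    if "$@"; then
      return 0
    else
      status=$?
    fi
    if [ "$attempt" -ge "$max_attempts" ]; then
      echo "giving up after $attempt attempts (exit $status)" >&2
      return "$status"
    fi
    echo "attempt $attempt failed (exit $status); retrying in ${delay}s" >&2
    sleep "$delay"
    attempt=$((attempt + 1))
    delay=$((delay * 2))
  done
}

# The deployment step from the quickstart, at resource-group scope.
deploy_bicep() {
  az deployment group create --resource-group "$1" --template-file "$2" --output none
}

# Pipeline entry point. Only runs when SP_JSON is set, so the functions above can
# be sourced and exercised without contacting Azure.
if [ -n "${SP_JSON:-}" ]; then
  login_sp "$SP_JSON"
  # Five attempts with 30, 60, 120 and 240 second waits between them, enough to
  # ride out the replication delay noted above.
  run_with_retry 5 30 deploy_bicep exampleRG main.bicep
fi
```

In a pipeline, set SP_JSON from the secret store as a masked variable and call the script as one step; the retry loop only re-runs the deployment, not the sign-in, so a persistent authorization error still fails fast after the configured attempts.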

Clean up resources

When the Azure resources are no longer needed, use the Azure CLI or Azure PowerShell module to delete the resource group that you created.

Note

Resource groups are an Azure concept and have no impact on Microsoft Graph resources. Microsoft Graph resources need to be cleaned up with an additional request to Microsoft Graph. For this you can use Azure CLI or Azure PowerShell, Microsoft Graph CLI, or Microsoft Graph PowerShell.

The following example shows Azure CLI commands that delete the Azure resource group first and then the Microsoft Graph resources. Run them signed in as your own user account, not as the deployment service principal, which lacks the rights to delete the resource group or its own service principal object.

# Delete the resource group (and the managed identity it contains)
az group delete --name exampleRG

# Delete the Microsoft Graph group by its uniqueName. The URL is
# groups(uniqueName='myExampleGroup') with the parentheses and quotes percent-encoded.
az rest --method delete --url 'https://graph.microsoft.com/v1.0/groups%28uniqueName=%27myExampleGroup%27%29'

# Delete the client service principal. Display names aren't unique; if this lookup
# returns more than one id, delete by the appId from the create-for-rbac output instead.
spID=$(az ad sp list --display-name myServicePrincipalName --query "[].{spID:id}" --output tsv)
az ad sp delete --id "$spID"