EntraID Security Azure

Using Bicep for Microsoft Graph Resources

Implementing Role Based Access with bicep

Introduction

For those who are not familiar with Bicep, Bicep is a domain-specific language (DSL) that simplifies the deployment and management of Azure resources. With the introduction of the Microsoft Graph Bicep extension, you can now author, deploy, and manage Microsoft Graph resources using Bicep templates. This extension allows you to define resources such as groups, users, and role assignments in a declarative manner, ensuring consistency and repeatability across your deployments. This blog post will guide you through the process of using Bicep to create a group, add a user to it, and assign it to an Azure RBAC role contributor to the resource group. This new resource type in bicep has only recently made it to public preview you can see a full list of resource types avaliable through this bicep provider here: Microsoft Graph Bicep resource reference overview

Step-by-Step Implementation Guide

Prerequisites

Before you begin, ensure you have the following:

  • An Azure subscription
  • Bicep CLI installed
  • Visual Studio Code with Bicep extension

Using Bicep and Microsoft Graph Provider

Step 1: Enabling extensibility in VSCode

In your vscode directory create a bicepconfig.json file with this json to enable the extensibility extension.

1
2
3
4
5

{
    "experimentalFeaturesEnabled": {
        "extensibility": true
    }
}

Step 2: Define the Bicep File

Create a new Bicep file (e.g., azure-group-rbac.bicep) and define the parameters and resources needed for the Microsoft Graph resources.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

param groupNameDisplay string = 'My Graph Group'
param groupNameUnique string = 'MyGraphGroup'
param groupNameMail string = 'mygroup@contoso.com'
param userName string = 'myUser'
param roleDefinitionId string = 'b24988ac-6180-42a0-ab88-20f7382dd24c' // Contributor role ID
param resourceGroupId string = resourceGroup().id

extension microsoftGraph

resource graphGroup 'Microsoft.Graph/groups@v1.0' = {
    displayName: groupNameDisplay
    mailEnabled: false
    securityEnabled: true
    isAssignableToRole: true
    uniqueName: groupNameUnique
    mailNickname: groupNameMail
    members: [
      graphUser.id
    ]
}

resource graphUser 'Microsoft.GraphServices/accounts@2023-04-13' existing = { 
  name: userName
}

resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(resourceGroupId, graphUser.id, roleDefinitionId)
  properties: {
    roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)
    principalId: graphUser.id
  }
}

output name string = roleAssignment.name
output resourceGroupName string = resourceGroup().name
output resourceId string = roleAssignment.id

Step 3: Deploy the Bicep File

Use the Azure CLI to deploy the Bicep file to your Azure subscription.

1

az deployment group create --resource-group <Your-Resource-Group> --template-file azure-group-rbac.bicep

Step : Verify the Resources

After deployment, verify that the Microsoft Graph resources have been created and are configured as expected. You can do this by navigating to the Azure portal and checking the resources under Entra ID and the resource group.

Conclusion

Using Bicep for Microsoft Graph resources provides a streamlined and efficient way to manage your tenant’s infrastructure. By defining resources as code, you can ensure consistency, simplify management, and leverage DevOps practices for continuous integration and deployment. The Microsoft Graph Bicep extension enhances your ability to manage both Azure and Microsoft Graph resources seamlessly.

Learn More

For more detailed information and tutorials, visit the following Microsoft Learn resources: