Quickstart: Deploy a Bicep file as a service principal
In this quickstart, you deploy a Bicep file that contains Microsoft Graph resources using app-only authentication, also known as non-interactive authentication. You can use this mechanism for zero-touch deployment integration into continuous integration and continuous delivery (CI/CD) pipelines.
To deploy using delegated or interactive authentication, see Create a Bicep file with Microsoft Graph resources.
Important
Microsoft Graph Bicep is currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Prerequisites
- For this quickstart, use the Bicep file created in Create a Bicep file with Microsoft Graph resources.
- You're an owner of an Azure subscription.
- You're an Entra Privileged Role Admin, which enables you to assign Microsoft Graph app roles to a service principal.
Create a service principal and assign an Azure role
Create the service principal that you use later to deploy the Bicep file. In this quickstart, the service principal is created with an application password, also known as a client secret. Also, assign the service principal the Managed Identity Contributor role, scoped to a resource group:
Caution
This quickstart uses an application password for simplicity and testing purposes only. Don't use this approach in production environments.
az group create --name exampleRG --location eastus
az ad sp create-for-rbac --name myServicePrincipalName --role "Managed Identity Contributor" --scopes "/subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName"
Console output:
{
"appId": "myServicePrincipalId",
"displayName": "myServicePrincipalName",
"password": "myServicePrincipalPassword",
"tenant": "myOrganizationTenantId"
}
The output includes the password key. Make sure you copy this value, because it can't be retrieved.
Assign Microsoft Graph permissions to the service principal
Use Microsoft Graph PowerShell to grant the Group.ReadWrite.All application-only permission to the service principal.
Connect-MgGraph -Scopes "AppRoleAssignment.ReadWrite.All","Application.Read.All"
# Find the service principal created to run the deployment
$mySP = Get-MgServicePrincipalByAppId -AppId "myServicePrincipalId"
# Find the service principal for Microsoft Graph
$graphSP = Get-MgServicePrincipalByAppId -AppId "00000003-0000-0000-c000-000000000000"
# Assign Group.ReadWrite.All app-only permission (id = 62a82d76-70ea-41e2-9197-370581804d09)
New-MgServicePrincipalAppRoleAssignedTo -ResourceId $graphSP.Id -ServicePrincipalId $graphSP.Id -PrincipalId $mySP.Id -AppRoleId "62a82d76-70ea-41e2-9197-370581804d09"
Tip
Use the Microsoft Graph permissions reference to look up the permission ID by permission name (for example User.Read.All).
Sign in as the service principal to deploy the Bicep file
Use either Azure CLI or Azure PowerShell to sign in as the service principal created earlier.
spID=$(az ad sp list --display-name myServicePrincipalName --query "[].{spID:appId}" --output tsv)
tenantID=$(az ad sp list --display-name myServicePrincipalName --query "[].{tenantID:appOwnerOrganizationId}" --output tsv)
echo "Using appId $spID in tenant $tenantID"
az login --service-principal --username $spID --password {paste your SP password here} --tenant $tenantID
Important
If you want to avoid displaying your password on the console and are using az login interactively, use the read -s command in bash.
read -sp "Azure password: " AZ_PASS && echo && az login --service-principal -u <app-id> -p $AZ_PASS --tenant <tenant>
Deploy the Bicep file
Now deploy the Bicep file using your resource group's scope.
az deployment group create --resource-group exampleRG --template-file main.bicep
Note
Due to replication delays, adding the managed service identity (MSI) as an owner of the Microsoft Entra group may cause the deployment to fail. Wait a little and then deploy the same Bicep file again.
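The sign-in and deployment steps above, wrapped for a CI/CD pipeline step. This is an added example and not part of the quickstart; it assumes the pipeline injects the service principal's appId, tenant ID and client secret as the environment variables AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_CLIENT_SECRET, rejects leftover placeholders before any az call is made, and retries the deployment to cover the replication-delay failure noted above.

```shell
#!/bin/sh
# Added example (not part of the quickstart): a CI-style wrapper around the
# sign-in and deployment steps. Assumptions: the pipeline's secret store sets
# AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_CLIENT_SECRET in the environment.
set -eu

# is_guid: succeed only if the argument is a GUID, so a leftover placeholder
# such as "myServicePrincipalId" is rejected before az is ever invoked.
is_guid() {
  printf '%s' "$1" |
    grep -Eqi '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'
}

# retry ATTEMPTS DELAY CMD...: run CMD up to ATTEMPTS times, sleeping DELAY
# seconds between tries. Covers the replication-delay failure noted above.
retry() {
  attempts=$1; delay=$2; shift 2
  n=1
  while :; do
    if "$@"; then return 0; fi
    if [ "$n" -ge "$attempts" ]; then return 1; fi
    echo "attempt $n of $attempts failed, retrying in ${delay}s" >&2
    sleep "$delay"
    n=$((n + 1))
  done
}

# deploy_bicep RESOURCE_GROUP TEMPLATE: sign in as the service principal,
# deploy, then log out so the token does not linger on the build agent.
deploy_bicep() {
  rg=$1; template=$2
  : "${AZURE_CLIENT_ID:?set to the appId from az ad sp create-for-rbac}"
  : "${AZURE_TENANT_ID:?set to the tenant from az ad sp create-for-rbac}"
  : "${AZURE_CLIENT_SECRET:?set to the password from az ad sp create-for-rbac}"
  is_guid "$AZURE_CLIENT_ID" || { echo "AZURE_CLIENT_ID is not a GUID" >&2; return 2; }
  is_guid "$AZURE_TENANT_ID" || { echo "AZURE_TENANT_ID is not a GUID" >&2; return 2; }
  # The secret is read from the environment, so it is never typed into a
  # shell history or committed alongside the script.
  az login --service-principal -u "$AZURE_CLIENT_ID" -p "$AZURE_CLIENT_SECRET" \
    --tenant "$AZURE_TENANT_ID" --output none
  retry 3 30 az deployment group create --resource-group "$rg" \
    --template-file "$template" --output none
  az logout
}

# Usage from a pipeline step:
# deploy_bicep exampleRG main.bicep
```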
Clean up resources
When the Azure resources are no longer needed, use the Azure CLI or Azure PowerShell module to delete the quickstart resource group.
Note
Resource groups are an Azure concept and have no impact on Microsoft Graph resources. Microsoft Graph resources need to be cleaned up with an additional request to Microsoft Graph. For this you can use Azure CLI or Azure PowerShell, Microsoft Graph CLI, or Microsoft Graph PowerShell.
The following examples show commands that delete the Azure resources first, then the Microsoft Graph resources, using Azure CLI and Azure PowerShell.
az group delete --name exampleRG
az rest --method delete --url https://graph.microsoft.com/v1.0/groups(uniqueName=%27myExampleGroup%27)
spID=$(az ad sp list --display-name myServicePrincipalName --query "[].{spID:id}" --output tsv)
az ad sp delete --id $spID