Deploy Microsoft Graph resources without an Azure subscription

Deployments can be scoped so that the resources defined in a Bicep template are deployed to a specific Azure scope such as a management group, subscription, or resource group. These scopes all require an Azure subscription.

There are several scenarios where you need to use Bicep templates to deploy Microsoft Graph resources, but:

1. Your company or tenant doesn't use Azure services
2. You have an Azure AD B2C tenant that can't support Azure subscriptions
3. You have a Microsoft Entra External ID external tenant that can't support Azure subscriptions

Using a tenant-scoped deployment, it's possible to deploy Microsoft Graph resources without an Azure subscription.

This article demonstrates how to scope your deployments to a tenant scope and without using an Azure subscription. It only applies if your Bicep template file contains Microsoft Graph resources only. If your template file contains Azure resources in addition to Microsoft Graph resources, you need a valid Azure subscription.

Important

Microsoft Graph Bicep is currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Prerequisites

• Your tenant has no Azure subscriptions.
• To deploy a Bicep file, the principal performing the deployment needs the least-privileged permissions to deploy the resources declared in the Bicep file.
• Install Bicep tools for authoring and deployment. This how-to article uses VS Code with the Bicep extension for authoring and Azure CLI for deployment. Samples are also provided for Azure PowerShell.
• You can deploy the Bicep files interactively or via zero-touch (app-only) deployment.

Deploy Microsoft Graph resources

The following steps show how to deploy Microsoft Graph resources at the tenant scope without requiring an Azure subscription.

1. Assign the requisite deployment permissions to the principal performing the deployment.

   1. Elevate account access to the User Access Administrator role if you're not assigned the role.
   2. Assign deployment permissions to the <principalId> of the user or service principal, <principalType>, that needs to deploy the templates. The / scope refers to a tenant-wide scope. The following options indicate ways to assign the deployment permissions to the principal, listed in the order of least to highest privileged.
      • Assign a custom role with the Microsoft.Resources/deployments/* permission.
      • Assign a built-in Azure role for DevOps that has the Microsoft.Resources/deployments/* permission.
      • Assign the Owner or Contributor role.
   Azure CLI

   Azure CLI

   az role assignment create --assignee-object-id "<principalId>" --assignee-principal-type "<principalType>" --scope "/" --role "Owner"`
   

   Azure PowerShell

   Azure PowerShell

   New-AzRoleAssignment -ObjectId "<principalId>" -ObjectType "<principalType>" -Scope "/" -RoleDefinitionName "Owner"
   

   3. Remove the elevated access assignment.

2. In your main.bicep file, add targetScope = 'tenant' to set a tenant-level deployment scope. Your Bicep file must declare only Microsoft Graph resources.

3. Perform a tenant deployment using the security principal that has deployment privileges, using az deployment tenant create or New-AzTenantDeployment:

   Azure CLI

   Azure CLI

   az deployment tenant create --location WestUS --template-file main.bicep
   

   Azure PowerShell

   Azure PowerShell

   New-AzTenantDeployment -location "WestUS" -TemplateFile ".\main.bicep"
   

   The location is required and tells Azure Resource Manager where to store the deployment data.

For more information about tenant deployments, see Deploy to a tenant.