This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 3%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EN%3C/text%3E%3C/svg%3E)
Greetings,
is there still not support for creating AAD App registrations using Bicep/ARM? It is quite ridiculous that 3rd party IAC like Terraform have this capability, while Micosoft's own - Bicep - doesn't.
I've read that the alternative is to use deployment scripts in Bicep, but there's a huge problem with this - I would need to access the created App's secrets using output, which is considered insecure even by Microsoft!
There might be some workaround by putting the secret in a key vault and retrieving it, but that complicates things a lot.
Any suggestions for this?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 3%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJF%3C/text%3E%3C/svg%3E)
Disclaimer: While I work for Microsoft, I do not work on the Bicep team.
Below I read that Microsoft should support AAD through Bicep. I believe this feeling is based on an incomplete understanding of the differences between Terraform and ARM/Bicep.
Terraform's AzureRM provider makes REST API calls against ARM, it does not send templates, which is what ARM/Bicep does. Similarly, the AzureAD provider does the same against the REST API's for AAD. ARM/Bicep is used to define a template of Azure resources for transmission to Azure Resource Manager (ARM).
In fact, Microsoft recently made available the AzApi provider (https://registry.terraform.io/providers/Azure/azapi/latest) which enables Terraform to send ARM templates, instead of API calls - this provider is supported by Microsoft, whereas AzureRM and AzureAD are both supported by HashiCop.
The use of Bicep against AAD would, to me, represent an incorrect tool choice. I would instead prefer to see az cli (or Powershell), or a combination involving Bicep and AzureAD TF provider.
Hi @Jason Farrell , while I am perfectly aware of the gap between Azure AD and Azure resources, how they are structured and instantiated - this means very little to any end-user of Microsoft-provided tools, like Bicep for example.
It turns out that engineers who opt into the Microsoft cloud tools ecosystem are punished by Microsoft for chosing the very tools that were provided to us by Microsoft!
It would be common sense to expect that a cloud provider's native solution for building their own cloud would cover such an important aspect, such as Azure AD is to Azure.
App Registrations being a perfect example for this - anyone who wants to use the Microsoft Identity platform to deliver their apps built on Microsoft's cloud to customers, must use App Registrations - and for this we are forced to use imperative-style, clumsy workarounds to proper IaC!
From a high-level perspective - this just does not make sense. My life would've been easier if I went with a 3rd party IaC provider like Terraform or Pulumi, which is dissapointing to say the least.
My only point here is AAD does not have the concept of "templates" that Bicep would rely upon. As to a debate on the quality of tools for AAD, I am sure everyone would always like tools to improve. Cheers.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 87%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EL8%3C/text%3E%3C/svg%3E)
Microsoft should just add a managed identity service for that so we can use the system identity for rbac, so we don't even have to touch the AD, just create a object of the type of the managed identity and use it for RBAC. Just like you can do for a VM. If they don't want to surface the AD as proper ARM resources because of technical limitations, that would solve the problem.
It's January 2023, are App Registrations still not supported in Bicep? Jon Reginbald's workaround is fine, but like OP said terraform has had support for this feature for years, and the whole point of the Bicep DSL is to avoid writing imperative style code.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 25%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHR%3C/text%3E%3C/svg%3E)
Any updates on this? Thanks!
Hello @NSimpraga
Thank you for sharing this question on this community space.
I would like to gather the next articles which fits into your previous statement the one you were describing previously.... So please direct yourself down below:
https://reginbald.medium.com/creating-app-registration-with-arm-bicep-b1d48a287abb
I hope you can find this useful to overcome your concern.
Looking forward to your feedback,
Cheers,
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Hello @NSimpraga
I hope you are doing excellent,
I just wanted to see if you were able to review the previous post made or if you have any other concern that we can address it.
Looking forward to your feedback,
Cheers,
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Greeting @risolis . I am aware of the deployment script method to create App registrations, which I already mentioned in the original post. I was hoping there was support for native Bicep/ARM syntax to create App registrations (other AAD object too?), since other providers like Terraform have this capability.
The deployment script method is more a workaround than a proper solution. The problem is in using script/imperative syntax in IaC which is declarative by design. Many issues which are hard to foresee can pop up by using this workaround.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 34%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECW%3C/text%3E%3C/svg%3E)
Upvote - this functionality is extremely useful. There is a segregation between "Azure" objects and "Azure AD" objects, but hopefully there's a solution!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 23%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EOS%3C/text%3E%3C/svg%3E)
Hi, this is not applicable since there's a need for manual step to assign App administrator role. Similar articles have the same issue.
Could you please address this issue? There's plenty of scenarios requiring ClientId and Secret of App registration, for example to allow AAD authentication for web apps.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 98%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJA%3C/text%3E%3C/svg%3E)
The aws identity service does support IaC...
Its 2025, AAD got rebranded to MS Entra, much progress has been made. Still no Bicep support :-(