How can I add RBAC roles to an Azure AD group in Bicep format?

Emran Hossain 195 Reputation points
2023-07-18T13:57:33.37+00:00

Hi ,

I have an assignment from my company's client: "Create a Bicep file for AAD groups to Azure RBAC roles in Key Vault, App Configuration, Azure Service Bus" (the solution will be in Bicep).

I did not get any ideas anywhere.

If someone could come to help me here.


Accepted answer
    Shweta Mathur 30,301 Reputation points Microsoft Employee
    2023-07-19T10:09:04.7633333+00:00

    Hi @Anonymous,

    Thanks for reaching out.

    There is no direct template available for your requirement.

    However, you can leverage the samples provided to create a bicep file accordingly.

    https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/scenarios-rbac

    Currently you cannot create a group with a Bicep template. Our team is working on an MS Graph (AAD) provider for Bicep so you can create app registrations and other AAD objects, but we don't have a clear ETA as of now.

    You can create a group using the Graph API and then assign roles to the group using principalId, where you can assign the object ID of the group.

    // Object ID of the existing Entra ID (Azure AD) group: the group is created outside Bicep
    // (for example with Microsoft Graph) and its object ID is passed in as a parameter.
    param adGroupObjectId string
    param keyVaultName string
    param appConfigName string
    param serviceBusName string
    // The original answer is cut off before the Service Bus role ID, so the GUID of the
    // built-in Service Bus role the group needs is passed in rather than guessed here.
    param serviceBusRoleDefinitionId string
    // Built-in role definition GUIDs. Key Vault Contributor is a management-plane role:
    // it manages the vault but grants no access to secrets, keys or certificates.
    var keyVaultContributorRoleId = 'f25e0fa2-a7c8-4377-a976-54943a77a395' // Key Vault Contributor
    var appConfigDataOwnerRoleId = '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b' // App Configuration Data Owner
    // Existing resources in this resource group; each assignment is scoped to the resource
    // itself rather than to a resource group.
    resource keyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = { name: keyVaultName }
    resource appConfig 'Microsoft.AppConfiguration/configurationStores@2023-03-01' existing = { name: appConfigName }
    resource serviceBus 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' existing = { name: serviceBusName }

    resource keyVaultRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
      name: guid(keyVault.id, adGroupObjectId, keyVaultContributorRoleId) // deterministic, so redeploys update the same assignment
      scope: keyVault
      properties: {
        principalId: adGroupObjectId
        principalType: 'Group'
        roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultContributorRoleId)
      }
    }

    resource appConfigRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
      name: guid(appConfig.id, adGroupObjectId, appConfigDataOwnerRoleId)
      scope: appConfig
      properties: {
        principalId: adGroupObjectId
        principalType: 'Group'
        roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', appConfigDataOwnerRoleId)
      }
    }

    resource serviceBusRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
      name: guid(serviceBus.id, adGroupObjectId, serviceBusRoleDefinitionId)
      scope: serviceBus
      properties: {
        principalId: adGroupObjectId
        principalType: 'Group'
        roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', serviceBusRoleDefinitionId)
      }
    }


    Hope this will help.

    Thanks,

    Shweta


    Please remember to "Accept Answer" if the answer helped you.


0 additional answers
