How can I add API permissions to an app registration from a Bicep file?

Valeria Naldi 145 Reputation points
2024-01-25T16:27:52.12+00:00

I'm using a Bicep file to deploy an Azure solution composed of several Azure resources. I want to add API permissions to an app registration to allow API calls to ADX and ADT. This is what I follow to manually add API permissions:
https://learn.microsoft.com/en-us/azure/digital-twins/how-to-create-app-registration?tabs=portal#provide-api-permissions
https://learn.microsoft.com/en-us/azure/data-explorer/provision-entra-id-app#configure-delegated-permissions-for-the-application
How can I do the same in a Bicep file? Thanks for the help.

Tags: Azure Role-based access control; Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  Akshay-MSFT 17,956 Reputation points, Microsoft Employee, Moderator
    2024-01-29T09:12:33.42+00:00

    @Valeria Naldi

    Thank you for posting your query on Microsoft Q&A. From the above description I understand that you are looking to add API permissions to an existing Entra ID registered app via a Bicep template.

    Please do correct me if this is not the case by responding in the comments.

    We don't have a direct way to make changes to Entra ID App registration via Bicep.

    As of now, in order to do MS Graph operations, like creating an App Registration, as part of a Bicep deployment, there are two options:

    Use the MS Graph provider (in Private Preview, which is not currently accepting new members until sometime this year)

    Use a Deployment Script, like this doc suggests: https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/deployment-script-bicep#use-microsoft-graph-within-a-deployment-script

    With deployment scripts in Bicep, using the deploymentScripts resource, you can run scripts in Bicep deployments and review the execution results. You can use these scripts to perform custom steps such as the following:

    • Add users to a directory.
    • Perform data plane operations; for example, copy blobs or seed a database.
    • Look up and validate a license key.
    • Create a self-signed certificate.
    • Create an object in Microsoft Entra ID.
    • Look up IP address blocks from a custom system.

    Referring to the Quickstart templates, I found a sample, "Use a deployment script to create Azure AD objects".

    Also, following the Bicep Community Call - July '23, I was able to find that this is on the roadmap. The current timelines are as follows:

    [image: roadmap timeline from the Bicep Community Call, not reproduced here]


    Please "Accept the answer (Yes)" and "share your feedback". This will help us and others in the community as well.

    Thanks,

    Akshay Kaushik

    1 person found this answer helpful.
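The accepted answer points to the deployment-script route without showing one. The following Bicep file is an added example and is not part of the answer above or of any Microsoft sample: a `Microsoft.Resources/deploymentScripts` resource that runs Azure CLI to add a delegated permission (a "Scope" entry in the app's `requiredResourceAccess`) to an existing app registration. Everything specific is a parameter, so nothing is hard-coded: the target app's client ID, the resource API's application ID (Azure Digital Twins or Azure Data Explorer, taken from the docs linked in the question), the permission ID, and a user-assigned managed identity. The API version, CLI version and resource name are my choices, not values from the page.

```bicep
// Added example (not from the original post): add an API permission to an existing
// app registration from Bicep by running Azure CLI inside a deployment script.
//
// Assumptions (not stated on the page):
//  - scriptIdentityId is an existing user-assigned managed identity that holds an
//    Entra ID role or Microsoft Graph permission allowing it to update app
//    registrations; keep it dedicated to this job, since that right is privileged.
//  - resourceAppId / permissionId are looked up from the Microsoft docs linked in
//    the question (ADT and ADX each publish their application ID and scope ID).

@description('Application (client) ID of the app registration to update')
param appClientId string

@description('Application ID of the resource API that exposes the permission (ADT or ADX)')
param resourceAppId string

@description('ID of the delegated permission (scope) to grant')
param permissionId string

@description('Resource ID of a user-assigned managed identity allowed to update app registrations')
param scriptIdentityId string

param location string = resourceGroup().location

resource addApiPermission 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
  // Name changes with the inputs so a new permission triggers a new script run.
  name: 'add-api-permission-${uniqueString(appClientId, resourceAppId, permissionId)}'
  location: location
  kind: 'AzureCLI'
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${scriptIdentityId}': {}
    }
  }
  properties: {
    azCliVersion: '2.52.0'
    timeout: 'PT15M'
    retentionInterval: 'PT1H'
    cleanupPreference: 'OnSuccess'
    // Pass inputs as environment variables rather than splicing them into the
    // script text, so IDs never have to be escaped inside the shell script.
    environmentVariables: [
      { name: 'APP_ID', value: appClientId }
      { name: 'API_ID', value: resourceAppId }
      { name: 'PERMISSION_ID', value: permissionId }
    ]
    scriptContent: '''
      set -euo pipefail
      # Declare the delegated permission on the app registration. This only adds
      # the entry to requiredResourceAccess; consent is a separate step.
      az ad app permission add --id "$APP_ID" --api "$API_ID" \
        --api-permissions "$PERMISSION_ID=Scope"
      # Surface the resulting permission list as a deployment output (must be a
      # JSON object, hence the JMESPath multiselect hash).
      az ad app show --id "$APP_ID" \
        --query '{requiredResourceAccess: requiredResourceAccess}' -o json \
        > "$AZ_SCRIPTS_OUTPUT_PATH"
    '''
  }
}

// The requiredResourceAccess array as it stands after the script ran.
output appPermissions object = addApiPermission.properties.outputs
```

Two caveats a practitioner will hit. First, adding the permission does not grant it: a user still has to consent at sign-in, or an administrator has to grant tenant-wide consent (`az ad app permission admin-consent --id <appId>`), which needs a far more privileged identity than updating the app registration, so it is deliberately left out of the script. Second, the identity that runs the script can rewrite any app registration it is allowed to touch, so give the deployment script a dedicated user-assigned identity with the narrowest Graph rights that work, rather than reusing a pipeline identity that already holds Owner on subscriptions.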

0 additional answers
