25,132 questions
How to Add Federated Credentials to an Existing App Registration Using Bicep?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 94%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMI%3C/text%3E%3C/svg%3E)
Muhammad Ibrahim
0
Reputation points
Hi,
I have manually created an App Registration in Azure Entra ID, and now I want to use Bicep to add federated credentials (for GitHub Actions) to it. Specifically, I want the Bicep script to reference the existing App Registration instead of creating a new one.
The problem I'm facing is that I can't find any official guidance or Bicep examples that show how to reference an existing App Registration and add federated credentials to it.
Could anyone provide an example or point me to documentation on how to:
- Reference an existing App Registration or creating new App Registration in Bicep.
- Add federated identity credentials to it (for GitHub Actions).
Thanks in advance!
Microsoft Security | Microsoft Entra | Microsoft Entra ID
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 51%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator2025-04-21T19:54:22.4233333+00:00 Hi @Muhammad Ibrahim
I understand that you are trying to create an App Registration in Azure Entra ID, and now you want to use Bicep to add federated credentials (for GitHub Actions) to it.Choose the least privileged permission to create or update a Microsoft.Graph/applications/federatedIdentityCredentials resource. From the following document: https://learn.microsoft.com/en-us/graph/templates/reference/federatedidentitycredentials?view=graph-bicep-1.0
Permissions for personal Microsoft accounts cannot be used to deploy Microsoft Graph resources declared in Bicep files.
You can configure a federated identity credential on an existing application to trust a managed identity. Use the following tabs to choose how to configure a federated identity credential on an existing application.This example shows how to use Bicep to create a FIC to make your app trust the assigned managed identity. Replace the placeholders with the appropriate values.
extension 'br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:0.1.8-preview' param myWorkloadManagedIdentity string = '[MANAGED-IDENTITY-NAME]' param applicationDisplayName string = '[APPLICATION-DISPLAYNAME]' param applicationName string = '[APPLICATION-UNIQUE-NAME]' resource myManagedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = { name: myWorkloadManagedIdentity } resource myApp 'Microsoft.Graph/applications@v1.0' = { displayName: applicationDisplayName uniqueName: applicationName resource myMsiFic 'federatedIdentityCredentials@v1.0' = { name: '${myApp.uniqueName}/msiAsFic' description: 'Trust the workloads UAMI to impersonate the App' audiences: [ 'api://AzureADTokenExchange' ] issuer: '${environment().authentication.loginEndpoint}${tenant().tenantId}/v2.0' subject: myManagedIdentity.properties.principalId } }Hope this helps. Do let us know if you have any further queries.
-
Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator
2025-04-23T17:40:12.7066667+00:00 Hi @Muhammad Ibrahim
Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back. -
Muhammad Ibrahim 0 Reputation points
2025-04-24T11:50:18.7333333+00:00 The issue is that when trying to reference the App Registration using the resource type
Microsoft.Graph/applications@v1.0, it throws an error saying it's not a valid resource. Additionally, to use thefederatedIdentityCredentialsresource, you either need to pass the App Registration resource as a parent, or define it as a child resource, but in both cases, the problem remains:Microsoft.Graph/applications@v1.0is not recognized as a valid resource type in ARM or Bicep.
As a result, I'm currently resorting to usingaz clicommands to create the federated credentials.Currently using az-cli version 2.70.0.
-
Muhammad Ibrahim 0 Reputation points
2025-04-24T11:50:36.25+00:00 Extra Comment added by mistake
-
Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator
2025-04-24T20:37:09.3233333+00:00 Hi @Muhammad Ibrahim
Thank you for your response. It seems that in both cases, the problem remains that:Microsoft.Graph/applications@v1.0is not recognized as a valid resource type in ARM or Bicep.So, you are currently using
az clicommands to create the federated credentials. Please update about the issue. Do let us know if you have any further queries. -
Muhammad Ibrahim 0 Reputation points
2025-05-05T07:45:39.0266667+00:00 Hi @Bandela Siri Chandana , sorry for the delay. Here are the details. I want to accomplish this using Bicep with the Azure CLI via the deployment scripts module, or alternatively by using
Microsoft.Graph/applications@v1.0in Bicep. The attached script is executing, but it’s not registering the app and isn’t throwing any errors. Any help regarding this would be appreciated. Also, is there any other way to do this usingMicrosoft.Graph/applications@v1.0?Script:
@description('The Application (client) ID of the App Registration')param clientAppId string
@description('The object ID of the Service Principal of App Registration')
param spObjectId string
@description('The GitHub subject in format repo:octo-org/octo-org:ref:refs/heads/master')
param githubSubject string
@description('Web App name')
param webAppName string
@description('Web App resource group')
param webAppResourceGroup string
@description('Role to be Assigned like Website Contributor')
param roleToAssign string
@description('Federated Credential name')
param federatedCredName string
@description('Azure location for deployment script')
param location string = resourceGroup().location
resource runScript 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
name: 'runFederatedCredAndRoleAssignment'
location: location
kind: 'AzureCLI'
properties: {
azCliVersion: '2.52.0' retentionInterval: 'P1D' cleanupPreference: 'OnSuccess' environmentVariables: [ { name: 'CLIENT_APP_ID' value: clientAppId } { name: 'SP_OBJECT_ID' value: spObjectId } { name: 'GITHUB_SUBJECT' value: githubSubject } { name: 'WEBAPP_NAME' value: webAppName } { name: 'WEBAPP_RG' value: webAppResourceGroup } { name: 'CRED_NAME' value: federatedCredName } { name: 'ROLE_ASSIGNED' value: roleToAssign } ] scriptContent: ''' echo "Creating federated identity credential\n" az ad app federated-credential create --id $CLIENT_APP_ID --parameters '{ "name": "'$CRED_NAME'", "issuer": "https://token.actions.githubusercontent.com/", "subject": "'$GITHUB_SUBJECT'", "description": "OIDC federated credential for GitHub Actions", "audiences": ["api://AzureADTokenExchange"] }' echo "Getting Web App resource ID\n" WEBAPP_ID=$(az webapp show --name $WEBAPP_NAME --resource-group $WEBAPP_RG --query id --output tsv) echo "Assigning role\n" az role assignment create --assignee $SP_OBJECT_ID --role $ROLE_ASSIGNED --scope $WEBAPP_ID '''}
}
-
Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator
2025-05-05T15:39:04.9866667+00:00 Hi @Muhammad Ibrahim
I understand that the attached script is executing, but it’s not registering the app and isn’t throwing any errors.By using this Microsoft.Graph/applications@v1.0' you cannot do add Federated Credentials to an Existing App Registration Using Bicep.
Try to follow the document: Microsoft.Graph/applications - Microsoft Graph Bicep v1.0 reference | Microsoft Learn to add Federated Credentials to an Existing App Registration Using Bicep.
Hope this helps. Do let us know if you have any further queries.
Sign in to comment
Sign in to answer