
"BadRequestFormat" deploying bicep template at tenant level

Joakim 21 Reputation points
2021-08-19T05:29:57.813+00:00

I'm trying to deploy a #Biceplang template at the tenant level to set role assignments.

But I keep getting "BadRequestFormat" - I'd appreciate any pointers on how to find the underlying issue.

The template is available as a GitHub Gist here.

I'm posting here as suggested by @AzureSupport on Twitter.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Siva-kumar-selvaraj 15,741 Reputation points Volunteer Moderator
    2021-08-19T21:23:17.11+00:00

    Hello @Joakim ,

    Thanks for reaching out.

    The roleDefinitionId needs to be fully qualified, for example: /subscriptions/123a3941-b0ee-12ad-bd9f-d9de123e9c4e/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635, and I would recommend using the subscriptionResourceId() function. Here is a good sample for your reference. Hope this helps.

    I just tweaked roleDefinitionId as shown below which works as expected:

    targetScope = 'tenant'  
    // Groups defined in Azure AD  
    var AzureAdmininstrators = '6f769210-651f-4579-9577-7b1f3fd2bfd3'  
    var AzureSubscriptionOwners = '690fd5cb-1d22-4a35-afe4-a34d36be150d'  
      
    // Azure built-in role IDs (see: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles)  
    var OwnerRoleDefinitionId = '8e3af657-a8ff-443c-a75c-2fe8c4bcb635'  
    var ContributorRoleDefinitionId = 'b24988ac-6180-42a0-ab88-20f7382dd24c'  
      
      
    // Generate unique names for the assignment and role
    var OwnerRoleAssignmentName = guid(AzureSubscriptionOwners, OwnerRoleDefinitionId)  
    var ContributorRoleAssignmentName = guid(AzureAdmininstrators, ContributorRoleDefinitionId)  
      
      
    resource assignOwnerRole 'Microsoft.Authorization/roleAssignments@2020-08-01-preview' = {  
      name: OwnerRoleAssignmentName  
      properties: {  
        roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', OwnerRoleDefinitionId)  
        principalId: AzureSubscriptionOwners  
      }  
    }  
      
    resource assignContributorRole 'Microsoft.Authorization/roleAssignments@2020-08-01-preview' = {  
      name: ContributorRoleAssignmentName  
      properties: {  
        roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', ContributorRoleDefinitionId)  
        principalId: AzureAdmininstrators  
      }  
    }  
      
      
    // To deploy this, use the following AZ CLI command (adapted to your needs of course)  
    //   
    // az deployment tenant create --template-file .\tenant-roles.bicep -l westeurope  
    

    ------
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    2 people found this answer helpful.
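
The following is an added example, not part of the original answer or of any Microsoft tooling: a pre-deployment check over compiled ARM JSON (for instance the output of `az bicep build`) that flags role assignments whose roleDefinitionId resolves to a bare GUID instead of a fully qualified ID. The function names, the constructed sample template, and the acceptance of the scope-less `/providers/...` ID form are assumptions.

```python
import re

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
BARE_GUID = re.compile(rf"^{GUID}$")
# Fully qualified form quoted in the answer; the form without a
# /subscriptions/... prefix is also accepted here (assumption).
QUALIFIED = re.compile(
    rf"^(?:/subscriptions/{GUID})?/providers/Microsoft\.Authorization/roleDefinitions/{GUID}$",
    re.IGNORECASE)
VAR_REF = re.compile(r"^\[variables\('([^']+)'\)\]$")
# A resource-ID function call is resolved by ARM at deploy time, so it is trusted.
RESOURCE_ID_CALL = re.compile(r"^\[(?:subscription|tenant)ResourceId\(", re.IGNORECASE)

def classify(value, variables):
    """Return 'ok', 'bare-guid' or 'unknown' for one roleDefinitionId value."""
    seen = set()
    match = VAR_REF.match(value) if isinstance(value, str) else None
    while match and match.group(1) in variables and match.group(1) not in seen:
        seen.add(match.group(1))  # guard against self-referencing variables
        value = variables[match.group(1)]
        match = VAR_REF.match(value) if isinstance(value, str) else None
    if not isinstance(value, str):
        return "unknown"
    if BARE_GUID.match(value):
        return "bare-guid"
    if QUALIFIED.match(value) or RESOURCE_ID_CALL.match(value):
        return "ok"
    return "unknown"

def lint(template):
    """List (assignment name, verdict) for every role assignment that is not 'ok'."""
    variables = template.get("variables", {})
    resources = template.get("resources", [])
    if isinstance(resources, dict):  # templates that key resources by symbolic name
        resources = list(resources.values())
    findings = []
    for res in resources:
        if res.get("type", "").lower() != "microsoft.authorization/roleassignments":
            continue
        verdict = classify(res.get("properties", {}).get("roleDefinitionId", ""), variables)
        if verdict != "ok":
            findings.append((res.get("name"), verdict))
    return findings

# Constructed sample: the first assignment passes the bare role GUID, the second is qualified.
ROLE_TYPE = "Microsoft.Authorization/roleAssignments"
SAMPLE_TEMPLATE = {"variables": {"OwnerRoleDefinitionId": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"}, "resources": [
    {"type": ROLE_TYPE, "name": "owner-assignment", "properties": {"roleDefinitionId": "[variables('OwnerRoleDefinitionId')]"}},
    {"type": ROLE_TYPE, "name": "contributor-assignment", "properties": {"roleDefinitionId":
        "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]"}}]}
```

Running `lint()` on the compiled template before `az deployment tenant create` points at the offending assignment by name, which the "BadRequestFormat" response alone does not.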