Deploy Microsoft Graph resources without an Azure subscription

You can deploy Microsoft Graph resources using Bicep templates even if your tenant doesn't have an Azure subscription. This article explains how to deploy at the tenant scope, so you can automate Microsoft Graph resource deployment without Azure. This approach is useful when:

Note

This method applies only if your Bicep template contains Microsoft Graph resources exclusively. If your template includes Azure resources, you need a valid Azure subscription.

Prerequisites

  • The tenant doesn't have any Azure subscriptions.
  • The user and/or service principal deploying the Bicep file must have the minimum permissions required for the resources in the Bicep file.
  • Install Bicep tools for authoring and deployment. This article uses Visual Studio Code with the Bicep extension for authoring and Azure CLI for deployment. Azure PowerShell examples are also provided.
  • You can deploy Bicep files interactively or using app-only (zero-touch) deployment.

Deploy Microsoft Graph resources

Follow these steps to deploy Microsoft Graph resources at the tenant scope without an Azure subscription.

  1. Assign deployment permissions to the principal:

    1. Elevate account access to the User Access Administrator role if needed.
    2. Assign deployment permissions to the user or service principal at the tenant (/) scope. Use one of the following methods, listed from least to most privileged:
      • Assign a custom role with the Microsoft.Resources/deployments/* permission.
      • Assign a built-in Azure DevOps role with the Microsoft.Resources/deployments/* permission.
      • Assign the Owner or Contributor role.

    In the following request, <principalId> is the ID of the user (in interactive deployments) or service principal (in app-only deployments) deploying the resources; <principalType> is "user" or "servicePrincipal" for interactive or app-only deployments respectively.

    az role assignment create --assignee-object-id "<principalId>" --assignee-principal-type "<principalType>" --scope "/" --role "Owner"
    
    3. Remove the elevated access assignment when you're done.
  2. Set the deployment scope in your Bicep file:

    • In your main.bicep file, add targetScope = 'tenant' at the top. The template must contain only Microsoft Graph resources.
  3. Deploy at the tenant scope using the security principal with deployment privileges. Use az deployment tenant create or New-AzTenantDeployment:

    az deployment tenant create --location WestUS --template-file main.bicep
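
The preflight below is an added example, not part of the original article or of Microsoft's tooling: it checks the two template conditions the steps above depend on (targetScope = 'tenant' and only Microsoft.Graph resource types) before running the article's deployment command, and gives a check for leftover elevated access at the "/" scope. The function names and the script name are hypothetical, and only the given file is inspected, not any modules it references.

```sh
#!/bin/sh
# Added example (not from the article). Function names are hypothetical.
# Checks only the file it is given; referenced modules are not inspected.

# Step 2: succeed only if the template declares targetScope = 'tenant'.
has_tenant_scope() {
  grep -Eq "^[[:space:]]*targetScope[[:space:]]*=[[:space:]]*'tenant'" "$1"
}

# Print each declared resource type that is not a Microsoft.Graph/* type.
# The article's method applies only to templates with Graph resources.
non_graph_types() {
  sed -n "s/^[[:space:]]*resource[[:space:]][[:space:]]*[A-Za-z_][A-Za-z0-9_]*[[:space:]][[:space:]]*'\([^@']*\)@[^']*'.*/\1/p" "$1" |
    grep -vi '^Microsoft\.Graph/' || true
}

# Step 1.3 check: list principals that still hold User Access Administrator
# at "/". Empty output means the elevated access assignment was removed.
remaining_elevated_access() {
  az role assignment list --scope "/" --role "User Access Administrator" \
    --query "[].principalId" --output tsv
}

# Step 3: run both template checks, then the article's deployment command.
deploy_graph_only() {
  has_tenant_scope "$1" || { echo "$1: missing targetScope = 'tenant'" >&2; return 2; }
  bad=$(non_graph_types "$1")
  [ -z "$bad" ] || { echo "$1: non-Graph resource types: $bad" >&2; return 3; }
  az deployment tenant create --location WestUS --template-file "$1" || return 4
}

# Usage: sh deploy-graph.sh main.bicep
if [ "$#" -gt 0 ]; then deploy_graph_only "$1"; fi
```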
    
