Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This article explains Microsoft Graph Bicep feature limitations and restrictions. You'll learn which features are unsupported and discover workarounds for these challenges. Some limitations come from the Microsoft Graph service or the Bicep extensibility service, while others are specific to the Microsoft Graph Bicep extension.
Application passwords are not supported for applications and service principals
Application passwords (secrets), defined by passwordCredentials, aren't supported for the applications and servicePrincipals Bicep types. Only keyCredentials are supported. For example, see the template sample that sets up an application with a key credential stored in Azure Key Vault. In some cases, you can use a credential-less approach, like federated identity credentials for GitHub Actions.
If you need application passwords, use a DeploymentScript resource to call Microsoft Graph and add a password.
Deploying role-assignable groups is not supported
While you declare a role-assignable group in a Bicep template by setting the isAssignableToRole property to true, deploying the group fails, even if the application or user has the required permissions for both interactive and app-only deployment flows.
If you need role-assignable groups, use a DeploymentScript resource to call Microsoft Graph to create the group.
Unsupported deployment features
These deployment features aren't supported for Bicep extensible resources, including Microsoft Graph resources:
- Preview changes using what-if
- Verbose output
- Deployment stacks
- The Azure portal deployment details page only shows Microsoft Graph resources for deployments run in debug mode, under the Operations details menu