This article describes the known issues for Bicep templates for Microsoft Graph resources, and solutions if they exist.
Important
Microsoft Graph Bicep is currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Child resources
Child resources are resources that exist only within the context of another resource. An example is federatedIdentityCredentials, which is a child resource of applications.
Bicep provides three different ways to declare a child resource. With Bicep extensible resources like Microsoft Graph resources, not all of these mechanisms are supported.
You can resolve the authoring-time or deployment-time child resource errors listed below by using either:
- the within parent resource mechanism (preferred), or
- the outside parent without specifying parent property mechanism.
Whichever option you choose, the identifier property name currently only supports the full resource name, like <parent-identifier>/<child-identifier>.
Linting error: The property "parent" isn't allowed on objects of type "Microsoft.Graph/<full resource name of child resource>"
During Bicep file authoring, if you specify the parent property you see this linting error.
Extensible resources like Microsoft Graph resources don't have built-in support for the parent property like Azure resources do, so the outside parent resource mechanism can't currently be supported.
Linting error: Remove unnecessary dependsOn entry '<parent-identifier-name>'
If the parent resource is referenced in the full resource name, you see this linting error because the dependsOn property isn't necessary: the reference implies dependsOn. However, if the full resource name is defined as plain text, dependsOn is required; otherwise the Bicep deployment has no way of knowing about the dependency.
Deployment error: Invalid identifier format for {<parent-identifier>/<child-identifier>}
This deployment error indicates that the name identifier property value for the child resource declaration isn't using the full resource name format: <parent-identifier>/<child-identifier>.
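The child-resource rules above, shown as an added example that is not part of the original article. It assumes bicepconfig.json maps the alias microsoftGraphV1 to the Microsoft Graph Bicep extension; all resource names, unique names, and the issuer/subject values are constructed.

```bicep
// Added example: names and values are constructed for illustration.
// Assumption: 'microsoftGraphV1' is the extension alias in bicepconfig.json.
extension microsoftGraphV1

var audiences = ['api://AzureADTokenExchange']
var issuer = 'https://token.actions.githubusercontent.com'

// 1. Within the parent (preferred). The name still uses the full
//    '<parent-identifier>/<child-identifier>' format.
resource appA 'Microsoft.Graph/applications@v1.0' = {
  uniqueName: 'contoso-app-a'
  displayName: 'Contoso app A'

  resource ficA 'federatedIdentityCredentials@v1.0' = {
    name: '${appA.uniqueName}/github-main'
    audiences: audiences
    issuer: issuer
    subject: 'repo:contoso/example-a:ref:refs/heads/main'
  }
}

// 2. Outside the parent, without the 'parent' property. The name references
//    appB, which implies the dependency, so adding dependsOn here would
//    trigger "Remove unnecessary dependsOn entry".
resource appB 'Microsoft.Graph/applications@v1.0' = {
  uniqueName: 'contoso-app-b'
  displayName: 'Contoso app B'
}

resource ficB 'Microsoft.Graph/applications/federatedIdentityCredentials@v1.0' = {
  name: '${appB.uniqueName}/github-main'
  audiences: audiences
  issuer: issuer
  subject: 'repo:contoso/example-b:ref:refs/heads/main'
}

// 3. Outside the parent with a plain-text name. Nothing references appC,
//    so dependsOn is required for correct ordering.
resource appC 'Microsoft.Graph/applications@v1.0' = {
  uniqueName: 'contoso-app-c'
  displayName: 'Contoso app C'
}

resource ficC 'Microsoft.Graph/applications/federatedIdentityCredentials@v1.0' = {
  name: 'contoso-app-c/github-main'
  audiences: audiences
  issuer: issuer
  subject: 'repo:contoso/example-c:ref:refs/heads/main'
  dependsOn: [appC]
}
```

A name without the `/` separator (for example, 'github-main' alone) is what produces the "Invalid identifier format" deployment error.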
Deployment Error: This application {0} isn't authorized to call Microsoft Graph using a Bicep template
When you attempt to interactively deploy a Bicep file containing Microsoft Graph resources using apps like Visual Studio Code (in VS Code, right-click "Deploy Bicep file...") and other custom apps, you see this error message:
[{"code":"Forbidden","target":"/resources/resourceApp","message":"This application {0} is not authorized to call Microsoft Graph using a Bicep template. Currently only Azure CLI and Azure PowerShell are supported for interactive deployments using a signed-in user."}]
Only Azure PowerShell and Azure CLI apps are supported for interactive deployments of Microsoft Graph resources.
This restriction doesn't apply for app-only deployments (also known as zero-touch deployments or sign-in with service principals).
Deploying with Azure PowerShell or a custom app has unexpected errors about unknown types, versions, properties, or capabilities
After you upgrade the Bicep extension for VS Code, you also need to upgrade the Bicep CLI to match the Bicep extension version to take advantage of new features or new or updated resource type definitions. If you're using Azure CLI, it warns you if a newer version is available. However, Azure PowerShell doesn't offer such a warning and the only clue you get is when the deployment fails, likely with an error to do with unknown type, version, property, or capability.
Resolution
Upgrade your Bicep CLI version to match the Visual Studio Code Bicep extension version.
1. Check the Bicep CLI version by opening a command prompt and using:
   bicep --version
2. If the version number is different from the VS Code Bicep extension version number, continue to step 3 for Azure CLI and step 4 for manual install/upgrade (if you're using anything other than Azure CLI).
3. If you're using Azure CLI, you can upgrade your installed version to the latest version using the following command:
   az bicep upgrade
4. If you're using Azure PowerShell or a custom app for your deployments, you need to upgrade manually. Follow the steps in Bicep install for your platform.
Deployment Error: Another object with the same value for property uniqueName already exists
When redeploying a Bicep file with Microsoft Graph resources, it's possible to see this error message.
It happens if one of the Microsoft Graph resources declared in the Bicep file is deleted from the service, maybe via Microsoft Graph PowerShell, CLI, or the REST API. When the Bicep file is deployed again, the service is unable to recreate the resource because a bug in the service indicates a conflict on the unique name value between the newly created item and the one in the deleted items container.
Resolution
There are a few options you can take:
- Permanently delete the deleted item, and then redeploy the Bicep file.
- Specify a different unique name in the Bicep file, and then redeploy.
- Restore the deleted item, then redeploy the Bicep file.
Deployment Error: App-only deployment fails when property membershipRule is declared on a group
When using app-only deployment, if the Bicep file contains a declaration of a groups resource with the membershipRule property, the deployment fails with the following error message:
{
  "error": {
    "code": "BadRequest",
    "target": "/resources/<groupsResourceName>",
    "message": "AppOnly OBO tokens not supported by target service. ..."
  }
}
This issue is due to an auxiliary microservice, which is used to support the groups dynamic membership feature, not currently supporting template deployment automation flows.
Deployment error: Publisher verification ID (MPN) can't be set on an application
When defining an application resource with a verifiedPublisher.publisherVerificationId property, the deployment fails with the following error message:
{
  "error": {
    "code": "Forbidden",
    "message": "verifiedPublisher properties cannot be set during Application creation. Graph client request id: {request-id-value}. Graph request timestamp: {UTC-timestamp-value}."
  }
}
The verifiedPublisher property is read-only and hence the verifiedPublisherId can't be set in the application resource definition. Currently, a different endpoint is used in Microsoft Graph to set the verified publisher, rather than setting the property on the application resource.
Resolution
Create the application resource without defining a verifiedPublisher. Then use the Microsoft Graph REST API or other options like CLI and PowerShell to set the verified publisher. This operation can also be incorporated into a deployment script within the Bicep file.
Deployment error: Stream properties like application logo can't be deployed
While stream properties (like the application resource's logo property) can be defined in Microsoft Graph Bicep resource definitions, deploying these resources leads to an error of "Unexpected contents in request body", no matter how you format the property in the Bicep file.
In Microsoft Graph, stream properties must be updated separately from the rest of the resource type's properties. Even though logo is exposed as a property of application, it can't be updated directly as it is currently modelled in Microsoft Graph Bicep.
Resolution
Create the application resource without defining any stream properties, like logo on application. Then use the Microsoft Graph REST API or other options like CLI and PowerShell to set the stream property. For example, for the application logo property, set the application logo using REST or set the application logo using PowerShell. This operation can also be incorporated into a deployment script within the Bicep file.