Microsoft Graph Bicep feature limitations
This article lists the limits and restrictions for Microsoft Graph Bicep. Some limits are due to the underlying Microsoft Graph service or the Bicep extensibility service, while others are specific to Microsoft Graph Bicep.
Important
Microsoft Graph Bicep is currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Deployments are supported for the public cloud only
Microsoft Graph Bicep deployments are supported only for the public cloud and not for sovereign clouds like Azure Government and Azure China 21Vianet.
Application passwords are not supported for applications and service principals
Application passwords or secrets - passwordCredentials - are not supported for the applications and servicePrincipals Bicep types. The only credentials supported for applications and servicePrincipals are keyCredentials. This template sample shows configuring an application with a key credential created and stored in Azure Key Vault. Depending on your scenario, a credential-less option is also possible, for example using federated identity credentials to enable GitHub Actions to access Azure resources.
If application passwords are required, the workaround is to use a DeploymentScript resource to call Microsoft Graph to add a password.
No more than 20 members and/or owners can be declared for a Groups resource
While a single Groups resource definition in a Bicep file can declare more than 20 members and/or owners, declaring more than 20 results in a 400 error at deployment time.
Deploying role-assignable groups is not supported
You can declare a role-assignable group resource by setting the isAssignableToRole property to true in a Bicep file. However, deployment of role-assignable group resources fails, even if the application and/or user have been granted the necessary privileges for both delegated (interactive) and app-only deployment flows.
If role-assignable groups are required, the workaround is to use a DeploymentScript resource to call Microsoft Graph to create this type of group resource.
Unsupported deployment features
The following deployment features are currently not supported for Bicep extensible resources like the Microsoft Graph resources:
- Preview changes using the what-if check
- Verbose output
- Deployment stacks
- Using granular delegated admin permissions to allow Cloud Solution Providers to deploy Bicep files to their customers' tenants is not supported if the Bicep file contains Microsoft Graph resources.
- The Azure portal deployments details page only supports showing deployed Azure Resource Manager resources. Deployed Microsoft Graph resources don't appear on this page.
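Because what-if previews are not supported for Microsoft Graph resources, the group limits described above show up only as deployment failures. The following Python check is an added example, not part of the original article or of Microsoft's tooling: it scans a compiled template for the three resource-level limits listed on this page. The compiled JSON layout (a `resources` array or object whose entries carry `type` and `properties`), the function names, the rule names and the sample template are assumptions made for illustration.

```python
import json
import sys

MAX_REFS = 20  # this page: more than 20 members and/or owners fails with a 400
CRED_TYPES = {"microsoft.graph/applications", "microsoft.graph/serviceprincipals"}

def iter_resources(template):
    """Yield (name, resource) for both array and symbolic-name (object) layouts."""
    res = template.get("resources", [])
    if isinstance(res, dict):
        yield from res.items()
    else:
        for i, r in enumerate(res):
            yield r.get("name", f"resources[{i}]"), r

def lint(template):
    """Return sorted (resource, rule) findings for the limits listed in this article."""
    findings = []
    for name, r in iter_resources(template):
        rtype = str(r.get("type", "")).split("@")[0].lower()  # drop API version suffix
        props = r.get("properties") or {}
        if rtype in CRED_TYPES and props.get("passwordCredentials"):
            findings.append((name, "password-credentials"))
        if rtype == "microsoft.graph/groups":
            # Assumption: each list is counted separately; the page does not
            # say whether the limit applies to members and owners combined.
            for field in ("members", "owners"):
                refs = props.get(field)
                # Only literal lists can be counted; template expressions are skipped.
                if isinstance(refs, list) and len(refs) > MAX_REFS:
                    findings.append((name, f"too-many-{field}"))
            if props.get("isAssignableToRole") is True:
                findings.append((name, "role-assignable"))
    return sorted(findings)

# Constructed sample shaped like the assumed compiled template (not real output).
SAMPLE = {"resources": {
    "app": {"type": "Microsoft.Graph/applications@v1.0",
            "properties": {"passwordCredentials": [{"displayName": "pw"}]}},
    "bigGroup": {"type": "Microsoft.Graph/groups@v1.0",
                 "properties": {"members": [f"id-{i}" for i in range(21)]}},
    "okGroup": {"type": "Microsoft.Graph/groups@v1.0",
                "properties": {"members": [f"id-{i}" for i in range(20)]}},
    "roleGroup": {"type": "Microsoft.Graph/groups@v1.0",
                  "properties": {"isAssignableToRole": True}},
}}

if __name__ == "__main__":
    tpl = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    results = lint(tpl)
    for name, rule in results:
        print(f"{name}: {rule}")
    sys.exit(1 if results else 0)
```

Lists built from parameters or other template expressions cannot be counted statically, so a clean result does not guarantee the deployment stays under the limit.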