Known issues: Microsoft Graph Bicep templates

This article describes the known issues for Bicep templates for Microsoft Graph resources, along with solutions where they exist.

Important

Microsoft Graph Bicep is currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Child resources

Child resources are resources that exist only within the context of another resource. An example is federatedIdentityCredentials, which is a child resource of applications.

Bicep provides three different ways to declare a child resource. With Bicep extensible resources like Microsoft Graph resources, not all of these mechanisms are supported.

You can resolve the authoring-time or deployment-time child resource errors listed below by using either:

Whichever option you choose, the identifier property, name, currently supports only the full resource name format, like <parent-identifier>/<child-identifier>.

Linting error: The property "parent" isn't allowed on objects of type "Microsoft.Graph/<full resource name of child resource>"

During Bicep file authoring, if you specify the parent property you see this linting error. Extensible resources like Microsoft Graph resources don't have built-in support for the parent property the way Azure resources do, so declaring a child outside its parent by using the parent property isn't currently supported.

Linting error: Remove unnecessary dependsOn entry '<parent-identifier-name>'

If the parent resource is referenced in the full resource name, you see this linting error because the dependsOn property isn't necessary: the reference already implies the dependency. However, if the full resource name is written as plain text, dependsOn is required; otherwise the Bicep deployment has no way to know about the dependency.

Deployment error: Invalid identifier format for {<parent-identifier>/<child-identifier>}

This deployment error indicates that the name identifier property value for the child resource declaration isn't using the full resource name format, <parent-identifier>/<child-identifier>.
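As an added example (not from the original article), a federatedIdentityCredentials child declared both ways that the section above describes: with the parent referenced in the full resource name, and with a plain-text full resource name plus dependsOn. The extension declaration, resource names and the issuer/subject values are assumptions and placeholders.

```bicep
// Added example, not from the original article. Names and values are placeholders.
extension microsoftGraph

resource app 'Microsoft.Graph/applications@v1.0' = {
  uniqueName: 'example-app'
  displayName: 'Example App'
}

// Option A: reference the parent's uniqueName inside the full resource name.
// The reference implies the dependency, so dependsOn is omitted (the linter
// would flag it as unnecessary).
resource ficRef 'Microsoft.Graph/applications/federatedIdentityCredentials@v1.0' = {
  name: '${app.uniqueName}/github-main'
  audiences: ['api://AzureADTokenExchange']
  issuer: 'https://token.actions.githubusercontent.com'
  // Pin the subject to one repository and branch so only that workflow can
  // exchange its OIDC token for this application's credentials.
  subject: 'repo:example-org/example-repo:ref:refs/heads/main'
}

// Option B: plain-text full resource name. Nothing references the parent, so
// dependsOn is required or the deployment cannot order the two resources.
resource ficPlain 'Microsoft.Graph/applications/federatedIdentityCredentials@v1.0' = {
  name: 'example-app/github-release'
  audiences: ['api://AzureADTokenExchange']
  issuer: 'https://token.actions.githubusercontent.com'
  subject: 'repo:example-org/example-repo:ref:refs/tags/v1.0.0'
  dependsOn: [app]
}
```

Declaring either credential with `parent: app` instead, or with `name: 'github-main'` alone, produces the linting and deployment errors listed above.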

Deployment Error: This application {0} isn't authorized to call Microsoft Graph using a Bicep template

When you attempt to interactively deploy a Bicep file containing Microsoft Graph resources using apps like Visual Studio Code (in VS Code, right-click the file and select "Deploy Bicep file...") or other custom apps, you see this error message:

[{"code":"Forbidden","target":"/resources/resourceApp","message":"This application {0} is not authorized to call Microsoft Graph using a Bicep template. Currently only Azure CLI and Azure PowerShell are supported for interactive deployments using a signed-in user."}]

Only Azure PowerShell and Azure CLI apps are supported for interactive deployments of Microsoft Graph resources.

This restriction doesn't apply for app-only deployments (also known as zero-touch deployments or sign-in with service principals).

Deploying with Azure PowerShell or a custom app has unexpected errors about unknown types, versions, properties, or capabilities

After you upgrade the Bicep extension for VS Code, you also need to upgrade the Bicep CLI to match the Bicep extension version in order to take advantage of new features or new or updated resource type definitions. If you're using Azure CLI, it warns you when a newer version is available. Azure PowerShell doesn't offer such a warning, however, and the only clue you get is a failed deployment, likely with an error about an unknown type, version, property, or capability.

Resolution

Upgrade your Bicep CLI version to match the Visual Studio Code Bicep extension version.

  1. Check the Bicep CLI version by opening a command prompt and using:

bicep --version

  2. If the version number is different from the VS Code Bicep extension version number, continue to step 3 for Azure CLI or step 4 for a manual install/upgrade (if you're using anything other than Azure CLI).

  3. If you're using Azure CLI, you can upgrade your installed version to the latest version using the following command:

az bicep upgrade

  4. If you're using Azure PowerShell or a custom app for your deployments, you need to upgrade manually. Follow the steps in Bicep install for your platform.

Deployment Issue: App-only deploy of Microsoft Entra groups sets the wrong owner

When you use app-only (zero-touch) deployments to deploy Microsoft Entra groups, the owner of the group is incorrectly set. Instead of being set to the service principal that initiates the deployment operation, the owner is set to the Microsoft Graph Bicep extension.

Resolution

To work around this issue, explicitly add the service principal as an owner in every groups definition in the Bicep file.
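As an added example (not from the original article) of the workaround above, a group declaration that explicitly lists the deploying service principal as an owner. The extension declaration, the existing-resource lookup by appId, the parameter name and the group values are assumptions and placeholders.

```bicep
// Added example, not from the original article. Names and IDs are placeholders.
extension microsoftGraph

@description('Application (client) ID of the service principal that runs the app-only deployment.')
param deployerAppId string

// Resolve the deploying service principal to obtain its object id.
resource deployer 'Microsoft.Graph/servicePrincipals@v1.0' existing = {
  appId: deployerAppId
}

resource secGroup 'Microsoft.Graph/groups@v1.0' = {
  uniqueName: 'example-sec-group'
  displayName: 'Example Security Group'
  mailEnabled: false
  mailNickname: 'example-sec-group'
  securityEnabled: true
  // Without this, the owner ends up set to the Microsoft Graph Bicep extension
  // rather than the principal that ran the deployment.
  owners: {
    relationships: [
      deployer.id
    ]
  }
}

output groupObjectId string = secGroup.id
```

Owners added this way are cumulative: as the append-only behavior described later on this page notes, removing an entry from the list later does not remove that owner from the deployed group.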

Deployment Error: Another object with the same value for property uniqueName already exists

When redeploying a Bicep file with Microsoft Graph resources, it's possible to see this error message.

It happens if one of the Microsoft Graph resources declared in the Bicep file is deleted from the service, for example via Microsoft Graph PowerShell, the CLI, or the REST API. When the Bicep file is deployed again, the service is unable to recreate the resource because a bug in the service reports a conflict on the unique name value between the newly created item and the one still in the deleted items container.

Resolution

There are a few options you can take:

Deployment Error: App-only deployment fails when property membershipRule is declared on a group

When using app-only deployment, if the Bicep file contains a declaration of a groups resource with the membershipRule property, the deployment fails with the following error message:

{
    "error": {
        "code":"BadRequest",
        "target":"/resources/<groupsResourceName>",
        "message":"AppOnly OBO tokens not supported by target service. ..."
    }
}

This issue is caused by an auxiliary microservice that supports the dynamic membership feature for groups; it does not currently support template deployment automation flows.

Deployment Behavior: Group members and owners are append-only

Group membership and ownership declarations on a groups Bicep resource are append-only. Removing a member or owner from the membership or ownership list in an already deployed Bicep file does not remove that member or owner from the target group. Removing members or owners cannot be done declaratively via Bicep.