Merge pull request #225 from microsoftgraph/dkershaw10-updateSamples-0.1.10

Sample updates for v0.2.0 release

Author: dkershaw10

msgraph-metadata

@@ -25,11 +25,13 @@ This sample operates in two modes, depending on the `mode` parameter.
 
 The `appScopes` array parameter allows the deployer to select the Microsoft Graph Oauth2.0 scopes to set for or grant to the client application. The sample validates the set of provided scopes in the array parameter against [Microsoft Graph delegated permission scopes][graph-permissions]. Any invalid scopes provided are ignored. `appScores` should contain a list of scope names (for example *User.Read.All* and *Group.ReadWrite.All*).
 
+The sample also enables the deployer to set an owner of the client application, using the `userUPN` parameter.
+
 ### Prerequisites
 
 - A valid **Azure subscription**: If you don't own an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
 - An **Azure resource group** that you own under a valid Azure subscription, or [deploy without an Azure subscription][no-azure-sub].
-- [Bicep tools for authoring and deployment](https://learn.microsoft.com/graph/templates/quickstart-install-bicep-tools). The minimum required Bicep version is v0.30.3.
+- [Bicep tools for authoring and deployment](https://learn.microsoft.com/graph/templates/quickstart-install-bicep-tools). The minimum required Bicep version is v0.32.4.
 - Have the requisite **Microsoft Entra roles** to deploy this template:
 
   - Permissions to create applications. [Users have this permission by default](https://learn.microsoft.com/entra/fundamentals/users-default-permissions#compare-member-and-guest-default-permissions). However, [admins can turn off this default](https://learn.microsoft.com/entra/fundamentals/users-default-permissions#restrict-member-users-default-permissions) in which case you need to be assigned at least the [Application Developer](https://learn.microsoft.com/entra/identity/role-based-access-control/permissions-reference#application-developer) role.

quickstart-templates/apps-permissions-and-grants/README.md

@@ -3,7 +3,8 @@ extension microsoftGraphV1
 // TEMPLATE DESCRIPTION
 /* Grant OAuth2.0 scopes to a client application definition,
    where the target resource used is Microsoft Graph, and the deployer can select which
-   Microsoft Graph OAuth2.0 scopes are granted on the client app.
+   Microsoft Graph OAuth2.0 scopes are granted on the client app. The template also
+   assigns an owner to the application and service principal.
    
    NOTE: Setting requiredResourceAccess on a client application is NOT required
    to grant OAuth2.0 permissions to the client application.
@@ -13,22 +14,34 @@ param date string
 param displayName string?
 param filteredScopes array
 param graphSpId string
+param userUPN string?
 
 var app = 'myApp'
 
 // convert scopes array into space separate scopes string
 var scopeArray = [for (scopeItem,i) in filteredScopes: filteredScopes[i].value]
 var scopeString = join(scopeArray, ' ')
 
+// fetch the user's ID based on their UPN
+resource userOwner 'Microsoft.Graph/[email protected]' existing = if (!empty(userUPN)) {
+  userPrincipalName: userUPN!
+}
+
 // create basic app
 resource myApp 'Microsoft.Graph/[email protected]' = {
   displayName: displayName == null ? '${app}-${date}' :'${displayName}-${app}-${date}'
   uniqueName: uniqueString(app, date)
+  owners: {
+    relationships: (!empty(userUPN)) ? [userOwner.id] : []
+  }
 }
 
 // Create service principal for the basic app
 resource mySP 'Microsoft.Graph/[email protected]' = {
   appId: myApp.appId
+  owners: {
+    relationships: (!empty(userUPN)) ? [userOwner.id] : []
+  }
 }
 
 // Grant the OAuth2.0 scopes (requested in parameters) to the basic app,
@@ -44,5 +57,6 @@ resource graphScopesAssignment 'Microsoft.Graph/[email protected]' =
 output appName string = myApp.displayName 
 output appObjectID  string = myApp.id
 output appID  string = myApp.appId
+output appOwners array = myApp.owners.relationships
 output scopes array = scopeArray
 output grantedScopes string = graphScopesAssignment.scope

quickstart-templates/apps-permissions-and-grants/appGrantScopes.bicep

@@ -3,7 +3,8 @@ extension microsoftGraphV1
 // TEMPLATE DESCRIPTION
 /* Set the required resource access on a client application definition.
    The target resource used is Microsoft Graph, and the deployer can select which
-   Microsoft Graph OAuth2.0 scopes are configured on the client app.
+   Microsoft Graph OAuth2.0 scopes are configured on the client app. The template also
+   assigns an owner to the application.
    
    NOTE: requiredResourceAccess configures which permissions the client application
    requires and this drives the user consent experience where permissions are granted. 
@@ -13,15 +14,24 @@ extension microsoftGraphV1
 param date string
 param displayName string?
 param filteredScopes array
+param userUPN string?
 
 var app = 'myApp'
 var graphAppId = '00000003-0000-0000-c000-000000000000'
 
+// fetch the user's ID based on their UPN
+resource userOwner 'Microsoft.Graph/[email protected]' existing = if (!empty(userUPN)) {
+  userPrincipalName: userUPN!
+}
+
 // create an application with the requiredResourceAccess property
 // creates a resourceAccess scope for each Microsoft Graph scope in filteredScopes 
 resource myApp 'Microsoft.Graph/[email protected]' = {
   displayName: displayName == null ? '${app}-${date}' :'${displayName}-${app}-${date}'
   uniqueName: uniqueString(app, date)
+  owners: {
+    relationships: (!empty(userUPN)) ? [userOwner.id] : []
+  }
   requiredResourceAccess: [
     {
       resourceAppId: graphAppId
@@ -38,5 +48,6 @@ resource myApp 'Microsoft.Graph/[email protected]' = {
 output appName string = myApp.displayName 
 output appObjectID  string = myApp.id
 output appID  string = myApp.appId
+output appOwners array = myApp.owners.relationships
 output scopes array = [for (scopeItem,i) in filteredScopes: filteredScopes[i].value]
 output clientAppResourceAccessList array = myApp.requiredResourceAccess[0].resourceAccess

quickstart-templates/apps-permissions-and-grants/appRequiredResourceAccess.bicep

@@ -4,6 +4,6 @@
   },
   // specify an alias for the version of the v1.0 dynamic types package you want to use
   "extensions": {
-    "microsoftGraphV1": "br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:0.1.9-preview"
+      "microsoftGraphV1": "br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:0.2.0-preview"
   }
 }

quickstart-templates/apps-permissions-and-grants/bicepconfig.json

@@ -24,6 +24,10 @@ param appScopes array = ['profile','User.Read']
 @allowed(['set-required-scopes','grant-scopes'])
 param mode string = 'set-required-scopes'
 
+@description('Owner UPN for the client application')
+param userUPN string?
+
+
 var graphAppId = '00000003-0000-0000-c000-000000000000'
 
 // Get the Microsoft Graph service principal so that the scope names
@@ -52,13 +56,15 @@ module appCreateGrantScopesModule './appGrantScopes.bicep' = if (mode == 'grant-
     date: date
     displayName: displayName
     graphSpId: msGraphSP.id
+    userUPN: userUPN
   }
 }
 
 // outputs
 output appName string = ((mode == 'set-required-scopes') ? appCreateRraModule.outputs.appName : appCreateGrantScopesModule.outputs.appName)
 output appObjectID string = ((mode == 'set-required-scopes') ? appCreateRraModule.outputs.appObjectID : appCreateGrantScopesModule.outputs.appObjectID)
 output appID  string = ((mode == 'set-required-scopes') ? appCreateRraModule.outputs.appID : appCreateGrantScopesModule.outputs.appID)
+output appOwners array = ((mode == 'set-required-scopes') ? appCreateRraModule.outputs.appOwners : appCreateGrantScopesModule.outputs.appOwners)
 output foundInputScopes array = ((mode == 'set-required-scopes') ? appCreateRraModule.outputs.scopes: appCreateGrantScopesModule.outputs.scopes)
 output clientAppResourceAccessList array = ((mode == 'set-required-scopes') ? appCreateRraModule.outputs.clientAppResourceAccessList : ['Not set'])
 output grantedScopes string = ((mode == 'grant-scopes') ? appCreateGrantScopesModule.outputs.grantedScopes : 'Not set')

quickstart-templates/apps-permissions-and-grants/main.bicep

@@ -14,8 +14,6 @@ This template sample:
 1. Creates a user UPN list from a txt file.
 2. Creates/updates a security group with its members set based on the user UPN list
 
-**NOTE:** Due to current modelling limitations [no more than 20 members can be added/updated at a time][20-members], and only [update semantics][update-only] are supported for members (and owners).
-
 ### Prerequisites
 
 - A valid **Azure subscription**: If you don't own an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.

quickstart-templates/security-group-add-user-members/README.md

@@ -4,6 +4,6 @@
     },
     // specify an alias for the version of the v1.0 dynamic types package you want to use
     "extensions": {
-      "microsoftGraphV1": "br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:0.1.9-preview"
+      "microsoftGraphV1": "br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:0.2.0-preview"
     }
 }

quickstart-templates/security-group-add-user-members/bicepconfig.json

@@ -1,9 +1,15 @@
-extension microsoftGraphV1
+// Setting replace semantics for all relationships in this template unless overridden
+extension microsoftGraphV1 with {
+  relationshipSemantics: 'replace'
+}
+
 
 // TEMPLATE OVERVIEW:
 // Creates a security group and adds the referenced users as members.
 // The user list are in a txt file, with each user's UPN on a separate line.
 // Replace example userlist.txt file values with user UPNs from your tenant.
+// The group members are added using replace semantics overwriting any
+// existing group members.
 
 @description('Today\'s date used to configure a unique daily app name')
 param date string
@@ -33,10 +39,13 @@ resource group 'Microsoft.Graph/[email protected]' = {
   mailNickname: uniqueString(groupName)
   securityEnabled: true
   uniqueName: groupName
-  members: [for i in range(0, upnListLength): userList[i].id]
+  members: {
+    relationships: [for i in range(0, upnListLength): userList[i].id]
+  }
 }
 
 // outputs
 output addedUserList array = upnList
 output groupName string = group.displayName
 output groupId string = group.id
+output groupMembers array = group.members.relationships

quickstart-templates/security-group-add-user-members/main.bicep

@@ -1,13 +1,14 @@
 # Create a group with members and owners
 
-> **Note**: Minimum Bicep version required to deploy this quickstart template is [v0.30.3](https://github.com/Azure/bicep/releases/tag/v0.30.3).
+> **NOTE**:
+>
+> - Minimum Bicep version required to deploy this quickstart template is [v0.32.4](https://github.com/Azure/bicep/releases/tag/v0.32.4).
+> - This template depends on a successful deployment of [application-serviceprincipal-create-client-resource](../application-serviceprincipal-create-client-resource/)
 
-> **Note2**: This template depends on a successful deployment of [application-serviceprincipal-create-client-resource](../application-serviceprincipal-create-client-resource/)
+This template allows you to create a security group with members and owners. Both `members` and `owners` take a [MicrosoftGraphRelationship](../../generated/microsoftgraph/microsoft.graph/v1.0/0.1.10-preview/types.md#microsoftgraphrelationship) type.
 
-This template allows you to create a security group with members and owners. Both `members` and `owners` take a list of object ids.
-
-* The resource service principal created in [application-serviceprincipal-create-client-resource](../application-serviceprincipal-create-client-resource/) is added to the owners
-* A managed identity is created and added to the members
+- The resource service principal created in [application-serviceprincipal-create-client-resource](../application-serviceprincipal-create-client-resource/) is added to the owners
+- A managed identity is created and added to the members
 
 You can deploy the template with the following Azure CLI command (replace `<resource-group>` with the name of your resource group):