
Releases: microsoftgraph/msgraph-bicep-types

Private Preview 1 (September 2023)

14 Sep 20:27
8d5e697


Pre-release

New Microsoft Graph Bicep types

Limitations

  • Bicep types for Microsoft Graph /beta version only.
  • Deployment requires a signed-in user (zero-touch deployment is not possible with this release).
  • Microsoft Accounts are not supported for deployments.
  • Deployments supported only in the public cloud.
  • Oauth2PermissionGrant and AppRoleAssignedTo do not have client-provided keys, so the use of "existing" is not possible for these resources.
  • Adding group members and owners is a non-destructive, additive operation:
    • "Create" can add a maximum of 20 "relationships" (members and/or owners).
    • "Update" can add a maximum of 20 "relationships" (members and/or owners).
  • Deployment stacks are not supported (they aren't yet supported for the extension framework).

Known issues

  • A client app granted just the user_impersonation permission to ARM can deploy Identity resources. The scope of what a client can do is (at least) limited by the operations that the Microsoft Graph Bicep Extension can perform (via the Group.ReadWrite.All, User.ReadWrite.All, Application.ReadWrite.All, DelegatedPermissionGrant.ReadWrite.All, and AppRoleAssignment.ReadWrite.All delegated permissions). As with any user-delegated permissions, the signed-in user must also be in a privileged Entra (Azure AD) role that allows management of the target Identity resources.
    Therefore, we strongly recommend that the private preview is not enabled for deployments to any production tenant.
  • Removing existing appRoles or oauth2PermissionScopes from their respective collections (on the application resource) and redeploying will fail, as an appRole or an oauth2PermissionScope needs to first be disabled (via the isEnabled property) before it can be deleted.
    • Redeploying with additional appRoles (or oauth2PermissionScopes) added to the collection (in the template) is possible.
    • If any appRoles or oauth2PermissionScopes need to be removed, disable those items first in the template (and deploy), before removing those items from the collection in the template (and redeploy).
  • Creating appRoles or oauth2PermissionScopes requires the client to provide a GUID identifier in the request payload.
    These will need to be pre-generated and tracked in the template.
  • "Preview save" (pre-flight and what-if functionality) has very limited support:
    • It has limited validation of the resource type name (and does not compare against API schema).
    • It only returns the request's resource body in the response, rather than a review of the deployed resource body.
  • The "deployment details page" in the Azure Portal currently only shows deployed ARM resources, and will not show any Graph (Entra) resources deployed by the extension.
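The two appRole items above (disable before removal, and client-supplied GUIDs tracked in the template) in one template. This is an added example, not code from the repository; the `extension` line, the `@beta` type name and the key property are assumptions taken from the later public docs, and the GUIDs and names are constructed placeholders.

```bicep
// Assumption: extension import line and type name as in later public releases;
// this preview may use different syntax, so check the release README.
extension microsoftGraphBeta

// appRole ids must be supplied by the client. Generate them once and keep them
// here so every redeployment reuses the same id. Constructed placeholder values.
var taskReadRoleId = '11111111-1111-1111-1111-111111111111'
var legacyRoleId = '22222222-2222-2222-2222-222222222222'

resource demoApp 'Microsoft.Graph/applications@beta' = {
  // Key property: a client-provided name in this preview (PR #7);
  // later releases call it uniqueName. Constructed sample value.
  name: 'bicep-approle-demo'
  displayName: 'Bicep appRole demo'
  appRoles: [
    {
      id: taskReadRoleId
      allowedMemberTypes: [ 'Application' ]
      description: 'Read tasks'
      displayName: 'Task.Read'
      value: 'Task.Read'
      isEnabled: true
    }
    {
      // Retiring this role takes two deployments:
      //   1. set isEnabled to false (as here) and deploy;
      //   2. delete this whole object from the array and redeploy.
      // Deleting it while it is still enabled makes the redeploy fail.
      id: legacyRoleId
      allowedMemberTypes: [ 'User' ]
      description: 'Legacy role being retired'
      displayName: 'Legacy.Access'
      value: 'Legacy.Access'
      isEnabled: false
    }
  ]
}
```

The same pattern applies to oauth2PermissionScopes, which also carry a client-supplied id and an isEnabled flag. Bicep's built-in `guid()` function can derive a stable id from fixed seed strings if you prefer not to paste literal GUIDs, as long as the seeds never change.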

What's Changed

  • Initial Setup for Bicep Types, Typeloader, and Deployment Pipeline by @jason-dou in #1
  • Update API version and optional name for Graph Resources by @jason-dou in #7
  • Replace approleassignment with approleassignedto by @jason-dou in #8
  • Update Beta types to be consistent with schema by @jason-dou in #16