Release v0.1.8-preview

We're excited to announce the release of v0.1.8-preview! This version is exclusively available on the Microsoft Artifact Registry (MAR) and can be accessed using dynamic types. Please note that it requires a minimum Bicep version of 0.30.3. For more information on how to migrate to dynamic types, check out How to migrate to dynamic types. Quickstart templates are also updated with examples using Graph Bicep resources in v0.1.8-preview.

Important

Built-in types are deprecated and will be retired on January 24, 2025. Until the retirement date, built-in types, denoted by extension microsoftGraph, will coexist with the new dynamic types. Any Microsoft Graph Bicep type changes will only be available through new versions of the dynamic types.

What's changes

• Added isManagementRestricted property in [email protected] resource type

Issues fixed

• Fixed an issue with managing app role assignment for all principal types #161

Release v0.1.7-preview

Hello everyone,

We've just rolled out updates for v0.1.7-preview! Please upgrade to latest Bicep version 0.30.3 of your VS Code extension, Azure CLI, or Bicep CLI if using Azure Powershell, for the latest updates.

What's Changed

• Update provider statement to use extension in quickstart templates
• appOwnerOrganizationId is marked as read-only property in servicePrincipals

Issues fixed

• oauth2RequirePostResponse is removed from applications #155

Release v0.1.6-preview

Hello everyone,

We've just rolled out updates for v0.1.6-preview! Please upgrade to latest Bicep version v0.29.45 of your VS Code extension, Azure CLI, or Bicep CLI if using Azure Powershell, for the latest updates.

What's changed

• origin property is removed from application.api.oauth2PermissionScopes
• securityIdentifier and onPremisesProvisioningErrors property are marked as readonly in groups resource
• Reference docs updates

Issues fixed

• (Pending Validation) owners of groups and applications is correctly set as the application that creates the deployment #114
• appRoleAssignedTo can now be deployed by application #125
• Bicep template in reference doc for nested resource fixed with correct resource type #142

Release v0.1.5-preview

Hello everyone,

We've just rolled out updates for v0.1.5-preview! Please upgrade to latest Bicep version v0.27.1 of your VS Code extension, Azure CLI, or Bicep CLI if using Azure Powershell, for the latest updates.

What's changed

• applications/federatedIdentityCredentials now available in v1.0 api version
• microsoftGraphPreview feature flag is no longer required and removed from Bicep experimental features. extensibility is still required to import Microsoft Graph resources
• Quickstart templates updated to reflect the changes

v0.1.4-preview

What's Changed

• applications/federatedIdentityCredentials available in beta api version
• applications, servicePrincipals, groups, appRoleAssignedTo, and oauth2PermissionGrants available in v1 api version
• Updated quickstart example templates

Known issues

• applications/federatedIdentityCredentials needs to be declared either within parent resource or outside parent without specifying parent property. The identifier property name currently only supports full resource name, e.g. '<parent-app-uniquename>/<fic-name>', where <fic-name> is the actual identifier for the FederatedIdentityCredential.

Contributors

@anthony-c-martin
Update to latest version of Azure.Bicep.Types in #75

@Tapanila
Update provider syntax documentation #82

v0.1.2-preview

What's Changed

• Rename groups and applications name property to uniqueName
• Quickstart templates updated to reflect the renaming

v0.1.1-preview

What's Changed

• Bicep Types can now be auto generated from public metadata
• Minor updates on some properties with readonly and length restrictions
• Docs updated with more details

Private Preview 1 (September 2023)

New Microsoft Graph Bicep types

• Group
  • Group membership
  • Group ownership​
• Application​
• ServicePrincipal​
• Oauth2PermissionGrant
• AppRoleAssignedTo

Limitations

• Bicep types for Microsoft Graph /beta version only​.
• Deployment requires a signed-in user (zero-touch deployment is not possible with this release)​.
• Microsoft Accounts are not supported for deployments.
• Deployments supported only in the public cloud.
• Oauth2PermissionGrant and AppRoleAssignedTo do not have client-provided keys, so the use of "existing" is not possible for these resources.
• Group membership and ownership is a non-destructive additive operation:
  • "Create" can add a maximum of 20 "relationships" (members and/or owners).
  • "Update" can add a maximum of 20 "relationships" (members and/or owners).
• Deployment stacks are not supported (they aren't yet supported for the extension framework).

Known issues

• A client app granted just the user_impersonation permission to ARM can deploy Identity resources. The scope of what a client can do is (at least) limited by the operations that the Microsoft Graph Bicep Extension can perform (via the Group.ReadWrite.All ,User.ReadWrite.All , Application.ReadWrite.All, DelegatedPermissionGrant.ReadWrite.All, and AppRoleAssignment.ReadWrite.All delegated permissions). As with any user delegated permissions, the signed-in user must also be in a privileged Entra (Azure AD) role that allows management of the target Identity resources.
  Therefore, we strongly recommend that the private preview is not enabled to deploy in any production tenants.
• Removing existing appRoles or oauth2PermissionScopes from their respective collections (on the application resource) and redeploying will fail, as an appRole or an oauth2PermissionScope needs to first be disabled (via the isEnabled property) before it can be deleted.
  • Redeploying with additional appRoles (or oauth2PermissionScopes) added to the collection (in the template) is possible.
  • If any appRoles or oauth2PermissionScopes need to be removed, disable those items first in the template (and deploy), before removing those items from the collection in the template (and redeploy).
• Creating appRoles or oauth2PermissionScopes requires the client to provide a GUID identifier in the request payload.
  These will need to be pre-generated and tracked in the template.
• "Preview save" (pre-flight and what-if functionality) has very limited support:
  • It has limited validation of the resource type name (and does not compare against API schema).
  • It only returns the request's resource body in the response, rather than a review of the deployed resource body.
• The "deployment details page" in the Azure Portal currently only shows deployed ARM resources, and will not show any Graph (Entra) resources deployed by the extension.

What's Changed

• Initial Setup for Bicep Types, Typeloader, and Deployment Pipeline by @jason-dou in #1
• Update API version and optional name for Graph Resources by @jason-dou in #7
• Replace approleassignment with approleassignedto by @jason-dou in #8
• Update Beta types to be consistent with schema by @jason-dou in #16