How can I execute Microsoft Graph Powershell commands via bicep in azure pipelines?


I am trying to grant an app role to a newly created service as part of my bicep script, but I cannot seem to get the MS Graph module loaded/installed.

This is the script:

resource roleAssignment 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
  name: 'assign-custom-role'
  location: location
  kind: 'AzurePowerShell'
  properties: {
    azPowerShellVersion: '10.4'
    retentionInterval: 'P1D'
    arguments: '-managedIdentityObjectId ${containerApp.identity.principalId}'
    scriptContent: '''
      param (
        [string] $managedIdentityObjectId
      )
     Install-Module Microsoft.Graph -Scope CurrentUser
     
     $tenantID = 'xxxx'
     Connect-AzureMG -TenantId $tenantID -Scopes 'Application.Read.All'
     
     # The name of the server app that exposes the app role.
     $serverApplicationName = 'My API'
     
     # The name of the app role that the managed identity should be assigned to.
     $appRoleName = 'MyApi.FullAccess'
     
     # Look up the details about the server app's service principal and app role.
     $serverServicePrincipal = (Get-MGServicePrincipal -Filter "DisplayName eq '$serverApplicationName'")
     $serverServicePrincipalObjectId = $serverServicePrincipal.Id
     $appRoleId = ($serverServicePrincipal.AppRoles | Where-Object {$_.Value -eq $appRoleName }).Id
         
     # Assign the managed identity access to the app role.
     New-MgServicePrincipalAppRoleAssignment `
         -ServicePrincipalId $managedIdentityObjectId `
         -AppRoleId $appRoleId `
         -PrincipalId $managedIdentityObjectId `
         -ResourceId $serverServicePrincipalObjectId 
    '''
  }
}

This throws an exception when executed both locally and by Azure DevOps Pipelines: "The term 'Connect-AzureMG' is not recognized as a name of a cmdlet, function, script file, or executable program"

What am I doing wrong?


Note: I agree with @Thomas; to connect to Microsoft Graph, use the Connect-MgGraph command, not Connect-AzureMG.

Initially, I got the same error by using the same script as you.

To resolve the error, modify the script by using Connect-MgGraph like below:

resource roleAssignment 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
  name: 'assign-custom-role'
  location: location
  kind: 'AzurePowerShell'
  properties: {
    azPowerShellVersion: '10.4'
    retentionInterval: 'P1D'
    arguments: '-managedIdentityObjectId ${containerApp.identity.principalId}'
    scriptContent: '''
      param (
        [string] $managedIdentityObjectId
      )
     Install-Module Microsoft.Graph -Scope CurrentUser
     
     $tenantID = 'xxxx'
     Connect-MgGraph -TenantId $tenantID -Scopes 'Application.Read.All'
     
     # The name of the server app that exposes the app role.
     $serverApplicationName = 'My API'
     
     # The name of the app role that the managed identity should be assigned to.
     $appRoleName = 'MyApi.FullAccess'
     
     # Look up the details about the server app's service principal and app role.
     $serverServicePrincipal = (Get-MGServicePrincipal -Filter "DisplayName eq '$serverApplicationName'")
     $serverServicePrincipalObjectId = $serverServicePrincipal.Id
     $appRoleId = ($serverServicePrincipal.AppRoles | Where-Object {$_.Value -eq $appRoleName }).Id
         
     # Assign the managed identity access to the app role.
     New-MgServicePrincipalAppRoleAssignment `
         -ServicePrincipalId $managedIdentityObjectId `
         -AppRoleId $appRoleId `
         -PrincipalId $managedIdentityObjectId `
         -ResourceId $serverServicePrincipalObjectId 
    '''
  }
}

I modified the script and executed it successfully via PowerShell, as below:

$tenantID = '226cf998-ddcc-4005-acfb-xxx'
Connect-MgGraph -TenantId $tenantID -Scopes 'Application.Read.All'

# The name of the server app that exposes the app role.
$serverApplicationName = 'ServerApp'

# The name of the app role that the managed identity should be assigned to.
$appRoleName = 'MyApi.FullAccess'

# Look up the details about the server app's service principal and app role.
$serverServicePrincipal = (Get-MGServicePrincipal -Filter "DisplayName eq '$serverApplicationName'")
$serverServicePrincipalObjectId = $serverServicePrincipal.Id
$appRoleId = "938f49ec-abc7-4ee6-a911-xxx"

$params = @{
    principalId = "1b38ff60-a4b6-4c36-975c-xxx"
    resourceId  = "d88c4e23-5176-4f7d-926e-xxx"
    appRoleId   = "938f49ec-abc7-4ee6-a911-xxx"
}

New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId "1b38ff60-a4b6-4c36-975c-xxx" -BodyParameter $params

The app role was assigned to the managed identity successfully.

Reference:

New-MgServicePrincipalAppRoleAssignment (Microsoft.Graph.Applications) | Microsoft
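Both scripts above sign in interactively with -Scopes, which a deployment script running in a pipeline cannot do, and neither checks what the lookup returned before granting the role. The following is an added example (not code from the question or the accepted answer) of the scriptContent body rewritten for non-interactive, fail-closed, idempotent use. It assumes Microsoft.Graph 2.x (Connect-MgGraph -Identity) and that the deploymentScripts resource has a user-assigned identity (via its identity property) that has been granted the Graph application permissions Application.Read.All and AppRoleAssignment.ReadWrite.All; the application and role names are placeholders.

```powershell
# Added example, not the original poster's or answerer's code.
# Assumptions: Microsoft.Graph 2.x; the deployment script's managed identity holds
# the Graph app roles Application.Read.All and AppRoleAssignment.ReadWrite.All.
param (
  [Parameter(Mandatory)] [string] $managedIdentityObjectId,   # principal to grant
  [string] $serverApplicationName = 'My API',                  # app exposing the role (placeholder)
  [string] $appRoleName = 'MyApi.FullAccess'                   # role value to grant (placeholder)
)
$ErrorActionPreference = 'Stop'   # any failure fails the deployment instead of silently continuing

Install-Module Microsoft.Graph.Applications -Scope CurrentUser -Force
Import-Module Microsoft.Graph.Applications

# Sign in as the deployment script's managed identity: no -Scopes, no device code,
# no secret embedded in the template. Permissions come from app roles granted to it.
Connect-MgGraph -Identity -NoWelcome

# Resolve the server app's service principal. Display names are not unique in a
# tenant, so fail closed unless exactly one match comes back.
$sps = @(Get-MgServicePrincipal -Filter "displayName eq '$serverApplicationName'")
if ($sps.Count -ne 1) {
  throw "Expected exactly one service principal named '$serverApplicationName', found $($sps.Count)"
}
$serverSp = $sps[0]

# The role must exist and be enabled; otherwise $appRoleId would be empty and the
# assignment call would fail with a less helpful Graph error.
$appRole = $serverSp.AppRoles | Where-Object { $_.Value -eq $appRoleName -and $_.IsEnabled }
if (-not $appRole) { throw "App role '$appRoleName' not found or disabled on '$serverApplicationName'" }

# Idempotency: re-running the template must neither error nor duplicate the grant.
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $managedIdentityObjectId |
  Where-Object { $_.ResourceId -eq $serverSp.Id -and $_.AppRoleId -eq $appRole.Id }
if ($existing) {
  Write-Output "Assignment already present (id $($existing.Id)); nothing to do."
  return
}

$assignment = New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $managedIdentityObjectId `
  -PrincipalId $managedIdentityObjectId -ResourceId $serverSp.Id -AppRoleId $appRole.Id
Write-Output "Granted '$appRoleName' on '$serverApplicationName' (assignment id $($assignment.Id))"
```

Because the grant is made by the deployment script's own identity rather than whoever runs the pipeline, the only Graph permissions in play are the two app roles listed above, which is the least privilege this task needs.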