Freigeben über

Additional Bicep samples on GitHub

  • Artikel

The following samples on GitHub demonstrate different scenarios for deploying various Microsoft Graph Bicep types and configurations.

Samples from the msgraph-bicep-types repo

You can also contribute to this collection of samples. For more information, see Contributing to the Microsoft Graph Bicep Extension.

Sample Sample summary
Create client and resource apps
  • Create a client app registration with an optional X509 certificate
  • Create a resource app registration
  • Create service principals for both apps
    		•
    Create a client app with an X509 certificate from Key Vault
  • Create a client app registration
  • Add an X509 certificate from Key Vault using a deployment script
  • Create a service principal for the app
    		•
    Configure a client app with OAuth2.0 scopes to call Microsoft Graph Create a client application and either:
  • Set required resource access on the client app definition, or
  • Grant OAuth2.0 scopes to the client application.
    		•
    Configure GitHub Actions to access Azure resources, using zero secrets Enable a GitHub Action to log into Microsoft Entra, build and deploy a web app into an Azure App Service, without using any secrets.
  • Create a secret-less app configured with a federated identity credential for GitHub
  • Create a service principal and assign it a resource group scoped Azure Contributor role
    		•
    Configure an app with a user-assigned managed identity as a credential Enable an app running in Azure to call Microsoft Graph API, without using any secrets
  • Create a secret-less client application, using a user-assigned managed identity as the credential
  • Create a service principal and assign it Microsoft Graph app roles
  • Assign the managed identity to an Azure Automation account, enabling the app to call Microsoft Graph
    		•
    Grant a client app access to a resource app Create an app role assignment for the client app to the resource app that were created in Create client and resource apps
    Enable a client service to read from Blob storage, using a security group Configure three user-assigned managed identities to read from a Blob Storage account via a security group:
  • Create 3 managed identities and add them as members of a security group
  • Assign an Azure Reader role to the Blob Storage account for the security group
    		•
    Configure a security group's user members, using user principal names
  • Fetch users by UPN
  • Create a security group
  • Add the fetched users as members of the group
    		•
    Create a group with members and owners
  • Create a security group and:
  • Add a resource service principal as owner
  • Add a managed identity as member
    		•

    Samples from the Azure-Samples repo

    These samples represent more complete end-to-end samples that integrate the use of Microsoft Graph Bicep types into Azure infrastructure deployment scenarios.

    Sample Sample summary
    Built-in Auth for Azure App Service with Microsoft Entra ID Provision an Azure App Service app with the built-in authentication feature and a Microsoft Entra ID identity provider. The Bicep files use the Microsoft Graph Bicep extension to create the Entra application registration using managed identity with Federated Identity Credentials, so that no client secrets or certificates are necessary.
    Built-in Auth for Azure Container Apps with Microsoft Entra ID Provision an Azure Container App with the built-in authentication feature and a Microsoft Entra ID identity provider. The Bicep files use the Microsoft Graph Bicep extension to create the Entra application registration using managed identity with Federated Identity Credentials, so that no client secrets or certificates are necessary.