Tags: azure, azure-resource-manager, azure-cli, azure-cli2

Can we use az rest in ARM deployment scripts?


I am using ARM deployment scripts (AzCli). Can we use az rest in ARM deployment scripts? I am getting Forbidden({"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation."


Solution

  • I can reproduce your issue on my side; it means your user-assigned identity (MSI) does not have enough permissions to create the AD App via Microsoft Graph in your tenant.

    To solve this issue, just give an AAD admin role, e.g. Application administrator, to the service principal of your MSI; follow the steps below.

    1. Navigate to Azure Active Directory in the portal -> Roles and administrators -> click Application administrator.


    2. Click Add assignments -> Select member(s) -> search for the name of your MSI -> add it.


    Note: You can also give the Microsoft Graph application permission Application.ReadWrite.All to the MSI instead of Application administrator. I won't say too much about it here; if you are interested in it, let me know and I can post it.

    Besides, if you just want to create the AD App with Azure CLI, there is actually no need to use az rest manually; you can use the built-in command az ad app create directly.

    Test sample:

    {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "identity": {
          "type": "string"
        },
        "utcValue": {
          "type": "string",
          "defaultValue": "[utcNow()]"
        }
      },
      "resources": [
        {
          "type": "Microsoft.Resources/deploymentScripts",
          "apiVersion": "2020-10-01",
          "name": "runAzureCLI",
          "location": "[resourceGroup().location]",
          "kind": "AzureCLI",
          "identity": {
            "type": "UserAssigned",
            "userAssignedIdentities": {
              "[parameters('identity')]": {
              }
            }
          },
          "properties": {
            "forceUpdateTag": "[parameters('utcValue')]",
            "AzCliVersion": "2.15.0",
            "timeout": "PT30M",
            "scriptContent": "landingPageApp=$(az rest --method POST --headers \"Content-Type=application/json\" --uri https://graph.microsoft.com/v1.0/applications --body '{\"displayName\": \"LandingpageAppARM\"}')",
            "cleanupPreference": "OnSuccess",
            "retentionInterval": "P1D"
          }
        }
      ]
    }
    

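The permission grant the note in the answer mentions (Application.ReadWrite.All on the MSI instead of the Application administrator role), done from the Azure CLI, as an added example that is not part of the original answer. It creates the appRoleAssignment on the MSI's service principal with az rest, checks that the assignment is listed afterwards, and shows the az ad app create call the answer recommends for the script body, writing the result to the deployment script's output file so the template can read it. The resource group name rg-landing, the identity name id-deployscript and the app name LandingpageAppARM are assumptions; the Microsoft Graph appId and the Application.ReadWrite.All role id are the well-known values.

```shell
#!/bin/sh
# Added example, not part of the original answer. Grants the deployment
# script's user-assigned identity (MSI) the Microsoft Graph application
# permission Application.ReadWrite.All by creating an appRoleAssignment on
# the MSI's service principal, verifies it, and shows the az ad app create
# call that can replace the hand-written az rest POST in scriptContent.
# Assumptions: resource group "rg-landing", identity "id-deployscript",
# app name "LandingpageAppARM"; run as a user allowed to grant app roles.
set -eu

GRAPH="https://graph.microsoft.com/v1.0"
# Well-known appId of the Microsoft Graph first-party application.
GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"
# Well-known id of the Application.ReadWrite.All application permission.
APP_READWRITE_ALL="1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9"

# Accept only GUID-shaped ids so a failed lookup cannot turn into a
# malformed Graph URL or an assignment on the wrong object.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'
}

# Body for POST /servicePrincipals/{msi}/appRoleAssignments.
role_assignment_body() {
  printf '{"principalId":"%s","resourceId":"%s","appRoleId":"%s"}' "$1" "$2" "$3"
}

# Outputs object the deployment script writes to $AZ_SCRIPTS_OUTPUT_PATH so
# the template can read reference('runAzureCLI').outputs.appId.
script_outputs_json() {
  printf '{"appId":"%s"}' "$1"
}

# grant_graph_app_role <resource-group> <identity-name> [app-role-id]
grant_graph_app_role() {
  rg="$1"; name="$2"; role="${3:-$APP_READWRITE_ALL}"
  msi_id="$(az identity show -g "$rg" -n "$name" --query principalId -o tsv)"
  # Object id of the Graph service principal in this tenant (differs per tenant).
  graph_sp_id="$(az rest --method GET \
    --uri "$GRAPH/servicePrincipals?\$filter=appId eq '$GRAPH_APP_ID'" \
    --query 'value[0].id' -o tsv)"
  is_guid "$msi_id" || { echo "bad MSI principalId: $msi_id" >&2; return 1; }
  is_guid "$graph_sp_id" || { echo "bad Graph SP id: $graph_sp_id" >&2; return 1; }
  az rest --method POST --headers "Content-Type=application/json" \
    --uri "$GRAPH/servicePrincipals/$msi_id/appRoleAssignments" \
    --body "$(role_assignment_body "$msi_id" "$graph_sp_id" "$role")"
  # Check: the assignment must now be listed on the MSI's service principal.
  az rest --method GET --uri "$GRAPH/servicePrincipals/$msi_id/appRoleAssignments" \
    --query "value[?appRoleId=='$role'].{resource:resourceDisplayName,role:appRoleId}" \
    -o table
}

# What scriptContent can run once the MSI has the permission: the built-in
# command instead of a hand-written Graph call. Writes the appId as the
# deployment script's output object (the original template never emits it).
create_app_in_script() {
  app_id="$(az ad app create --display-name "$1" --query appId -o tsv)"
  is_guid "$app_id" || { echo "az ad app create returned: $app_id" >&2; return 1; }
  script_outputs_json "$app_id" > "${AZ_SCRIPTS_OUTPUT_PATH:-/dev/stdout}"
}

case "${1:-}" in
  grant)  grant_graph_app_role "${2:-rg-landing}" "${3:-id-deployscript}" ;;
  create) create_app_in_script "${2:-LandingpageAppARM}" ;;
esac
```

Run `sh grant.sh grant <rg> <identity>` once, from an account that may grant application permissions (Global Administrator or Privileged Role Administrator, or an app holding AppRoleAssignment.ReadWrite.All); otherwise the POST fails with the same Authorization_RequestDenied the question shows. Propagation can take a few minutes, so a deployment started immediately after the grant may still fail once. Application.ReadWrite.All lets the identity create and modify every app registration in the tenant; when the script only needs to create and manage its own app, the narrower Application.ReadWrite.OwnedBy permission is the better choice, passed as the third argument. The `create` branch is what belongs in scriptContent: az ad app create needs the same Graph permission as the az rest POST, so the grant is required either way.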