Retrieve app id of Synapse service principal and add as administrator to AAS using Bicep


I'm deploying Azure services by using Bicep. The property 'identity type system assigned' creates an enterprise application/service principal with a name, object id and app id. This is required to be able to process Azure Analysis Services from a Synapse pipeline.

//Create Synapse Analytics
resource synapseAnalytics 'Microsoft.Synapse/workspaces@2021-06-01' = {
  name: synapse_name
  location: region
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    defaultDataLakeStorage: {
      filesystem: storage_account_fileshare_name
      resourceId: storageAccount.id
      accountUrl: storage_account_url
      createManagedPrivateEndpoint: true
    }
    managedVirtualNetwork: 'default'
    publicNetworkAccess: 'Enabled'
    managedResourceGroupName: synapse_workspace_name
    azureADOnlyAuthentication: false
    cspWorkspaceAdminProperties: {
      initialWorkspaceAdminObjectId: xxxx
    }
  }
  dependsOn: [
    storageAccountFileshare
  ]
}

I need to retrieve the app id of the created resource to add to Azure Analysis Services as an administrator.

resource analysisServices 'Microsoft.AnalysisServices/servers@2017-08-01' = {
  name: anaylsis_services_name
  location: region
  sku: {
    name: 'B1'
    tier: 'Basic'
    capacity: 1
  }
  properties: {
    asAdministrators: {
      members: [
        'obj:xxxxxx-xxxxxx-xxxxx-xxxxx@xxxxx-xxx-xxxxx-xxxxx'
        'app:{GET APP ID OF SYNAPSE}' <------------------
      ]
    }
    managedMode: 1
  }
}

How can I access the app id in my Bicep code?

I'm able to retrieve the app id by using a PowerShell command. Unfortunately, this command needs an object id, which I'm not able to retrieve by using PowerShell commands.

az ad sp show --id {object-id} --query appId

Solution

  • Using a system-assigned identity, you can't get the appId directly from Bicep, but you could output the principalId:

    //Create Synapse Analytics
    resource synapseAnalytics 'Microsoft.Synapse/workspaces@2021-06-01' = {
      name: synapse_name
      ...
    }
    
    // return the principalId to query the appId
    output principalId string = synapseAnalytics.identity.principalId
    

    You can then use the principalId to get the appId:

    az ad sp show --id <principalId from bicep> --query appId
    

    Using a user-assigned identity, you would be able to do it all in Bicep:

    // Create a user identity for synapse
    resource userAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
      name: userAssignedIdentityName
      location: region
    }
    
    //Create Synapse Analytics
    resource synapseAnalytics 'Microsoft.Synapse/workspaces@2021-06-01' = {
      name: synapse_name
      identity: {
        type: 'SystemAssigned,UserAssigned'
        userAssignedIdentities: {
          // assign the managed identity
          '${userAssignedIdentity.id}': {}
        }
      }
      ...
    }
    
    // Create the analysis service
    resource analysisServices 'Microsoft.AnalysisServices/servers@2017-08-01' = {
      name: anaylsis_services_name
      ...
      properties: {
        asAdministrators: {
          members: [
            ...
            // Set app id and tenant id as per documentation
            'app:${userAssignedIdentity.properties.clientId}@${userAssignedIdentity.properties.tenantId}' 
          ]
        }
        ...
      }
    }
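
The system-assigned path in the answer above is a two-step procedure: deploy the template, read the `principalId` output, then resolve it to the `appId` with `az ad sp show`. The following shell script is an added example (not part of the original question or answer) that chains those steps and builds the `app:<appId>@<tenantId>` member string Analysis Services expects. The resource group name, the Bicep file name, and taking the tenant id from `az account show` are assumptions for illustration; the GUIDs at the bottom are constructed sample input. Each value returned by `az` is checked to be a well-formed GUID before it is interpolated, so an error message or an empty result from a failed lookup can never end up in the server's administrator list.

```shell
#!/usr/bin/env sh
# Added example (not from the original answer): system-assigned identity flow.
# Deploy the Bicep file, read the principalId output, resolve it to the appId,
# and build the 'app:<appId>@<tenantId>' administrator entry.
# Resource group, deployment and file names are assumptions for illustration.
set -eu

GUID_RE='^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'

# is_guid: return 0 when the argument is a well-formed GUID, 1 otherwise.
is_guid() {
    printf '%s\n' "$1" | grep -Eq "$GUID_RE"
}

# aas_app_member: format an Analysis Services administrator entry for an
# application identity. Both inputs are validated so that a stray error
# message from az (e.g. "Resource ... does not exist") or an empty string
# is never interpolated into the server's admin list.
aas_app_member() {
    app_id="$1"; tenant_id="$2"
    is_guid "$app_id"    || { echo "bad appId: $app_id" >&2; return 1; }
    is_guid "$tenant_id" || { echo "bad tenantId: $tenant_id" >&2; return 1; }
    printf 'app:%s@%s\n' "$app_id" "$tenant_id"
}

# resolve_app_id: map a managed identity's principalId (the object id of its
# service principal) to the appId, as the answer's 'az ad sp show' step does.
# Needs an authenticated az session.
resolve_app_id() {
    az ad sp show --id "$1" --query appId -o tsv
}

# deploy_and_collect: run the deployment and chain the lookups. Only executed
# when called explicitly; the deployment output name 'principalId' matches
# the output declared in the answer's Bicep snippet.
deploy_and_collect() {
    rg="$1"; bicep_file="$2"
    principal_id=$(az deployment group create \
        --resource-group "$rg" \
        --template-file "$bicep_file" \
        --query 'properties.outputs.principalId.value' -o tsv)
    is_guid "$principal_id" || { echo "no principalId in outputs" >&2; return 1; }
    app_id=$(resolve_app_id "$principal_id")
    tenant_id=$(az account show --query tenantId -o tsv)   # assumption: same tenant
    aas_app_member "$app_id" "$tenant_id"
}

# Real run (assumed names):  deploy_and_collect my-rg ./main.bicep
# Constructed sample input so the formatting step can be exercised offline:
if [ "${1:-}" = "demo" ]; then
    aas_app_member 11111111-2222-3333-4444-555555555555 \
                   aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
fi
```

Run `sh script.sh demo` to see the formatted member without touching Azure; `deploy_and_collect` is only invoked by hand because it requires a logged-in `az` session and a real resource group. Note that the member string needs the service principal's appId (client id), not the principalId that Bicep outputs; the two GUIDs identify the same identity but are not interchangeable in the `asAdministrators` list.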