
How can I execute Microsoft Graph PowerShell commands via Bicep in Azure Pipelines?


I am trying to grant an app role to a newly created service as part of my Bicep script, but I cannot seem to get the MS Graph module loaded/installed.

This is the script:

resource roleAssignment 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
  name: 'assign-custom-role'
  location: location
  kind: 'AzurePowerShell'
  properties: {
    azPowerShellVersion: '10.4'
    retentionInterval: 'P1D'
    arguments: '-managedIdentityObjectId ${containerApp.identity.principalId}'
    scriptContent: '''
      param (
        [string] $managedIdentityObjectId
      )
      Install-Module Microsoft.Graph -Scope CurrentUser

      $tenantID = 'xxxx'
      Connect-AzureMG -TenantId $tenantID -Scopes 'Application.Read.All'

      # The name of the server app that exposes the app role.
      $serverApplicationName = 'My API'

      # The name of the app role that the managed identity should be assigned to.
      $appRoleName = 'MyApi.FullAccess'

      # Look up the details about the server app's service principal and app role.
      $serverServicePrincipal = (Get-MgServicePrincipal -Filter "DisplayName eq '$serverApplicationName'")
      $serverServicePrincipalObjectId = $serverServicePrincipal.Id
      $appRoleId = ($serverServicePrincipal.AppRoles | Where-Object { $_.Value -eq $appRoleName }).Id

      # Assign the managed identity access to the app role.
      New-MgServicePrincipalAppRoleAssignment `
        -ServicePrincipalId $managedIdentityObjectId `
        -AppRoleId $appRoleId `
        -PrincipalId $managedIdentityObjectId `
        -ResourceId $serverServicePrincipalObjectId
    '''
  }
}

This throws an exception when executed both locally and by Azure DevOps Pipelines: "The term 'Connect-AzureMG' is not recognized as a name of a cmdlet, function, script file, or executable program"

What am I doing wrong?


Solution

  • Note that I agree with @Thomas: to connect to Microsoft Graph, use the Connect-MgGraph command, not Connect-AzureMG.

    Initially, I got the same error by using the same script as you:


    To resolve the error, modify the script by using Connect-MgGraph like below:

    resource roleAssignment 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
      name: 'assign-custom-role'
      location: location
      kind: 'AzurePowerShell'
      properties: {
        azPowerShellVersion: '10.4'
        retentionInterval: 'P1D'
        arguments: '-managedIdentityObjectId ${containerApp.identity.principalId}'
        scriptContent: '''
          param (
            [string] $managedIdentityObjectId
          )
          Install-Module Microsoft.Graph -Scope CurrentUser

          $tenantID = 'xxxx'
          Connect-MgGraph -TenantId $tenantID -Scopes 'Application.Read.All'

          # The name of the server app that exposes the app role.
          $serverApplicationName = 'My API'

          # The name of the app role that the managed identity should be assigned to.
          $appRoleName = 'MyApi.FullAccess'

          # Look up the details about the server app's service principal and app role.
          $serverServicePrincipal = (Get-MgServicePrincipal -Filter "DisplayName eq '$serverApplicationName'")
          $serverServicePrincipalObjectId = $serverServicePrincipal.Id
          $appRoleId = ($serverServicePrincipal.AppRoles | Where-Object { $_.Value -eq $appRoleName }).Id

          # Assign the managed identity access to the app role.
          New-MgServicePrincipalAppRoleAssignment `
            -ServicePrincipalId $managedIdentityObjectId `
            -AppRoleId $appRoleId `
            -PrincipalId $managedIdentityObjectId `
            -ResourceId $serverServicePrincipalObjectId
        '''
      }
    }


    I modified the script and executed it successfully via PowerShell, like below:

    $tenantID = '226cf998-ddcc-4005-acfb-xxx'
    Connect-MgGraph -TenantId $tenantID -Scopes 'Application.Read.All'

    # The name of the server app that exposes the app role.
    $serverApplicationName = 'ServerApp'

    # The name of the app role that the managed identity should be assigned to.
    $appRoleName = 'MyApi.FullAccess'

    # Look up the details about the server app's service principal and app role.
    $serverServicePrincipal = (Get-MgServicePrincipal -Filter "DisplayName eq '$serverApplicationName'")
    $serverServicePrincipalObjectId = $serverServicePrincipal.Id
    $appRoleId = "938f49ec-abc7-4ee6-a911-xxx"

    # Request body for the assignment: the managed identity (principal), the server app's
    # service principal (resource) and the app role being granted.
    $params = @{
        principalId = "1b38ff60-a4b6-4c36-975c-xxx"
        resourceId  = "d88c4e23-5176-4f7d-926e-xxx"
        appRoleId   = $appRoleId
    }

    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId "1b38ff60-a4b6-4c36-975c-xxx" -BodyParameter $params



    The app role was assigned to the managed identity successfully:


    Reference:

    New-MgServicePrincipalAppRoleAssignment (Microsoft.Graph.Applications) | Microsoft
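As an added example (not the question's or the answer's code), the same assignment written so it can run unattended inside a deploymentScripts resource in a pipeline, where an interactive Connect-MgGraph sign-in is not possible. It assumes the deploymentScripts resource carries a user-assigned managed identity whose client id is passed as the hypothetical -deploymentIdentityClientId argument, and that this identity has been granted the Graph application permissions Application.Read.All and AppRoleAssignment.ReadWrite.All in the tenant. It also validates the lookups and makes the step idempotent, since deployment scripts re-run on every deployment.

```powershell
# Added example: unattended, idempotent app-role assignment for a Bicep deployment script.
# Assumption: the script runs as a user-assigned managed identity (client id below) that
# already holds Application.Read.All and AppRoleAssignment.ReadWrite.All on Microsoft Graph.
param (
    [Parameter(Mandatory)] [string] $managedIdentityObjectId,    # principal receiving the role
    [Parameter(Mandatory)] [string] $deploymentIdentityClientId, # identity the script runs as (hypothetical argument)
    [string] $serverApplicationName = 'My API',
    [string] $appRoleName = 'MyApi.FullAccess'
)
$ErrorActionPreference = 'Stop'

# Only the submodules needed; -Force skips the untrusted-repository prompt that would hang a non-interactive run.
Install-Module Microsoft.Graph.Authentication, Microsoft.Graph.Applications -Scope CurrentUser -Force

# No -Scopes: a managed identity cannot request delegated scopes at sign-in;
# its application permissions must already be consented in the tenant.
Connect-MgGraph -Identity -ClientId $deploymentIdentityClientId

# Escape single quotes so an unexpected app name cannot alter the OData filter.
$escapedName = $serverApplicationName -replace "'", "''"

# A display-name filter can match several apps; insist on exactly one rather than
# silently granting a role on the wrong application.
$resourceSp = @(Get-MgServicePrincipal -Filter "displayName eq '$escapedName'")
if ($resourceSp.Count -ne 1) {
    throw "Expected exactly one service principal named '$serverApplicationName', found $($resourceSp.Count)."
}
$resourceSp = $resourceSp[0]

$appRole = $resourceSp.AppRoles | Where-Object { $_.Value -eq $appRoleName -and $_.IsEnabled }
if (-not $appRole) {
    throw "App role '$appRoleName' not found (or disabled) on '$serverApplicationName'."
}

# Skip the POST if the assignment already exists, so a re-deployment does not fail on a duplicate.
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $managedIdentityObjectId -All |
    Where-Object { $_.ResourceId -eq $resourceSp.Id -and $_.AppRoleId -eq $appRole.Id }

if ($existing) {
    Write-Output "Assignment already present (id $($existing.Id)); nothing to do."
} else {
    $assignment = New-MgServicePrincipalAppRoleAssignment `
        -ServicePrincipalId $managedIdentityObjectId `
        -PrincipalId $managedIdentityObjectId `
        -ResourceId $resourceSp.Id `
        -AppRoleId $appRole.Id
    Write-Output "Assigned '$appRoleName' to $managedIdentityObjectId (assignment id $($assignment.Id))."
}
```

On the Bicep side this requires an identity block of type UserAssigned on the deploymentScripts resource and the identity's clientId added to the arguments string alongside the managed identity's principalId.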