🐶
Terraform

Create Azure AD App Registrations and Roles with Bicep

By Ondřej Dolanský on 01/06/2025

Learn how to automate Microsoft Entra app registration and role creation using Bicep or ARM templates for streamlined identity and access management in Azure.

Create Azure AD App Registrations and Roles with Bicep

Table of Contents

Introduction

Managing Azure Active Directory (Azure AD) app registrations is a crucial aspect of deploying resources securely on Azure. While Bicep and Azure Resource Manager (ARM) excel at infrastructure provisioning, they currently lack direct support for creating Azure AD app registrations. This limitation presents challenges when you need to automate the creation of app registrations as part of your infrastructure deployments. This article explores workarounds and alternative approaches to address this limitation, enabling you to manage app registrations effectively in your Bicep deployments.

Step-by-Step Guide

  1. Bicep/ARM doesn't directly support creating Azure AD app registrations. This limitation means you can't directly provision app registrations within your Bicep deployments.

  2. Workaround using Deployment Scripts:

    resource deploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
  name: 'createAppRegistration'
  location: resourceGroup().location
  properties: {
    azPowerShellVersion: '7.2'
    arguments: ''
    primaryScriptUri: 'https://raw.githubusercontent.com/your-repo/your-script.ps1' 
  }
}
    • This script, executed with managed identity permissions, interacts with the Azure AD Graph API or Microsoft Graph to create the app registration.

  3. Alternative approach using Terraform:

    resource "azure_ad_application" "example" {
  display_name = "example"
}
    • Terraform offers native resources for managing Azure AD app registrations, making it a more straightforward option if you're open to using a different IaC tool.

  4. Considerations:

    • Security: Granting deployment scripts the necessary permissions to create app registrations requires careful consideration to avoid potential security risks.
    • Complexity: Managing app registrations through scripts adds complexity compared to native Bicep/ARM support.
    • Tooling: If you're already using Terraform or considering it, its native support for Azure AD app registrations might make it a more suitable choice.

Code Example

This code defines a Bicep template and a PowerShell script to automate the creation of Azure AD app registrations. The Bicep template sets up a deployment script resource that uses a managed identity to execute the PowerShell script. The script then connects to Azure AD and creates an app registration with the specified name, outputting its details. This setup allows for streamlined and secure app registration creation within Azure deployments.

This example demonstrates how to create an Azure AD app registration using a Bicep deployment script.

Bicep Template (main.bicep):

param appRegistrationName string

resource deploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
  name: 'createAppRegistration'
  location: resourceGroup().location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'createAppRegistrationIdentity')}' : {}
    }
  }
  properties: {
    azPowerShellVersion: '7.2'
    arguments: '-appName "${appRegistrationName}"'
    primaryScriptUri: 'https://raw.githubusercontent.com/your-repo/create-app-registration.ps1' 
  }
}

resource appRegistrationIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
  name: 'createAppRegistrationIdentity'
  location: resourceGroup().location
}

// Grant the managed identity permissions to create app registrations in Azure AD
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01' = {
  name: guid(appRegistrationIdentity.id, 'Application.ReadWrite.All')
  scope: subscription()
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1bfefb4e-c1a0-422e-a5c1-a994f25e1d3f') // Application.ReadWrite.All
    principalId: appRegistrationIdentity.properties.principalId
  }
}

PowerShell Script (create-app-registration.ps1):

param(
    [string]$appName
)

# Connect to Azure AD using the system-assigned managed identity of the deployment script
Connect-AzAccount -Identity

# Create the Azure AD app registration
$appRegistration = New-AzADApplication -DisplayName $appName

# Output the app registration details
Write-Output "App Registration Created:"
Write-Output "  App ID: $($appRegistration.AppId)"
Write-Output "  Display Name: $($appRegistration.DisplayName)"

Explanation:

  1. Bicep Template:

    • Defines a deployment script resource that executes the PowerShell script.
    • Creates a user-assigned managed identity and assigns it to the deployment script.
    • Grants the managed identity the "Application.ReadWrite.All" role at the subscription scope, allowing it to create app registrations in Azure AD.
    • Passes the desired app registration name as an argument to the script.

  2. PowerShell Script:

    • Connects to Azure AD using the system-assigned managed identity of the deployment script.
    • Creates the Azure AD app registration using the provided name.
    • Outputs the app registration details (App ID and Display Name).

Deployment:

  1. Save the Bicep template as main.bicep and the PowerShell script as create-app-registration.ps1.
  2. Upload the PowerShell script to a publicly accessible location, such as a GitHub repository.
  3. Deploy the Bicep template using Azure CLI, PowerShell, or the Azure portal.

Note:

  • Replace https://raw.githubusercontent.com/your-repo/create-app-registration.ps1 with the actual URL of your PowerShell script.
  • Ensure that the managed identity has the necessary permissions to create app registrations in your Azure AD tenant.
  • This is a basic example and can be further customized to configure additional app registration properties.

Additional Notes

Here are some additional notes expanding on the provided information:

Bicep/ARM Limitations:

  • No Direct Support: The core issue is that Bicep and ARM lack resource types for directly interacting with Azure AD's Graph API or Microsoft Graph, which are required for app registration management.
  • Future Support: While not currently available, Microsoft may introduce native support for Azure AD app registrations in Bicep/ARM in the future. It's worth checking for updates on this.

Deployment Script Considerations:

  • Permissions:
    • Principle of Least Privilege: Grant the managed identity used by the deployment script only the absolute minimum permissions required to create and configure the app registration. Avoid overly broad roles like "Application.ReadWrite.All" if possible.
    • Scope: Carefully consider the scope at which you grant permissions (e.g., subscription, resource group, specific Azure AD directory).
  • Script Management:
    • Version Control: Store your deployment scripts in a version control system (e.g., Git) to track changes and ensure consistency.
    • Testing: Thoroughly test your scripts in a non-production environment before deploying them to production.
  • Error Handling: Implement robust error handling in your scripts to gracefully handle potential issues during app registration creation.

Terraform Advantages:

  • Native Resources: Terraform's Azure AD provider offers dedicated resources for managing app registrations, simplifying the process and reducing the need for custom scripts.
  • State Management: Terraform's state management capabilities help track the state of your infrastructure, including app registrations, making it easier to manage changes over time.

Other Options:

  • Azure CLI/PowerShell: You can use Azure CLI or PowerShell scripts within your CI/CD pipelines to create app registrations. However, this approach might require more manual management compared to Bicep or Terraform.
  • Azure AD Application Manifest: You can directly interact with the Azure AD application manifest using tools like Microsoft Graph API or PowerShell. This provides fine-grained control but can be more complex.

Best Practices:

  • Automate Where Possible: Strive to automate the creation and management of app registrations to ensure consistency and reduce manual errors.
  • Follow Security Best Practices: Prioritize security by following Azure AD best practices for app registrations, such as using certificates for authentication and implementing the principle of least privilege.
  • Document Your Process: Clearly document your app registration creation and management process, including any scripts or tools used, to facilitate collaboration and troubleshooting.

Summary

This document discusses methods for creating Azure AD app registrations using Infrastructure as Code (IaC), focusing on the limitations of Bicep/ARM and potential workarounds.

Key Takeaways:

  • Bicep/ARM Limitation: Bicep/ARM does not natively support creating Azure AD app registrations.
  • Deployment Script Workaround: A workaround involves using Bicep deployment scripts that leverage Azure PowerShell or Azure CLI to interact with the Azure AD Graph API or Microsoft Graph. This approach requires granting the script appropriate permissions, which introduces security considerations.
  • Terraform Alternative: Terraform offers native resources for managing Azure AD app registrations, providing a more straightforward and potentially secure solution.
  • Considerations: Choosing between deployment scripts and Terraform depends on factors like existing tooling, security requirements, and desired complexity level.

Recommendation:

While deployment scripts offer a workaround for Bicep/ARM, using Terraform for Azure AD app registration management is recommended due to its native support, simplifying the process and potentially enhancing security.

Conclusion

In conclusion, while Bicep/ARM are powerful tools for Azure infrastructure deployment, they currently lack native support for Azure AD app registration. This limitation necessitates workarounds like using deployment scripts with Azure CLI or PowerShell to interact with Azure AD Graph API or Microsoft Graph. However, this approach introduces security considerations as it requires granting the script appropriate permissions. As an alternative, Terraform offers native resources for managing Azure AD app registrations, simplifying the process and potentially enhancing security. Choosing between deployment scripts and Terraform depends on factors like existing tooling, security requirements, and desired complexity level. Ultimately, automating app registration management is crucial for consistency and reducing manual errors, and choosing the right tool can significantly streamline this process.

References

Were You Able to Follow the Instructions?

😍Love it!
😊Yes
😐Meh-gical
😞No
🤮Clickbait

Related posts

Terraform Plan Output Encoding: What Is It?

Learn about the encoding format used in Terraform plan output and how to interpret it effectively for infrastructure management.

Terraform S3 Etag Changes On Every Apply: Fix

Learn why your Terraform S3 object etags are changing on every apply and how to fix this common issue.

Terraform Local Exec: Running Multiple Commands

Learn how to troubleshoot and resolve the common issue of Terraform's inability to execute multiple commands within a local-exec provisioner.