Microsoft announced that the Bicep templates for Microsoft Graph resources will be in public preview starting May 21. Bicep templates simplify the deployment of Microsoft Graph resources, allowing infrastructure to be defined once and deployed repeatedly using a declarative syntax, which suits DevOps and infrastructure-as-code workflows.
Azure Resource Manager (ARM) and Bicep templates enable the declaration and deployment of Microsoft Azure resources through files. Managing Azure services and infrastructure typically involves handling Microsoft Entra ID resources, such as applications and groups. Previously, orchestrating deployments required utilising ARM or Bicep template files for Azure resources in conjunction with Microsoft Graph PowerShell for Microsoft Entra ID resources. With the Microsoft Graph Bicep release, Microsoft Entra ID resources can now be declared within the same Bicep files as Azure resources. This integration simplifies configuration definitions and enhances the reliability and repeatability of deployments.
The new Microsoft Graph Bicep extension supports Bicep templates for Microsoft Graph resources, enabling the authoring, deployment, and management of supported Microsoft Graph resources (initially Microsoft Entra ID resources) within Bicep template files. These resources can be managed independently or alongside Azure resources.
The Bicep extension for VS Code makes it possible to author Microsoft Graph resource types in Bicep files, with type safety, IntelliSense, and syntax validation. Bicep files can also be created in Visual Studio using the Bicep extension for Visual Studio.
After authoring the Bicep file, it can be deployed using familiar tools like Azure PowerShell and Azure CLI. Azure Resource Manager orchestrates the deployment of interdependent resources in the correct order, including Microsoft Graph resources. In the example Bicep template shown in the announcement, the creation of a Microsoft Graph group depends on a managed identity resource, because the identity is added as a group member. The deployment engine therefore first sends the managed identity request to Resource Manager, which routes it to the Microsoft.ManagedIdentity resource provider. It then routes the Microsoft.Graph/groups resource request to the Microsoft Graph Bicep extension, which translates it into a request to Microsoft Graph.
Deploying a Bicep file containing Microsoft Graph resources (Source: Microsoft Blog)
Lyon Till, a platform architect at Microsoft, explained the announcement as follows:
Bicep templates for Microsoft Graph resources allow you to define the tenant infrastructure you want to deploy, such as Microsoft Entra ID groups or applications, in a file, then use the file throughout the development lifecycle to repeatedly deploy your infrastructure. The file uses the Bicep language, a domain-specific language (DSL), that uses a declarative syntax to deploy resources—typically used in DevOps, CI/CD, and infrastructure-as-code solutions.
In the official announcement, a question appeared asking whether the group members property is authoritative. Dan Kershaw, a principal program manager at Microsoft, answered:
The group memberships are not authoritative. We decided with this release to provide a non-destructive membership capability, but we also discussed the possibility of a "destructive" variant.
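The dependency chain described above (a user-assigned managed identity created first, then a Microsoft Entra ID group that lists it as a member) and the non-authoritative membership behaviour can be seen in a single template. The following is an added example, not the template from the announcement; resource names, the `uniqueName` value, and the API version are assumptions, and it assumes the preview-era `provider microsoftGraph` declaration with the extensibility experimental feature enabled in `bicepconfig.json`.

```bicep
// Assumption: preview-era syntax; bicepconfig.json needs
// { "experimentalFeaturesEnabled": { "extensibility": true } }
provider microsoftGraph

// Azure resource handled by the Microsoft.ManagedIdentity resource provider.
resource appIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: 'app-identity-example' // assumed name
  location: resourceGroup().location
}

// Microsoft Entra ID resource handled by the Microsoft Graph Bicep extension.
// Referencing appIdentity.properties.principalId creates an implicit dependency,
// so Resource Manager deploys the identity before sending this request to Graph.
resource appGroup 'Microsoft.Graph/groups@v1.0' = {
  // uniqueName is the idempotency key: redeploying the template updates this
  // same group instead of creating a duplicate. Assumed value.
  uniqueName: 'app-example-group'
  displayName: 'App Example Group'
  mailNickname: 'app-example-group'
  mailEnabled: false
  securityEnabled: true
  // Non-authoritative (per the answer quoted above): members listed here are
  // added, but members added outside the template are not removed on redeploy.
  // A review of the group's actual membership therefore still has to happen
  // outside the template, since drift is not corrected by the deployment.
  members: [
    appIdentity.properties.principalId
  ]
}

// Object ID of the group, useful for downstream role assignments.
output groupObjectId string = appGroup.id
```

Deploying with `az deployment group create --resource-group <rg> --template-file main.bicep` shows the ordering: the identity appears first, followed by the Graph group request.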
More information about the Bicep templates for Microsoft Graph resources can be found in the documentation.