What should be the type under resources, if I want to create an ARM template for Azure Active Directory?
Is there any resources for adding User/Group/Application features in Azure Active Directory through ARM templates?
Currently, there is no way to programmatically provision an Azure Active Directory. Thus, there is also no ARM templates available for that.
You have to use either, the Graph API (REST) or a PowerShell Module like AzureAD to create User / Application for an existing AAD.
I'm pretty sure there is none, looking at the Azure ARM schema I don't see anything Azure AD related. You can look at the ARM Schema here.
Related
I'm looking into publishing bicep templates to a Bicep registry (ACR), and then deploying them via the ARM REST api. However the REST create deployment api only allows me to specify a templateSpec - I don't see any way to reference an ACR url. Is this possible, or do I need to use template specs for this?
For context, I need to create an automated service that can deploy resources when a particular event happens, e.g. add new customer -> spin up Azure resources xyz. Having my service use the REST api seems reasonable, and I'd prefer to use the bicep registry over template specs.
Currently Content in the Bicep module registry can only be deployed from another Bicep file. Template specs can be deployed directly from the API, Azure PowerShell, Azure CLI, and the Azure portal. You can even use UiFormDefinition to customize the portal deployment experience.
You can refer to this documentation for more information.
I have some function apps and I found how to allow access to Azure cloud by following the steps in https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions. But I use ARM template to deploy the function apps and every time I do a deployment, the restrictions are gone. So, I would like to include the access restriction in my ARM template so add the restrictions every time they get deployed. I couldn't find a relevant resource anywhere to do this. Does anyone have any idea?
As suggested by #classicSchmosby98 that would be one of the solutions to restrict the azure function app using ARM template.
Create your own azure function manually from portal and add all the restrictions what you need.
Now export the template from the resource group for your resource with this you can even include the IP restrictions.
Also, you can go through the Assign roles using Azure Manager templates.
For more information you can refer explore ARM templates.
Is there a way to use arm template to automatically deploy workspace roles, e.g. workspace admin assigning an object Id. I can't find any relevant resources online and it is not so well documented. I could already successfully assign roles to the data lake and other services. I can't seem to find the arm template Provider for workspace level assignment. I would be happy if someone could give me an example or clarify if it is possible.
ARM template is designed for management APIs and not data for plane APIs. Role assignment APIs belong to data plane. AFAIK, we cannot use ARM template for data plane APIs
Most of the sample ARM templates I find for deploying an Azure App Service + Azure SQL database end up configuring the connection string for the web app using the administrator login credentials provided when creating the Azure SQL Server (this one from Microsoft, for example). I've also seen the App Service configured for Managed Identity and then that user granted administrative access over the Azure SQL instance via AAD.
I'd never want to provision a production application this way, but I can't find examples in a more secure configuration.
The only other info I find about provisioning non-admin users is via SQL after the Azure SQL instance is already up. This means I have to add another step outside of my ARM deployment to get my system fully functional.
As of the time this question was written, running custom Powershell scripts as part of an ARM deploy is in preview and that could be a path forward, but it's not ideal.
Can non-administrative users be provisioned in Azure SQL via an ARM template, without resorting to PowerShell?
If you want to create non-administrative users in Azure SQL database via arm template, it is impossible. Because Azure ARM template team just defines Administrators type and does not define user type or user property in server. We just can create SQL Admin or Azure AD Admin via ARM template. For more details, please refer to here and here
So if you want to create non-administrative users, you need to write custom scripting.
If you want to create the users as part of a template deployment, you can use the deploymentScripts resource to run TSQL or any arbitrary script:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deployment-script-template?tabs=CLI
If you want to do it as part of the declaration of the Microsoft.SQL/servers resource, no you can't (as Jim mentioned).
I have manually registered App in Azure Active Directory.
To this App, I need to configure Microsoft Graph, Azure Key vault API's and set permissions to that.
Is it possible to configure API's and set permission to AAD app using ARM template.
No this is not possible using ARM Template