Microsoft.Graph - Custom Bicep Modules

Introducing a comprehensive collection of Bicep modules for Microsoft Graph resources

Bridging the Microsoft Graph Gap with Community Bicep Modules

As someone who’s passionate about Infrastructure as Code and the #NoToClickOps movement, I’ve been eagerly watching the Azure Verified Modules (AVM) initiative grow. While AVM has made incredible progress with Azure Resource Manager modules, there’s been a noticeable gap when it comes to Microsoft Graph resources - those essential Entra ID components that every modern application needs.

Microsoft has recently released Microsoft Graph Bicep resource modules, which is fantastic news! However, these haven’t yet made it into the Azure Verified Modules (AVM) ecosystem. So, wanting a challenge, I set myself the task of creating some reusable modules. After spending around 6 hours building these, I figured - why not share them with the community? 🔥

Repository: bwc-bicep-microsoft-graph

These modules are built as a community stopgap solution until official AVM Microsoft Graph modules become available.

The Microsoft Graph Gap

The Azure Verified Modules (AVM) project has been fantastic for standardizing Azure resource deployments, but it’s primarily focused on Azure Resource Manager (ARM) resources. Microsoft Graph resources - like Entra ID applications, service principals, groups, and permissions - operate in a different space and require the Microsoft Graph Bicep extension.

While we wait for official AVM support for Microsoft Graph, organizations are left with several suboptimal choices:

  1. Manual portal clicks - Time-consuming and error-prone
  2. PowerShell scripts - Inconsistent and hard to maintain
  3. Custom solutions - Everyone reinventing the wheel
  4. Mixed approaches - ARM templates for Azure resources, scripts for Graph resources

This gap led me to create a standardized, reusable solution that follows many of the same principles as AVM but specifically targets Microsoft Graph resources.

What I’ve Built

The bwc-bicep-microsoft-graph repository provides a comprehensive collection of production-ready Bicep modules that cover all major Microsoft Graph resource types:

Core Modules

Applications Module - Complete Entra ID application registration management

  • Multi-platform support (Web, SPA, Mobile, API applications)
  • Authentication behaviors and security configurations
  • API permissions and app roles
  • Owner assignments and credential management
  • Federated identity credentials for OIDC scenarios

Service Principals Module - Service principal lifecycle management

  • Automatic service principal creation for applications
  • App role assignment requirements
  • SSO configuration and credential management
  • Comprehensive tagging and metadata support

Groups Module - Entra ID group management with enterprise features

  • Security and Microsoft 365 groups
  • Dynamic membership rules
  • Role-assignable groups
  • Owner and member management
  • Mail-enabled group configurations

Security & Permissions

App Role Assignments - Granular access control

  • Support for users, groups, and service principals
  • Configuration templates for common scenarios
  • Integration with other modules for seamless workflows

OAuth2 Permission Grants - Delegated permission management

  • AllPrincipals and Principal consent types
  • Scope management for Microsoft Graph and custom APIs
  • Comprehensive permission examples and documentation

Modern Authentication

Federated Identity Credentials - OIDC-based authentication

  • GitHub Actions integration for CI/CD pipelines
  • Azure DevOps service connections
  • Multi-cloud integration (Google Cloud, AWS)
  • Multi-environment support with proper isolation

User References - Seamless user integration

  • Simple user reference interface for existing accounts
  • Comprehensive user information outputs
  • Integration points for other modules

Why These Modules Matter

Enterprise-Ready from Day One

These aren’t quick-and-dirty scripts. Each module follows enterprise best practices:

// Example: Creating a production-ready application with proper security
module appRegistration 'modules/microsoft-graph/applications/main.bicep' = {
  name: 'my-production-app'
  params: {
    displayName: 'Production Web Application'
    appName: 'prod-webapp-001'
    signInAudience: 'AzureADMyOrg'
    webRedirectUris: ['https://myapp.contoso.com/auth/callback']
    requiredResourceAccess: [
      {
        resourceAppId: '00000003-0000-0000-c000-000000000000' // Microsoft Graph
        resourceAccess: [
          {
            id: 'e1fe6dd8-ba31-4d61-89e7-88639da4683d' // User.Read
            type: 'Scope'
          }
        ]
      }
    ]
    owners: ['admin@contoso.com']
  }
}

Seamless Integration

The modules work together to create complete application ecosystems:

// Complete application setup in a single deployment
module app 'modules/microsoft-graph/applications/main.bicep' = {
  name: 'my-application'
  params: {
    displayName: 'My Web Application'
    appName: 'my-web-app-001'
    signInAudience: 'AzureADMyOrg'
    webRedirectUris: ['https://myapp.contoso.com/auth/callback']
  }
}

module sp 'modules/microsoft-graph/servicePrincipals/main.bicep' = {
  name: 'my-service-principal'
  params: {
    appId: app.outputs.applicationId
    appRoleAssignmentRequired: true
  }
}

module group 'modules/microsoft-graph/groups/main.bicep' = {
  name: 'app-users'
  params: {
    displayName: 'My App Users'
    groupName: 'my-app-users-001'
    mailNickname: 'myappusers001'
    securityEnabled: true
  }
}

module assignment 'modules/microsoft-graph/appRoleAssignedTo/main.bicep' = {
  name: 'assign-group'
  params: {
    principalId: group.outputs.groupId
    principalType: 'Group'
    resourceId: sp.outputs.servicePrincipalId
    appRoleId: '00000000-0000-0000-0000-000000000000' // Default access role
  }
}
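The chain above assigns the all-zeros default role, which only says "may sign in". The granular control described for the App Role Assignments module comes from roles the application defines itself. The following is an added example, not code from the bwc-bicep-microsoft-graph repository; it uses the raw Microsoft Graph extension resources the modules wrap, defines a custom app role, and assigns it to a dynamic group. The role value, the membership rule and all names are constructed, and the `microsoftGraphV1` alias is the one from the bicepconfig.json shown later on this page.

```bicep
extension microsoftGraphV1

// Added example (not from the repository): raw Microsoft.Graph resources behind
// the "custom app role assigned to a group" pattern. Names and the membership
// rule are constructed for illustration.

// Stable GUID for the custom role so redeployments do not mint a new id
var financeReaderRoleId = guid('my-web-app-001', 'Finance.Read')

resource app 'Microsoft.Graph/applications@v1.0' = {
  uniqueName: 'my-web-app-001'
  displayName: 'My Web Application'
  signInAudience: 'AzureADMyOrg'
  appRoles: [
    {
      id: financeReaderRoleId
      allowedMemberTypes: ['User'] // users and groups, not other applications
      displayName: 'Finance Reader'
      description: 'Read-only access to finance reports'
      value: 'Finance.Read' // surfaces in the "roles" claim of issued tokens
      isEnabled: true
    }
  ]
}

resource sp 'Microsoft.Graph/servicePrincipals@v1.0' = {
  appId: app.appId
  appRoleAssignmentRequired: true // principals without an assigned role cannot sign in
}

// Dynamic membership keeps the assignment aligned with directory attributes;
// dynamic groups require an Entra ID P1 licence and cannot also list explicit members.
resource financeUsers 'Microsoft.Graph/groups@v1.0' = {
  uniqueName: 'finance-users-001'
  displayName: 'Finance Users'
  mailNickname: 'financeusers001'
  mailEnabled: false
  securityEnabled: true
  groupTypes: ['DynamicMembership']
  membershipRule: '(user.department -eq "Finance")'
  membershipRuleProcessingState: 'On'
}

// Assign the custom role (not the default all-zeros role) to the group
resource assignment 'Microsoft.Graph/appRoleAssignedTo@v1.0' = {
  appRoleId: financeReaderRoleId
  principalId: financeUsers.id
  resourceId: sp.id
}

output financeReaderRoleId string = financeReaderRoleId
```

Because `appRoleAssignmentRequired` is set, a user who leaves the Finance department drops out of the dynamic group and loses sign-in to the application without anyone editing an assignment by hand.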

CI/CD Pipeline Ready

Perfect for modern DevOps workflows, especially with GitHub Actions:

// Multi-environment GitHub Actions setup
var environments = ['dev', 'staging', 'prod']
var repoInfo = {
  organization: 'myorg'
  repository: 'myrepo'
}

module githubApps 'modules/microsoft-graph/applications/federatedIdentityCredentials/main.bicep' = [for env in environments: {
  name: 'github-${env}-app'
  params: {
    parentApplicationDisplayName: 'MyApp-${env}'
    parentApplicationUniqueName: 'myapp-${env}'
    credentialName: 'github-${env}'
    issuer: 'https://token.actions.githubusercontent.com'
    subject: env == 'prod'
      ? 'repo:${repoInfo.organization}/${repoInfo.repository}:ref:refs/heads/main'
      : 'repo:${repoInfo.organization}/${repoInfo.repository}:environment:${env}'
    audiences: ['api://AzureADTokenExchange']
    environmentName: env
  }
}]
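The federated credential only establishes who may exchange a GitHub token for an Entra ID token; what that token can then do in Azure is a separate RBAC decision. The following is an added example, not code from the repository, that deploys the raw resources behind the module above together with a resource-group-scoped role assignment, so the trust boundary and the permission boundary are declared side by side. The organisation and repository names, the environment list and the choice of the Reader role are assumptions; deploy it at resource group scope.

```bicep
extension microsoftGraphV1

// Added example (not from the repository): federated identity credential plus
// the Azure RBAC grant that bounds what the GitHub-issued token can reach.
// Organisation, repository and role choice are constructed assumptions.

@description('GitHub organisation allowed to obtain a token (constructed value)')
param gitHubOrganization string = 'myorg'

@description('GitHub repository allowed to obtain a token (constructed value)')
param gitHubRepository string = 'myrepo'

@allowed(['dev', 'staging', 'prod'])
param environmentName string = 'prod'

// Built-in Reader role: enough for a plan/what-if job, no write access
var readerRoleDefinitionId = 'acdd72a7-3385-48ef-bd42-279137ef20dd'

resource deployApp 'Microsoft.Graph/applications@v1.0' = {
  uniqueName: 'myapp-${environmentName}'
  displayName: 'MyApp-${environmentName}'
  signInAudience: 'AzureADMyOrg'
  // No passwordCredentials: the only trust path is the federated credential below
}

// Subject is pinned per environment: prod trusts only the main branch, every
// other environment trusts only the matching GitHub environment name.
resource gitHubCredential 'Microsoft.Graph/applications/federatedIdentityCredentials@v1.0' = {
  name: '${deployApp.uniqueName}/github-${environmentName}'
  issuer: 'https://token.actions.githubusercontent.com'
  subject: environmentName == 'prod'
    ? 'repo:${gitHubOrganization}/${gitHubRepository}:ref:refs/heads/main'
    : 'repo:${gitHubOrganization}/${gitHubRepository}:environment:${environmentName}'
  audiences: ['api://AzureADTokenExchange']
}

resource deploySp 'Microsoft.Graph/servicePrincipals@v1.0' = {
  appId: deployApp.appId
}

// RBAC grant scoped to this resource group rather than the whole subscription
resource readerAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(resourceGroup().id, deploySp.id, readerRoleDefinitionId)
  properties: {
    principalId: deploySp.id
    principalType: 'ServicePrincipal'
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', readerRoleDefinitionId)
  }
}

// Values the workflow needs; no client secret exists to leak
output clientId string = deployApp.appId
output tenantId string = tenant().tenantId
```

On the GitHub side the workflow needs `permissions: id-token: write` and the `azure/login` action supplied with `client-id`, `tenant-id` and `subscription-id` only; a token minted from a branch or environment that does not match the pinned `subject` string is rejected at the token exchange, before any RBAC check runs.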

Community First Approach

Save Time, Reduce Errors

Instead of everyone writing their own Microsoft Graph scripts or clicking through portals, these modules provide:

  • Tested configurations - Each module includes comprehensive tests
  • Real-world examples - Based on actual production scenarios
  • Security best practices - Built-in security configurations
  • Consistent patterns - Standardized across all modules

Comprehensive Documentation

Every module includes:

  • Detailed parameter documentation with examples
  • Common usage patterns and scenarios
  • Troubleshooting guides for common issues
  • Integration examples with other modules

Open Source and Collaborative

The modules are completely open source, and I encourage community contributions:

  • Bug reports and feature requests
  • Additional modules for other Microsoft Graph resources
  • Improved documentation and examples
  • Testing and validation in different environments

Getting Started

Prerequisites

Before using these modules, you’ll need:

# Install the Bicep CLI through Azure CLI (Azure CLI itself must already be installed)
az bicep install
az extension add --name graph

# Verify the Bicep CLI is installed; the Microsoft Graph Bicep extension itself
# is referenced from bicepconfig.json (next section), not installed by this command
az bicep version

Configuration Setup

Create a bicepconfig.json file in your project root:

{
  "extensions": {
    "microsoftGraphV1": "br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:1.0.0"
  }
}

Your First Deployment

extension microsoftGraphV1

module myApp 'br/public:bicep/modules/microsoft-graph/applications:1.0.0' = {
  name: 'my-first-app'
  params: {
    displayName: 'My First Bicep Graph App'
    appName: 'my-first-app-001'
    signInAudience: 'AzureADMyOrg'
  }
}

Security Considerations

These modules are built with security as a priority:

Best Practices Built-In

  • Least privilege principles - Only required permissions by default
  • Secure defaults - Production-ready security configurations
  • HTTPS enforcement - All redirect URIs validated for HTTPS in production
  • Certificate-based authentication - Support for certificate credentials over secrets

Comprehensive Permission Management

// Example: Secure application with minimal permissions
module secureApp 'modules/microsoft-graph/applications/main.bicep' = {
  name: 'secure-application'
  params: {
    displayName: 'Secure Application'
    appName: 'secure-app-001'
    signInAudience: 'AzureADMyOrg'
    requiredResourceAccess: [
      {
        resourceAppId: '00000003-0000-0000-c000-000000000000'
        resourceAccess: [
          {
            id: 'e1fe6dd8-ba31-4d61-89e7-88639da4683d' // User.Read only
            type: 'Scope'
          }
        ]
      }
    ]
    webRedirectUris: ['https://myapp.contoso.com/auth/callback'] // HTTPS only
  }
}
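Declaring `requiredResourceAccess` only records which permissions the application asks for; the delegated permission becomes usable once consent exists, which is what the OAuth2 Permission Grants module described earlier expresses. The following is an added example, not code from the repository, that serves both that module description and the secure-application pattern above: it declares the same minimal User.Read request on the raw application resource, records tenant-wide admin consent for exactly that scope, and uses a certificate credential instead of a client secret. The certificate parameter is a placeholder, and the application and redirect URI names are constructed.

```bicep
extension microsoftGraphV1

// Added example (not from the repository): least-privilege application with
// matching admin-consent grant and a certificate credential. The certificate
// value is a placeholder parameter; names are constructed.

@description('Base64-encoded DER public certificate used to verify client assertions (placeholder)')
param certificatePublicKeyBase64 string

var microsoftGraphAppId = '00000003-0000-0000-c000-000000000000'
var userReadScopeId = 'e1fe6dd8-ba31-4d61-89e7-88639da4683d' // User.Read

resource secureApp 'Microsoft.Graph/applications@v1.0' = {
  uniqueName: 'secure-app-001'
  displayName: 'Secure Application'
  signInAudience: 'AzureADMyOrg'
  web: {
    redirectUris: ['https://myapp.contoso.com/auth/callback'] // HTTPS only
    implicitGrantSettings: {
      enableAccessTokenIssuance: false // no implicit-flow tokens
      enableIdTokenIssuance: false
    }
  }
  requiredResourceAccess: [
    {
      resourceAppId: microsoftGraphAppId
      resourceAccess: [
        {
          id: userReadScopeId
          type: 'Scope'
        }
      ]
    }
  ]
  keyCredentials: [
    {
      displayName: 'secure-app-client-cert'
      type: 'AsymmetricX509Cert'
      usage: 'Verify'
      key: certificatePublicKeyBase64
    }
  ]
  // Deliberately no passwordCredentials: nothing here can be copied out of a pipeline log
}

resource secureSp 'Microsoft.Graph/servicePrincipals@v1.0' = {
  appId: secureApp.appId
}

// Resource side of the grant: the tenant's own Microsoft Graph service principal
resource graphSp 'Microsoft.Graph/servicePrincipals@v1.0' existing = {
  appId: microsoftGraphAppId
}

// Tenant-wide admin consent for User.Read only. The scope string is the
// effective permission set; keep it identical to what the application declares.
resource userReadConsent 'Microsoft.Graph/oauth2PermissionGrants@v1.0' = {
  clientId: secureSp.id
  consentType: 'AllPrincipals'
  resourceId: graphSp.id
  scope: 'User.Read'
}

output secureAppId string = secureApp.appId
```

Keeping the request and the grant in one template makes drift visible in review: a pull request that widens `scope` to more than the declared `requiredResourceAccess` is a permission change, not a cosmetic one, and can be gated accordingly.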

The Road Ahead

Temporary Solution, Permanent Value

While these modules are designed as a stopgap until official AVM Microsoft Graph modules arrive, they’re built to provide long-term value:

  • Migration path planning - Structured to make future AVM migration easier
  • Production stability - Battle-tested configurations you can rely on
  • Community feedback - Continuously improved based on real-world usage

Contributing to the Ecosystem

If you find these modules useful, consider:

  1. Using them in your projects - Real-world usage provides valuable feedback
  2. Contributing improvements - Bug fixes, documentation, new features
  3. Sharing your experiences - Help others learn from your implementations
  4. Requesting features - Let me know what additional modules you need

Conclusion

The gap between Azure Resource Manager and Microsoft Graph resources has been a pain point for many organizations pursuing Infrastructure as Code. Rather than wait indefinitely for official solutions, I’ve created these modules to serve the community’s immediate needs.

These Bicep Microsoft Graph modules represent hundreds of hours of development, testing, and documentation work. They’re production-ready, security-focused, and designed to integrate seamlessly into modern DevOps workflows.

Whether you’re building a new application, migrating existing workloads, or establishing governance across your Entra ID tenant, these modules can help you achieve your #NoToClickOps goals today.

Get Started Today

Repository: bwc-bicep-microsoft-graph

Star the repository, try the modules, and let me know how they work for your scenarios. Together, we can build better tooling for the entire community while we wait for official AVM support.
