Bridging the Microsoft Graph Gap with Community Bicep Modules
As someone who’s passionate about Infrastructure as Code and the #NoToClickOps movement, I’ve been eagerly watching the Azure Verified Modules (AVM) initiative grow. While AVM has made incredible progress with Azure Resource Manager modules, there’s been a noticeable gap when it comes to Microsoft Graph resources - those essential Entra ID components that every modern application needs.
Microsoft has recently released Microsoft Graph Bicep resource modules, which is fantastic news! However, these haven’t yet made it into the Azure Verified Modules (AVM) ecosystem. So, wanting a challenge, I set myself the task of creating some reusable modules. After spending around 6 hours building these, I figured - why not share them with the community? 🔥
Repository: bwc-bicep-microsoft-graph
These modules are built as a community stopgap solution until official AVM Microsoft Graph modules become available.
The Microsoft Graph Gap
The Azure Verified Modules (AVM) project has been fantastic for standardizing Azure resource deployments, but it’s primarily focused on Azure Resource Manager (ARM) resources. Microsoft Graph resources - like Entra ID applications, service principals, groups, and permissions - operate in a different space and require the Microsoft Graph Bicep extension.
While we wait for official AVM support for Microsoft Graph, organizations are left with several suboptimal choices:
- Manual portal clicks - Time-consuming and error-prone
- PowerShell scripts - Inconsistent and hard to maintain
- Custom solutions - Everyone reinventing the wheel
- Mixed approaches - ARM templates for Azure resources, scripts for Graph resources
This gap led me to create a standardized, reusable solution that follows many of the same principles as AVM but specifically targets Microsoft Graph resources.
What I’ve Built
The bwc-bicep-microsoft-graph repository provides a comprehensive collection of production-ready Bicep modules that cover all major Microsoft Graph resource types:
Core Modules
Applications Module - Complete Entra ID application registration management
- Multi-platform support (Web, SPA, Mobile, API applications)
- Authentication behaviors and security configurations
- API permissions and app roles
- Owner assignments and credential management
- Federated identity credentials for OIDC scenarios
Service Principals Module - Service principal lifecycle management
- Automatic service principal creation for applications
- App role assignment requirements
- SSO configuration and credential management
- Comprehensive tagging and metadata support
Groups Module - Entra ID group management with enterprise features
- Security and Microsoft 365 groups
- Dynamic membership rules
- Role-assignable groups
- Owner and member management
- Mail-enabled group configurations
Security & Permissions
App Role Assignments - Granular access control
- Support for users, groups, and service principals
- Configuration templates for common scenarios
- Integration with other modules for seamless workflows
OAuth2 Permission Grants - Delegated permission management
- AllPrincipals and Principal consent types
- Scope management for Microsoft Graph and custom APIs
- Comprehensive permission examples and documentation
Modern Authentication
Federated Identity Credentials - OIDC-based authentication
- GitHub Actions integration for CI/CD pipelines
- Azure DevOps service connections
- Multi-cloud integration (Google Cloud, AWS)
- Multi-environment support with proper isolation
User References - Seamless user integration
- Simple user reference interface for existing accounts
- Comprehensive user information outputs
- Integration points for other modules
Why These Modules Matter
Enterprise-Ready from Day One
These aren’t quick-and-dirty scripts. Each module follows enterprise best practices:
Seamless Integration
The modules work together to create complete application ecosystems:
CI/CD Pipeline Ready
Perfect for modern DevOps workflows, especially with GitHub Actions:
Community First Approach
Save Time, Reduce Errors
Instead of everyone writing their own Microsoft Graph scripts or clicking through portals, these modules provide:
- Tested configurations - Each module includes comprehensive tests
- Real-world examples - Based on actual production scenarios
- Security best practices - Built-in security configurations
- Consistent patterns - Standardized across all modules
Comprehensive Documentation
Every module includes:
- Detailed parameter documentation with examples
- Common usage patterns and scenarios
- Troubleshooting guides for common issues
- Integration examples with other modules
Open Source and Collaborative
The modules are completely open source, and I encourage community contributions:
- Bug reports and feature requests
- Additional modules for other Microsoft Graph resources
- Improved documentation and examples
- Testing and validation in different environments
Getting Started
Prerequisites
Before using these modules, you’ll need:
Configuration Setup
Create a bicepconfig.json file in your project root:
Your First Deployment
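As an added example (not the repository's own module code), here is a minimal first deployment written directly against the Microsoft Graph Bicep extension: an app registration, its service principal, and a GitHub Actions federated identity credential, so the pipeline authenticates without any client secret. The extension alias, version tag, repository and branch names are assumptions.

```bicep
// Added example, not the repository's own module code.
// Assumes bicepconfig.json in the project root declares the Graph extension alias:
// {
//   "extensions": {
//     "microsoftGraphV1": "br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:0.1.8-preview"
//   }
// }
// (the version tag is an example; use the current release)
extension microsoftGraphV1

@description('Stable, tenant-unique handle that makes redeployments idempotent.')
param appUniqueName string = 'contoso-deploy-app'

@description('GitHub repository allowed to obtain tokens, as owner/repo (constructed value).')
param gitHubRepo string = 'contoso/infra'

@description('Branch whose workflow runs may exchange tokens.')
param gitHubBranch string = 'main'

// The app registration. No passwordCredentials are declared, so no client
// secret is ever created; workload identity federation is used instead.
resource app 'Microsoft.Graph/applications@v1.0' = {
  displayName: appUniqueName
  uniqueName: appUniqueName
  signInAudience: 'AzureADMyOrg' // single tenant only
}

// The service principal that can be granted roles in the tenant or subscription.
resource sp 'Microsoft.Graph/servicePrincipals@v1.0' = {
  appId: app.appId
}

// Federated identity credential: Entra ID trusts GitHub's OIDC issuer only for
// tokens whose subject names exactly this repository and branch.
resource githubFic 'Microsoft.Graph/applications/federatedIdentityCredentials@v1.0' = {
  name: '${app.uniqueName}/github-${gitHubBranch}'
  description: 'GitHub Actions on ${gitHubRepo} (${gitHubBranch})'
  audiences: ['api://AzureADTokenExchange']
  issuer: 'https://token.actions.githubusercontent.com'
  subject: 'repo:${gitHubRepo}:ref:refs/heads/${gitHubBranch}'
}

// Values a pipeline needs to log in with the federated credential.
output clientId string = app.appId
output servicePrincipalObjectId string = sp.id
output tenantId string = tenant().tenantId
```

Deploy it like any other Bicep file (for example `az deployment group create -g <rg> -f main.bicep`); the deploying identity needs permission to create application registrations in the tenant.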
Security Considerations
These modules are built with security as a priority:
Best Practices Built-In
- Least privilege principles - Only required permissions by default
- Secure defaults - Production-ready security configurations
- HTTPS enforcement - All redirect URIs validated for HTTPS in production
- Certificate-based authentication - Support for certificate credentials over secrets
Comprehensive Permission Management
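As an added example (not the repository's own module code, and also illustrating the App Role Assignments and OAuth2 Permission Grants modules described above), this file grants an existing application the narrowest Microsoft Graph permissions it needs: one delegated scope via an oauth2PermissionGrant and one application permission via appRoleAssignedTo. The extension alias and the app's uniqueName are assumptions; the Microsoft Graph appId is the well-known value that is the same in every tenant.

```bicep
// Added example, not the repository's own module code. Assumes the same
// bicepconfig.json extension alias (microsoftGraphV1) and an application that
// already exists in the tenant, identified by its uniqueName.
extension microsoftGraphV1

@description('uniqueName of the existing app registration (constructed value).')
param clientAppUniqueName string = 'contoso-deploy-app'

// Reference, rather than redeploy, the client app and its service principal.
resource clientApp 'Microsoft.Graph/applications@v1.0' existing = {
  uniqueName: clientAppUniqueName
}
resource clientSp 'Microsoft.Graph/servicePrincipals@v1.0' existing = {
  appId: clientApp.appId
}

// Microsoft Graph's own service principal; this appId is identical in every tenant.
resource graphSp 'Microsoft.Graph/servicePrincipals@v1.0' existing = {
  appId: '00000003-0000-0000-c000-000000000000'
}

// Delegated permission (OAuth2 scope), admin-consented for all users.
// Weak setting to avoid: scope: 'Directory.ReadWrite.All' when the app only
// needs the signed-in user's own profile.
resource delegatedGrant 'Microsoft.Graph/oauth2PermissionGrants@v1.0' = {
  clientId: clientSp.id
  consentType: 'AllPrincipals'
  resourceId: graphSp.id
  scope: 'User.Read' // least privilege: the caller's own profile only
}

// Application permission (app role) for non-interactive calls. The role id is
// looked up by its value from Graph's published appRoles instead of hard-coding
// a GUID, which keeps the intent reviewable in code review.
var userReadAllRole = filter(graphSp.appRoles, r => r.value == 'User.Read.All')[0]

resource appRoleGrant 'Microsoft.Graph/appRoleAssignedTo@v1.0' = {
  appRoleId: userReadAllRole.id
  principalId: clientSp.id
  resourceId: graphSp.id
}

output grantedScope string = delegatedGrant.scope
output grantedAppRole string = userReadAllRole.value
```

Because both grants are declared in code, any widening of `scope` or a new app role shows up as a diff in the pull request rather than as a silent portal change.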
The Road Ahead
Temporary Solution, Permanent Value
While these modules are designed as a stopgap until official AVM Microsoft Graph modules arrive, they’re built to provide long-term value:
- Migration path planning - Structured to make future AVM migration easier
- Production stability - Battle-tested configurations you can rely on
- Community feedback - Continuously improved based on real-world usage
Contributing to the Ecosystem
If you find these modules useful, consider:
- Using them in your projects - Real-world usage provides valuable feedback
- Contributing improvements - Bug fixes, documentation, new features
- Sharing your experiences - Help others learn from your implementations
- Requesting features - Let me know what additional modules you need
Conclusion
The gap between Azure Resource Manager and Microsoft Graph resources has been a pain point for many organizations pursuing Infrastructure as Code. Rather than wait indefinitely for official solutions, I’ve created these modules to serve the community’s immediate needs.
These Bicep Microsoft Graph modules represent hundreds of hours of development, testing, and documentation work. They’re production-ready, security-focused, and designed to integrate seamlessly into modern DevOps workflows.
Whether you’re building a new application, migrating existing workloads, or establishing governance across your Entra ID tenant, these modules can help you achieve your #NoToClickOps goals today.
Get Started Today
Repository: bwc-bicep-microsoft-graph
Star the repository, try the modules, and let me know how they work for your scenarios. Together, we can build better tooling for the entire community while we wait for official AVM support.