Loading...

Announcing public preview of Bicep templates support for Microsoft Graph

Announcing public preview of Bicep templates support for Microsoft Graph

We're thrilled to announce that Bicep templates for Microsoft Graph resources will be in public preview starting May 21st. Bicep templates bring declarative infrastructure-as-code (IaC) capabilities to Microsoft Graph resources. This new capability will initially be available for core Microsoft Entra ID resources.

 

Bicep templates for Microsoft Graph resources allow you to define the tenant infrastructure you want to deploy, such as groups or applications, in a file, then use the file throughout the development lifecycle to repeatedly deploy your infrastructure. The file uses the Bicep language, a domain-specific language (DSL), that uses declarative syntax to deploy resources typically used in DevOps and infrastructure-as-code solutions.

 

What problems does this solve?

Azure Resource Manager or Bicep templates allow you to declare Microsoft Azure resources in files and deploy those resources into your infrastructure. Configuring and managing your Azure services and infrastructure often includes managing Microsoft Entra ID resources, like applications and groups. Until now, you had to orchestrate your deployments between two mechanisms using ARM or Bicep template files for Azure resources and Microsoft Graph PowerShell for Microsoft Entra ID resources.

 

Now, with the Microsoft Graph Bicep release, you can declare the Microsoft Entra ID resources in the same Bicep files as your Azure resources, making configurations easier to define, and deployments more reliable and repeatable.

 

Let's look at how this works and then we'll run through an example.

 

The Microsoft Graph Bicep extension

To provide support for Bicep templates for Microsoft Graph resources, we have released the new Microsoft Graph Bicep extension that allows you to author, deploy, and manage supported Microsoft Graph resources (initially Microsoft Entra ID resources) in Bicep template files either on their own, or alongside Azure resources.

 

Authoring experience

You get the same first-class authoring experience of the Bicep Extension for VS Code when you use it to create your Microsoft Graph resource types in Bicep files. The editor provides rich type-safety, IntelliSense, and syntax validation.

Editing a Bicep file containing Microsoft Graph resourcesEditing a Bicep file containing Microsoft Graph resources

You can also create Bicep files in Visual Studio with the Bicep extension for Visual Studio.

 

Deploying Bicep files

Once you have authored your Bicep file, you can deploy it using familiar tools such as Azure PowerShell and Azure CLI. When the deployment request is made to the Azure Resource Manager the deployments engine orchestrates the deployment of interdependent resources so they're created in the correct order, including the Microsoft Graph resources.

 

The following image shows a Bicep template file where the Microsoft Graph group creation is dependent on the managed identity resource, as it is being added as a group member. The deployments engine first sends the managed identity request to the Resource Manager, which routes it to the Microsoft.ManagedIdentity resource provider. Next, the deployments engine sees that Microsoft.Graph/groups is an extensible resource, so it knows to route this resource request to the Microsoft Graph Bicep extension. The Microsoft Graph Bicep extension then translates the groups resource request into a request to Microsoft Graph.

Deploying a Bicep file containing Microsoft Graph resourcesDeploying a Bicep file containing Microsoft Graph resources

 

Scenario: Using managed identities with security groups and app roles

Managed identities can be assigned to security groups and Microsoft Entra ID app roles as an authorization strategy. Using security groups can simplify management by reducing the number of role assignments.

 

Using a Microsoft Entra ID group to assigned roles to managed identitiesUsing a Microsoft Entra ID group to assigned roles to managed identities

However, this configuration isn't possible using a Bicep or Resource Manager template. With Microsoft Graph Bicep extension, this limitation is removed. Rather than assigning and managing multiple Microsoft Azure role assignments, role assignments can be managed via a security group through a single Bicep file.

Bicep file declaring an Microsoft Entra ID group with a managed identity memberBicep file declaring an Microsoft Entra ID group with a managed identity member
In the example above, a security group can be created and referenced, whose members can be managed identities. With Bicep templates for Microsoft Graph resources, declaring Microsoft Graph and Microsoft Azure resources together in the same Bicep files, enables new and simplifies existing deployment scenarios, bringing reliable and repeatable deployments.

 

Learn more

Published on:

Learn more
Azure Governance and Management Blog articles
Azure Governance and Management Blog articles

Azure Governance and Management Blog articles

Share post:

Related posts

Microsoft 365 & Power Platform Community Call – July 16th, 2026 – Screenshot Summary

Call Highlights   SharePoint Quicklinks: Primary PnP Website: https://aka.ms/m365pnp Documentation & Guidance SharePoint Dev Videos Issues...

20 hours ago

Microsoft SharePoint Online: Restricted access control for sites enforced across Microsoft 365 search

Restricted Access Control (RAC) for SharePoint and OneDrive sites will be enforced across Microsoft 365 search, limiting search results to con...

23 hours ago

Microsoft Teams: AI meeting archive file generation

Microsoft Teams will generate AI meeting archive files capturing key insights to enhance Microsoft 365 Copilot and Facilitator responses while...

23 hours ago

Microsoft Teams: Enhanced delegated calling with delegate call access restrictions and join notifications

Microsoft Teams is adding call delegation enhancements: delegators can lock active calls to block delegate participation and enable warning to...

1 day ago

How to Schedule Teams Meetings from Shared Mailboxes

It is possible to schedule Teams meetings from shared mailboxes without incurring the need to license the shared mailboxes. However, Microsoft...

1 day ago

Microsoft Teams: Teams shared display mode and peripheral detection available for DoD environments

Shared display mode in Teams is now available in government DOD environments, enabling more seamless and private meeting hosting from your PC....

1 day ago

SharePoint Copy File Action

Copies a file to another library or site. Version history and metadata don't carry over.

1 day ago

Is Your Dynamics 365 SharePoint Integration Ready for Microsoft 365 Copilot?

As organizations embrace Microsoft 365 Copilot to boost productivity, one question is becoming increasingly important: Can AI access your busi...

2 days ago

Microsoft SharePoint: Restricted content discovery enhancements for Copilot and Microsoft 365 search

Microsoft is enhancing SharePoint’s Restricted Content Discovery (RCD) to prevent content from RCD-enabled sites appearing in Copilot an...

2 days ago

Network best practices for Teams town halls and live events with third‑party providers

To prevent streaming issues in Teams town halls and live events, review network settings, especially if using third-party secure web gateways,...

2 days ago
Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy