DAK

Reputation: 362

Azure AD Application registration using ARM template

Created an ARM template to create an AD application using deployment scripts in ARM via PowerShell.

Getting this error:

The resource write operation failed to complete successfully, because it reached terminal provisioning state 'failed'

Here is the template:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {},
    "variables": {
        "cliResourceName": "AzAppRegDeploymentScript"
    },
    "resources": [
        {
            "type": "Microsoft.Resources/deploymentScripts",
            "apiVersion": "2019-10-01-preview",
            "name": "[variables('cliResourceName')]",
            "location": "[resourceGroup().location]",
            "kind": "AzurePowerShell",
            "identity": {
                "type": "UserAssigned",
                "userAssignedIdentities": {
                    "/subscriptions/XXXXX-bXXd-4XX5-b&*e-YDTXXYYYYS/resourceGroups/sample/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mientity": {}
                }
            },
            "properties": {
                "azPowerShellVersion": "9.7",
                "timeout": "PT30M",
                "scriptContent": "$app = New-AzureADApplication -DisplayName 'app-d'",
                "cleanupPreference": "OnSuccess",
                "retentionInterval": "P1D"
            }
        }
    ]
}

What's the error here? The CLI is also failing. The user-managed identity 'mientity' has been given the Contributor role and the roles mentioned in https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deployment-script-template#configure-the-minimum-permissions

Upvotes: 0

Views: 349

Answers (1)

Jahnavi

Reputation: 8008

To create an Azure AD application using deployment scripts via an ARM template, you can use the scripts below, which are given in both PowerShell & CLI.

Using AzCLI:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {},
    "variables": {
        "cliResourceName": "AzAppRegDeploymentScript"
    },
    "resources": [{
            "type": "Microsoft.Resources/deploymentScripts",
            "apiVersion": "2019-10-01-preview",
            "name": "[variables('cliResourceName')]",
            "location": "[resourceGroup().location]",
            "kind": "AzureCLI",
            "identity": {
                "type": "UserAssigned",
                "userAssignedIdentities": {
                    "/subscriptions/subscriptionID/resourceGroups/resourceGroupName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/newui": {}
                }
            },
            "properties": {
                "azCliVersion": "2.0.80",
                "timeout": "PT30M",
                "arguments": "app-d https://app-d.example.com https://app-d.example.com/auth",
                "scriptContent": "appInfo=$(az ad app create --display-name \"$1\" --identifier-uris \"$2\" --reply-urls \"$3\"); echo $appInfo",
                "cleanupPreference": "OnSuccess",
                "retentionInterval": "P1D"
            }
        }
    ]
}

Output: (screenshots of the successful CLI deployment in the original post, not reproduced here)

Using Az PowerShell:

I received the same error as you when I tried with PowerShell in my environment.

After a workaround on this issue, I found an approach to deploy it by referring to the blog by @Thakur Prasad Mishra.

You can create a script in the GitHub content page and add that respective URL in the "primaryScriptUri" property of the PowerShell deployment script of the ARM template, as detailed in the blog linked above.

For any of the above deployments (either PowerShell or CLI), you need to provide the below permissions to the user identity.

  1. Add the Contributor role at subscription level by going to Subscriptions -> Access control -> Add -> Add role assignment -> Privileged administrator roles -> Contributor and then selecting the user identity.

  2. Add the "Application Administrator" role for the user identity by going to Roles & Administrators under Azure Active Directory.

I modified your PowerShell deployment code properties block as follows:

            "properties": {
                "azPowerShellVersion": "9.7",
                "timeout": "PT30M",
                "scriptContent": "
                    $ScriptPath = '/home/admin/script.ps1'
                    $Info = Get-Content -Path $ScriptPath
                ",
                "cleanupPreference": "OnSuccess",
                "retentionInterval": "P1D"
            }
        }]
}

Script.ps1:

# The AzureAD module is not preinstalled, so fetch it before use
Install-Module -Name AzureAD -Force
Import-Module -Name AzureAD
# Register the application
New-AzureADApplication -DisplayName 'app-d'

Output: (screenshots of the successful PowerShell deployment in the original post, not reproduced here)

Note: I would suggest you use the Azure CLI version to create deployment scripts for an AD application.

You can also refer to the article by @Moim Hossain for more relevant information.

Upvotes: 0
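As an added example (not code from the question or the answer above), here is a script body that could be handed to an AzureCLI deployment script in place of the single `az ad app create` line. It assumes the display name arrives as the first positional argument through the resource's `arguments` property, that the `az ad app list` / `az ad app create` flags used exist in the CLI version installed in the container, and that the container sets `AZ_SCRIPTS_OUTPUT_PATH`, the file ARM reads to populate the deployment script's outputs. The point it adds over the one-liner is that it looks for an existing registration before creating one, so redeploying the template does not leave duplicate app registrations behind, and it hands the appId back to ARM instead of only echoing it into the script log.

```sh
#!/bin/sh
# Added example: body for an AzureCLI deployment script that registers an
# Azure AD application idempotently and reports its appId back to ARM.
# Assumptions: az CLI is on PATH (true inside the deployment script
# container), the display name is passed as $1 via "arguments", and
# AZ_SCRIPTS_OUTPUT_PATH points at the file ARM reads as the script output.
set -eu

# Print the appId of an existing registration with this display name,
# or nothing if no such registration exists.
find_app() {
  az ad app list --display-name "$1" --query "[0].appId" -o tsv
}

# Create the registration only when no app with that name exists;
# print the appId either way.
ensure_app() {
  name="$1"
  app_id="$(find_app "$name")"
  if [ -z "$app_id" ]; then
    app_id="$(az ad app create --display-name "$name" --query appId -o tsv)"
  fi
  printf '%s\n' "$app_id"
}

# Write the result as JSON to the path ARM exposes as the script's outputs
# (the display name is assumed to contain no quotes or backslashes).
write_output() {
  printf '{"displayName":"%s","appId":"%s"}\n' "$1" "$2" > "$3"
}

# Entry point inside the container; skipped when the variable is unset.
if [ -n "${AZ_SCRIPTS_OUTPUT_PATH:-}" ]; then
  app_name="${1:?display name must be passed as the first argument}"
  write_output "$app_name" "$(ensure_app "$app_name")" "$AZ_SCRIPTS_OUTPUT_PATH"
fi
```

With this as `scriptContent` (or fetched via `primaryScriptUri`) and `"arguments": "app-d"`, the template can read the registration's id with `reference('AzAppRegDeploymentScript').outputs.appId` rather than scraping the script log. On permissions: the `az ad app` calls only need the directory role (Application Administrator) on the managed identity; the Contributor assignment exists for the deployment script's own storage account and container instance, and the minimum-permissions section linked in the question scopes that to the resource group rather than the whole subscription.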
