
Is there a way to create or access an existing Azure AD Group using Azure Bicep? The scenario is that I want to create an Azure SQL Database, but in order to do so I need to create a server first. I want to create the server with an AD group as an administrator so I don't have passwords/secrets to manage. I also want to use managed identities for access.

Is there a way to get the group name and sid? When I create a resource in bicep (i.e. resource sqlAdminGroup...) and search for 'group', I don't see a

Here is my bicep code:

// Parameters referenced by the resource below
param namePrefix string
param location string = resourceGroup().location
param sqlAdminGroupName string     // AAD group display name used as the admin login
param sqlAdminGroupObjectId string // AAD group object id used as the admin sid

resource sqlServer 'Microsoft.Sql/servers@2022-02-01-preview' = {
  name: '${namePrefix}sqlserver1'
  location: location
  properties: {
    // AAD group as the server administrator; no SQL login/password is set
    administrators: {
      administratorType: 'ActiveDirectory'
      azureADOnlyAuthentication: true
      principalType: 'Group'
      login: sqlAdminGroupName
      sid: sqlAdminGroupObjectId
      tenantId: subscription().tenantId
    }

    publicNetworkAccess: 'Enabled'
    restrictOutboundNetworkAccess: 'Disabled'

    //subnetId: resourceId('Microsoft.Network/virtualNetworks/subnets', virtualNetworkName, subnetName)
  }
  // System-assigned managed identity for the server itself
  identity: {
    type: 'SystemAssigned'
  }
}

I assume this is a common approach but I have not really found much on it when searching. I would like to create the group if it doesn't exist and get the login (sqlAdminGroupName) and sid (sqlAdminGroupObjectId) regardless for use in the above code.

lcj
  • Creating a group is part of the MS Graph API, not the ARM API, so it won't be available in Bicep; you could always execute an az cli command using deployment scripts: https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deployment-script-template – Thomas Aug 10 '22 at 22:35
  • There's a plan for AAD extensibility in Bicep that will provide this functionality. However there's no exact ETA, only that it should be available in the 1.0 version. – Miq Aug 27 '22 at 18:00
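The deployment-script route suggested in the comments, written out as an added example (not code from the question or the answer). It looks the admin group up by exact display name through az cli, creates it only if it is missing, and feeds the resulting object id into the SQL server's administrators block. Assumptions not in the original: the parameter names, the user-assigned identity in scriptIdentityId (it must already hold the Microsoft Graph application permission needed to read and create groups, which cannot be granted from an ARM template), an az cli version of 2.37 or later (where the group property is id rather than objectId), and the separate sqlAdminLogin label, which sidesteps the spaces-in-login problem.

```bicep
param location string = resourceGroup().location
param namePrefix string
param sqlAdminGroupName string             // AAD group display name to find or create
param sqlAdminLogin string = 'SqlAdmins'   // label stored on the server; need not match the group name
param scriptIdentityId string              // resource id of a user-assigned identity with Graph group permissions (assumed pre-created)

// Runs az cli inside a deployment script and writes the group object id to the script outputs
resource lookupGroup 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
  name: 'lookup-sql-admin-group'
  location: location
  kind: 'AzureCLI'
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${scriptIdentityId}': {}
    }
  }
  properties: {
    azCliVersion: '2.40.0'
    timeout: 'PT10M'
    retentionInterval: 'PT1H'
    cleanupPreference: 'OnSuccess'
    // Pass the name through the environment so spaces in the display name survive intact
    environmentVariables: [
      {
        name: 'GROUP_NAME'
        value: sqlAdminGroupName
      }
    ]
    scriptContent: '''
      set -e
      # Exact-match lookup; an empty result means the group does not exist yet
      GROUP_ID=$(az ad group list --filter "displayName eq '$GROUP_NAME'" --query '[0].id' -o tsv)
      if [ -z "$GROUP_ID" ]; then
        # mail-nickname is mandatory for az ad group create; derive an alphanumeric one from the name
        NICK=$(printf '%s' "$GROUP_NAME" | tr -dc '[:alnum:]')
        GROUP_ID=$(az ad group create --display-name "$GROUP_NAME" --mail-nickname "$NICK" --query id -o tsv)
      fi
      # Anything written to this path becomes properties.outputs on the deployment script resource
      printf '{"groupObjectId":"%s"}' "$GROUP_ID" > "$AZ_SCRIPTS_OUTPUT_PATH"
    '''
  }
}

resource sqlServer 'Microsoft.Sql/servers@2022-02-01-preview' = {
  name: '${namePrefix}sqlserver1'
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    minimalTlsVersion: '1.2'
    administrators: {
      administratorType: 'ActiveDirectory'
      azureADOnlyAuthentication: true   // no SQL logins or passwords at all
      principalType: 'Group'
      login: sqlAdminLogin
      sid: lookupGroup.properties.outputs.groupObjectId
      tenantId: subscription().tenantId
    }
  }
}

// Expose the id so later modules (for example role assignments) can reuse it
output sqlAdminGroupObjectId string = lookupGroup.properties.outputs.groupObjectId
```

Referencing lookupGroup.properties.outputs inside sqlServer gives Bicep the implicit dependency, so the server is only created after the script has produced the id. If the deploying identity only needs to find an existing group, drop the create branch and grant it read-only group permission; a pipeline identity that can create directory groups is a larger blast radius than one that can merely read them.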

1 Answer


Just got mine to work, maybe this helps you as well; there were 2 things that I had to change to get mine to deploy.

First, I did not specify admin login or password under properties. Second, the 'login' string does not have to be the same as your actual AAD group; in my instance, the AAD group had spaces in it and was causing an error.

Here is my bicep, maybe it helps you or someone:

param location string = resourceGroup().location
param name string

resource sqlServer 'Microsoft.Sql/servers@2022-02-01-preview' = {
  location: location
  name: 'sql${name}'
  properties: {
    version: '12.0'
    // No administratorLogin/administratorLoginPassword: the AAD group is the only admin
    administrators: {
      administratorType: 'ActiveDirectory'
      principalType: 'Group'
      login: 'MyFunkyAdminGroupNameNotSameAsAAD' // label only; need not match the AAD group display name
      sid: '0000-my-aad-group-id-0000'           // placeholder: the AAD group's object id
      tenantId: subscription().tenantId
    }
  }
}
Altus Baard