
I'm in the process of setting up a Bicep-based pipeline to provision and manage the infrastructure for an application, and I am currently running into an obstacle with the AAD B2C tenant. I have sorted out the basics of deploying a B2C tenant from Bicep given the following resource definition (deployed via a module):

// B2C tenant resource (deployed via a module); country, tenantName and tenantDisplayName are module parameters
resource b2cDirectory 'Microsoft.AzureActiveDirectory/b2cDirectories@2021-04-01' = {
  location: country.name   // B2C takes the data-residency country name as its location
  name: tenantName         // full tenant domain, e.g. contoso.onmicrosoft.com
  sku: {
    name: 'PremiumP2'
    tier: 'A0'
  }
  properties: {
    createTenantProperties: {
      countryCode: country.code   // two-letter code matching the location above
      displayName: 'B2C - ${tenantDisplayName}'
    }
  }
}

I can provision this resource just fine while logged into the az cli with an AAD user account that's granted Owner or Contributor in the target subscription. However, this creates a small hitch for further automation due to the B2C tenant management model (requiring B2C identities for management rather than existing organization identities). When the Azure Resource Manager provisions B2C, it adds the creator as a Global Administrator of the new tenant. Further management tasks, e.g., app registrations and custom policy deployment, require the user to be logged in to the B2C tenant.

In order to automate the end-to-end process, especially within a pipeline, I would like to use a service principal to provision B2C so that my deployment scripts can continue to log in to the new tenant and perform additional management tasks. However, when attempting this, I encounter an error while creating the new tenant:

{
  "status": "Failed",
  "error": {
    "code": "DeploymentFailed",
    "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.",
    "details": [
      {
        "code": "Conflict",
        "message": "{\r\n  \"status\": \"Failed\",\r\n  \"error\": {\r\n    \"code\": \"ResourceDeploymentFailure\",\r\n    \"message\": \"The resource operation completed with terminal provisioning state 'Failed'.\",\r\n    \"details\": [\r\n      {\r\n        \"code\": \"DeploymentFailed\",\r\n        \"message\": \"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.\",\r\n        \"details\": [\r\n          {\r\n            \"code\": \"Unauthorized\",\r\n            \"message\": \"{\\r\\n  \\\"error\\\": {\\r\\n    \\\"code\\\": \\\"Unauthenticated\\\",\\r\\n    \\\"message\\\": \\\"Unauthenticated\\\",\\r\\n    \\\"details\\\": null,\\r\\n    \\\"target\\\": \\\"Authentication\\\",\\r\\n    \\\"additionalInfo\\\": null\\r\\n  }\\r\\n}\"\r\n          }\r\n        ]\r\n      }\r\n    ]\r\n  }\r\n}"
      }
    ]
  }
}

My best guess at this point is that service principals are not supported for this case and that AAD does not know how to bootstrap the Global Administrator for the new tenant. Has anyone overcome this with a service principal? If not, I'd appreciate other suggestions.

If I can't automate it completely, the fallback approach will likely be to write a local script to perform the initial B2C provisioning and manually bootstrap an internal service principal that will be accessible from a devops pipeline and Bicep deployment scripts. This isn't ideal, but it will work for now.
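The ARM error above buries the actual cause ("Unauthenticated", target "Authentication") four levels deep, each level an escaped JSON document inside the parent's "message" field. The following helper, added here as an example and not part of the question or of any Azure SDK, unwraps that nesting so a pipeline log or alert shows the full code chain; the sample error is constructed to mirror the structure of the one posted above.

```python
import json
from typing import Any, Iterator


def _maybe_json(text: Any) -> Any:
    """ARM embeds child errors as JSON text inside 'message'; decode it when it is JSON."""
    try:
        return json.loads(text)
    except (TypeError, ValueError):
        return None


def iter_errors(err: dict) -> Iterator[dict]:
    """Yield every error object depth-first, from the outermost deployment error
    down to the innermost cause. Accepts either {"status": .., "error": {..}}
    envelopes or bare error objects, and follows both 'details' arrays and
    escaped-JSON 'message' fields."""
    node = err.get("error", err)
    yield node
    inner = _maybe_json(node.get("message"))
    if isinstance(inner, dict):          # message is itself an ARM error document
        yield from iter_errors(inner)
        return
    for detail in node.get("details") or []:   # 'details' may be null
        yield from iter_errors(detail)


def error_chain(err: dict) -> list[str]:
    """Codes from outermost to innermost, e.g. DeploymentFailed -> ... -> Unauthenticated."""
    return [n.get("code", "<no code>") for n in iter_errors(err)]


def root_cause(err: dict) -> dict:
    """The innermost error object, which is what a triage log line should show."""
    return list(iter_errors(err))[-1]


def build_sample() -> dict:
    """Constructed sample with the same nesting ARM produced for the B2C deployment."""
    unauth = {"error": {"code": "Unauthenticated", "message": "Unauthenticated",
                        "details": None, "target": "Authentication"}}
    inner = {"status": "Failed", "error": {
        "code": "ResourceDeploymentFailure",
        "message": "The resource operation completed with terminal provisioning state 'Failed'.",
        "details": [{"code": "DeploymentFailed",
                     "message": "At least one resource deployment operation failed.",
                     "details": [{"code": "Unauthorized", "message": json.dumps(unauth)}]}]}}
    return {"status": "Failed", "error": {
        "code": "DeploymentFailed",
        "message": "At least one resource deployment operation failed.",
        "details": [{"code": "Conflict", "message": json.dumps(inner)}]}}


if __name__ == "__main__":
    print(" -> ".join(error_chain(build_sample())))
```

Pass the parsed output of `az deployment group create` (or the JSON from `az deployment operation group list`, which the error message points to) into `error_chain` to get the same flattened view for any nested deployment failure.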

Daniel Mann

    Did you find an answer to this? I am looking to create my B2C tenant with an SP but I am hitting a similar error. – jfdevops Jun 05 '23 at 15:38

0 Answers