Created an ARM template to create an AD application using deployment scripts in ARM via PowerShell.

Getting this error:

The resource write operation failed to complete successfully, because it reached terminal provisioning state 'failed'

Here is the template

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {},
    "variables": {
        "cliResourceName": "AzAppRegDeploymentScript"
    },
    "resources": [
        {
            "type": "Microsoft.Resources/deploymentScripts",
            "apiVersion": "2019-10-01-preview",
            "name": "[variables('cliResourceName')]",
            "location": "[resourceGroup().location]",
            "kind": "AzurePowerShell",
            "identity": {
                "type": "UserAssigned",
                "userAssignedIdentities": {
                    "/subscriptions/XXXXX-bXXd-4XX5-b&*e-YDTXXYYYYS/resourceGroups/sample/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mientity": {}
                }
            },
            "properties": {
                "azPowerShellVersion": "9.7",
                "timeout": "PT30M",
                "scriptContent": "$app = New-AzureADApplication -DisplayName 'app-d'",
                "cleanupPreference": "OnSuccess",
                "retentionInterval": "P1D"
            }
        }
    ]
}

What's the error here? CLI is also failing. The user managed identity 'mientity' is provided with a Contributor role, and the roles mentioned in this https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deployment-script-template#configure-the-minimum-permissions

DAK

1 Answer

To create an Azure AD application using deployment scripts via ARM template, you can use the scripts below, which are given for both PowerShell and CLI.

Using AzCLI:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {},
    "variables": {
        "cliResourceName": "AzAppRegDeploymentScript"
    },
    "resources": [
        {
            "type": "Microsoft.Resources/deploymentScripts",
            "apiVersion": "2019-10-01-preview",
            "name": "[variables('cliResourceName')]",
            "location": "[resourceGroup().location]",
            "kind": "AzureCLI",
            "identity": {
                "type": "UserAssigned",
                "userAssignedIdentities": {
                    "/subscriptions/subscriptionID/resourceGroups/resourceGroupName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/newui": {}
                }
            },
            "properties": {
                "azCliVersion": "2.0.80",
                "timeout": "PT30M",
                "arguments": "<displayName> <identifierUri> <replyUrl>",
                "scriptContent": "appInfo=$(az ad app create --display-name \"$1\" --identifier-uris \"$2\" --reply-urls \"$3\")\necho $appInfo",
                "cleanupPreference": "OnSuccess",
                "retentionInterval": "P1D"
            }
        }
    ]
}

Output: (screenshots of the deployment result not reproduced here)

Using Az PowerShell:

I received the same error as you when I tried with PowerShell in my environment.

After working around this issue, I found an approach to deploy it by referring to the blog by @Thakur Prasad Mishra.

You can create a script in the GitHub content page and add its URL in the `primaryScriptUri` property of the PowerShell deployment script in the ARM template, as detailed in the blog given above.

For any of the above deployments (either PowerShell or CLI), you need to provide the below permissions to the user identity.

  1. Add the Contributor role at the subscription level by going to Subscriptions -> Access control -> Add -> Add role assignment -> Privileged administrator roles -> Contributor, and then select the user identity.

  2. Add the "Application Administrator" role for the user identity by going to Roles & Administrators under Azure Active Directory.

I modified your PowerShell deployment code properties block as follows:

            "properties": {
                "azPowerShellVersion": "9.7",
                "timeout": "PT30M",
                "primaryScriptUri": "https://raw.githubusercontent.com/<owner>/<repo>/main/Script.ps1",
                "cleanupPreference": "OnSuccess",
                "retentionInterval": "P1D"
            }
        }
    ]
}

Script.ps1:

# Script.ps1, hosted at the URL referenced by primaryScriptUri
Install-Module -Name AzureAD -Force   # the AzureAD module is not preinstalled in the deployment script container
Import-Module -Name AzureAD
New-AzureADApplication -DisplayName 'app-d'

Output: (screenshots of the deployment result not reproduced here)

Note: I would suggest you use the Azure CLI version to create deployment scripts for an AD application.

You can also refer to the article by @Moim Hossain for more relevant information.

Jahnavi
  • Thanks @Jahnavi. Is there any way to add the ***Application Administrator role*** to the Managed Identity via the ARM template itself? – DAK Jul 10 '23 at 16:57
  • You can add this PowerShell command `New-AzureADServiceAppRoleAssignment` with the managed identity resource inside the `Script.ps1`. Refer to [MsDoc](https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-assign-app-role-managed-identity-powershell?tabs=azurepowershell) for better understanding. @DAK – Jahnavi Jul 11 '23 at 04:46
  • You can also use [`az app role assignment create`](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-cli#step-4-assign-role) in the above `scriptcontent` block using CLI. @DAK – Jahnavi Jul 11 '23 at 04:48
  • Add this to the `script content` block after `New-AzureADApplication`: `\nNew-AzureADMSRoleAssignment -ObjectId $app.ObjectId -PrincipalId $app.ObjectId -ResourceId $app.ObjectId -RoleDefinitionId '18a4783c-866b-4cc7-a460-3d5e5662c884'`. @DAK – Jahnavi Jul 11 '23 at 04:53
  • It's failing. Without the Application Administrator role for the managed identity, deployment scripts won't work, right? – DAK Jul 11 '23 at 10:43
  • For your requirement, this role has to be added, and I would suggest you add it through the Portal itself to make this work efficiently. @DAK – Jahnavi Jul 11 '23 at 11:52
  • Did you try adding the role through the Portal? @DAK – Jahnavi Jul 27 '23 at 08:16
  • Through the portal I can add it; I tried that and it worked, but my requirement is to add it via ARM template. – DAK Jul 27 '23 at 10:17
  • If you want to use only the ARM template, you can pass the [`New-AzureADMSRoleAssignment`](https://learn.microsoft.com/en-us/powershell/module/azuread/new-azureadmsroleassignment?view=azureadps-2.0) PowerShell command under the `script content` block in the main ARM JSON file or in `script.ps1` with the required parameters. @DAK – Jahnavi Jul 27 '23 at 10:24
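As an added preflight check (not code from the question, the answer, or Microsoft), the following Python linter reads an ARM template and flags the conditions this thread ran into before `az deployment` reports only the generic "terminal provisioning state 'failed'": a missing user-assigned identity, a missing `azPowerShellVersion`/`azCliVersion` for the chosen `kind`, AzureAD cmdlets in an AzurePowerShell script with no `Install-Module` (the question's template), and a CLI script that uses `$1..$3` without an `arguments` property (the answer's CLI template). The embedded sample template is constructed to mirror the question's, and its identity resource id is a placeholder.

```python
import json
import re

def _get(d: dict, key: str, default=None):
    """ARM property names are case-insensitive (e.g. AzCliVersion vs azCliVersion)."""
    for k, v in d.items():
        if k.lower() == key.lower():
            return v
    return default

def check_deployment_script(resource: dict) -> list[str]:
    """Return the problems likely to end in provisioning state 'failed' for one deploymentScripts resource."""
    findings = []
    props = _get(resource, "properties", {}) or {}
    identity = _get(resource, "identity", {}) or {}
    kind = _get(resource, "kind", "")
    script = _get(props, "scriptContent", "") or ""
    # Without a user-assigned identity, Az / az commands in the script have no credentials.
    if _get(identity, "type") != "UserAssigned" or not _get(identity, "userAssignedIdentities"):
        findings.append("identity: no UserAssigned identity, so Az/az calls cannot authenticate")
    if kind == "AzurePowerShell":
        if not _get(props, "azPowerShellVersion"):
            findings.append("properties: azPowerShellVersion is required for kind AzurePowerShell")
        # The container ships the Az modules only; AzureAD cmdlets need an explicit Install-Module.
        if re.search(r"\b\w+-AzureAD\w*", script) and "Install-Module" not in script:
            findings.append("scriptContent: AzureAD cmdlets used but the AzureAD module is never installed")
    elif kind == "AzureCLI":
        if not _get(props, "azCliVersion"):
            findings.append("properties: azCliVersion is required for kind AzureCLI")
        # $1, $2, ... are only populated from the 'arguments' property.
        if re.search(r"\$[1-9]", script) and not _get(props, "arguments"):
            findings.append("scriptContent: positional $N parameters used but 'arguments' is not set")
    return findings

def lint_template(template_json: str) -> dict[str, list[str]]:
    """Map each deploymentScripts resource name in the template to its findings."""
    template = json.loads(template_json)
    return {r["name"]: check_deployment_script(r) for r in template.get("resources", [])
            if r.get("type", "").lower() == "microsoft.resources/deploymentscripts"}

# Constructed sample shaped like the question's template; the identity resource id is a placeholder.
SAMPLE_TEMPLATE = json.dumps({"resources": [{
    "type": "Microsoft.Resources/deploymentScripts", "name": "AzAppRegDeploymentScript",
    "kind": "AzurePowerShell",
    "identity": {"type": "UserAssigned", "userAssignedIdentities": {"<identity-resource-id>": {}}},
    "properties": {"azPowerShellVersion": "9.7", "timeout": "PT30M",
                   "scriptContent": "$app = New-AzureADApplication -DisplayName 'app-d'"}}]})
```

Run `lint_template(SAMPLE_TEMPLATE)` on the question's template and the only finding is the uninstalled AzureAD module; a template that passes can still fail at runtime on missing directory roles, which only the deployment script's own log shows.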