├── src ├── swagger-generation │ ├── .gitignore │ ├── .eslintignore │ ├── jest.config.js │ ├── src │ │ ├── definitions │ │ │ ├── Reference.ts │ │ │ ├── CollectionProperty.ts │ │ │ ├── NavigationProperty.ts │ │ │ ├── EnumType.ts │ │ │ ├── DefinitionMap.ts │ │ │ ├── Property.ts │ │ │ ├── Metadata.ts │ │ │ └── PrimitiveSwaggerType.ts │ │ ├── parser.ts │ │ └── util │ │ │ ├── propertyTypeResolver.ts │ │ │ └── orchestrationTypeResolver.ts │ ├── .eslintrc │ ├── tsconfig.json │ ├── tests │ │ ├── definitions │ │ │ ├── EnumType.test.ts │ │ │ └── Property.test.ts │ │ ├── testUtilities.ts │ │ └── util │ │ │ └── propertyTypeResolver.test.ts │ ├── package.json │ ├── README.md │ └── configs │ │ └── v1.0 │ │ ├── 0.1.7-preview.yml │ │ └── 0.1.8-preview.yml ├── autorest.bicep │ ├── .prettierignore │ ├── .prettierrc │ ├── .gitignore │ ├── jest.config.ts │ ├── .npmignore │ ├── test │ │ └── integration │ │ │ ├── specs │ │ │ └── basic │ │ │ │ └── resource-manager │ │ │ │ └── README.md │ │ │ └── integration.test.ts │ ├── src │ │ ├── utils.ts │ │ └── main.ts │ ├── tsconfig.json │ ├── README.md │ ├── package.json │ └── .eslintrc.js ├── generator │ ├── .gitignore │ ├── tsconfig.json │ ├── .eslintrc.js │ └── package.json ├── Microsoft.Graph.Bicep.Types │ ├── 35MSSharedLib1024.snk │ ├── MicrosoftGraphTypeLoader.cs │ └── Microsoft.Graph.Bicep.Types.csproj ├── extensionConfig │ ├── src │ │ ├── extensionConfig.json │ │ └── config.ts │ ├── tsconfig.json │ ├── package.json │ └── package-lock.json ├── Directory.Build.props ├── Microsoft.Graph.Bicep.Types.UnitTests │ └── Microsoft.Graph.Bicep.Types.UnitTests.csproj └── Directory.Build.targets ├── .github ├── CODEOWNERS ├── ISSUE_TEMPLATE │ ├── feature_request.md │ ├── new_type_request.md │ └── bug_report.md ├── policies │ ├── msgraph-bicep-types-branch-protection.yml │ └── resourceManagement.yml └── workflows │ └── codeql.yml ├── docs ├── getting-started.md ├── VS code graph types in bicep.jpg ├── media │ ├── 
client-apps-read-from-blob-storage-via-sg.jpg │ └── github-action-deploys-web-app-to-azure-app-services.jpg ├── use-existing-resources.md └── DEVELOPMENT.md ├── quickstart-templates ├── security-group-add-user-members │ ├── userlist.txt │ ├── bicepconfig.json │ ├── metadata.json │ ├── main.bicep │ └── README.md ├── create-client-app-with-logo │ ├── logoImageFile.png │ ├── bicepconfig.json │ ├── metadata.json │ ├── main.bicep │ └── README.md ├── msi-as-a-fic-secretless │ ├── bicepconfig.json │ ├── main.bicepparam │ ├── metadata.json │ └── secretless-graph-request.ps1 ├── apps-permissions-and-grants │ ├── bicepconfig.json │ ├── metadata.json │ ├── appRequiredResourceAccess.bicep │ ├── appGrantScopes.bicep │ └── main.bicep ├── create-fic-for-github-actions │ ├── bicepconfig.json │ ├── metadata.json │ ├── publish.yml │ └── main.bicep ├── create-client-app-sp-with-kv-cert │ ├── bicepconfig.json │ ├── main.bicepparam │ ├── metadata.json │ └── README.md ├── security-group-assign-azure-role │ ├── bicepconfig.json │ ├── metadata.json │ ├── main.bicep │ └── README.md ├── security-group-create-with-owners-and-members │ ├── bicepconfig.json │ ├── metadata.json │ ├── main.bicep │ └── README.md ├── application-serviceprincipal-create-client-resource │ ├── bicepconfig.json │ ├── metadata.json │ ├── main.bicep │ └── README.md └── resource-application-access-grant-to-client-application │ ├── bicepconfig.json │ ├── metadata.json │ ├── main.bicep │ └── README.md ├── .gitmodules ├── samples └── deploy-template │ ├── bicepconfig.json │ ├── grant-deployment-app-arm-and-graph-scopes │ ├── bicepconfig.json │ ├── metadata.json │ ├── main.bicep │ ├── appGrantScopes.bicep │ └── README.md │ ├── deploy-template.csproj │ ├── sample-template.bicep │ ├── deploy-template.sln │ └── sample-template.json ├── quickstart-templates-archive ├── create-fic-for-github-actions │ ├── bicepconfig.json │ ├── main.bicep │ └── README.md └── security-group-assign-azure-role │ ├── bicepconfig.json │ ├── main.bicep 
│ └── README.md ├── pipelines ├── common-templates │ ├── security-post-checks.yml │ ├── security-pre-checks.yml │ ├── install-tools.yml │ ├── esrp │ │ ├── codesign-nuget.yml │ │ └── codesign.yml │ ├── generate-types.yml │ └── common-steps.yml ├── common-variables.yml ├── ci-build.yml └── productionBuild.yml ├── CODE_OF_CONDUCT.md ├── SUPPORT.md ├── generated ├── microsoftgraph │ └── microsoft.graph │ │ ├── beta │ │ ├── 0.1.7-preview │ │ │ ├── index.json │ │ │ └── index.md │ │ ├── 0.1.8-preview │ │ │ ├── index.json │ │ │ └── index.md │ │ ├── 0.1.9-preview │ │ │ ├── index.json │ │ │ └── index.md │ │ ├── 1.0.0 │ │ │ ├── index.md │ │ │ └── index.json │ │ └── 0.2.0-preview │ │ │ ├── index.md │ │ │ └── index.json │ │ ├── v1.0 │ │ ├── 0.1.7-preview │ │ │ ├── index.json │ │ │ └── index.md │ │ ├── 0.1.8-preview │ │ │ ├── index.json │ │ │ └── index.md │ │ ├── 0.1.9-preview │ │ │ ├── index.json │ │ │ └── index.md │ │ ├── 1.0.0 │ │ │ ├── index.md │ │ │ └── index.json │ │ └── 0.2.0-preview │ │ │ ├── index.md │ │ │ └── index.json │ │ └── log.out ├── index.md └── index.json ├── LICENSE ├── swagger └── specification │ └── microsoftgraph │ └── resource-manager │ └── readme.md ├── scripts ├── UpdateGeneratedTypes.ps1 └── ValidateProjectVersionUpdated.ps1 ├── Microsoft.Graph.Bicep.Types.sln ├── SECURITY.md ├── README.md └── CONTRIBUTING.md /src/swagger-generation/.gitignore: -------------------------------------------------------------------------------- 1 | coverage/ -------------------------------------------------------------------------------- /src/autorest.bicep/.prettierignore: -------------------------------------------------------------------------------- 1 | *.ejs 2 | package.json -------------------------------------------------------------------------------- /src/swagger-generation/.eslintignore: -------------------------------------------------------------------------------- 1 | node_modules 2 | dist 
-------------------------------------------------------------------------------- /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @microsoftgraph/msgraph-arm-bicep-write 2 | -------------------------------------------------------------------------------- /src/autorest.bicep/.prettierrc: -------------------------------------------------------------------------------- 1 | { 2 | "trailingComma": "none" 3 | } 4 | -------------------------------------------------------------------------------- /docs/getting-started.md: -------------------------------------------------------------------------------- 1 | # Getting started 2 | 3 | Go to [Bicep templates for Microsoft Graph](https://aka.ms/graphbicep). 4 | -------------------------------------------------------------------------------- /quickstart-templates/security-group-add-user-members/userlist.txt: -------------------------------------------------------------------------------- 1 | user1@contoso.com 2 | user2@contoso.com 3 | user3@contoso.com -------------------------------------------------------------------------------- /docs/VS code graph types in bicep.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoftgraph/msgraph-bicep-types/main/docs/VS code graph types in bicep.jpg -------------------------------------------------------------------------------- /src/generator/.gitignore: -------------------------------------------------------------------------------- 1 | dist 2 | node_modules 3 | test.json 4 | test/**/dist 5 | test/**/esm 6 | test/**/node_modules 7 | test-browser 8 | .tmp 9 | coverage -------------------------------------------------------------------------------- /src/Microsoft.Graph.Bicep.Types/35MSSharedLib1024.snk: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/microsoftgraph/msgraph-bicep-types/main/src/Microsoft.Graph.Bicep.Types/35MSSharedLib1024.snk -------------------------------------------------------------------------------- /docs/media/client-apps-read-from-blob-storage-via-sg.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoftgraph/msgraph-bicep-types/main/docs/media/client-apps-read-from-blob-storage-via-sg.jpg -------------------------------------------------------------------------------- /src/autorest.bicep/.gitignore: -------------------------------------------------------------------------------- 1 | dist 2 | node_modules 3 | test.json 4 | test/**/dist 5 | test/**/esm 6 | test/**/node_modules 7 | test-browser 8 | .tmp 9 | temp 10 | coverage -------------------------------------------------------------------------------- /src/swagger-generation/jest.config.js: -------------------------------------------------------------------------------- 1 | /** @type {import('ts-jest').JestConfigWithTsJest} */ 2 | module.exports = { 3 | preset: 'ts-jest', 4 | testEnvironment: 'node', 5 | silent: true, 6 | }; -------------------------------------------------------------------------------- /docs/media/github-action-deploys-web-app-to-azure-app-services.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoftgraph/msgraph-bicep-types/main/docs/media/github-action-deploys-web-app-to-azure-app-services.jpg -------------------------------------------------------------------------------- /quickstart-templates/create-client-app-with-logo/logoImageFile.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoftgraph/msgraph-bicep-types/main/quickstart-templates/create-client-app-with-logo/logoImageFile.png 
-------------------------------------------------------------------------------- /docs/use-existing-resources.md: -------------------------------------------------------------------------------- 1 | # Use existing Microsoft Graph resources in Bicep templates 2 | 3 | Go to [How to reference existing resources](https://learn.microsoft.com/graph/templates/how-to-reference-existing-resources) 4 | -------------------------------------------------------------------------------- /src/extensionConfig/src/extensionConfig.json: -------------------------------------------------------------------------------- 1 | { 2 | "beta": { 3 | "name": "MicrosoftGraphBeta", 4 | "version": "1.0.0" 5 | }, 6 | "v1.0": { 7 | "name": "MicrosoftGraph", 8 | "version": "1.0.0" 9 | } 10 | } -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "bicep-types"] 2 | path = bicep-types 3 | url = https://github.com/Azure/bicep-types.git 4 | [submodule "msgraph-metadata"] 5 | path = msgraph-metadata 6 | url = https://github.com/microsoftgraph/msgraph-metadata 7 | -------------------------------------------------------------------------------- /src/swagger-generation/src/definitions/Reference.ts: -------------------------------------------------------------------------------- 1 | export class Reference{ 2 | id: string 3 | depth: number 4 | 5 | constructor(id: string, depth: number){ 6 | this.id = id 7 | this.depth = depth 8 | } 9 | } -------------------------------------------------------------------------------- /samples/deploy-template/bicepconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | // specify an alias for the version of the v1.0 dynamic types package you want to use 3 | "extensions": { 4 | "microsoftGraphV1": "br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:1.0.0" 5 | } 6 | } 
-------------------------------------------------------------------------------- /src/extensionConfig/tsconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | "compilerOptions": { 3 | "outDir": "./dist", 4 | "module": "commonjs", 5 | "target": "es2019", 6 | "declaration": true, 7 | "strict": true 8 | }, 9 | "include": [ 10 | "src/**/*.ts" 11 | ] 12 | } -------------------------------------------------------------------------------- /quickstart-templates/msi-as-a-fic-secretless/bicepconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | // specify an alias for the version of the v1.0 dynamic types package you want to use 3 | "extensions": { 4 | "microsoftGraphV1": "br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:1.0.0" 5 | } 6 | } -------------------------------------------------------------------------------- /quickstart-templates/apps-permissions-and-grants/bicepconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | // specify an alias for the version of the v1.0 dynamic types package you want to use 3 | "extensions": { 4 | "microsoftGraphV1": "br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:1.0.0" 5 | } 6 | } -------------------------------------------------------------------------------- /quickstart-templates/create-client-app-with-logo/bicepconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | // specify an alias for the version of the v1.0 dynamic types package you want to use 3 | "extensions": { 4 | "microsoftGraphV1": "br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:1.0.0" 5 | } 6 | } -------------------------------------------------------------------------------- /quickstart-templates/create-fic-for-github-actions/bicepconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | // specify an 
alias for the version of the v1.0 dynamic types package you want to use 3 | "extensions": { 4 | "microsoftGraphV1": "br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:1.0.0" 5 | } 6 | } -------------------------------------------------------------------------------- /quickstart-templates/create-client-app-sp-with-kv-cert/bicepconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | // specify an alias for the version of the v1.0 dynamic types package you want to use 3 | "extensions": { 4 | "microsoftGraphV1": "br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:1.0.0" 5 | } 6 | } -------------------------------------------------------------------------------- /quickstart-templates/security-group-add-user-members/bicepconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | // specify an alias for the version of the v1.0 dynamic types package you want to use 3 | "extensions": { 4 | "microsoftGraphV1": "br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:1.0.0" 5 | } 6 | } -------------------------------------------------------------------------------- /quickstart-templates/security-group-assign-azure-role/bicepconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | // specify an alias for the version of the v1.0 dynamic types package you want to use 3 | "extensions": { 4 | "microsoftGraphV1": "br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:1.0.0" 5 | } 6 | } -------------------------------------------------------------------------------- /src/extensionConfig/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "extensionconfig", 3 | "version": "1.0.0", 4 | "main": "index.js", 5 | "keywords": [], 6 | "author": "", 7 | "license": "ISC", 8 | "description": "", 9 | "devDependencies": { 10 | "@types/node": "^22.5.1" 11 | } 12 | } 13 | 
-------------------------------------------------------------------------------- /samples/deploy-template/grant-deployment-app-arm-and-graph-scopes/bicepconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | // specify an alias for the version of the v1.0 dynamic types package you want to use 3 | "extensions": { 4 | "microsoftGraphV1": "br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:1.0.0" 5 | } 6 | } -------------------------------------------------------------------------------- /quickstart-templates/security-group-create-with-owners-and-members/bicepconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | // specify an alias for the version of the v1.0 dynamic types package you want to use 3 | "extensions": { 4 | "microsoftGraphV1": "br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:1.0.0" 5 | } 6 | } -------------------------------------------------------------------------------- /quickstart-templates/application-serviceprincipal-create-client-resource/bicepconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | // specify an alias for the version of the v1.0 dynamic types package you want to use 3 | "extensions": { 4 | "microsoftGraphV1": "br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:1.0.0" 5 | } 6 | } -------------------------------------------------------------------------------- /quickstart-templates/resource-application-access-grant-to-client-application/bicepconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | // specify an alias for the version of the v1.0 dynamic types package you want to use 3 | "extensions": { 4 | "microsoftGraphV1": "br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:1.0.0" 5 | } 6 | } -------------------------------------------------------------------------------- 
/quickstart-templates/msi-as-a-fic-secretless/main.bicepparam: -------------------------------------------------------------------------------- 1 | using './main.bicep' 2 | 3 | param myWorkloadManagedIdentity = '[MANAGED-IDENTITY-NAME]' 4 | param applicationDisplayName = '[APPLICATION-DISPLAY-NAME]' 5 | param applicationName = '[APPLICATION-UNIQUE-NAME]' 6 | param cloudEnvironment = 'publicCloud' 7 | param graphRoles = ['Group.Read.All'] 8 | 9 | -------------------------------------------------------------------------------- /quickstart-templates-archive/create-fic-for-github-actions/bicepconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | "experimentalFeaturesEnabled": { 3 | "extensibility": true 4 | }, 5 | // specify an alias for the version of the v1.0 dynamic types package you want to use 6 | "extensions": { 7 | "microsoftGraphV1": "br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:0.1.8-preview" 8 | } 9 | } -------------------------------------------------------------------------------- /quickstart-templates-archive/security-group-assign-azure-role/bicepconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | "experimentalFeaturesEnabled": { 3 | "extensibility": true 4 | }, 5 | // specify an alias for the version of the v1.0 dynamic types package you want to use 6 | "extensions": { 7 | "microsoftGraphV1": "br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:0.1.8-preview" 8 | } 9 | } -------------------------------------------------------------------------------- /src/autorest.bicep/jest.config.ts: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft Corporation. 2 | // Licensed under the MIT License. 
3 | module.exports = { 4 | verbose: true, 5 | moduleFileExtensions: [ 6 | "ts", 7 | "js" 8 | ], 9 | transform: { 10 | '^.+\\.(ts|tsx)$': 'ts-jest' 11 | }, 12 | testMatch: [ 13 | '**/test/**/*.test.(ts)' 14 | ], 15 | testEnvironment: 'node', 16 | }; -------------------------------------------------------------------------------- /src/autorest.bicep/.npmignore: -------------------------------------------------------------------------------- 1 | .gulp/ 2 | .vscode/ 3 | src/Model/ 4 | src/Properties/ 5 | test/ 6 | src/obj/ 7 | package/ 8 | *.tar 9 | *.tgz 10 | 11 | gulpfile.js 12 | *.sln 13 | *.cs 14 | *.resx 15 | src/obj/ 16 | yarn.lock 17 | 18 | *.log 19 | *.csproj 20 | 21 | .travis.yml 22 | .git* 23 | .git 24 | .vs/ 25 | node_modules/ 26 | .ntvs_analysis.* 27 | .nuget/ 28 | packages/ 29 | packages.config 30 | gulpfile.js -------------------------------------------------------------------------------- /src/swagger-generation/src/definitions/CollectionProperty.ts: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft Corporation. 2 | // Licensed under the MIT License. 3 | 4 | import { PrimitiveSwaggerTypeStruct } from "./PrimitiveSwaggerType" 5 | 6 | export class CollectionProperty { 7 | Type: string | PrimitiveSwaggerTypeStruct 8 | constructor(type: string | PrimitiveSwaggerTypeStruct){ 9 | this.Type = type 10 | } 11 | } -------------------------------------------------------------------------------- /pipelines/common-templates/security-post-checks.yml: -------------------------------------------------------------------------------- 1 | # Copyright (c) Microsoft Corporation. All rights reserved. 2 | # Licensed under the MIT License. 
3 | 4 | steps: 5 | - task: PublishSecurityAnalysisLogs@2 6 | displayName: "Publish Security Analysis Logs" 7 | inputs: 8 | ArtifactName: SecurityLogs 9 | 10 | - task: PostAnalysis@1 11 | displayName: "Post Analysis" 12 | inputs: 13 | BinSkim: true 14 | CredScan: true 15 | PoliCheck: true 16 | -------------------------------------------------------------------------------- /src/extensionConfig/src/config.ts: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft Corporation. 2 | // Licensed under the MIT License. 3 | export enum ApiVersion { 4 | Beta = "beta", 5 | V1_0 = "v1.0", 6 | } 7 | 8 | export interface apiExtensionConfig { 9 | name: string; 10 | version: string; 11 | } 12 | 13 | export interface apiExtenisonConfigMap { 14 | [key: string]: apiExtensionConfig; 15 | } 16 | 17 | export const extensionConfig: apiExtenisonConfigMap = require('./extensionConfig.json'); -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Microsoft Open Source Code of Conduct 2 | 3 | This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). 
4 | 5 | Resources: 6 | 7 | - [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/) 8 | - [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) 9 | - Contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with questions or concerns 10 | -------------------------------------------------------------------------------- /src/autorest.bicep/test/integration/specs/basic/resource-manager/README.md: -------------------------------------------------------------------------------- 1 | # basic 2 | 3 | ## Configuration 4 | 5 | ### Information 6 | 7 | ```yaml 8 | title: Basic 9 | description: Contains a set of basic spec samples for integration tests 10 | openapi-type: arm 11 | tag: package-2021-10-31 12 | ``` 13 | 14 | ### Tag: package-2021-10-31 15 | 16 | These settings apply only when `--tag=package-2021-10-31` is specified on the command line. 17 | 18 | ```yaml $(tag) == 'package-2021-10-31' 19 | input-file: 20 | - Test.Rp1/stable/2021-10-31/spec.json 21 | ``` -------------------------------------------------------------------------------- /src/swagger-generation/.eslintrc: -------------------------------------------------------------------------------- 1 | { 2 | "root": true, 3 | "parser": "@typescript-eslint/parser", 4 | "plugins": [ 5 | "@typescript-eslint" 6 | ], 7 | "extends": [ 8 | "eslint:recommended", 9 | "plugin:@typescript-eslint/eslint-recommended", 10 | "plugin:@typescript-eslint/recommended" 11 | ], 12 | "overrides": [ 13 | { 14 | "files": [ 15 | "tests/*.ts" 16 | ], 17 | "rules":{ 18 | "@typescript-eslint/no-var-requires": "off" 19 | } 20 | } 21 | ] 22 | } -------------------------------------------------------------------------------- /src/swagger-generation/src/parser.ts: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft Corporation. 2 | // Licensed under the MIT License. 
3 | 4 | import fs from 'fs' 5 | import { parseStringPromise } from 'xml2js' 6 | import { CSDL } from './definitions/RawTypes' 7 | 8 | export const parseXML = async (metadataFilePath: string): Promise => { 9 | const xmlText = fs.readFileSync( 10 | `../../msgraph-metadata/${metadataFilePath}`, 11 | 'utf8' 12 | ); 13 | 14 | // To object 15 | const obj: Promise = parseStringPromise(xmlText); 16 | 17 | return obj; 18 | } 19 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Suggest an idea for this project 4 | title: '' 5 | labels: enhancement 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Is your feature request related to a problem? Please describe.** 11 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] 12 | 13 | **Describe the solution you'd like** 14 | A clear and concise description of what you want to happen. 15 | 16 | **Additional context** 17 | Add any other context or screenshots about the feature request here. -------------------------------------------------------------------------------- /src/autorest.bicep/src/utils.ts: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft Corporation. 2 | // Licensed under the MIT License. 
3 | export interface SuccessResult { 4 | success: true, 5 | value: V, 6 | } 7 | 8 | export interface FailureResult { 9 | success: false, 10 | error: E, 11 | } 12 | 13 | export type Result = SuccessResult | FailureResult 14 | 15 | export function success(value: V): SuccessResult { 16 | return { success: true, value, }; 17 | } 18 | 19 | export function failure(error: E): FailureResult { 20 | return { success: false, error, }; 21 | } -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/new_type_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: New Microsoft Graph Bicep type request 3 | about: Request a new Microsoft Graph Bicep type 4 | title: '' 5 | labels: new type, enhancement 6 | assignees: '' 7 | 8 | --- 9 | **Vote for this new type by clicking the thumbs-up.** 10 | 11 | **Suggestion** 12 | Which Microsoft Graph resource is this request for? 13 | 14 | **Value** 15 | How is the new Microsoft Graph Bicep type helpful? What scenarios would you use it for? 16 | 17 | **Microsoft Graph API REST reference** 18 | Link to existing Microsoft Graph REST API reference article for this resource 19 | -------------------------------------------------------------------------------- /src/generator/tsconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | "compilerOptions": { 3 | "skipLibCheck": true, 4 | "module": "commonjs", 5 | "noEmitOnError": true, 6 | "noImplicitReturns": true, 7 | "sourceMap": true, 8 | "declarationMap": true, 9 | "strict": true, 10 | "declaration": true, 11 | "stripInternal": true, 12 | "noEmitHelpers": false, 13 | "target": "es2019", 14 | "types": ["node"], 15 | "esModuleInterop": true, 16 | "lib": ["es2020"], 17 | "newLine": "LF", 18 | "outDir": "dist", 19 | "rootDir": "." 
20 | }, 21 | "exclude": ["dist", "node_modules"] 22 | } -------------------------------------------------------------------------------- /quickstart-templates/create-client-app-with-logo/metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://aka.ms/azure-quickstart-templates-metadata-schema#", 3 | "type": "QuickStart", 4 | "itemDisplayName": "Create client app with a logo", 5 | "description": "This template creates a client application including setting a logo, demonstrating how to set a stream property.", 6 | "summary": "This template creates a client application including setting the logo property.", 7 | "githubUsername": "dkershaw10", 8 | "docOwner": "dkershaw10", 9 | "dateUpdated": "2025-07-22", 10 | "validationType": "Manual", 11 | "languages": ["bicep"] 12 | } -------------------------------------------------------------------------------- /src/autorest.bicep/tsconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | "compilerOptions": { 3 | "skipLibCheck": true, 4 | "module": "commonjs", 5 | "noEmitOnError": true, 6 | "noImplicitReturns": true, 7 | "sourceMap": true, 8 | "declarationMap": true, 9 | "strict": true, 10 | "declaration": true, 11 | "stripInternal": true, 12 | "noEmitHelpers": false, 13 | "target": "es2019", 14 | "types": ["node", "jest"], 15 | "esModuleInterop": true, 16 | "lib": ["es2020"], 17 | "newLine": "LF", 18 | "outDir": "dist", 19 | "rootDir": "." 20 | }, 21 | "include": ["src"], 22 | "exclude": ["dist", "node_modules", "**/*.d.ts"] 23 | } 24 | -------------------------------------------------------------------------------- /SUPPORT.md: -------------------------------------------------------------------------------- 1 | # Support 2 | 3 | ## How to file issues and get help 4 | 5 | This project uses GitHub Issues to track bugs and feature requests. 
6 | Please search the existing issues before filing new issues to avoid duplicates. 7 | For new issues, file your bug or feature request as a new [Issue](https://github.com/microsoftgraph/msgraph-bicep-types/issues). 8 | 9 | 10 | For help and questions about using this project, please create a new [discussion](https://github.com/microsoftgraph/msgraph-bicep-types/discussions). 11 | 12 | ## Microsoft Support Policy 13 | 14 | Support for this **PROJECT or PRODUCT** is limited to the resources listed above. 15 | -------------------------------------------------------------------------------- /pipelines/common-templates/security-pre-checks.yml: -------------------------------------------------------------------------------- 1 | # Copyright (c) Microsoft Corporation. All rights reserved. 2 | # Licensed under the MIT License. 3 | 4 | steps: 5 | # CredScan 6 | - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@2 7 | displayName: "Run CredScan - Src" 8 | inputs: 9 | toolMajorVersion: "V2" 10 | scanFolder: '$(Build.SourcesDirectory)/src' 11 | debugMode: false 12 | 13 | - task: PoliCheck@1 14 | displayName: 'Run PoliCheck "/src"' 15 | inputs: 16 | inputType: CmdLine 17 | cmdLineArgs: '/F:$(Build.SourcesDirectory)/src /T:9 /Sev:"1|2" /PE:2 /O:poli_result_src.xml' 18 | -------------------------------------------------------------------------------- /quickstart-templates/application-serviceprincipal-create-client-resource/metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://aka.ms/azure-quickstart-templates-metadata-schema#", 3 | "type": "QuickStart", 4 | "itemDisplayName": "Create client and resource apps", 5 | "description": "This template creates a client application and a resource application, along with their service principals.", 6 | "summary": "This template creates a client application and a resource application, along with their service principals.", 7 | 
"githubUsername": "dkershaw10", 8 | "docOwner": "dkershaw10", 9 | "dateUpdated": "2025-03-17", 10 | "validationType": "Manual", 11 | "languages": ["bicep"] 12 | } -------------------------------------------------------------------------------- /quickstart-templates/create-client-app-sp-with-kv-cert/main.bicepparam: -------------------------------------------------------------------------------- 1 | using './main.bicep' 2 | 3 | param shortEnvironmentName = 'prod' 4 | param keyVaultNamePrefix = 'keyVault' 5 | param tags = { 6 | tag: shortEnvironmentName 7 | } 8 | param keysPermissions = [ 9 | 'list' 10 | ] 11 | param secretsPermissions = [ 12 | 'list' 13 | 'get' 14 | ] 15 | param identityName = 'managedIdentityForKV-${uniqueString(keyVaultNamePrefix)}' 16 | param certificatesPermissions = [ 17 | 'get' 18 | 'list' 19 | 'update' 20 | 'create' 21 | ] 22 | param certificateName = 'cert20240322-${uniqueString(keyVaultNamePrefix)}' 23 | param clientAppName = 'ClientAppKVCert' 24 | param subjectName = 'CN=contoso.com' 25 | -------------------------------------------------------------------------------- /src/swagger-generation/src/definitions/NavigationProperty.ts: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft Corporation. 2 | // Licensed under the MIT License. 
3 | 4 | import { Property } from "./Property"; 5 | import { CollectionProperty } from "./CollectionProperty"; 6 | 7 | export class NavigationProperty extends Property { 8 | ContainsTarget?: boolean; 9 | Target?: string; 10 | 11 | constructor(name: string, type: string | CollectionProperty, description: string, nullable: boolean | undefined, readonly: boolean | undefined, containsTarget: boolean | undefined, target: string | undefined) { 12 | super(name, type, description, nullable, readonly); 13 | this.ContainsTarget = containsTarget; 14 | this.Target = target; 15 | } 16 | } -------------------------------------------------------------------------------- /quickstart-templates/resource-application-access-grant-to-client-application/metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://aka.ms/azure-quickstart-templates-metadata-schema#", 3 | "type": "QuickStart", 4 | "itemDisplayName": "Grant a client app access to a resource app.", 5 | "description": "This template grants client app access to resource application by assigning the app role in the resource app to the client app.", 6 | "summary": "This template grants client app access to resource application by assigning the app role in the resource app to the client app.", 7 | "githubUsername": "dkershaw10", 8 | "docOwner": "dkershaw10", 9 | "dateUpdated": "2025-03-17", 10 | "validationType": "Manual", 11 | "languages": ["bicep"] 12 | } -------------------------------------------------------------------------------- /src/swagger-generation/src/definitions/EnumType.ts: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft Corporation. 2 | // Licensed under the MIT License. 
3 | 4 | import { Schemas } from "./Swagger"; 5 | 6 | export class EnumType { 7 | Name: string 8 | Member: Map 9 | 10 | constructor(name: string, member: Map) { 11 | this.Name = name; 12 | this.Member = member; 13 | } 14 | 15 | toSwaggerDefinition(): Schemas { 16 | const definition: Schemas = { 17 | type: "string", 18 | enum: [], 19 | }; 20 | 21 | this.Member.forEach((value: string, key: string) => { 22 | definition.enum.push(key); 23 | }); 24 | 25 | return definition; 26 | } 27 | } -------------------------------------------------------------------------------- /quickstart-templates-archive/security-group-assign-azure-role/main.bicep: -------------------------------------------------------------------------------- 1 | extension microsoftGraphV1 2 | 3 | @description('Specifies the Reader role definition ID used in the role assignment.') 4 | param readerRoleDefinitionID string = 'acdd72a7-3385-48ef-bd42-f606fba81ae7' 5 | 6 | resource group 'Microsoft.Graph/groups@v1.0' existing = { 7 | uniqueName: 'ExampleGroup' 8 | } 9 | 10 | var roleAssignmentName = guid('ExampleGroup', readerRoleDefinitionID, resourceGroup().id) 11 | resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { 12 | name: roleAssignmentName 13 | properties: { 14 | principalId: group.id 15 | roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', readerRoleDefinitionID) 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /src/Directory.Build.props: -------------------------------------------------------------------------------- 1 | 2 | 3 | true 4 | 10.0 5 | enable 6 | true 7 | true 8 | true 9 | true 10 | true 11 | © Microsoft Corporation. All rights reserved. 
12 | 13 | 14 | 15 | 16 | 17 | -------------------------------------------------------------------------------- /src/swagger-generation/tsconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | "compilerOptions": { 3 | "target": "es2019", /* Set the JavaScript language version for emitted JavaScript and include compatible library declarations. */ 4 | "module": "commonjs", /* Specify what module code is generated. */ 5 | "esModuleInterop": true, /* Emit additional JavaScript to ease support for importing CommonJS modules. This enables 'allowSyntheticDefaultImports' for type compatibility. */ 6 | "forceConsistentCasingInFileNames": true, /* Ensure that casing is correct in imports. */ 7 | "strict": true, /* Enable all strict type-checking options. */ 8 | "skipLibCheck": true /* Skip type checking all .d.ts files. */ 9 | }, 10 | "include": [ 11 | "src/**/*.ts", 12 | "tests/**/*.ts" 13 | ] 14 | } -------------------------------------------------------------------------------- /pipelines/common-templates/install-tools.yml: -------------------------------------------------------------------------------- 1 | # Copyright (c) Microsoft Corporation. All rights reserved. 2 | # Licensed under the MIT License. 3 | 4 | steps: 5 | - task: UseDotNet@2 6 | displayName: "Use .NET 2" # needed for ESRP signing 7 | inputs: 8 | version: 2.x 9 | 10 | - task: UseDotNet@2 11 | displayName: "Use .NET 6" 12 | inputs: 13 | version: 6.x 14 | 15 | - task: UseDotNet@2 16 | displayName: "Use .NET 8" 17 | inputs: 18 | version: 8.x 19 | 20 | # Install the nuget tool. 
21 | - task: NuGetToolInstaller@1 22 | displayName: "Use NuGet >=5.2.0" 23 | inputs: 24 | versionSpec: ">=5.2.0" 25 | checkLatest: true 26 | 27 | - task: NodeTool@0 28 | displayName: Install NodeJs 29 | inputs: 30 | versionSpec: "18.16.x" 31 | -------------------------------------------------------------------------------- /src/autorest.bicep/README.md: -------------------------------------------------------------------------------- 1 | # AutoRest extension configuration 2 | 3 | ```yaml 4 | modelerfour: 5 | # this runs a pre-namer step to clean up names 6 | prenamer: true 7 | # this will make the content-type parameter always specified 8 | always-create-content-type-parameter: true 9 | # enables parameter grouping via x-ms-parameter-grouping 10 | group-parameters: true 11 | # don't return errors for deduplication failures 12 | additional-checks: false 13 | lenient-model-deduplication: true 14 | 15 | pipeline: 16 | bicep: # <- name of plugin 17 | input: modelerfour/identity 18 | output-artifact: bicep-files 19 | 20 | bicep/emitter: 21 | input: bicep 22 | scope: bicep-scope/emitter 23 | 24 | bicep-scope/emitter: 25 | input-artifact: bicep-files 26 | 27 | output-artifact: bicep-files 28 | ``` -------------------------------------------------------------------------------- /quickstart-templates/security-group-create-with-owners-and-members/metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://aka.ms/azure-quickstart-templates-metadata-schema#", 3 | "type": "QuickStart", 4 | "itemDisplayName": "Create an Entra security group with members and owners", 5 | "description": "This template allows you to create a security group with members and owners. Both \"members\" and \"owners\" use the MicrosoftGraphRelationship type. The resource service principal created previously in the \"application-serviceprincipal-create-client-resource\" quickstart is added to the owners. 
A managed identity is created and added to the members too.", 6 | "githubUsername": "dkershaw10", 7 | "docOwner": "dkershaw10", 8 | "dateUpdated": "2025-03-17", 9 | "validationType": "Manual", 10 | "languages": ["bicep"] 11 | } -------------------------------------------------------------------------------- /samples/deploy-template/grant-deployment-app-arm-and-graph-scopes/metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://aka.ms/azure-quickstart-templates-metadata-schema#", 3 | "type": "QuickStart", 4 | "itemDisplayName": "Create an app to call Microsoft Graph and ARM APIs", 5 | "description": "This template configures an app with OAuth2.0 scopes to call Microsoft Graph and ARM APIs. It creates a client application and grants OAuth2.0 scopes to the client application. The deployer can select which Microsoft Graph OAuth2.0 scopes are used.", 6 | "summary": "This template configures an app with OAuth2.0 scopes to call Microsoft Graph and ARM APIs.", 7 | "githubUsername": "dkershaw10", 8 | "docOwner": "dkershaw10", 9 | "dateUpdated": "2025-07-24", 10 | "validationType": "Manual", 11 | "languages": ["bicep"] 12 | } -------------------------------------------------------------------------------- /src/Microsoft.Graph.Bicep.Types.UnitTests/Microsoft.Graph.Bicep.Types.UnitTests.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | net6.0 5 | false 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | -------------------------------------------------------------------------------- /pipelines/common-variables.yml: -------------------------------------------------------------------------------- 1 | # Copyright (c) Microsoft Corporation. All rights reserved. 2 | # Licensed under the MIT License. 
3 | 4 | variables: 5 | BuildPlatform: "Any CPU" 6 | BuildConfiguration: "Release" 7 | ArtifactName: "GeneratedFiles" 8 | ProductBinPath: '$(Build.SourcesDirectory)/src/Microsoft.Graph.Bicep.Types/bin/$(BuildConfiguration)' 9 | BuildSolution: '$(Build.SourcesDirectory)/Microsoft.Graph.Bicep.Types.sln' 10 | SwaggerFilePath: '$(Build.SourcesDirectory)/swagger/specification/microsoftgraph/resource-manager/microsoftgraph' 11 | AutoRestWorkingDir: "$(Build.SourcesDirectory)/src/autorest.bicep" 12 | BicepTypesWorkingDir: "$(Build.SourcesDirectory)/bicep-types/src/bicep-types" 13 | GeneratorWorkingdir: "$(Build.SourcesDirectory)/src/generator" 14 | SwaggerGenerationWorkingDir: "$(Build.SourcesDirectory)/src/swagger-generation" 15 | -------------------------------------------------------------------------------- /generated/microsoftgraph/microsoft.graph/beta/0.1.7-preview/index.json: -------------------------------------------------------------------------------- 1 | { 2 | "resources": { 3 | "Microsoft.Graph/groups@beta": { 4 | "$ref": "types.json#/17" 5 | }, 6 | "Microsoft.Graph/applications@beta": { 7 | "$ref": "types.json#/70" 8 | }, 9 | "Microsoft.Graph/servicePrincipals@beta": { 10 | "$ref": "types.json#/88" 11 | }, 12 | "Microsoft.Graph/applications/federatedIdentityCredentials@beta": { 13 | "$ref": "types.json#/93" 14 | }, 15 | "Microsoft.Graph/oauth2PermissionGrants@beta": { 16 | "$ref": "types.json#/97" 17 | }, 18 | "Microsoft.Graph/appRoleAssignedTo@beta": { 19 | "$ref": "types.json#/101" 20 | } 21 | }, 22 | "resourceFunctions": {}, 23 | "settings": { 24 | "name": "MicrosoftGraphBeta", 25 | "version": "0.1.7-preview", 26 | "isSingleton": false 27 | } 28 | } -------------------------------------------------------------------------------- /generated/microsoftgraph/microsoft.graph/v1.0/0.1.7-preview/index.json: -------------------------------------------------------------------------------- 1 | { 2 | "resources": { 3 | "Microsoft.Graph/groups@v1.0": { 4 | "$ref": 
"types.json#/13" 5 | }, 6 | "Microsoft.Graph/applications@v1.0": { 7 | "$ref": "types.json#/70" 8 | }, 9 | "Microsoft.Graph/servicePrincipals@v1.0": { 10 | "$ref": "types.json#/88" 11 | }, 12 | "Microsoft.Graph/applications/federatedIdentityCredentials@v1.0": { 13 | "$ref": "types.json#/93" 14 | }, 15 | "Microsoft.Graph/oauth2PermissionGrants@v1.0": { 16 | "$ref": "types.json#/97" 17 | }, 18 | "Microsoft.Graph/appRoleAssignedTo@v1.0": { 19 | "$ref": "types.json#/101" 20 | } 21 | }, 22 | "resourceFunctions": {}, 23 | "settings": { 24 | "name": "MicrosoftGraphV1.0", 25 | "version": "0.1.7-preview", 26 | "isSingleton": false 27 | } 28 | } -------------------------------------------------------------------------------- /generated/microsoftgraph/microsoft.graph/v1.0/0.1.8-preview/index.json: -------------------------------------------------------------------------------- 1 | { 2 | "resources": { 3 | "Microsoft.Graph/groups@v1.0": { 4 | "$ref": "types.json#/13" 5 | }, 6 | "Microsoft.Graph/applications@v1.0": { 7 | "$ref": "types.json#/70" 8 | }, 9 | "Microsoft.Graph/servicePrincipals@v1.0": { 10 | "$ref": "types.json#/88" 11 | }, 12 | "Microsoft.Graph/applications/federatedIdentityCredentials@v1.0": { 13 | "$ref": "types.json#/93" 14 | }, 15 | "Microsoft.Graph/oauth2PermissionGrants@v1.0": { 16 | "$ref": "types.json#/97" 17 | }, 18 | "Microsoft.Graph/appRoleAssignedTo@v1.0": { 19 | "$ref": "types.json#/101" 20 | } 21 | }, 22 | "resourceFunctions": {}, 23 | "settings": { 24 | "name": "MicrosoftGraph", 25 | "version": "0.1.8-preview", 26 | "isSingleton": false 27 | } 28 | } -------------------------------------------------------------------------------- /generated/microsoftgraph/microsoft.graph/beta/0.1.8-preview/index.json: -------------------------------------------------------------------------------- 1 | { 2 | "resources": { 3 | "Microsoft.Graph/groups@beta": { 4 | "$ref": "types.json#/17" 5 | }, 6 | "Microsoft.Graph/applications@beta": { 7 | "$ref": "types.json#/73" 8 
| }, 9 | "Microsoft.Graph/servicePrincipals@beta": { 10 | "$ref": "types.json#/91" 11 | }, 12 | "Microsoft.Graph/applications/federatedIdentityCredentials@beta": { 13 | "$ref": "types.json#/96" 14 | }, 15 | "Microsoft.Graph/oauth2PermissionGrants@beta": { 16 | "$ref": "types.json#/100" 17 | }, 18 | "Microsoft.Graph/appRoleAssignedTo@beta": { 19 | "$ref": "types.json#/104" 20 | } 21 | }, 22 | "resourceFunctions": {}, 23 | "settings": { 24 | "name": "MicrosoftGraphBeta", 25 | "version": "0.1.8-preview", 26 | "isSingleton": false 27 | } 28 | } -------------------------------------------------------------------------------- /generated/microsoftgraph/microsoft.graph/v1.0/0.1.7-preview/index.md: -------------------------------------------------------------------------------- 1 | # Bicep Types 2 | ## microsoft.graph 3 | ### microsoft.graph/applications 4 | * **Link**: [v1.0](types.md#resource-microsoftgraphapplicationsv10) 5 | 6 | ### microsoft.graph/applications/federatedidentitycredentials 7 | * **Link**: [v1.0](types.md#resource-microsoftgraphapplicationsfederatedidentitycredentialsv10) 8 | 9 | ### microsoft.graph/approleassignedto 10 | * **Link**: [v1.0](types.md#resource-microsoftgraphapproleassignedtov10) 11 | 12 | ### microsoft.graph/groups 13 | * **Link**: [v1.0](types.md#resource-microsoftgraphgroupsv10) 14 | 15 | ### microsoft.graph/oauth2permissiongrants 16 | * **Link**: [v1.0](types.md#resource-microsoftgraphoauth2permissiongrantsv10) 17 | 18 | ### microsoft.graph/serviceprincipals 19 | * **Link**: [v1.0](types.md#resource-microsoftgraphserviceprincipalsv10) 20 | 21 | -------------------------------------------------------------------------------- /generated/microsoftgraph/microsoft.graph/v1.0/0.1.8-preview/index.md: -------------------------------------------------------------------------------- 1 | # Bicep Types 2 | ## microsoft.graph 3 | ### microsoft.graph/applications 4 | * **Link**: [v1.0](types.md#resource-microsoftgraphapplicationsv10) 5 | 6 | ### 
microsoft.graph/applications/federatedidentitycredentials 7 | * **Link**: [v1.0](types.md#resource-microsoftgraphapplicationsfederatedidentitycredentialsv10) 8 | 9 | ### microsoft.graph/approleassignedto 10 | * **Link**: [v1.0](types.md#resource-microsoftgraphapproleassignedtov10) 11 | 12 | ### microsoft.graph/groups 13 | * **Link**: [v1.0](types.md#resource-microsoftgraphgroupsv10) 14 | 15 | ### microsoft.graph/oauth2permissiongrants 16 | * **Link**: [v1.0](types.md#resource-microsoftgraphoauth2permissiongrantsv10) 17 | 18 | ### microsoft.graph/serviceprincipals 19 | * **Link**: [v1.0](types.md#resource-microsoftgraphserviceprincipalsv10) 20 | 21 | -------------------------------------------------------------------------------- /generated/microsoftgraph/microsoft.graph/beta/0.1.7-preview/index.md: -------------------------------------------------------------------------------- 1 | # Bicep Types 2 | ## microsoft.graph 3 | ### microsoft.graph/applications 4 | * **Link**: [beta](types.md#resource-microsoftgraphapplicationsbeta) 5 | 6 | ### microsoft.graph/applications/federatedidentitycredentials 7 | * **Link**: [beta](types.md#resource-microsoftgraphapplicationsfederatedidentitycredentialsbeta) 8 | 9 | ### microsoft.graph/approleassignedto 10 | * **Link**: [beta](types.md#resource-microsoftgraphapproleassignedtobeta) 11 | 12 | ### microsoft.graph/groups 13 | * **Link**: [beta](types.md#resource-microsoftgraphgroupsbeta) 14 | 15 | ### microsoft.graph/oauth2permissiongrants 16 | * **Link**: [beta](types.md#resource-microsoftgraphoauth2permissiongrantsbeta) 17 | 18 | ### microsoft.graph/serviceprincipals 19 | * **Link**: [beta](types.md#resource-microsoftgraphserviceprincipalsbeta) 20 | 21 | -------------------------------------------------------------------------------- /generated/microsoftgraph/microsoft.graph/beta/0.1.8-preview/index.md: -------------------------------------------------------------------------------- 1 | # Bicep Types 2 | ## microsoft.graph 3 | ### 
microsoft.graph/applications 4 | * **Link**: [beta](types.md#resource-microsoftgraphapplicationsbeta) 5 | 6 | ### microsoft.graph/applications/federatedidentitycredentials 7 | * **Link**: [beta](types.md#resource-microsoftgraphapplicationsfederatedidentitycredentialsbeta) 8 | 9 | ### microsoft.graph/approleassignedto 10 | * **Link**: [beta](types.md#resource-microsoftgraphapproleassignedtobeta) 11 | 12 | ### microsoft.graph/groups 13 | * **Link**: [beta](types.md#resource-microsoftgraphgroupsbeta) 14 | 15 | ### microsoft.graph/oauth2permissiongrants 16 | * **Link**: [beta](types.md#resource-microsoftgraphoauth2permissiongrantsbeta) 17 | 18 | ### microsoft.graph/serviceprincipals 19 | * **Link**: [beta](types.md#resource-microsoftgraphserviceprincipalsbeta) 20 | 21 | -------------------------------------------------------------------------------- /quickstart-templates/resource-application-access-grant-to-client-application/main.bicep: -------------------------------------------------------------------------------- 1 | extension microsoftGraphV1 2 | 3 | @description('Id of the application role to add to the resource app') 4 | param appRoleId string 5 | 6 | resource resourceApp 'Microsoft.Graph/applications@v1.0' existing = { 7 | uniqueName: 'ExampleResourceApp' 8 | } 9 | 10 | resource resourceSp 'Microsoft.Graph/servicePrincipals@v1.0' existing = { 11 | appId: resourceApp.appId 12 | } 13 | 14 | resource clientApp 'Microsoft.Graph/applications@v1.0' existing = { 15 | uniqueName: 'ExampleClientApp' 16 | } 17 | 18 | resource clientSp 'Microsoft.Graph/servicePrincipals@v1.0' existing = { 19 | appId: clientApp.appId 20 | } 21 | 22 | resource appRoleAssignment 'Microsoft.Graph/appRoleAssignedTo@v1.0' = { 23 | principalId: clientSp.id 24 | resourceId: resourceSp.id 25 | appRoleId: appRoleId 26 | } 27 | -------------------------------------------------------------------------------- /src/Microsoft.Graph.Bicep.Types/MicrosoftGraphTypeLoader.cs: 
-------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft Corporation. 2 | // Licensed under the MIT License. 3 | using System; 4 | using System.IO; 5 | using System.IO.Compression; 6 | using Azure.Bicep.Types; 7 | 8 | namespace Microsoft.Graph.Bicep.Types 9 | { 10 | public class MicrosoftGraphTypeLoader : TypeLoader 11 | { 12 | protected override Stream GetContentStreamAtPath(string path) 13 | { 14 | var fileStream = typeof(MicrosoftGraphTypeLoader).Assembly.GetManifestResourceStream($"{path}.deflated"); 15 | if (fileStream is null) 16 | { 17 | throw new ArgumentException($"Unable to locate manifest resource at path {path}", nameof(path)); 18 | } 19 | 20 | return new DeflateStream(fileStream, CompressionMode.Decompress); 21 | } 22 | } 23 | } 24 | 25 | -------------------------------------------------------------------------------- /src/generator/.eslintrc.js: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft Corporation. 2 | // Licensed under the MIT License. 
3 | module.exports = { 4 | root: true, 5 | parser: "@typescript-eslint/parser", 6 | parserOptions: { 7 | ecmaVersion: 2020, 8 | sourceType: "module", 9 | }, 10 | plugins: ["header"], 11 | extends: ["eslint:recommended"], 12 | ignorePatterns: ["/out/**/*"], 13 | rules: { 14 | "header/header": [ 15 | 2, 16 | "line", 17 | [ 18 | " Copyright (c) Microsoft Corporation.", 19 | " Licensed under the MIT License.", 20 | ], 21 | ], 22 | }, 23 | overrides: [ 24 | { 25 | files: ["*.ts"], 26 | extends: [ 27 | "plugin:@typescript-eslint/recommended", 28 | ], 29 | rules: { 30 | }, 31 | }, 32 | { 33 | files: ["*.js"], 34 | env: { node: true }, 35 | }, 36 | ], 37 | }; 38 | -------------------------------------------------------------------------------- /quickstart-templates/security-group-add-user-members/metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://aka.ms/azure-quickstart-templates-metadata-schema#", 3 | "type": "QuickStart", 4 | "itemDisplayName": "Configure a security group's user members.", 5 | "description": "This template creates a security group and adds users, referenced via their UPNs, as members. It demonstrates use of the read-only [`Microsoft.Graph/Users` bicep type][users-ref] which allows you to fetch `user` resources by their user principal name (UPN). 
The list of users to be added as members is in a txt file, with each user's UPN on a separate line.
identity as the credential (configured as part of the application's federated identity credential). It also creates other resources, that enable you to test using the application to call Microsoft Graph, all without any application secret or certificate.", 6 | "summary": "This template creates a secret-less client application, using a user-assigned managed identity as the credential.", 7 | "githubUsername": "dkershaw10", 8 | "docOwner": "dkershaw10", 9 | "dateUpdated": "2025-03-17", 10 | "validationType": "Manual", 11 | "languages": ["bicep"] 12 | } -------------------------------------------------------------------------------- /generated/microsoftgraph/microsoft.graph/v1.0/0.1.9-preview/index.json: -------------------------------------------------------------------------------- 1 | { 2 | "resources": { 3 | "Microsoft.Graph/groups@v1.0": { 4 | "$ref": "types.json#/13" 5 | }, 6 | "Microsoft.Graph/applications@v1.0": { 7 | "$ref": "types.json#/70" 8 | }, 9 | "Microsoft.Graph/servicePrincipals@v1.0": { 10 | "$ref": "types.json#/88" 11 | }, 12 | "Microsoft.Graph/applications/federatedIdentityCredentials@v1.0": { 13 | "$ref": "types.json#/93" 14 | }, 15 | "Microsoft.Graph/oauth2PermissionGrants@v1.0": { 16 | "$ref": "types.json#/97" 17 | }, 18 | "Microsoft.Graph/appRoleAssignedTo@v1.0": { 19 | "$ref": "types.json#/101" 20 | }, 21 | "Microsoft.Graph/users@v1.0": { 22 | "$ref": "types.json#/106" 23 | } 24 | }, 25 | "resourceFunctions": {}, 26 | "settings": { 27 | "name": "MicrosoftGraph", 28 | "version": "0.1.9-preview", 29 | "isSingleton": false 30 | } 31 | } -------------------------------------------------------------------------------- /quickstart-templates/create-client-app-with-logo/main.bicep: -------------------------------------------------------------------------------- 1 | extension microsoftGraphV1 2 | 3 | // TEMPLATE DESCRIPTION 4 | /* Simple template that demonstrates creating an Entra application 5 | with a logo. 
6 | 7 | It reads back the logo CDN location from application.info.logoUrl. 8 | NOTE: there's a delay until the logo CDN location is set on the app 9 | so you may see the "Not yet set" response. 10 | */ 11 | 12 | param date string 13 | param displayName string? 14 | 15 | var app = 'myApp' 16 | 17 | var logoImage = loadFileAsBase64('./logoImageFile.png') 18 | 19 | resource clientApp 'Microsoft.Graph/applications@v1.0' = { 20 | displayName: displayName == null ? '${app}-${date}' :'${displayName}-${app}-${date}' 21 | uniqueName: uniqueString(app, date) 22 | logo: logoImage 23 | } 24 | 25 | output appName string = clientApp.displayName 26 | output logoUrl string = clientApp.info.logoUrl == null ? 'Not yet set' : clientApp.info.logoUrl 27 | -------------------------------------------------------------------------------- /generated/microsoftgraph/microsoft.graph/beta/0.1.9-preview/index.json: -------------------------------------------------------------------------------- 1 | { 2 | "resources": { 3 | "Microsoft.Graph/groups@beta": { 4 | "$ref": "types.json#/18" 5 | }, 6 | "Microsoft.Graph/applications@beta": { 7 | "$ref": "types.json#/74" 8 | }, 9 | "Microsoft.Graph/servicePrincipals@beta": { 10 | "$ref": "types.json#/92" 11 | }, 12 | "Microsoft.Graph/applications/federatedIdentityCredentials@beta": { 13 | "$ref": "types.json#/97" 14 | }, 15 | "Microsoft.Graph/oauth2PermissionGrants@beta": { 16 | "$ref": "types.json#/101" 17 | }, 18 | "Microsoft.Graph/appRoleAssignedTo@beta": { 19 | "$ref": "types.json#/105" 20 | }, 21 | "Microsoft.Graph/users@beta": { 22 | "$ref": "types.json#/110" 23 | } 24 | }, 25 | "resourceFunctions": {}, 26 | "settings": { 27 | "name": "MicrosoftGraphBeta", 28 | "version": "0.1.9-preview", 29 | "isSingleton": false 30 | } 31 | } -------------------------------------------------------------------------------- /samples/deploy-template/deploy-template.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 
| Exe 5 | net9.0 6 | DeployTemplate 7 | deploy-template 8 | enable 9 | enable 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | PreserveNewest 20 | 21 | 22 | 23 | 24 | -------------------------------------------------------------------------------- /generated/microsoftgraph/microsoft.graph/v1.0/1.0.0/index.md: -------------------------------------------------------------------------------- 1 | # Bicep Types 2 | ## microsoft.graph 3 | ### microsoft.graph/applications 4 | * **Link**: [v1.0](types.md#resource-microsoftgraphapplicationsv10) 5 | 6 | ### microsoft.graph/applications/federatedidentitycredentials 7 | * **Link**: [v1.0](types.md#resource-microsoftgraphapplicationsfederatedidentitycredentialsv10) 8 | 9 | ### microsoft.graph/approleassignedto 10 | * **Link**: [v1.0](types.md#resource-microsoftgraphapproleassignedtov10) 11 | 12 | ### microsoft.graph/groups 13 | * **Link**: [v1.0](types.md#resource-microsoftgraphgroupsv10) 14 | 15 | ### microsoft.graph/oauth2permissiongrants 16 | * **Link**: [v1.0](types.md#resource-microsoftgraphoauth2permissiongrantsv10) 17 | 18 | ### microsoft.graph/serviceprincipals 19 | * **Link**: [v1.0](types.md#resource-microsoftgraphserviceprincipalsv10) 20 | 21 | ### microsoft.graph/users 22 | * **Link**: [v1.0](types.md#resource-microsoftgraphusersv10) 23 | 24 | -------------------------------------------------------------------------------- /quickstart-templates/create-client-app-sp-with-kv-cert/metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://aka.ms/azure-quickstart-templates-metadata-schema#", 3 | "type": "QuickStart", 4 | "itemDisplayName": "Create an app with an X509 certificate using Key Vault.", 5 | "description": "This template creates a Key Vault, through which the authorized managed identity can add an X509 certificate (if it doesn't exist) and get the certificate's public key (base64 encoded), along with the thumbprint and other metadata. 
Finally, the template creates the client application resource using the certificate public key as its credential, followed by creation of the service principal.
microsoft.graph/applications/federatedidentitycredentials 7 | * **Link**: [v1.0](types.md#resource-microsoftgraphapplicationsfederatedidentitycredentialsv10) 8 | 9 | ### microsoft.graph/approleassignedto 10 | * **Link**: [v1.0](types.md#resource-microsoftgraphapproleassignedtov10) 11 | 12 | ### microsoft.graph/groups 13 | * **Link**: [v1.0](types.md#resource-microsoftgraphgroupsv10) 14 | 15 | ### microsoft.graph/oauth2permissiongrants 16 | * **Link**: [v1.0](types.md#resource-microsoftgraphoauth2permissiongrantsv10) 17 | 18 | ### microsoft.graph/serviceprincipals 19 | * **Link**: [v1.0](types.md#resource-microsoftgraphserviceprincipalsv10) 20 | 21 | ### microsoft.graph/users 22 | * **Link**: [v1.0](types.md#resource-microsoftgraphusersv10) 23 | 24 | -------------------------------------------------------------------------------- /generated/microsoftgraph/microsoft.graph/v1.0/0.2.0-preview/index.md: -------------------------------------------------------------------------------- 1 | # Bicep Types 2 | ## microsoft.graph 3 | ### microsoft.graph/applications 4 | * **Link**: [v1.0](types.md#resource-microsoftgraphapplicationsv10) 5 | 6 | ### microsoft.graph/applications/federatedidentitycredentials 7 | * **Link**: [v1.0](types.md#resource-microsoftgraphapplicationsfederatedidentitycredentialsv10) 8 | 9 | ### microsoft.graph/approleassignedto 10 | * **Link**: [v1.0](types.md#resource-microsoftgraphapproleassignedtov10) 11 | 12 | ### microsoft.graph/groups 13 | * **Link**: [v1.0](types.md#resource-microsoftgraphgroupsv10) 14 | 15 | ### microsoft.graph/oauth2permissiongrants 16 | * **Link**: [v1.0](types.md#resource-microsoftgraphoauth2permissiongrantsv10) 17 | 18 | ### microsoft.graph/serviceprincipals 19 | * **Link**: [v1.0](types.md#resource-microsoftgraphserviceprincipalsv10) 20 | 21 | ### microsoft.graph/users 22 | * **Link**: [v1.0](types.md#resource-microsoftgraphusersv10) 23 | 24 | -------------------------------------------------------------------------------- 
/quickstart-templates/apps-permissions-and-grants/metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://aka.ms/azure-quickstart-templates-metadata-schema#", 3 | "type": "QuickStart", 4 | "itemDisplayName": "Configure an app with scopes to call Microsoft Graph", 5 | "description": "This template configures an app with OAuth2.0 scopes to call Microsoft Graph. It creates a client application and, depending on the mode parameter, either sets the required resource access on the client application definition or grants OAuth2.0 scopes to the client application. In either case, the target resource used is Microsoft Graph, and the deployer can select which Microsoft Graph OAuth2.0 scopes are used.", 6 | "summary": "This template configures an app with OAuth2.0 scopes to call Microsoft Graph.", 7 | "githubUsername": "dkershaw10", 8 | "docOwner": "dkershaw10", 9 | "dateUpdated": "2025-03-17", 10 | "validationType": "Manual", 11 | "languages": ["bicep"] 12 | } -------------------------------------------------------------------------------- /generated/microsoftgraph/microsoft.graph/beta/0.1.9-preview/index.md: -------------------------------------------------------------------------------- 1 | # Bicep Types 2 | ## microsoft.graph 3 | ### microsoft.graph/applications 4 | * **Link**: [beta](types.md#resource-microsoftgraphapplicationsbeta) 5 | 6 | ### microsoft.graph/applications/federatedidentitycredentials 7 | * **Link**: [beta](types.md#resource-microsoftgraphapplicationsfederatedidentitycredentialsbeta) 8 | 9 | ### microsoft.graph/approleassignedto 10 | * **Link**: [beta](types.md#resource-microsoftgraphapproleassignedtobeta) 11 | 12 | ### microsoft.graph/groups 13 | * **Link**: [beta](types.md#resource-microsoftgraphgroupsbeta) 14 | 15 | ### microsoft.graph/oauth2permissiongrants 16 | * **Link**: [beta](types.md#resource-microsoftgraphoauth2permissiongrantsbeta) 17 | 18 | ### 
microsoft.graph/serviceprincipals 19 | * **Link**: [beta](types.md#resource-microsoftgraphserviceprincipalsbeta) 20 | 21 | ### microsoft.graph/users 22 | * **Link**: [beta](types.md#resource-microsoftgraphusersbeta) 23 | 24 | -------------------------------------------------------------------------------- /generated/microsoftgraph/microsoft.graph/beta/0.2.0-preview/index.md: -------------------------------------------------------------------------------- 1 | # Bicep Types 2 | ## microsoft.graph 3 | ### microsoft.graph/applications 4 | * **Link**: [beta](types.md#resource-microsoftgraphapplicationsbeta) 5 | 6 | ### microsoft.graph/applications/federatedidentitycredentials 7 | * **Link**: [beta](types.md#resource-microsoftgraphapplicationsfederatedidentitycredentialsbeta) 8 | 9 | ### microsoft.graph/approleassignedto 10 | * **Link**: [beta](types.md#resource-microsoftgraphapproleassignedtobeta) 11 | 12 | ### microsoft.graph/groups 13 | * **Link**: [beta](types.md#resource-microsoftgraphgroupsbeta) 14 | 15 | ### microsoft.graph/oauth2permissiongrants 16 | * **Link**: [beta](types.md#resource-microsoftgraphoauth2permissiongrantsbeta) 17 | 18 | ### microsoft.graph/serviceprincipals 19 | * **Link**: [beta](types.md#resource-microsoftgraphserviceprincipalsbeta) 20 | 21 | ### microsoft.graph/users 22 | * **Link**: [beta](types.md#resource-microsoftgraphusersbeta) 23 | 24 | -------------------------------------------------------------------------------- /quickstart-templates-archive/security-group-assign-azure-role/README.md: -------------------------------------------------------------------------------- 1 | # Assign an Azure role to a security group 2 | 3 | > **Note1**: Minimum Bicep version required to deploy this quickstart template is [v0.30.3](https://github.com/Azure/bicep/releases/tag/v0.30.3). 
4 | 5 | > **Note2**: This template depends on a successful deployment of [security-group-create-with-owners-and-members](../security-group-create-with-owners-and-members) 6 | 7 | This template allows you to assign an Azure Reader role to an existing security group. 8 | 9 | * The Reader role definition ID is set as a parameter in the template. You can find other Azure built-in roles [here](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles) 10 | 11 | You can deploy the template with the following Azure CLI command (replace `<resource-group-name>` with the name of your resource group): 12 | 13 | ```sh 14 | az deployment group create --resource-group <resource-group-name> --template-file main.bicep 15 | ``` 16 | -------------------------------------------------------------------------------- /generated/microsoftgraph/microsoft.graph/v1.0/1.0.0/index.json: -------------------------------------------------------------------------------- 1 | { 2 | "resources": { 3 | "Microsoft.Graph/groups@v1.0": { 4 | "$ref": "types.json#/16" 5 | }, 6 | "Microsoft.Graph/applications@v1.0": { 7 | "$ref": "types.json#/74" 8 | }, 9 | "Microsoft.Graph/servicePrincipals@v1.0": { 10 | "$ref": "types.json#/92" 11 | }, 12 | "Microsoft.Graph/applications/federatedIdentityCredentials@v1.0": { 13 | "$ref": "types.json#/97" 14 | }, 15 | "Microsoft.Graph/oauth2PermissionGrants@v1.0": { 16 | "$ref": "types.json#/101" 17 | }, 18 | "Microsoft.Graph/appRoleAssignedTo@v1.0": { 19 | "$ref": "types.json#/105" 20 | }, 21 | "Microsoft.Graph/users@v1.0": { 22 | "$ref": "types.json#/110" 23 | } 24 | }, 25 | "resourceFunctions": {}, 26 | "settings": { 27 | "name": "MicrosoftGraph", 28 | "version": "1.0.0", 29 | "isSingleton": false, 30 | "configurationType": { 31 | "$ref": "types.json#/111" 32 | } 33 | } 34 | } -------------------------------------------------------------------------------- /generated/microsoftgraph/microsoft.graph/beta/1.0.0/index.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "resources": { 3 | "Microsoft.Graph/groups@beta": { 4 | "$ref": "types.json#/21" 5 | }, 6 | "Microsoft.Graph/applications@beta": { 7 | "$ref": "types.json#/77" 8 | }, 9 | "Microsoft.Graph/servicePrincipals@beta": { 10 | "$ref": "types.json#/95" 11 | }, 12 | "Microsoft.Graph/applications/federatedIdentityCredentials@beta": { 13 | "$ref": "types.json#/101" 14 | }, 15 | "Microsoft.Graph/oauth2PermissionGrants@beta": { 16 | "$ref": "types.json#/105" 17 | }, 18 | "Microsoft.Graph/appRoleAssignedTo@beta": { 19 | "$ref": "types.json#/109" 20 | }, 21 | "Microsoft.Graph/users@beta": { 22 | "$ref": "types.json#/114" 23 | } 24 | }, 25 | "resourceFunctions": {}, 26 | "settings": { 27 | "name": "MicrosoftGraphBeta", 28 | "version": "1.0.0", 29 | "isSingleton": false, 30 | "configurationType": { 31 | "$ref": "types.json#/115" 32 | } 33 | } 34 | } -------------------------------------------------------------------------------- /generated/microsoftgraph/microsoft.graph/v1.0/0.2.0-preview/index.json: -------------------------------------------------------------------------------- 1 | { 2 | "resources": { 3 | "Microsoft.Graph/groups@v1.0": { 4 | "$ref": "types.json#/16" 5 | }, 6 | "Microsoft.Graph/applications@v1.0": { 7 | "$ref": "types.json#/74" 8 | }, 9 | "Microsoft.Graph/servicePrincipals@v1.0": { 10 | "$ref": "types.json#/92" 11 | }, 12 | "Microsoft.Graph/applications/federatedIdentityCredentials@v1.0": { 13 | "$ref": "types.json#/97" 14 | }, 15 | "Microsoft.Graph/oauth2PermissionGrants@v1.0": { 16 | "$ref": "types.json#/101" 17 | }, 18 | "Microsoft.Graph/appRoleAssignedTo@v1.0": { 19 | "$ref": "types.json#/105" 20 | }, 21 | "Microsoft.Graph/users@v1.0": { 22 | "$ref": "types.json#/110" 23 | } 24 | }, 25 | "resourceFunctions": {}, 26 | "settings": { 27 | "name": "MicrosoftGraph", 28 | "version": "0.2.0-preview", 29 | "isSingleton": false, 30 | "configurationType": { 31 | "$ref": 
"types.json#/111" 32 | } 33 | } 34 | } -------------------------------------------------------------------------------- /src/swagger-generation/tests/definitions/EnumType.test.ts: -------------------------------------------------------------------------------- 1 | import { EnumType } from "../../src/definitions/EnumType"; 2 | 3 | describe('EnumType', () => { 4 | it('should create an instance with the correct properties', () => { 5 | const name = 'TestEnumType'; 6 | const member = new Map([ 7 | ['Member1', 'Value1'], 8 | ['Member2', 'Value2'], 9 | ]); 10 | 11 | const enumType = new EnumType(name, member); 12 | 13 | expect(enumType.Name).toBe(name); 14 | expect(enumType.Member).toEqual(member); 15 | }); 16 | 17 | it('should convert to a Swagger definition', () => { 18 | const name = 'TestEnumType'; 19 | const member = new Map([ 20 | ['Member1', 'Value1'], 21 | ['Member2', 'Value2'], 22 | ]); 23 | const enumType = new EnumType(name, member); 24 | 25 | const definition = enumType.toSwaggerDefinition(); 26 | 27 | expect(definition.type).toBe('string'); 28 | expect(definition.enum).toEqual(['Member1', 'Member2']); 29 | }); 30 | }); -------------------------------------------------------------------------------- /generated/microsoftgraph/microsoft.graph/beta/0.2.0-preview/index.json: -------------------------------------------------------------------------------- 1 | { 2 | "resources": { 3 | "Microsoft.Graph/groups@beta": { 4 | "$ref": "types.json#/21" 5 | }, 6 | "Microsoft.Graph/applications@beta": { 7 | "$ref": "types.json#/77" 8 | }, 9 | "Microsoft.Graph/servicePrincipals@beta": { 10 | "$ref": "types.json#/95" 11 | }, 12 | "Microsoft.Graph/applications/federatedIdentityCredentials@beta": { 13 | "$ref": "types.json#/101" 14 | }, 15 | "Microsoft.Graph/oauth2PermissionGrants@beta": { 16 | "$ref": "types.json#/105" 17 | }, 18 | "Microsoft.Graph/appRoleAssignedTo@beta": { 19 | "$ref": "types.json#/109" 20 | }, 21 | "Microsoft.Graph/users@beta": { 22 | "$ref": 
"types.json#/114" 23 | } 24 | }, 25 | "resourceFunctions": {}, 26 | "settings": { 27 | "name": "MicrosoftGraphBeta", 28 | "version": "0.2.0-preview", 29 | "isSingleton": false, 30 | "configurationType": { 31 | "$ref": "types.json#/115" 32 | } 33 | } 34 | } -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: Create a report to help us improve 4 | title: '' 5 | labels: bug 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Bicep version** 11 | Run `bicep --version` via the Bicep CLI, `az bicep version` via the AZ CLI 12 | 13 | **Resource and API version** 14 | Which Microsoft.Graph resource and API version has the issue? 15 | 16 | **Auth flow** 17 | Is the deployment interactive (e.g. with a signed in user) or automated (e.g. with an application)? 18 | 19 | **Deployment details** 20 | If it's related to deployment failures, please provide the deployment correlation id, Microsoft Graph client request id, and deployment timestamp if applicable. 21 | 22 | **Describe the bug** 23 | A clear and concise description of what the bug is vs what you expected to happen 24 | 25 | **To Reproduce** 26 | Steps to reproduce the behavior: 27 | 28 | **Additional context** 29 | Add any other context about the problem here. For example, what permissions does the identity have if it's a permission issue? 30 | -------------------------------------------------------------------------------- /src/swagger-generation/src/definitions/DefinitionMap.ts: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft Corporation. 2 | // Licensed under the MIT License. 
3 | 4 | import { EntityType } from "./EntityType"; 5 | import { EnumType } from "./EnumType"; 6 | import { EntityTypeConfig } from "../config"; 7 | 8 | export interface EntityMap extends Map{} 9 | 10 | export interface EnumMap extends Map{} 11 | 12 | export interface EntityTypeConfigMap extends Map{} 13 | 14 | export interface AliasMap extends Map{} 15 | 16 | export class DefinitionMap{ 17 | 18 | EntityMap: EntityMap; 19 | EnumMap: EnumMap; 20 | AliasMap: AliasMap; 21 | 22 | constructor() { 23 | const entityMap: EntityMap = new Map() 24 | const enumMap: EnumMap = new Map() 25 | const aliasMap: AliasMap = new Map() 26 | this.EntityMap = entityMap; 27 | this.EnumMap = enumMap; 28 | this.AliasMap = aliasMap; 29 | } 30 | 31 | } -------------------------------------------------------------------------------- /pipelines/ci-build.yml: -------------------------------------------------------------------------------- 1 | # Copyright (c) Microsoft Corporation. All rights reserved. 2 | # Licensed under the MIT License. 
3 | 4 | name: $(BuildDefinitionName)_$(SourceBranchName)_BUILD_$(Date:yyyyMMdd)$(Rev:.r) 5 | 6 | trigger: none 7 | pr: 8 | branches: 9 | include: 10 | - main 11 | paths: 12 | include: 13 | - src/* 14 | schedules: 15 | - cron: "0 21 * * *" 16 | displayName: Daily Build 17 | branches: 18 | include: 19 | - main 20 | always: false 21 | 22 | pool: 23 | name: Azure Pipelines 24 | vmImage: windows-latest 25 | demands: 26 | - msbuild 27 | - vstest 28 | 29 | variables: 30 | - template: ./common-variables.yml 31 | 32 | jobs: 33 | - job: MsGraphBicepTypesBuild 34 | displayName: Microsoft Graph Bicep Types Build 35 | steps: 36 | - template: ./common-templates/install-tools.yml 37 | 38 | - template: ./common-templates/security-pre-checks.yml 39 | 40 | - template: ./common-templates/generate-types.yml 41 | 42 | - template: ./common-templates/security-post-checks.yml 43 | -------------------------------------------------------------------------------- /samples/deploy-template/sample-template.bicep: -------------------------------------------------------------------------------- 1 | extension microsoftGraphV1 2 | 3 | // TEMPLATE DESCRIPTION 4 | /* Simple template that creates an Entra application and an Entra group. 5 | This is used as an sample template to test template deployment of Microsoft Graph resources 6 | via a dotnet console application. 7 | */ 8 | 9 | param date string = '2025-07-28' 10 | param appDisplayName string = 'sampleApp' 11 | param groupDisplayName string = 'sampleGroup' 12 | param app string= 'sampleApp' 13 | param group string = 'sampleGroup' 14 | 15 | // create basic Entra application 16 | resource myApp 'Microsoft.Graph/applications@v1.0' = { 17 | displayName: appDisplayName == null ? '${app}-${date}' :'${appDisplayName}-${date}' 18 | uniqueName: uniqueString(app, date) 19 | } 20 | 21 | // create basic Entra group 22 | resource myGroup 'Microsoft.Graph/groups@v1.0' = { 23 | displayName: groupDisplayName == null ? 
'${group}-${date}' :'${groupDisplayName}-${date}' 24 | uniqueName: uniqueString(group, date) 25 | mailNickname: uniqueString(group, date) 26 | mailEnabled: false 27 | securityEnabled: true 28 | } 29 | -------------------------------------------------------------------------------- /src/autorest.bicep/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "@autorest/bicep", 3 | "version": "1.0.0", 4 | "private": true, 5 | "scripts": { 6 | "build": "tsc -p .", 7 | "test": "jest", 8 | "start": "node ./dist/src/main.js", 9 | "lint": "eslint src --ext ts", 10 | "lint:fix": "eslint src --ext ts --fix" 11 | }, 12 | "dependencies": { 13 | "@autorest/codemodel": "^4.19.3", 14 | "@autorest/extension-base": "^3.5.1", 15 | "@types/lodash": "^4.14.194", 16 | "autorest": "^3.6.3", 17 | "bicep-types": "file:../../bicep-types/src/bicep-types", 18 | "lodash": "^4.17.21" 19 | }, 20 | "devDependencies": { 21 | "@types/jest": "^27.4.1", 22 | "@types/node": "^18.16.0", 23 | "@typescript-eslint/eslint-plugin": "^5.59.0", 24 | "@typescript-eslint/parser": "^5.59.0", 25 | "colors": "^1.4.0", 26 | "dir-compare": "^4.0.0", 27 | "eslint": "^8.39.0", 28 | "eslint-plugin-header": "^3.1.1", 29 | "eslint-plugin-jest": "^27.2.1", 30 | "jest": "^27.5.1", 31 | "ts-jest": "^27.1.4", 32 | "ts-node": "^10.9.1", 33 | "typescript": "^4.9.5" 34 | } 35 | } 36 | -------------------------------------------------------------------------------- /src/extensionConfig/package-lock.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "extensionconfig", 3 | "version": "1.0.0", 4 | "lockfileVersion": 3, 5 | "requires": true, 6 | "packages": { 7 | "": { 8 | "name": "extensionconfig", 9 | "version": "1.0.0", 10 | "license": "ISC", 11 | "devDependencies": { 12 | "@types/node": "^22.5.1" 13 | } 14 | }, 15 | "node_modules/@types/node": { 16 | "version": "22.5.1", 17 | "resolved": 
"https://registry.npmjs.org/@types/node/-/node-22.5.1.tgz", 18 | "integrity": "sha512-KkHsxej0j9IW1KKOOAA/XBA0z08UFSrRQHErzEfA3Vgq57eXIMYboIlHJuYIfd+lwCQjtKqUu3UnmKbtUc9yRw==", 19 | "dev": true, 20 | "license": "MIT", 21 | "dependencies": { 22 | "undici-types": "~6.19.2" 23 | } 24 | }, 25 | "node_modules/undici-types": { 26 | "version": "6.19.8", 27 | "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.19.8.tgz", 28 | "integrity": "sha512-ve2KP6f/JnbPBFyobGHuerC9g1FYGn/F8n1LWTwNxCEzd6IfqTwUQcNXgEtmmQ6DlRrC1hrSrBnCZPokRrDHjw==", 29 | "dev": true, 30 | "license": "MIT" 31 | } 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /src/swagger-generation/src/util/propertyTypeResolver.ts: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft Corporation. 2 | // Licensed under the MIT License. 3 | 4 | import { CollectionProperty } from "../definitions/CollectionProperty"; 5 | import { PrimitiveSwaggerTypeStruct } from "../definitions/PrimitiveSwaggerType"; 6 | import { Property } from "../definitions/Property"; 7 | 8 | export const resolvePropertyTypeToReference = (property: Property): string | undefined => { 9 | let propertyType: CollectionProperty | PrimitiveSwaggerTypeStruct | string = property.Type; 10 | 11 | if (propertyType instanceof CollectionProperty) { 12 | // Is collection 13 | propertyType = propertyType as CollectionProperty; 14 | propertyType = propertyType.Type as PrimitiveSwaggerTypeStruct | string; // Unwrap collection 15 | } else { 16 | // Not collection 17 | propertyType = propertyType as PrimitiveSwaggerTypeStruct | string; 18 | } 19 | 20 | if (propertyType instanceof PrimitiveSwaggerTypeStruct || typeof propertyType !== "string") { 21 | // If type is primitive or any other object, can't resolve 22 | return undefined 23 | } 24 | 25 | return propertyType; 26 | } 
-------------------------------------------------------------------------------- /src/swagger-generation/src/definitions/Property.ts: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft Corporation. 2 | // Licensed under the MIT License. 3 | 4 | import { CollectionProperty } from "./CollectionProperty"; 5 | import { PrimitiveSwaggerTypeStruct } from "./PrimitiveSwaggerType"; 6 | 7 | export class Property extends Object{ 8 | Name: string; 9 | Type: PrimitiveSwaggerTypeStruct | CollectionProperty | string; 10 | Description: string; 11 | Nullable?: boolean; 12 | ReadOnly?: boolean; 13 | 14 | constructor(name: string, type: PrimitiveSwaggerTypeStruct | CollectionProperty| string, description: string, nullable: boolean | undefined, readonly: boolean | undefined){ 15 | super(); 16 | this.Name = name; 17 | if(type instanceof PrimitiveSwaggerTypeStruct){ 18 | this.Type = type as PrimitiveSwaggerTypeStruct; 19 | } else if(type instanceof CollectionProperty){ 20 | this.Type = type as CollectionProperty; 21 | } else { 22 | this.Type = type.toString(); 23 | } 24 | 25 | this.Description = description; 26 | this.Nullable = nullable; 27 | this.ReadOnly = readonly; 28 | } 29 | } -------------------------------------------------------------------------------- /src/autorest.bicep/.eslintrc.js: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft Corporation. 2 | // Licensed under the MIT License. 
3 | module.exports = { 4 | root: true, 5 | parser: "@typescript-eslint/parser", 6 | parserOptions: { 7 | ecmaVersion: 2020, 8 | sourceType: "module", 9 | project: './tsconfig.json', 10 | }, 11 | plugins: ["header"], 12 | extends: ["eslint:recommended"], 13 | ignorePatterns: ["/out/**/*"], 14 | rules: { 15 | "header/header": [ 16 | 2, 17 | "line", 18 | [ 19 | " Copyright (c) Microsoft Corporation.", 20 | " Licensed under the MIT License.", 21 | ], 22 | ], 23 | }, 24 | overrides: [ 25 | { 26 | files: ["*.ts"], 27 | extends: [ 28 | "plugin:@typescript-eslint/recommended", 29 | "plugin:jest/all", 30 | ], 31 | rules: { 32 | "jest/no-hooks": "off", 33 | "jest/prefer-expect-assertions": "off", 34 | "jest/expect-expect": [ 35 | "error", 36 | { 37 | assertFunctionNames: ["expect*"], 38 | }, 39 | ], 40 | }, 41 | }, 42 | { 43 | files: ["*.js"], 44 | env: { node: true }, 45 | }, 46 | ], 47 | }; 48 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) Microsoft Corporation. 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE 22 | -------------------------------------------------------------------------------- /quickstart-templates/security-group-create-with-owners-and-members/main.bicep: -------------------------------------------------------------------------------- 1 | extension microsoftGraphV1 2 | 3 | @description('location of the resource group') 4 | param location string = resourceGroup().location 5 | 6 | resource resourceApp 'Microsoft.Graph/applications@v1.0' existing = { 7 | uniqueName: 'ExampleResourceApp' 8 | } 9 | 10 | resource resourceSp 'Microsoft.Graph/servicePrincipals@v1.0' existing = { 11 | appId: resourceApp.appId 12 | } 13 | 14 | resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = { 15 | name: 'ExampleManagedIdentity' 16 | location: location 17 | } 18 | 19 | resource group 'Microsoft.Graph/groups@v1.0' = { 20 | uniqueName: 'ExampleGroup' 21 | displayName: 'Example Group' 22 | mailEnabled: false 23 | mailNickname: 'exampleGroup' 24 | securityEnabled: true 25 | owners: { 26 | // defaults with append semantics 27 | // for replace semantics add: "relationshipSemantics: 'replace'" 28 | relationships: [resourceSp.id] 29 | } 30 | members: { 31 | // defaults with append semantics 32 | // for replace semantics add: "relationshipSemantics: 'replace'" 33 | relationships: [managedIdentity.properties.principalId] 34 | } 35 | } -------------------------------------------------------------------------------- /samples/deploy-template/deploy-template.sln: -------------------------------------------------------------------------------- 1 | Microsoft Visual Studio Solution File, Format Version 12.00 2 | # Visual Studio Version 17 3 | VisualStudioVersion = 17.5.2.0 4 | 
MinimumVisualStudioVersion = 10.0.40219.1 5 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "deploy-template", "deploy-template.csproj", "{FEA91663-7214-B722-A16E-B69FFDC74FA0}" 6 | EndProject 7 | Global 8 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 9 | Debug|Any CPU = Debug|Any CPU 10 | Release|Any CPU = Release|Any CPU 11 | EndGlobalSection 12 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 13 | {FEA91663-7214-B722-A16E-B69FFDC74FA0}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 14 | {FEA91663-7214-B722-A16E-B69FFDC74FA0}.Debug|Any CPU.Build.0 = Debug|Any CPU 15 | {FEA91663-7214-B722-A16E-B69FFDC74FA0}.Release|Any CPU.ActiveCfg = Release|Any CPU 16 | {FEA91663-7214-B722-A16E-B69FFDC74FA0}.Release|Any CPU.Build.0 = Release|Any CPU 17 | EndGlobalSection 18 | GlobalSection(SolutionProperties) = preSolution 19 | HideSolutionNode = FALSE 20 | EndGlobalSection 21 | GlobalSection(ExtensibilityGlobals) = postSolution 22 | SolutionGuid = {0E574A79-B2A9-4557-BE4B-EFB2C9A7ACAB} 23 | EndGlobalSection 24 | EndGlobal 25 | -------------------------------------------------------------------------------- /quickstart-templates/create-fic-for-github-actions/metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://aka.ms/azure-quickstart-templates-metadata-schema#", 3 | "type": "QuickStart", 4 | "itemDisplayName": "Configure a federated identity credential for GitHub Actions", 5 | "description": "This template configures a federated identity credential for GitHub Actions, without using any secrets. It enables a GitHub Actions workflow to exchange a GitHub access token for a Microsoft Entra ID access token, so that the GitHub Actions workflow can access Azure resources. To enable this, the template creates an application (to represent the GitHub Action) and configures it with a federated identity credential. 
When the GitHub Actions workflow requests to exchange a GitHub access token for an access token, from the Microsoft identity platform, the values in the federated identity credential are checked against the provided GitHub token's \"issuer\" and \"subject\" claim values.", 6 | "summary": "This template configures a federated identity credential for GitHub Actions, without using any secrets.", 7 | "githubUsername": "dkershaw10", 8 | "docOwner": "dkershaw10", 9 | "dateUpdated": "2025-03-17", 10 | "validationType": "Manual", 11 | "languages": ["bicep"] 12 | } -------------------------------------------------------------------------------- /src/swagger-generation/tests/testUtilities.ts: -------------------------------------------------------------------------------- 1 | import { RawRecord } from "../src/definitions/RawTypes"; 2 | 3 | export const constructAlternateKeyRecord = (keyName: string, term: string): RawRecord => { 4 | return { 5 | $: { 6 | Type: `${term}.AlternateKey`, 7 | }, 8 | PropertyValue: [ 9 | { 10 | $: { 11 | Property: 'Key', 12 | }, 13 | Collection: [ 14 | { 15 | Record: [ 16 | { 17 | $: { 18 | Type: `${term}.PropertyRef`, 19 | }, 20 | PropertyValue: [ 21 | { 22 | $: { 23 | Property: 'Name', 24 | PropertyPath: keyName, 25 | }, 26 | }, 27 | ], 28 | }, 29 | ], 30 | }, 31 | ], 32 | }, 33 | ], 34 | }; 35 | } 36 | -------------------------------------------------------------------------------- /quickstart-templates/application-serviceprincipal-create-client-resource/main.bicep: -------------------------------------------------------------------------------- 1 | extension microsoftGraphV1 2 | 3 | @description('ID of the application role to add to the resource app. Must be a GUID.') 4 | param appRoleId string? 5 | 6 | @secure() 7 | @description('Value of the key credential.') 8 | param certKey string? 
9 | 10 | resource resourceApp 'Microsoft.Graph/applications@v1.0' = { 11 | uniqueName: 'ExampleResourceApp' 12 | displayName: 'Example Resource Application' 13 | appRoles: (!empty(appRoleId)) ? [ 14 | { 15 | id: appRoleId 16 | allowedMemberTypes: [ 'User', 'Application' ] 17 | description: 'Read access to resource app data' 18 | displayName: 'ResourceAppData.Read.All' 19 | value: 'ResourceAppData.Read.All' 20 | isEnabled: true 21 | } 22 | ] : [] 23 | } 24 | 25 | resource resourceSp 'Microsoft.Graph/servicePrincipals@v1.0' = { 26 | appId: resourceApp.appId 27 | } 28 | 29 | resource clientApp 'Microsoft.Graph/applications@v1.0' = { 30 | uniqueName: 'ExampleClientApp' 31 | displayName: 'Example Client Application' 32 | keyCredentials: (!empty(certKey)) ? [ 33 | { 34 | displayName: 'Example Client App Key Credential' 35 | usage: 'Verify' 36 | type: 'AsymmetricX509Cert' 37 | key: certKey 38 | } 39 | ] : [] 40 | } 41 | 42 | resource clientSp 'Microsoft.Graph/servicePrincipals@v1.0' = { 43 | appId: clientApp.appId 44 | } 45 | -------------------------------------------------------------------------------- /src/swagger-generation/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "swagger-generation", 3 | "version": "0.0.0", 4 | "description": "The MSGraph swagger specification auto-generation tool using CSDL", 5 | "scripts": { 6 | "start": "ts-node src/index.ts", 7 | "test": "jest --verbose", 8 | "lint": "eslint . 
--ext .ts" 9 | }, 10 | "repository": { 11 | "type": "git", 12 | "url": "git+https://github.com/microsoftgraph/msgraph-bicep-types.git" 13 | }, 14 | "readme": "https://github.com/microsoftgraph/msgraph-bicep-types/blob/main/README.md", 15 | "keywords": [ 16 | "swagger", 17 | "bicep", 18 | "arm", 19 | "msgraph" 20 | ], 21 | "author": "Microsoft Corporation", 22 | "license": "MIT", 23 | "bugs": { 24 | "url": "https://github.com/microsoftgraph/msgraph-bicep-types/issues" 25 | }, 26 | "homepage": "https://github.com/microsoftgraph/msgraph-bicep-types#readme", 27 | "dependencies": { 28 | "ts-node": "^10.9.1", 29 | "typescript": "^5.1.6", 30 | "xml2js": "^0.6.1", 31 | "yaml": "^2.3.1", 32 | "yargs": "^17.7.2" 33 | }, 34 | "devDependencies": { 35 | "@types/jest": "^29.5.3", 36 | "@types/xml2js": "^0.4.11", 37 | "@typescript-eslint/eslint-plugin": "^6.3.0", 38 | "@typescript-eslint/parser": "^6.3.0", 39 | "eslint": "^8.47.0", 40 | "jest": "^29.6.2", 41 | "ts-jest": "^29.1.1", 42 | "extensionConfig": "file:../extensionConfig" 43 | } 44 | } -------------------------------------------------------------------------------- /swagger/specification/microsoftgraph/resource-manager/readme.md: -------------------------------------------------------------------------------- 1 | # MicrosoftGraph 2 | 3 | > see https://aka.ms/autorest 4 | 5 | ## Getting Started 6 | 7 | To build the SDK for MicrosoftGraph, simply [Install AutoRest](https://aka.ms/autorest/install) and in this folder, run: 8 | 9 | > `autorest` 10 | 11 | To see additional help and options, run: 12 | 13 | > `autorest --help` 14 | 15 | --- 16 | 17 | ## Configuration 18 | 19 | ### Basic Information 20 | 21 | These are the global settings for the MicrosoftGraph API. 22 | 23 | ``` yaml 24 | title: MicrosoftGraph 25 | description: MicrosoftGraph 26 | openapi-type: arm 27 | ``` 28 | 29 | ### Tag: microsoftgraph-preview 30 | 31 | These settings apply only when `--tag=microsoftgraph-preview` is specified on the command line. 
32 | 33 | ```yaml $(tag) == 'microsoftgraph-beta' 34 | input-file: 35 | - microsoftgraph/preview/beta/0.1.7-preview.json 36 | - microsoftgraph/preview/beta/0.1.8-preview.json 37 | - microsoftgraph/preview/beta/0.1.9-preview.json 38 | - microsoftgraph/preview/beta/0.2.0-preview.json 39 | - microsoftgraph/official/beta/1.0.0.json 40 | ``` 41 | 42 | ```yaml $(tag) == 'microsoftgraph-v1.0' 43 | input-file: 44 | - microsoftgraph/preview/v1.0/0.1.7-preview.json 45 | - microsoftgraph/preview/v1.0/0.1.8-preview.json 46 | - microsoftgraph/preview/v1.0/0.1.9-preview.json 47 | - microsoftgraph/preview/v1.0/0.2.0-preview.json 48 | - microsoftgraph/official/v1.0/1.0.0.json 49 | ``` 50 | -------------------------------------------------------------------------------- /quickstart-templates/create-fic-for-github-actions/publish.yml: -------------------------------------------------------------------------------- 1 | name: Publish 2 | 3 | on: workflow_dispatch 4 | 5 | permissions: 6 | id-token: write 7 | contents: read 8 | 9 | env: 10 | AZURE_WEBAPP_NAME: 'secdemoapp1024' # set this to your application's name 11 | AZURE_WEBAPP_PACKAGE_PATH: './app' # set this to the path to your web app project, defaults to the repository root 12 | DOTNET_VERSION: '8.0.x' # set this to the dot net version to use 13 | 14 | jobs: 15 | build: 16 | runs-on: ubuntu-latest 17 | 18 | steps: 19 | # Checkout the repo 20 | - uses: actions/checkout@main 21 | - uses: azure/login@v2 22 | with: 23 | client-id: ${{ secrets.AZURE_CLIENT_ID }} 24 | tenant-id: ${{ secrets.AZURE_TENANT_ID }} 25 | subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} 26 | 27 | 28 | # Setup .NET Core SDK 29 | - name: Setup .NET Core 30 | uses: actions/setup-dotnet@v3 31 | with: 32 | dotnet-version: ${{ env.DOTNET_VERSION }} 33 | 34 | # Deploy to Azure Web apps 35 | - name: 'Run Azure webapp deploy action using publish profile credentials' 36 | uses: azure/webapps-deploy@v3 37 | with: 38 | app-name: ${{ env.AZURE_WEBAPP_NAME }} # 
Replace with your app name 39 | package: '${{ env.AZURE_WEBAPP_PACKAGE_PATH }}' 40 | 41 | - name: logout 42 | run: | 43 | az logout -------------------------------------------------------------------------------- /generated/microsoftgraph/microsoft.graph/log.out: -------------------------------------------------------------------------------- 1 | AutoRest code generation utility [cli version: 3.6.3; node: v20.11.1] 2 | (C) 2018 Microsoft Corporation. 3 | https://aka.ms/autorest 4 | warning | SkippedSemanticValidation | Semantic validation was skipped. 5 | warning | PreCheck/CheckDuplicateSchemas | Checking for duplicate schemas, this could take a (long) while. Run with --verbose for more detail. 6 | warning | SkippedSemanticValidation | Semantic validation was skipped. 7 | warning | PreCheck/CheckDuplicateSchemas | Checking for duplicate schemas, this could take a (long) while. Run with --verbose for more detail. 8 | warning | Unrecognized property type: any-object. Returning 'any'. 9 | AutoRest code generation utility [cli version: 3.6.3; node: v20.11.1] 10 | (C) 2018 Microsoft Corporation. 11 | https://aka.ms/autorest 12 | warning | SkippedSemanticValidation | Semantic validation was skipped. 13 | warning | PreCheck/CheckDuplicateSchemas | Checking for duplicate schemas, this could take a (long) while. Run with --verbose for more detail. 14 | warning | SkippedSemanticValidation | Semantic validation was skipped. 15 | warning | PreCheck/CheckDuplicateSchemas | Checking for duplicate schemas, this could take a (long) while. Run with --verbose for more detail. 16 | warning | Unrecognized property type: any-object. Returning 'any'. 17 | AutoRest code generation utility [cli version: 3.6.3; node: v20.11.1] 18 | (C) 2018 Microsoft Corporation. 19 | https://aka.ms/autorest 20 | Clearing 10 autorest temp data folders... 
21 | -------------------------------------------------------------------------------- /pipelines/common-templates/esrp/codesign-nuget.yml: -------------------------------------------------------------------------------- 1 | # Copyright (c) Microsoft Corporation. All rights reserved. 2 | # Licensed under the MIT License. 3 | 4 | steps: 5 | - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@5 6 | displayName: "ESRP CodeSigning Nuget Packages" 7 | inputs: 8 | ConnectedServiceName: "Federated DevX ESRP Managed Identity Connection" 9 | AppRegistrationClientId: "65035b7f-7357-4f29-bf25-c5ee5c3949f8" 10 | AppRegistrationTenantId: "cdc5aeea-15c5-4db6-b079-fcadd2505dc2" 11 | AuthAKVName: "akv-prod-eastus" 12 | AuthCertName: "ReferenceLibraryPrivateCert" 13 | AuthSignCertName: "ReferencePackagePublisherCertificate" 14 | FolderPath: "$(Build.ArtifactStagingDirectory)" 15 | Pattern: "*.nupkg" 16 | signConfigType: inlineSignParams 17 | inlineOperation: | 18 | [ 19 | { 20 | "keyCode": "CP-401405", 21 | "operationSetCode": "NuGetSign", 22 | "parameters": [ ], 23 | "toolName": "sign", 24 | "toolVersion": "1.0" 25 | }, 26 | { 27 | "keyCode": "CP-401405", 28 | "operationSetCode": "NuGetVerify", 29 | "parameters": [ ], 30 | "toolName": "sign", 31 | "toolVersion": "1.0" 32 | } 33 | ] 34 | SessionTimeout: 20 35 | MaxConcurrency: 50 36 | MaxRetryAttempts: 5 37 | PendingAnalysisWaitTimeoutMinutes: 5 38 | -------------------------------------------------------------------------------- /quickstart-templates/msi-as-a-fic-secretless/secretless-graph-request.ps1: -------------------------------------------------------------------------------- 1 | ####################################################################### 2 | <# 3 | Perform a 2-legged flow to acquire an access token with a managed 4 | identity as the credential and then use it to call Microsoft Graph. 5 | 6 | PRE-REQUISITES: 7 | 1. 
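An app registered with a user-assigned managed identity as a
   federated identity credential (FIC).
2. There's a service principal for the app.
3. The service principal is granted access to Microsoft Graph.

SCRIPT STEPS
1. Acquire a token for a user-assigned managed identity
2. Run PS as an app, using the token from step 1 as the credential
3. Call Microsoft Graph
#>
#######################################################################

param
(
    [Parameter(Mandatory=$true)]
    $managedIdentityPrincipalId,   # principal (object) id of the user-assigned managed identity
    $applicationClientId,          # client id of the app that has the managed identity configured as a FIC
    $tenantId,                     # tenant the app is registered in (a comma is required between parameters)
    $ficIssuerAudience             # audience the managed-identity token is requested for (the FIC issuer audience)
)

# Step 1: Acquire token for the managed identity
Connect-AzAccount -Identity -AccountId $managedIdentityPrincipalId
$token = Get-AzAccessToken -ResourceUrl $ficIssuerAudience

# Step 2: Sign in to Azure PowerShell (as the app with the FIC configuration)
# NOTE(review): recent Az.Accounts releases return the Token member as a SecureString;
# confirm -FederatedToken accepts that form on the module version in use.
Connect-AzAccount -ApplicationId $applicationClientId -FederatedToken $token.Token -Tenant $tenantId

# Step 3: Get all Entra groups in the tenant (assumes app has Group.Read.All permission)
Invoke-AzRestMethod -Method GET -Uri https://graph.microsoft.com/v1.0/groups
-------------------------------------------------------------------------------- /src/generator/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "@autorest/bicep", 3 | "version": "0.0.0", 4 | "description": "The Azure Bicep extension for classic generators in AutoRest.", 5 | "scripts": { 6 | "build": "tsc -p .", 7 | "generate": "ts-node src/cmd/generate", 8 | "lint": "eslint src --ext ts", 9 | "lint:fix": "eslint src --ext ts --fix" 10 | }, 11 | "repository": { 12 | "type": "git", 13 | "url": "https://github.com/Azure/bicep-types-az" 14 | }, 15 | "readme": "https://github.com/Azure/bicep-types-az/readme.md", 16 | "keywords": [ 17 | "autorest", 18 | "bicep" 19 | ], 20 | "author": "Microsoft 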
Corporation", 21 | "license": "MIT", 22 | "bugs": { 23 | "url": "https://github.com/Azure/bicep-types-az/issues" 24 | }, 25 | "homepage": "https://github.com/Azure/bicep-types-az/blob/main/README.md", 26 | "devDependencies": { 27 | "@autorest/core": "3.9.5", 28 | "@autorest/modelerfour": "^4.26.1", 29 | "@ts-common/commonmark-to-markdown": "^2.0.2", 30 | "@types/async": "^3.2.19", 31 | "@types/js-yaml": "^4.0.5", 32 | "@types/node": "^18.16.0", 33 | "@types/yargs": "^17.0.24", 34 | "@typescript-eslint/eslint-plugin": "^5.59.0", 35 | "@typescript-eslint/parser": "^5.59.0", 36 | "async": "^3.2.4", 37 | "autorest": "^3.6.3", 38 | "bicep-types": "file:../../bicep-types/src/bicep-types", 39 | "colors": "^1.4.0", 40 | "eslint": "^8.39.0", 41 | "eslint-plugin-header": "^3.1.1", 42 | "js-yaml": "^4.1.1", 43 | "ts-node": "^10.9.1", 44 | "typescript": "^5.0.4", 45 | "yargs": "^17.7.1", 46 | "extensionConfig": "file:../extensionConfig", 47 | "swagger-generation": "file:../swagger-generation" 48 | } 49 | } -------------------------------------------------------------------------------- /src/autorest.bicep/src/main.ts: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft Corporation. 2 | // Licensed under the MIT License. 
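import { AutoRestExtension, AutorestExtensionHost, startSession } from "@autorest/extension-base";
import { generateTypes } from "./type-generator";
import { CodeModel, codeModelSchema } from "@autorest/codemodel";
import { writeTypesJson, writeMarkdown } from "bicep-types";
import { getProviderDefinitions } from "./resources";

/**
 * AutoRest plugin entry point for one request: starts a session against the
 * host's code model, generates Bicep types for every provider definition found
 * in it, and writes `types.json` and `types.md` under `<namespace>/<apiVersion>`
 * (lower-cased).
 *
 * @param host - AutoRest extension host used to read the session and emit files.
 * @throws Rethrows any error raised while starting the session or generating
 *   types, after logging it, so the host reports the plugin failure.
 */
export async function processRequest(host: AutorestExtensionHost) {
  try {
    const session = await startSession(host, undefined, codeModelSchema);
    const start = Date.now();

    for (const definition of getProviderDefinitions(session.model, host)) {
      const { namespace, apiVersion } = definition;
      const types = generateTypes(host, definition);

      // Output folder is built from values taken from the processed spec.
      // NOTE(review): no sanitisation of path separators or ".." happens here; the
      // spec is a build input owned by this repo, but confirm getProviderDefinitions
      // can only yield plain namespace/apiVersion segments.
      const outFolder = `${namespace}/${apiVersion}`.toLowerCase();

      // write types.json
      host.writeFile({ filename: `${outFolder}/types.json`, content: writeTypesJson(types) });

      // write types.md
      host.writeFile({ filename: `${outFolder}/types.md`, content: writeMarkdown(types, `${namespace} @ ${apiVersion}`) });
    }

    session.info(`autorest.bicep took ${Date.now() - start}ms`);
  } catch (err) {
    console.error("An error was encountered while handling a request:", err);
    throw err;
  }
}

/** Registers the "bicep" plugin with the AutoRest extension host and runs it. */
async function main() {
  const pluginHost = new AutoRestExtension();
  pluginHost.add("bicep", processRequest);
  await pluginHost.run();
}

// eslint-disable-next-line jest/require-hook
main().catch((err) => {
  // Handle the rejection explicitly instead of relying on the runtime's
  // unhandled-rejection default, so a failure to start or run the plugin host
  // is reported and the process exits non-zero.
  console.error("autorest.bicep plugin host failed:", err);
  process.exit(1);
});
-------------------------------------------------------------------------------- /scripts/UpdateGeneratedTypes.ps1: -------------------------------------------------------------------------------- 1 | # Copyright (c) Microsoft Corporation. All rights reserved. 2 | # Licensed under the MIT License. 3 | 4 | <# 5 | .Synopsis 6 | Update the generated Bicep types and Swagger spec.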
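.Description
    Update the generated Bicep types and Swagger spec by updating the latest msgraph metadata
    and running the generation scripts.
#>

# All paths below are relative to the repository root; run this script from there
# (see docs/DEVELOPMENT.md).
$SwaggerGenerationPrefix = "./src/swagger-generation"
$GeneratorPrefix = "./src/generator"
$AutorestPrefix = "./src/autorest.bicep"
# `npm run --prefix` executes the package script with the package directory as its
# working directory, so the swagger output location must be absolute. Derive it from
# the current (repository root) directory rather than a machine-specific path.
$SwaggerOutputPath = Join-Path (Get-Location).Path "swagger/specification/microsoftgraph/resource-manager/microsoftgraph"

# Uncomment the block below to build bicep-types
<# Write-Host "Building bicep-types"
Push-Location bicep-types/src/bicep-types
npm ci
npm audit fix
npm run build
Pop-Location
Write-Host "bicep-types successfully built" #>

# Update msgraph-metadata submodule
Write-Host "Updating msgraph-metadata submodule"
git submodule update --recursive --remote msgraph-metadata
Write-Host "msgraph-metadata submodule successfully updated"

# Build autorest
Write-Host "Building Autorest"
npm ci --prefix $AutorestPrefix
# `npm audit fix` has to target the same package as the preceding `npm ci`; without
# --prefix it runs against the repository root. It may rewrite that package's
# package-lock.json, so review the resulting lockfile diff before committing.
npm audit fix --prefix $AutorestPrefix
npm run --prefix $AutorestPrefix build
Write-Host "Autorest successfully built"

# Generate Swagger spec
Write-Host "Generating Swagger spec"
npm ci --prefix $SwaggerGenerationPrefix
npm audit fix --prefix $SwaggerGenerationPrefix
npm run --prefix $SwaggerGenerationPrefix start "--" "--output=$SwaggerOutputPath"
Write-Host "Swagger spec successfully generated"

# Generate Bicep types
Write-Host "Generating Bicep types"
npm ci --prefix $GeneratorPrefix
npm audit fix --prefix $GeneratorPrefix
npm run --prefix $GeneratorPrefix generate "--" --specs-dir ..\..\swagger\ --single-path microsoftgraph
Write-Host "Bicep types successfully generated"
-------------------------------------------------------------------------------- /docs/DEVELOPMENT.md: -------------------------------------------------------------------------------- 1 | This document describes the steps to setup development tools and run Bicep types generation locally.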
2 | 3 | ## Directory Structure 4 | 5 | `generated`: Generated artifacts, including types and index. See [/generated/index.md](../generated/index.md) for a searchable list of all the available types. You can view individual type definitions by clicking on api versions. 6 | 7 | `src`: Source code for autorest, type generation script, and the type loader 8 | 9 | `swagger/specification`: Swagger API Specification for Microsoft Graph resources 10 | 11 | `msgraph-metadata`: A submodule that links to the microsoftgraph/msgraph-metadata repo, which contains all the latest sanitized versions of the metadata (including descriptions, annotations and errors) 12 | 13 | 14 | ## Running Generation Locally 15 | 16 | ### Pre-requisites 17 | 18 | 1. NPM version 11.0 or later 19 | 1. Node version 22.0 or later 20 | 21 | ### Initial Setup 22 | 23 | 1. Clone this repo 24 | 1. Check out submodules: 25 | 26 | ```sh 27 | git submodule update --init --recursive 28 | ``` 29 | 30 | ### Configuration setup 31 | 32 | #### Update the YML config files, if necessary 33 | 34 | If you are adding new types or changing property annotations like `readOnly` or `required`, you'll need to update the yml config that controls what is generated. 35 | 36 | ```sh 37 | cd ../swagger-generation/configs 38 | ``` 39 | 40 | Create new yml files (following the existing naming convention and a new semantic version) under the `beta` and `v1.0` folders. 41 | Edit the new yml files, with new types, properties and/or property annotation changes. 42 | 43 | 44 | ### Generate the new types 45 | 46 | From the root folder `/msgraph-bicep-types` run the following PowerShell script to generate types for the latest version 47 | 48 | ```sh 49 | .\scripts\UpdateGeneratedTypes.ps1 50 | ``` 51 | 52 | After running the scripts the new types will be available in [/generated](./generated) folder. 
53 | -------------------------------------------------------------------------------- /pipelines/common-templates/generate-types.yml: -------------------------------------------------------------------------------- 1 | # Copyright (c) Microsoft Corporation. All rights reserved. 2 | # Licensed under the MIT License. 3 | 4 | steps: 5 | - script: git submodule update --init --recursive 6 | displayName: "Initialize Submodules" 7 | 8 | - task: NPM@1 9 | displayName: "Install bicep-types" 10 | inputs: 11 | command: "ci" 12 | workingDir: "$(BicepTypesWorkingDir)" 13 | 14 | - task: NPM@1 15 | displayName: "Build bicep-types" 16 | inputs: 17 | command: "custom" 18 | workingDir: "$(BicepTypesWorkingDir)" 19 | customCommand: "run build" 20 | 21 | - task: NPM@1 22 | displayName: "Install swagger-generation" 23 | inputs: 24 | command: "ci" 25 | workingDir: "$(SwaggerGenerationWorkingDir)" 26 | 27 | - task: NPM@1 28 | displayName: "Test swagger-generation" 29 | inputs: 30 | command: "custom" 31 | workingDir: "$(SwaggerGenerationWorkingDir)" 32 | customCommand: "test" 33 | 34 | - task: NPM@1 35 | displayName: "Generate Swagger File" 36 | inputs: 37 | command: "custom" 38 | workingDir: "$(SwaggerGenerationWorkingDir)" 39 | customCommand: "run start -- --output $(SwaggerFilePath)" 40 | 41 | - task: NPM@1 42 | displayName: "Install autorest.bicep" 43 | inputs: 44 | command: "ci" 45 | workingDir: "$(AutoRestWorkingDir)" 46 | 47 | - task: NPM@1 48 | displayName: "Build autorest.bicep" 49 | inputs: 50 | command: "custom" 51 | workingDir: "$(AutoRestWorkingDir)" 52 | customCommand: "run build" 53 | 54 | - task: NPM@1 55 | displayName: "Install generator" 56 | inputs: 57 | command: "ci" 58 | workingDir: "$(GeneratorWorkingdir)" 59 | 60 | - task: NPM@1 61 | displayName: "Generate Bicep Files" 62 | inputs: 63 | command: "custom" 64 | workingDir: "$(GeneratorWorkingdir)" 65 | customCommand: "run generate -- --specs-dir ../../swagger/ --single-path microsoftgraph" 66 | 
-------------------------------------------------------------------------------- /pipelines/productionBuild.yml: -------------------------------------------------------------------------------- 1 | # Copyright (c) Microsoft Corporation. All rights reserved. 2 | # Licensed under the MIT License. 3 | 4 | name: $(BuildDefinitionName)_$(SourceBranchName)_$(Date:yyyyMMdd)$(Rev:.r) 5 | 6 | # Create a production build artifact from the HEAD of the master branch. 7 | trigger: none 8 | pr: none 9 | 10 | pool: 11 | name: Azure Pipelines 12 | vmImage: windows-latest 13 | demands: 14 | - msbuild 15 | - vstest 16 | 17 | variables: 18 | - template: ./common-variables.yml 19 | 20 | stages: 21 | - stage: build 22 | jobs: 23 | - job: build 24 | steps: 25 | - template: ./common-templates/install-tools.yml 26 | 27 | - template: ./common-templates/security-pre-checks.yml 28 | 29 | - template: ./common-templates/common-steps.yml 30 | parameters: 31 | Official: true 32 | 33 | - template: ./common-templates/security-post-checks.yml 34 | 35 | - stage: deploy 36 | condition: and(contains(variables['build.sourceBranch'], 'refs/heads/main'), succeeded()) 37 | dependsOn: build 38 | jobs: 39 | - deployment: deploy 40 | environment: microsoftgraph-bicep-nuget-org 41 | strategy: 42 | runOnce: 43 | deploy: 44 | pool: 45 | vmImage: ubuntu-latest 46 | steps: 47 | - task: DownloadPipelineArtifact@2 48 | displayName: Download nupkg from artifacts 49 | inputs: 50 | artifact: "$(ArtifactName)" 51 | source: current 52 | - task: NuGetCommand@2 53 | displayName: "NuGet push" 54 | inputs: 55 | command: push 56 | packagesToPush: "$(Pipeline.Workspace)/$(ArtifactName)/Microsoft.Graph.Bicep.Types.*.nupkg" 57 | nuGetFeedType: external 58 | publishFeedCredentials: "microsoftgraph NuGet connection" 59 | -------------------------------------------------------------------------------- /src/swagger-generation/src/util/orchestrationTypeResolver.ts: 
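--------------------------------------------------------------------------------
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT License.

import { CollectionProperty } from "../definitions/CollectionProperty";
import { PrimitiveSwaggerTypeStruct, SwaggerMetaFormat } from "../definitions/PrimitiveSwaggerType";
import { Property } from "../definitions/Property";
import { OrchestrationType } from "../definitions/Metadata";

/**
 * Classifies a property into the orchestration category used by the generator.
 *
 * Rules, in order of precedence:
 * - a `string` primitive with `binary` format is a binary stream;
 * - a collection of `microsoft.graph.certificate` is a certificate collection,
 *   any other collection is custom metadata;
 * - a complex (non-`Edm.`) type is classified by its name: "behavior" maps to
 *   behavior settings, "internal" to internal settings, anything else to
 *   custom metadata;
 * - every remaining (simple) type is custom metadata.
 *
 * @param property - The property to classify; only its `Type` and `Name` are read.
 * @returns The matching OrchestrationType; CustomMetadata is the catch-all.
 */
export const determineOrchestrationType = (property: Property): OrchestrationType => {
  // If it's a stream property
  if (property.Type instanceof PrimitiveSwaggerTypeStruct &&
      property.Type.type === "string" &&
      property.Type.format === SwaggerMetaFormat.Binary) {
    return OrchestrationType.BinaryStream;
  }

  // If it's a collection
  if (property.Type instanceof CollectionProperty) {
    const collectionType = property.Type.Type;
    if (collectionType === "microsoft.graph.certificate") {
      return OrchestrationType.CertificateCollection;
    }
    // Treat other collections as custom metadata
    return OrchestrationType.CustomMetadata;
  }

  // If it's a complex object (not primitive)
  if (typeof property.Type === "string" && !property.Type.startsWith("Edm.")) {
    const lowerName = property.Name.toLowerCase();
    if (lowerName.includes("behavior")) {
      return OrchestrationType.BehaviorSettings;
    }
    if (lowerName.includes("internal")) {
      return OrchestrationType.InternalSettings;
    }
    // Names containing "metadata" need no special case: they map to
    // CustomMetadata like every other complex object.
    return OrchestrationType.CustomMetadata;
  }

  // Default to custom metadata for simple types
  return OrchestrationType.CustomMetadata;
}
--------------------------------------------------------------------------------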
/quickstart-templates/security-group-assign-azure-role/main.bicep: -------------------------------------------------------------------------------- 1 | extension microsoftGraphV1 2 | 3 | param location string = resourceGroup().location 4 | 5 | // 3 client services per region 6 | param clientServiceList array = ['service1', 'service2', 'service3'] 7 | 8 | param resourceName string = 'resourceServiceName' 9 | var groupName = 'storageBlobReaders-${uniqueString(resourceName, location)}' 10 | var storageName = 'graphbicepstorage${location}' 11 | 12 | // create a managed identities for each service 13 | resource managedIdentities 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = [ 14 | for clientService in clientServiceList: { 15 | name: 'mi-${uniqueString(clientService, location)}' 16 | location: location 17 | } 18 | ] 19 | 20 | // Storage resource that the client services need access to 21 | resource storage 'Microsoft.Storage/storageAccounts@2023-05-01' existing = { 22 | name: storageName 23 | } 24 | 25 | // Create resource group and add MI as members 26 | resource storageBlobReadersGroup 'Microsoft.Graph/groups@v1.0' = { 27 | displayName: groupName 28 | mailEnabled: false 29 | mailNickname: uniqueString(groupName) 30 | securityEnabled: true 31 | uniqueName: groupName 32 | members: { 33 | relationshipSemantics: 'replace' 34 | relationships: [for (mi, i) in clientServiceList: managedIdentities[i].properties.principalId] 35 | } 36 | } 37 | 38 | @description('Specify the storage blob reader role definition ID') 39 | param storageBlobReaderRoleDefinitionId string = '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1' 40 | 41 | var roleAssignmentName = guid(resourceGroup().id, groupName, storageName) 42 | 43 | // Assign the group as a storage blob reader role 44 | resource storageBlobReadersRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { 45 | name: roleAssignmentName 46 | scope: storage 47 | properties: { 48 | principalId: storageBlobReadersGroup.id 
49 | roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', storageBlobReaderRoleDefinitionId) 50 | } 51 | } 52 | -------------------------------------------------------------------------------- /Microsoft.Graph.Bicep.Types.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 17.0.31903.59 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "src", "src", "{ED00A98B-AA9C-49AF-8772-3EC7C58EB11A}" 7 | EndProject 8 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.Graph.Bicep.Types", "src\Microsoft.Graph.Bicep.Types\Microsoft.Graph.Bicep.Types.csproj", "{BD103F96-A10D-41BB-BDB2-D5A84C63CF17}" 9 | EndProject 10 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.Graph.Bicep.Types.UnitTests", "src\Microsoft.Graph.Bicep.Types.UnitTests\Microsoft.Graph.Bicep.Types.UnitTests.csproj", "{577299BE-ECA9-4D9A-A2D5-213F851560FA}" 11 | EndProject 12 | Global 13 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 14 | Debug|Any CPU = Debug|Any CPU 15 | Release|Any CPU = Release|Any CPU 16 | EndGlobalSection 17 | GlobalSection(SolutionProperties) = preSolution 18 | HideSolutionNode = FALSE 19 | EndGlobalSection 20 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 21 | {BD103F96-A10D-41BB-BDB2-D5A84C63CF17}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 22 | {BD103F96-A10D-41BB-BDB2-D5A84C63CF17}.Debug|Any CPU.Build.0 = Debug|Any CPU 23 | {BD103F96-A10D-41BB-BDB2-D5A84C63CF17}.Release|Any CPU.ActiveCfg = Release|Any CPU 24 | {BD103F96-A10D-41BB-BDB2-D5A84C63CF17}.Release|Any CPU.Build.0 = Release|Any CPU 25 | {577299BE-ECA9-4D9A-A2D5-213F851560FA}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 26 | {577299BE-ECA9-4D9A-A2D5-213F851560FA}.Debug|Any CPU.Build.0 = Debug|Any CPU 27 | 
{577299BE-ECA9-4D9A-A2D5-213F851560FA}.Release|Any CPU.ActiveCfg = Release|Any CPU 28 | {577299BE-ECA9-4D9A-A2D5-213F851560FA}.Release|Any CPU.Build.0 = Release|Any CPU 29 | EndGlobalSection 30 | GlobalSection(NestedProjects) = preSolution 31 | {BD103F96-A10D-41BB-BDB2-D5A84C63CF17} = {ED00A98B-AA9C-49AF-8772-3EC7C58EB11A} 32 | {577299BE-ECA9-4D9A-A2D5-213F851560FA} = {ED00A98B-AA9C-49AF-8772-3EC7C58EB11A} 33 | EndGlobalSection 34 | EndGlobal 35 | -------------------------------------------------------------------------------- /quickstart-templates-archive/create-fic-for-github-actions/main.bicep: -------------------------------------------------------------------------------- 1 | extension microsoftGraphV1 2 | 3 | @description('Subject of the GitHub Actions workflow\'s federated identity credentials (FIC) that is checked before issuing an Entra ID access token to access Azure resources. GitHub Actions subject examples can be found in https://docs.github.com/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#example-subject-claims') 4 | param githubActionsFicSubject string 5 | 6 | @description('Role definition ID to be assigned') 7 | param roleDefinitionId string = 'b24988ac-6180-42a0-ab88-20f7382dd24c' // Contributor 8 | 9 | var githubOIDCProvider = 'https://token.actions.githubusercontent.com' 10 | var microsoftEntraAudience = 'api://AzureADTokenExchange' 11 | 12 | resource githubActionsApp 'Microsoft.Graph/applications@v1.0' = { 13 | uniqueName: 'githubActionsApp' 14 | displayName: 'Github Actions App' 15 | 16 | resource githubFic 'federatedIdentityCredentials' = { 17 | name: '${githubActionsApp.uniqueName}/githubFic' 18 | audiences: [microsoftEntraAudience] 19 | description: 'FIC for Github Actions to access Entra protected resources' 20 | issuer: githubOIDCProvider 21 | subject: githubActionsFicSubject 22 | } 23 | } 24 | 25 | resource githubActionsSp 'Microsoft.Graph/servicePrincipals@v1.0' = { 26 | appId: 
githubActionsApp.appId 27 | } 28 | 29 | // The service principal needs to be assigned the necessary role to access the resources 30 | // In this example, it is assigned with the `Contributor` role to the resource group 31 | // which will allow GitHub actions to access Azure resources in the resource group via Az PS/CLI 32 | var roleAssignmentName = guid('githubActions', roleDefinitionId, resourceGroup().id) 33 | resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { 34 | name: roleAssignmentName 35 | properties: { 36 | principalId: githubActionsSp.id 37 | principalType: 'ServicePrincipal' 38 | roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId) 39 | } 40 | } 41 | -------------------------------------------------------------------------------- /src/swagger-generation/tests/util/propertyTypeResolver.test.ts: -------------------------------------------------------------------------------- 1 | import { CollectionProperty } from "../../src/definitions/CollectionProperty"; 2 | import { PrimitiveSwaggerType } from "../../src/definitions/PrimitiveSwaggerType"; 3 | import { Property } from "../../src/definitions/Property"; 4 | import { resolvePropertyTypeToReference } from "../../src/util/propertyTypeResolver"; 5 | 6 | describe('resolvePropertyTypeToReference', () => { 7 | const propertyDescription = 'Property description'; 8 | 9 | it('should return undefined for primitive types', () => { 10 | const property = new Property('TestProperty', PrimitiveSwaggerType.Instance.Byte, propertyDescription, true, false); 11 | 12 | const result = resolvePropertyTypeToReference(property); 13 | 14 | expect(result).toBeUndefined(); 15 | }); 16 | 17 | it('should return undefined for primitive collection types', () => { 18 | const collectionProperty = new CollectionProperty(PrimitiveSwaggerType.Instance.Date); 19 | 20 | const property = new Property('TestProperty', collectionProperty, propertyDescription, true, false); 21 | 22 | 
const result = resolvePropertyTypeToReference(property); 23 | 24 | expect(result).toBeUndefined(); 25 | }); 26 | 27 | it('should return the type for reference types', () => { 28 | const entityName = 'namespace.one.EntityType1'; 29 | const property = new Property('TestProperty', entityName, propertyDescription, true, false); 30 | 31 | const result = resolvePropertyTypeToReference(property); 32 | 33 | expect(result).toBe(entityName); 34 | }); 35 | 36 | it('should return the type for reference collection types', () => { 37 | const entityName = 'namespace.one.EntityType1'; 38 | 39 | const collectionProperty = new CollectionProperty(entityName); 40 | 41 | const property = new Property('TestProperty', collectionProperty, propertyDescription, true, false); 42 | 43 | const result = resolvePropertyTypeToReference(property); 44 | 45 | expect(result).toBe(entityName); 46 | }); 47 | }); 48 | -------------------------------------------------------------------------------- /generated/index.md: -------------------------------------------------------------------------------- 1 | # Bicep Types 2 | ## microsoft.graph 3 | ### microsoft.graph/applications 4 | * **Link**: [beta](microsoftgraph/microsoft.graph/beta/0.1.9-preview/types.md#resource-microsoftgraphapplicationsbeta) 5 | * **Link**: [v1.0](microsoftgraph/microsoft.graph/v1.0/0.1.9-preview/types.md#resource-microsoftgraphapplicationsv10) 6 | 7 | ### microsoft.graph/applications/federatedidentitycredentials 8 | * **Link**: [beta](microsoftgraph/microsoft.graph/beta/0.1.9-preview/types.md#resource-microsoftgraphapplicationsfederatedidentitycredentialsbeta) 9 | * **Link**: [v1.0](microsoftgraph/microsoft.graph/v1.0/0.1.9-preview/types.md#resource-microsoftgraphapplicationsfederatedidentitycredentialsv10) 10 | 11 | ### microsoft.graph/approleassignedto 12 | * **Link**: [beta](microsoftgraph/microsoft.graph/beta/0.1.9-preview/types.md#resource-microsoftgraphapproleassignedtobeta) 13 | * **Link**: 
[v1.0](microsoftgraph/microsoft.graph/v1.0/0.1.9-preview/types.md#resource-microsoftgraphapproleassignedtov10) 14 | 15 | ### microsoft.graph/groups 16 | * **Link**: [beta](microsoftgraph/microsoft.graph/beta/0.1.9-preview/types.md#resource-microsoftgraphgroupsbeta) 17 | * **Link**: [v1.0](microsoftgraph/microsoft.graph/v1.0/0.1.9-preview/types.md#resource-microsoftgraphgroupsv10) 18 | 19 | ### microsoft.graph/oauth2permissiongrants 20 | * **Link**: [beta](microsoftgraph/microsoft.graph/beta/0.1.9-preview/types.md#resource-microsoftgraphoauth2permissiongrantsbeta) 21 | * **Link**: [v1.0](microsoftgraph/microsoft.graph/v1.0/0.1.9-preview/types.md#resource-microsoftgraphoauth2permissiongrantsv10) 22 | 23 | ### microsoft.graph/serviceprincipals 24 | * **Link**: [beta](microsoftgraph/microsoft.graph/beta/0.1.9-preview/types.md#resource-microsoftgraphserviceprincipalsbeta) 25 | * **Link**: [v1.0](microsoftgraph/microsoft.graph/v1.0/0.1.9-preview/types.md#resource-microsoftgraphserviceprincipalsv10) 26 | 27 | ### microsoft.graph/users 28 | * **Link**: [beta](microsoftgraph/microsoft.graph/beta/0.1.9-preview/types.md#resource-microsoftgraphusersbeta) 29 | * **Link**: [v1.0](microsoftgraph/microsoft.graph/v1.0/0.1.9-preview/types.md#resource-microsoftgraphusersv10) 30 | 31 | -------------------------------------------------------------------------------- /generated/index.json: -------------------------------------------------------------------------------- 1 | { 2 | "resources": { 3 | "Microsoft.Graph/groups@beta": { 4 | "$ref": "microsoftgraph/microsoft.graph/beta/0.1.9-preview/types.json#/18" 5 | }, 6 | "Microsoft.Graph/applications@beta": { 7 | "$ref": "microsoftgraph/microsoft.graph/beta/0.1.9-preview/types.json#/74" 8 | }, 9 | "Microsoft.Graph/servicePrincipals@beta": { 10 | "$ref": "microsoftgraph/microsoft.graph/beta/0.1.9-preview/types.json#/92" 11 | }, 12 | "Microsoft.Graph/applications/federatedIdentityCredentials@beta": { 13 | "$ref": 
"microsoftgraph/microsoft.graph/beta/0.1.9-preview/types.json#/97" 14 | }, 15 | "Microsoft.Graph/oauth2PermissionGrants@beta": { 16 | "$ref": "microsoftgraph/microsoft.graph/beta/0.1.9-preview/types.json#/101" 17 | }, 18 | "Microsoft.Graph/appRoleAssignedTo@beta": { 19 | "$ref": "microsoftgraph/microsoft.graph/beta/0.1.9-preview/types.json#/105" 20 | }, 21 | "Microsoft.Graph/users@beta": { 22 | "$ref": "microsoftgraph/microsoft.graph/beta/0.1.9-preview/types.json#/110" 23 | }, 24 | "Microsoft.Graph/groups@v1.0": { 25 | "$ref": "microsoftgraph/microsoft.graph/v1.0/0.1.9-preview/types.json#/13" 26 | }, 27 | "Microsoft.Graph/applications@v1.0": { 28 | "$ref": "microsoftgraph/microsoft.graph/v1.0/0.1.9-preview/types.json#/70" 29 | }, 30 | "Microsoft.Graph/servicePrincipals@v1.0": { 31 | "$ref": "microsoftgraph/microsoft.graph/v1.0/0.1.9-preview/types.json#/88" 32 | }, 33 | "Microsoft.Graph/applications/federatedIdentityCredentials@v1.0": { 34 | "$ref": "microsoftgraph/microsoft.graph/v1.0/0.1.9-preview/types.json#/93" 35 | }, 36 | "Microsoft.Graph/oauth2PermissionGrants@v1.0": { 37 | "$ref": "microsoftgraph/microsoft.graph/v1.0/0.1.9-preview/types.json#/97" 38 | }, 39 | "Microsoft.Graph/appRoleAssignedTo@v1.0": { 40 | "$ref": "microsoftgraph/microsoft.graph/v1.0/0.1.9-preview/types.json#/101" 41 | }, 42 | "Microsoft.Graph/users@v1.0": { 43 | "$ref": "microsoftgraph/microsoft.graph/v1.0/0.1.9-preview/types.json#/106" 44 | } 45 | }, 46 | "resourceFunctions": {} 47 | } -------------------------------------------------------------------------------- /samples/deploy-template/sample-template.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 3 | "languageVersion": "2.1-experimental", 4 | "contentVersion": "1.0.0.0", 5 | "metadata": { 6 | "_generator": { 7 | "name": "bicep", 8 | "version": "0.36.177.2456", 9 | "templateHash": 
"4754332622177909620" 10 | } 11 | }, 12 | "parameters": { 13 | "date": { 14 | "type": "string", 15 | "defaultValue": "2025-07-28" 16 | }, 17 | "appDisplayName": { 18 | "type": "string", 19 | "defaultValue": "sampleApp" 20 | }, 21 | "groupDisplayName": { 22 | "type": "string", 23 | "defaultValue": "sampleGroup" 24 | }, 25 | "app": { 26 | "type": "string", 27 | "defaultValue": "sampleApp" 28 | }, 29 | "group": { 30 | "type": "string", 31 | "defaultValue": "sampleGroup" 32 | } 33 | }, 34 | "imports": { 35 | "microsoftGraphV1": { 36 | "provider": "MicrosoftGraph", 37 | "version": "1.0.0" 38 | } 39 | }, 40 | "resources": { 41 | "myApp": { 42 | "import": "microsoftGraphV1", 43 | "type": "Microsoft.Graph/applications@v1.0", 44 | "properties": { 45 | "displayName": "[if(equals(parameters('appDisplayName'), null()), format('{0}-{1}', parameters('app'), parameters('date')), format('{0}-{1}', parameters('appDisplayName'), parameters('date')))]", 46 | "uniqueName": "[uniqueString(parameters('app'), parameters('date'))]" 47 | } 48 | }, 49 | "myGroup": { 50 | "import": "microsoftGraphV1", 51 | "type": "Microsoft.Graph/groups@v1.0", 52 | "properties": { 53 | "displayName": "[if(equals(parameters('groupDisplayName'), null()), format('{0}-{1}', parameters('group'), parameters('date')), format('{0}-{1}', parameters('groupDisplayName'), parameters('date')))]", 54 | "uniqueName": "[uniqueString(parameters('group'), parameters('date'))]", 55 | "mailNickname": "[uniqueString(parameters('group'), parameters('date'))]", 56 | "mailEnabled": false, 57 | "securityEnabled": true 58 | } 59 | } 60 | } 61 | } -------------------------------------------------------------------------------- /scripts/ValidateProjectVersionUpdated.ps1: -------------------------------------------------------------------------------- 1 | # Copyright (c) Microsoft Corporation. All rights reserved. 2 | # Licensed under the MIT License. 
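<#
.Synopsis
Validates that the package version has been updated
.Description
Validates that the package version has been updated by comparing the version
specified in the project file with the latest package version published on
NuGet. If the version has not been updated, the script will fail and indicate
that the project version needs to be updated.
#>

# TODO(review): pin the module (-RequiredVersion <version>) so the pipeline does
# not install whatever the gallery currently serves; an unpinned -Force install
# in a release-validation script is a supply-chain exposure.
Install-Module SemVerPS -Scope CurrentUser -Force
$packageName = "Microsoft.Graph.Bicep.Types"
$csprojPath = Join-Path $PSScriptRoot "..\src\Microsoft.Graph.Bicep.Types\Microsoft.Graph.Bicep.Types.csproj"

# VersionPrefix and VersionSuffix from the project file together form the
# version that gets published (prefix-suffix).
[XML]$csprojFile = Get-Content $csprojPath
$versionPrefix = $csprojFile.Project.PropertyGroup.VersionPrefix
$versionSuffix = $csprojFile.Project.PropertyGroup.VersionSuffix
$projectVersion = "$versionPrefix-$versionSuffix"

# Parse the project version into a SemVer object so the comparison below is
# semantic rather than lexical
$currentProjectVersion = ConvertTo-SemVer -Version $projectVersion

# API is case-sensitive
$packageName = $packageName.ToLower()
$url = "https://api.nuget.org/v3/registration5-gz-semver2/$packageName/index.json"

# Call the NuGet API for the package and get the current published version.
# NOTE(review): items[0] is the first registration page; if the package ever
# spans several pages the highest version lives in the last one - verify.
$nugetIndex = Invoke-RestMethod -Uri $url -Method Get
$publishedVersionString = $nugetIndex.items[0].upper

# Parse the published version into a SemVer object
$currentPublishedVersion = ConvertTo-SemVer -Version $publishedVersionString

# Validate that the version number has been updated.
if ($currentProjectVersion -le $currentPublishedVersion) {
    # The message names the project file (that is what was read above).
    Write-Error "The project version in the project file ($projectVersion) has not been bumped up. The current published version is $publishedVersionString. Please increment the current project version."
    # Write-Error is non-terminating unless the host sets ErrorActionPreference
    # to Stop; exit explicitly so the check also fails when run standalone.
    exit 1
}
else {
    Write-Host "Validated that the version has been updated from $publishedVersionString to $currentProjectVersion" -ForegroundColor Green
}
-------------------------------------------------------------------------------- /src/swagger-generation/src/definitions/Metadata.ts: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft Corporation. 2 | // Licensed under the MIT License. 3 | 4 | export enum OrchestrationType { 5 | CustomMetadata = "customMetadata", 6 | BinaryStream = "binaryStream", 7 | CertificateCollection = "certificateCollection", 8 | BehaviorSettings = "behaviorSettings", 9 | InternalSettings = "internalSettings", 10 | } 11 | 12 | export interface RelationshipMetadata { 13 | needsBatch?: boolean, 14 | bulkLimit?: number, 15 | properties: RelationshipPropertyMetadata[], 16 | } 17 | 18 | export interface RelationshipPropertyMetadata { 19 | name: string, 20 | type: string, 21 | } 22 | 23 | export interface ExtensionVersionMetadata { 24 | [extensionVersion: string]: Metadata 25 | } 26 | 27 | export interface Metadata { 28 | [entityName: string]: EntityAPIMetadata 29 | } 30 | 31 | export interface EntityAPIMetadata { 32 | [apiVersion: string]: EntityMetadata 33 | } 34 | 35 | export interface StreamPropertyMetadata { 36 | name: string, 37 | urlPattern: string, 38 | httpMethod: string 39 | } 40 | 41 | export interface ResourceKey { 42 | name: string, 43 | omitInPayload?: boolean 44 | } 45 | 46 | export interface OrchestrationProperty { 47 | name: string, 48 | orchestrationType: OrchestrationType, 49 | urlPattern?: string, 50 | httpMethod?: string 51 | } 52 | 53 | export interface OrchestrationProperties { 54 | save?: OrchestrationProperty[], 55 | get?: OrchestrationProperty[] 56 | } 57 | 58 | export interface EntityMetadata { 59 | entitySetPath?: string, 60 | isIdempotent: boolean, 61 | updatable: boolean, 62 | isContainment: boolean, 63 | isReadonly?: boolean, 64 |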
alternateKey?: string, 65 | navigationProperties?: string[], 66 | containerEntitySet?: string, 67 | keyProperty?: string, 68 | temporaryFilterKeys?: string[], 69 | compositeKeyProperties?: string[], 70 | relationshipMetadata?: RelationshipMetadata, 71 | resourceKey?: ResourceKey, 72 | orchestrationProperties?: OrchestrationProperties, 73 | isSingleton?: boolean, 74 | pathSegmentName?: string 75 | } 76 | -------------------------------------------------------------------------------- /quickstart-templates/security-group-add-user-members/main.bicep: -------------------------------------------------------------------------------- 1 | // Setting replace semantics for all relationships in this template unless overridden 2 | extension microsoftGraphV1 with { 3 | relationshipSemantics: 'replace' 4 | } 5 | 6 | 7 | // TEMPLATE OVERVIEW: 8 | // Creates a security group and adds the referenced users as members. 9 | // The user list are in a txt file, with each user's UPN on a separate line. 10 | // Replace example userlist.txt file values with user UPNs from your tenant. 11 | // The group members are added using replace semantics overwriting any 12 | // existing group members. 13 | 14 | @description('Today\'s date used to configure a unique daily app name') 15 | param date string 16 | 17 | // File name/path must be a compile time constant, so this cannot be a param 18 | var userListFilename = 'userlist.txt' 19 | 20 | // Load a text file with a list of users separated by newlines 21 | var upnListFromFile = loadTextContent(userListFilename) 22 | var upnList = split(upnListFromFile,'\r\n') 23 | var upnListLength = length(upnList) 24 | 25 | var groupName = 'sg-${date}-${uniqueString(deployer().objectId, 'group')}' 26 | 27 | // create a users object list, looking up by the list of UPNs 28 | // Referencing a user resource that doesn't exist results in a "NotFound" error and deployment failure. 29 | // Check the name and scope of the resource you're trying to reference. 
30 | // See https://learn.microsoft.com/azure/azure-resource-manager/bicep/existing-resource 31 | resource userList 'Microsoft.Graph/users@v1.0' existing = [for upn in upnList: { 32 | userPrincipalName: upn 33 | }] 34 | 35 | // create security group and add user list as members 36 | resource group 'Microsoft.Graph/groups@v1.0' = { 37 | displayName: groupName 38 | mailEnabled: false 39 | mailNickname: uniqueString(groupName) 40 | securityEnabled: true 41 | uniqueName: groupName 42 | members: { 43 | relationships: [for i in range(0, upnListLength): userList[i].id] 44 | } 45 | } 46 | 47 | // outputs 48 | output addedUserList array = upnList 49 | output groupName string = group.displayName 50 | output groupId string = group.id 51 | output groupMembers array = group.members.relationships 52 | -------------------------------------------------------------------------------- /quickstart-templates/apps-permissions-and-grants/appRequiredResourceAccess.bicep: -------------------------------------------------------------------------------- 1 | extension microsoftGraphV1 2 | 3 | // TEMPLATE DESCRIPTION 4 | /* Set the required resource access on a client application definition. 5 | The target resource used is Microsoft Graph, and the deployer can select which 6 | Microsoft Graph OAuth2.0 scopes are configured on the client app. The template also 7 | assigns an owner to the application. 8 | 9 | NOTE: requiredResourceAccess configures which permissions the client application 10 | requires and this drives the user consent experience where permissions are granted. 11 | requiredResourceAccess itself does NOT grant any permissions to the client application. 12 | */ 13 | 14 | param date string 15 | param displayName string? 16 | param filteredScopes array 17 | param userUPN string? 
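18 | 19 | var app = 'myApp' 20 | var graphAppId = '00000003-0000-0000-c000-000000000000' 21 | 22 | // fetch the user's ID based on their UPN 23 | resource userOwner 'Microsoft.Graph/users@v1.0' existing = if (!empty(userUPN)) { 24 | userPrincipalName: userUPN! 25 | } 26 | 27 | // create an application with the requiredResourceAccess property 28 | // creates a resourceAccess scope for each Microsoft Graph scope in filteredScopes 29 | resource myApp 'Microsoft.Graph/applications@v1.0' = { 30 | displayName: displayName == null ? '${app}-${date}' :'${displayName}-${app}-${date}' 31 | uniqueName: uniqueString(app, date) 32 | owners: { 33 | relationships: (!empty(userUPN)) ? [userOwner.id] : [] 34 | } 35 | requiredResourceAccess: [ 36 | { 37 | resourceAppId: graphAppId 38 | resourceAccess: [ for (scope, i) in filteredScopes: { 39 | id: filteredScopes[i].id 40 | type: 'Scope' 41 | } 42 | ] 43 | } 44 | ] 45 | } 46 | 47 | // output information 48 | output appName string = myApp.displayName 49 | output appObjectID string = myApp.id 50 | output appID string = myApp.appId 51 | output appOwners array = myApp.owners.relationships 52 | output scopes array = [for (scopeItem,i) in filteredScopes: filteredScopes[i].value] 53 | output clientAppResourceAccessList array = myApp.requiredResourceAccess[0].resourceAccess 54 |
-------------------------------------------------------------------------------- /quickstart-templates/create-fic-for-github-actions/main.bicep: --------------------------------------------------------------------------------
extension microsoftGraphV1

// TEMPLATE DESCRIPTION
// Creates an application and service principal for GitHub Actions, adds a
// federated identity credential (FIC) that trusts GitHub's OIDC issuer for one
// repository branch, and assigns the service principal an Azure role on the
// resource group so a workflow can deploy without holding a client secret.

// Owner and repository are required in practice: with an empty value the FIC
// subject below degenerates to 'repo:/:ref:refs/heads/main', a credential that
// matches no repository. @minLength rejects an omitted value at validation.
@minLength(1)
@description('The owner of the GitHub organization or account that holds the repository assigned to a workload identity')
param gitHubOwner string = ''

@minLength(1)
@description('The GitHub repository (name only, without the owner) that is assigned to a workload identity')
param gitHubRepo string = ''

@description('Contributor role definition ID')
param contributorRoleDefinitionId string = 'b24988ac-6180-42a0-ab88-20f7382dd24c'

// Subject claim GitHub puts in workflow tokens for pushes to the main branch.
// Other refs (tags, pull requests, environments) do not match this credential;
// widen it deliberately per workflow rather than by loosening the subject.
@description('Subject of the GitHub Action workflow\'s federated identity credentials')
var gitHubActionsFederatedIdentitySubject = 'repo:${gitHubOwner}/${gitHubRepo}:ref:refs/heads/main'

var applicationDisplayName = 'GitHub Actions App'
var applicationName = 'githubActionsApp'
var githubOIDCProvider = 'https://token.actions.githubusercontent.com'
var microsoftEntraAudience = 'api://AzureADTokenExchange'

// Application that GitHub Actions signs in as. The nested FIC is what allows a
// GitHub-issued OIDC token to be exchanged for a Microsoft Entra token: issuer,
// subject and audience must all match the presented token.
resource identityGithubActionsApplications 'Microsoft.Graph/applications@v1.0' = {
  displayName: applicationDisplayName
  uniqueName: applicationName

  resource githubFederatedIdentityCredential 'federatedIdentityCredentials@v1.0' = {
    name: '${identityGithubActionsApplications.uniqueName}/githubFederatedIdentityCredential'
    audiences: [
      microsoftEntraAudience
    ]
    issuer: githubOIDCProvider
    subject: gitHubActionsFederatedIdentitySubject
  }
}

resource githubActionsSp 'Microsoft.Graph/servicePrincipals@v1.0' = {
  appId: identityGithubActionsApplications.appId
}

var roleAssignmentName = guid(resourceGroup().id, 'githubactions', contributorRoleDefinitionId)

// Assign the GitHub action service principal the Azure contributor role scoped to a resource group.
// principalType is set explicitly, as the archived variant of this quickstart
// does; it spares ARM a directory lookup of a principal created moments earlier.
resource contributorRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: roleAssignmentName
  scope: resourceGroup()
  properties: {
    principalId: githubActionsSp.id
    principalType: 'ServicePrincipal'
    roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', contributorRoleDefinitionId)
  }
}

// Despite its name this output is the application (client) ID - the value a
// workflow supplies as client-id - and is kept unchanged for existing consumers.
output githubActionsSpId string = identityGithubActionsApplications.appId
// Object ID of the service principal, e.g. for auditing the role assignment.
output githubActionsSpObjectId string = githubActionsSp.id
-------------------------------------------------------------------------------- /quickstart-templates/resource-application-access-grant-to-client-application/README.md: -------------------------------------------------------------------------------- 1 | # Grant a client app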
access to a resource app 2 | 3 | This template allows you to grant client app access to resource application by assigning the app role (defined in the resource app) to the client app. 4 | 5 | ## Details 6 | 7 | The id for the app role must be passed in as a parameter. It needs to be the same as the app role id deployed in the [application-serviceprincipal-create-client-resource](../application-serviceprincipal-create-client-resource/) example. 8 | 9 | ### Prerequisites 10 | 11 | - This template depends on a successful deployment of [application-serviceprincipal-create-client-resource](../application-serviceprincipal-create-client-resource/) 12 | - A valid **Azure subscription**: If you don't own an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. 13 | - An **Azure resource group** that you own under a valid Azure subscription, or [deploy without an Azure subscription][no-azure-sub]. 14 | - [Bicep tools for authoring and deployment](https://learn.microsoft.com/graph/templates/quickstart-install-bicep-tools). The minimum required Bicep version is [v0.36.1](https://github.com/Azure/bicep/releases/tag/v0.36.1). 15 | - Permissions to grant app roles. [Users have this permission by default](https://learn.microsoft.com/entra/fundamentals/users-default-permissions#compare-member-and-guest-default-permissions) as long as you created the client app. If not, you need to be assigned at least the [Application Administrator](https://learn.microsoft.com/entra/identity/role-based-access-control/permissions-reference#application-administrator) role. 
16 | 17 | ### Deploy the Bicep template 18 | 19 | You can deploy the template with the following commands (replace ``, `` with the necessary values for your deployment): 20 | 21 | #### Az CLI 22 | 23 | ```sh 24 | az deployment group create --resource-group --template-file main.bicep --parameters appRoleId='' 25 | ``` 26 | 27 | #### Az PowerShell 28 | 29 | ```powershell 30 | New-AzResourceGroupDeployment -ResourceGroupName -TemplateFile .\main.bicep -appRoleId "" 31 | ``` 32 | -------------------------------------------------------------------------------- /pipelines/common-templates/esrp/codesign.yml: -------------------------------------------------------------------------------- 1 | # Copyright (c) Microsoft Corporation. All rights reserved. 2 | # Licensed under the MIT License. 3 | 4 | steps: 5 | - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@5 6 | displayName: "ESRP CodeSigning" 7 | inputs: 8 | ConnectedServiceName: "Federated DevX ESRP Managed Identity Connection" 9 | AppRegistrationClientId: "65035b7f-7357-4f29-bf25-c5ee5c3949f8" 10 | AppRegistrationTenantId: "cdc5aeea-15c5-4db6-b079-fcadd2505dc2" 11 | AuthAKVName: "akv-prod-eastus" 12 | AuthCertName: "ReferenceLibraryPrivateCert" 13 | AuthSignCertName: "ReferencePackagePublisherCertificate" 14 | FolderPath: src 15 | signConfigType: inlineSignParams 16 | inlineOperation: | 17 | [ 18 | { 19 | "keyCode": "CP-230012", 20 | "operationSetCode": "SigntoolSign", 21 | "parameters": [ 22 | { 23 | "parameterName": "OpusName", 24 | "parameterValue": "Microsoft" 25 | }, 26 | { 27 | "parameterName": "OpusInfo", 28 | "parameterValue": "http://www.microsoft.com" 29 | }, 30 | { 31 | "parameterName": "FileDigest", 32 | "parameterValue": "/fd \"SHA256\"" 33 | }, 34 | { 35 | "parameterName": "PageHash", 36 | "parameterValue": "/NPH" 37 | }, 38 | { 39 | "parameterName": "TimeStamp", 40 | "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" 41 | } 42 | ], 43 | "toolName": 
"sign", 44 | "toolVersion": "1.0" 45 | }, 46 | { 47 | "keyCode": "CP-230012", 48 | "operationSetCode": "SigntoolVerify", 49 | "parameters": [ ], 50 | "toolName": "sign", 51 | "toolVersion": "1.0" 52 | } 53 | ] 54 | SessionTimeout: 20 55 | MaxConcurrency: 50 56 | MaxRetryAttempts: 5 57 | PendingAnalysisWaitTimeoutMinutes: 5 58 | -------------------------------------------------------------------------------- /samples/deploy-template/grant-deployment-app-arm-and-graph-scopes/main.bicep: -------------------------------------------------------------------------------- 1 | extension microsoftGraphV1 2 | 3 | // TEMPLATE DESCRIPTION 4 | /* Create a public client application and grant OAuth2.0 scopes to the application 5 | In thus case the permissions granted are for Microsoft Graph and ARM to enable the 6 | client app to deploy templates containing Microsoft Graph resources. 7 | 8 | */ 9 | 10 | @description('Supply today\'s date to deploy the template') 11 | param date string 12 | 13 | @description('Provide a friendly display name for the app') 14 | param displayName string? 
15 | 16 | @description('Provide an array of Microsoft Graph scopes like "User.Read"') 17 | param appScopes array = ['Group.ReadWrite.All','Application.ReadWrite.All'] 18 | 19 | var graphAppId = '00000003-0000-0000-c000-000000000000' 20 | var armAppId = '797f4846-ba00-4fd7-ba43-dac1f8f63013' 21 | 22 | // Get the Microsoft Graph service principal so that the scope names 23 | // can be looked up and mapped to a permission ID 24 | resource msGraphSP 'Microsoft.Graph/servicePrincipals@v1.0' existing = { 25 | appId: graphAppId 26 | } 27 | 28 | // Get the ARM service principal so that the scope names 29 | // can be looked up and mapped to a permission ID 30 | resource armSP 'Microsoft.Graph/servicePrincipals@v1.0' existing = { 31 | appId: armAppId 32 | } 33 | 34 | var graphScopes = msGraphSP.oauth2PermissionScopes 35 | var filteredScopes = filter(graphScopes, scope => contains(appScopes, scope.value)) 36 | 37 | module appCreateGrantScopesModule './appGrantScopes.bicep' = { 38 | name: 'appScopeGrantDeploy' 39 | params: { 40 | filteredScopes: filteredScopes 41 | date: date 42 | displayName: displayName 43 | graphSpId: msGraphSP.id 44 | armSpId: armSP.id 45 | } 46 | } 47 | 48 | // outputs 49 | output appName string = appCreateGrantScopesModule.outputs.appName 50 | output appObjectID string = appCreateGrantScopesModule.outputs.appObjectID 51 | output appID string = appCreateGrantScopesModule.outputs.appID 52 | output tenantId string = subscription().tenantId 53 | output foundInputScopes array = appCreateGrantScopesModule.outputs.scopes 54 | output grantedGraphScopes string = appCreateGrantScopesModule.outputs.grantedGraphScopes 55 | output grantedArmScopes string = appCreateGrantScopesModule.outputs.grantedArmScopes 56 | -------------------------------------------------------------------------------- /quickstart-templates/create-client-app-with-logo/README.md: -------------------------------------------------------------------------------- 1 | # Create client app with a logo 
2 | 3 | This template creates a client Entra application with a PNG logo. 4 | 5 | ## Details 6 | 7 | The client application is created with a logo. The logo is read from a PNG file in the same folder as the main.bicep file using the loadFileAsBase64() Bicep function. 8 | 9 | ### Prerequisites 10 | 11 | - A valid **Azure subscription**: If you don't own an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin or [deploy without an Azure subscription][no-azure-sub]. 12 | - An **Azure resource group** that you own under a valid Azure subscription. 13 | - [Bicep tools for authoring and deployment](https://learn.microsoft.com/graph/templates/quickstart-install-bicep-tools). The minimum required Bicep version is [v0.36.1](https://github.com/Azure/bicep/releases/tag/v0.36.1). 14 | - Have the requisite **Microsoft Entra roles** to deploy this template: 15 | - Permissions to create applications. [Users have this permission by default](https://learn.microsoft.com/entra/fundamentals/users-default-permissions#compare-member-and-guest-default-permissions). However, [admins can turn off this default](https://learn.microsoft.com/entra/fundamentals/users-default-permissions#restrict-member-users-default-permissions) in which case you need to be assigned at least the [Application Developer](https://learn.microsoft.com/entra/identity/role-based-access-control/permissions-reference#application-developer) role. 16 | 17 | ### Deploy the template 18 | 19 | You can deploy the template with the following Azure CLI or PS command (replace `` and the optional `` with the necessary values for your deployment). 
The template loads a sample logo file which can also be replaced: 20 | 21 | #### Az CLI 22 | 23 | ```sh 24 | az deployment group create --resource-group --template-file main.bicep --parameters date='' displayName='' 25 | ``` 26 | 27 | #### Az PowerShell 28 | 29 | ```powershell 30 | New-AzResourceGroupDeployment -ResourceGroupName -TemplateFile .\main.bicep -date "" -displayName "" 31 | ``` 32 | 33 | [no-azure-sub]:https://learn.microsoft.com/graph/templates/how-to-deploy-without-azure-sub?view=graph-bicep-1.0&tabs=CLI 34 | -------------------------------------------------------------------------------- /quickstart-templates/apps-permissions-and-grants/appGrantScopes.bicep: -------------------------------------------------------------------------------- 1 | extension microsoftGraphV1 2 | 3 | // TEMPLATE DESCRIPTION 4 | /* Grant OAuth2.0 scopes to a client application definition, 5 | where the target resource used is Microsoft Graph, and the deployer can select which 6 | Microsoft Graph OAuth2.0 scopes are granted on the client app. The template also 7 | assigns an owner to the application and service principal. 8 | 9 | NOTE: Setting requiredResourceAccess on a client application is NOT required 10 | to grant OAuth2.0 permissions to the client application. 11 | */ 12 | 13 | param date string 14 | param displayName string? 15 | param filteredScopes array 16 | param graphSpId string 17 | param userUPN string? 18 | 19 | var app = 'myApp' 20 | 21 | // convert scopes array into space separate scopes string 22 | var scopeArray = [for (scopeItem,i) in filteredScopes: filteredScopes[i].value] 23 | var scopeString = join(scopeArray, ' ') 24 | 25 | // fetch the user's ID based on their UPN 26 | resource userOwner 'Microsoft.Graph/users@v1.0' existing = if (!empty(userUPN)) { 27 | userPrincipalName: userUPN! 28 | } 29 | 30 | // create basic app 31 | resource myApp 'Microsoft.Graph/applications@v1.0' = { 32 | displayName: displayName == null ?
'${app}-${date}' :'${displayName}-${app}-${date}' 33 | uniqueName: uniqueString(app, date) 34 | owners: { 35 | relationships: (!empty(userUPN)) ? [userOwner.id] : [] 36 | } 37 | } 38 | 39 | // Create service principal for the basic app 40 | resource mySP 'Microsoft.Graph/servicePrincipals@v1.0' = { 41 | appId: myApp.appId 42 | owners: { 43 | relationships: (!empty(userUPN)) ? [userOwner.id] : [] 44 | } 45 | } 46 | 47 | // Grant the OAuth2.0 scopes (requested in parameters) to the basic app, 48 | // for all users in the tenant 49 | resource graphScopesAssignment 'Microsoft.Graph/oauth2PermissionGrants@v1.0' = { 50 | clientId: mySP.id 51 | resourceId: graphSpId 52 | consentType: 'AllPrincipals' 53 | scope: scopeString 54 | } 55 | 56 | // output information 57 | output appName string = myApp.displayName 58 | output appObjectID string = myApp.id 59 | output appID string = myApp.appId 60 | output appOwners array = myApp.owners.relationships 61 | output scopes array = scopeArray 62 | output grantedScopes string = graphScopesAssignment.scope 63 | -------------------------------------------------------------------------------- /src/Directory.Build.targets: -------------------------------------------------------------------------------- 1 | 2 | 3 | 9 | 10 | true 11 | true 12 | true 13 | 14 | $(DefineConstants);LINUX_BUILD 15 | $(DefineConstants);OSX_BUILD 16 | $(DefineConstants);WINDOWS_BUILD 17 | 18 | 19 | 20 | 21 | $(MSBuildThisFileDirectory)\..\out 22 | Microsoft 23 | 24 | 25 | false 26 | © Microsoft Corporation. All rights reserved. 
27 | MicrosoftGraph;Bicep;Types 28 | 29 | 30 | true 31 | snupkg 32 | 33 | 34 | git 35 | 36 | -------------------------------------------------------------------------------- /quickstart-templates/security-group-create-with-owners-and-members/README.md: -------------------------------------------------------------------------------- 1 | # Create a group with members and owners 2 | 3 | This template allows you to create a security group with members and owners. 4 | 5 | ## Details 6 | 7 | Both `members` and `owners` take a [MicrosoftGraphRelationship](../../generated/microsoftgraph/microsoft.graph/v1.0/0.2.0-preview/types.md#microsoftgraphrelationship) type. 8 | 9 | - The resource service principal created in [application-serviceprincipal-create-client-resource](../application-serviceprincipal-create-client-resource/) is added to the owners 10 | - A managed identity is created and added to the members 11 | 12 | > NOTE: Due to replication delays, deploying the template may fail when trying to add the newly created managed identity as a member. Simply wait a few minutes and try running the deployment again. 13 | 14 | ### Prerequisites 15 | 16 | - This template depends on a successful deployment of [application-serviceprincipal-create-client-resource](../application-serviceprincipal-create-client-resource/) 17 | - A valid **Azure subscription**: If you don't own an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. 18 | - An **Azure resource group** that you own under the valid Azure subscription. 19 | - [Bicep tools for authoring and deployment](https://learn.microsoft.com/graph/templates/quickstart-install-bicep-tools). The minimum required Bicep version is [v0.36.1](https://github.com/Azure/bicep/releases/tag/v0.36.1). 20 | - Have the requisite **Microsoft Entra roles** to deploy this template: 21 | - A **Microsoft Entra role** that assigns you permissions to create security groups. 
[Users have this permission by default](https://learn.microsoft.com/entra/fundamentals/users-default-permissions#compare-member-and-guest-default-permissions). However, [admins can turn off this default](https://learn.microsoft.com/entra/fundamentals/users-default-permissions#restrict-member-users-default-permissions) in which case you need to be assigned at least the [Groups Administrator](https://learn.microsoft.com/entra/identity/role-based-access-control/permissions-reference#groups-administrator) role. 22 | 23 | ### Deploy the template 24 | 25 | #### Az CLI 26 | 27 | ```sh 28 | az deployment group create --resource-group --template-file main.bicep 29 | ``` 30 | 31 | #### Az PowerShell 32 | 33 | ```powershell 34 | New-AzResourceGroupDeployment -ResourceGroupName -TemplateFile .\main.bicep 35 | ``` 36 | -------------------------------------------------------------------------------- /samples/deploy-template/grant-deployment-app-arm-and-graph-scopes/appGrantScopes.bicep: -------------------------------------------------------------------------------- 1 | extension microsoftGraphV1 2 | 3 | // TEMPLATE DESCRIPTION 4 | /* Grant OAuth2.0 scopes to a public client application definition, 5 | where the target resource used is Microsoft Graph, and the deployer can select which 6 | Microsoft Graph OAuth2.0 scopes are granted on the client app. It also grants the ARM 7 | resource user_impersonation scope to the client app. 8 | 9 | NOTE: Setting requiredResourceAccess on a client application is NOT required 10 | to grant OAuth2.0 permissions to the client application. 11 | */ 12 | 13 | param date string 14 | param displayName string? 
15 | param filteredScopes array 16 | param graphSpId string 17 | param armSpId string 18 | 19 | var app = 'myApp' 20 | 21 | // convert scopes array into space separate scopes string 22 | var scopeArray = [for (scopeItem,i) in filteredScopes: filteredScopes[i].value] 23 | var scopeString = join(scopeArray, ' ') 24 | 25 | // create basic public client application 26 | resource myApp 'Microsoft.Graph/applications@v1.0' = { 27 | displayName: displayName == null ? '${app}-${date}' :'${displayName}-${app}-${date}' 28 | uniqueName: uniqueString(app, date) 29 | publicClient: { 30 | redirectUris: [ 31 | 'http://localhost' 32 | ] 33 | } 34 | isFallbackPublicClient: true 35 | signInAudience: 'AzureADMyOrg' 36 | } 37 | 38 | // Create service principal for the basic app 39 | resource mySP 'Microsoft.Graph/servicePrincipals@v1.0' = { 40 | appId: myApp.appId 41 | } 42 | 43 | // Grant the OAuth2.0 scopes (requested in parameters) to the basic app, 44 | // for all users in the tenant to Microsoft Graph 45 | resource graphScopesAssignment 'Microsoft.Graph/oauth2PermissionGrants@v1.0' = { 46 | clientId: mySP.id 47 | resourceId: graphSpId 48 | consentType: 'AllPrincipals' 49 | scope: scopeString 50 | } 51 | 52 | // Also grant the user_impersonation scope (for the ARM resource) to the client app 53 | resource armScopeAssignment 'Microsoft.Graph/oauth2PermissionGrants@v1.0' = { 54 | clientId: mySP.id 55 | resourceId: armSpId 56 | consentType: 'AllPrincipals' 57 | scope: 'user_impersonation' 58 | } 59 | 60 | // output information 61 | output appName string = myApp.displayName 62 | output appObjectID string = myApp.id 63 | output appID string = myApp.appId 64 | output scopes array = scopeArray 65 | output grantedGraphScopes string = graphScopesAssignment.scope 66 | output grantedArmScopes string = armScopeAssignment.scope 67 | -------------------------------------------------------------------------------- /quickstart-templates/security-group-assign-azure-role/README.md: 
-------------------------------------------------------------------------------- 1 | # Enable client services to read from Blob storage, using a Microsoft Entra security group 2 | 3 | This video shows how the Bicep file is created, deployed and then run to demonstrate an app service reading from the Blob Storage account. 4 | 5 | https://github.com/user-attachments/assets/b9d47f68-c94b-4e8e-8e0e-4e5716a7fcc8 6 | 7 | ## Details 8 | 9 | ![Configuring an app service to read from a Blob Storage account via a security group.](../../docs/media/client-apps-read-from-blob-storage-via-sg.jpg) 10 | 11 | This Bicep template configures three regional user-assigned managed identities that can be used to read from a Blob Storage account via a security group. The user-assigned managed identities are added as members of the security group, and the security group is assigned the Azure Reader role on the Blob Storage account. You can find other Azure built-in roles [here](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles). 12 | 13 | ### Prerequisites 14 | 15 | * Ownership of a GitHub repo. 16 | * Have a valid **Azure subscription**: If you don't own an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. 17 | * [Bicep tools for authoring and deployment](https://learn.microsoft.com/graph/templates/quickstart-install-bicep-tools). The minimum required Bicep version is [v0.36.1](https://github.com/Azure/bicep/releases/tag/v0.36.1). 18 | * Have a **Microsoft Entra role** that assigns you permissions to create security groups. [Users have this permission by default](https://learn.microsoft.com/entra/fundamentals/users-default-permissions#compare-member-and-guest-default-permissions). 
However, [admins can turn off this default](https://learn.microsoft.com/entra/fundamentals/users-default-permissions#restrict-member-users-default-permissions), in which case you need to be assigned at least the [Groups Administrator](https://learn.microsoft.com/entra/identity/role-based-access-control/permissions-reference#groups-administrator) role. 19 | 20 | ### Deploy the Bicep template 21 | 22 | You can deploy the template with the following Azure CLI command (replace `<resource-group-name>` with the name of your resource group): 23 | 24 | ```sh 25 | az deployment group create --resource-group <resource-group-name> --template-file main.bicep 26 | ``` 27 | 28 | To deploy the same template using Az PowerShell, use: 29 | 30 | ```powershell 31 | New-AzResourceGroupDeployment -ResourceGroupName <resource-group-name> -TemplateFile .\main.bicep 32 | ``` 33 | -------------------------------------------------------------------------------- /.github/policies/msgraph-bicep-types-branch-protection.yml: -------------------------------------------------------------------------------- 1 | # Copyright (c) Microsoft Corporation. 2 | # Licensed under the MIT License. 3 | 4 | # File initially created using https://github.com/MIchaelMainer/policyservicetoolkit/blob/main/branch_protection_export.ps1. 5 | 6 | name: msgraph-bicep-types-branch-protection 7 | description: Branch protection policy for the msgraph-bicep-types repository 8 | resource: repository 9 | configuration: 10 | branchProtectionRules: 11 | - branchNamePattern: main 12 | # This branch pattern applies to the following branches as of approximately 09/01/2023 15:46:10: 13 | # main 14 | 15 | # Specifies whether this branch can be deleted. boolean 16 | allowsDeletions: false 17 | # Specifies whether forced pushes are allowed on this branch. boolean 18 | allowsForcePushes: false 19 | # Specifies whether new commits pushed to the matching branches dismiss pull request review approvals. 
boolean 20 | dismissStaleReviews: true 21 | # Specifies whether admins can overwrite branch protection. boolean 22 | isAdminEnforced: false 23 | # Indicates whether "Require a pull request before merging" is enabled. boolean 24 | requiresPullRequestBeforeMerging: true 25 | # Specifies the number of pull request reviews before merging. int (0-6). Should be null/empty if PRs are not required 26 | requiredApprovingReviewsCount: 1 27 | # Require review from Code Owners. Requires requiredApprovingReviewsCount. boolean 28 | requireCodeOwnersReview: true 29 | # Are commits required to be signed. boolean. TODO: all contributors must have commit signing on local machines. 30 | requiresCommitSignatures: false 31 | # Are conversations required to be resolved before merging? boolean 32 | requiresConversationResolution: true 33 | # Are merge commits prohibited from being pushed to this branch. boolean 34 | requiresLinearHistory: false 35 | # Required status checks to pass before merging. Values can be any string, but if the value does not correspond to any existing status check, the status check will be stuck on pending for status since nothing exists to push an actual status 36 | requiredStatusChecks: 37 | - CodeQL 38 | # Require branches to be up to date before merging. Requires requiredStatusChecks. boolean 39 | requiresStrictStatusChecks: true 40 | # Indicates whether there are restrictions on who can push. boolean. Should be set with whoCanPush. 41 | restrictsPushes: false 42 | # Restrict who can dismiss pull request reviews. 
boolean 43 | restrictsReviewDismissals: false 44 | -------------------------------------------------------------------------------- /quickstart-templates-archive/create-fic-for-github-actions/README.md: -------------------------------------------------------------------------------- 1 | # Configure federated identity credential for GitHub Actions 2 | 3 | > **Note1**: Minimum Bicep version required to deploy this quickstart template is [v0.30.3](https://github.com/Azure/bicep/releases/tag/v0.30.3). 4 | 5 | > **Note2**: This template sample **only** configures the Microsoft Entra ID portion (to enable workload identity federation). Additional configuration steps are also required on the GitHub side, to ensure that the federation works end-to-end. See [Use GitHub Actions to connect to Azure](https://learn.microsoft.com/azure/developer/github/connect-from-azure?tabs=azure-cli%2Cwindows#use-the-azure-login-action-with-openid-connect), but skip the sections on "Create a Microsoft Entra application and service principal" and "Add federated credentials", as the following Bicep template replaces those sections. 6 | 7 | This template enables a GitHub Actions workflow to exchange a GitHub access token for a Microsoft Entra ID access token, so that the GitHub Actions workflow can access Azure resources. To enable this, the template creates an application (to represent the GitHub Action) and configures it with a federated identity credential. When the GitHub Actions workflow requests to exchange a GitHub access token for an access token, from the Microsoft identity platform, the values in the federated identity credential are checked against the provided GitHub token's `issuer` and `subject` claim values. 8 | 9 | * `subject` identifies the GitHub organization, repo, branch, and environment for your GitHub Actions workflow. 
Refer to [example subject claims](https://docs.github.com/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#example-subject-claims), which describe the `subject` value options for different scenarios. 10 | 11 | For limitations on federated identity credentials, please refer to [Federated identity credentials considerations and limitations](https://learn.microsoft.com/entra/workload-id/workload-identity-federation-considerations). 12 | 13 | You can deploy the template with the following Azure CLI command (replace `<resource-group-name>` with the name of your resource group, and `<subject>` with the `subject` value for your scenario): 14 | 15 | ```sh 16 | az deployment group create --resource-group <resource-group-name> --template-file main.bicep --parameter githubActionsFicSubject='<subject>' 17 | ``` 18 | 19 | To deploy the same template using Az PowerShell, use: 20 | 21 | ```powershell 22 | New-AzResourceGroupDeployment -ResourceGroupName <resource-group-name> -TemplateFile .\main.bicep -githubActionsFicSubject '<subject>' 23 | ``` -------------------------------------------------------------------------------- /quickstart-templates/create-client-app-sp-with-kv-cert/README.md: -------------------------------------------------------------------------------- 1 | # Create a client app with an X509 certificate from Key Vault as the credential 2 | 3 | This template creates a client app with a key credential, created and sourced from a Key Vault. 4 | 5 | ## Details 6 | 7 | The template creates a Key Vault, through which the authorized managed identity can add an X509 certificate (if it doesn't exist) and get the certificate's public key (base64 encoded), along with the thumbprint and other metadata. These Key Vault operations are not currently supported in Bicep, so the template file makes use of a deployment script. 8 | 9 | Finally, the template creates the client application resource using the certificate public key as its credential, followed 10 | by creation of the service principal. 
11 | 12 | ### Prerequisites 13 | 14 | - A valid **Azure subscription**: If you don't own an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. 15 | - An **Azure resource group** that you own under the valid Azure subscription. 16 | - [Bicep tools for authoring and deployment](https://learn.microsoft.com/graph/templates/quickstart-install-bicep-tools). The minimum required Bicep version is [v0.36.1](https://github.com/Azure/bicep/releases/tag/v0.36.1). 17 | - Have the requisite **Microsoft Entra roles** to deploy this template: 18 | - Permissions to create applications. [Users have this permission by default](https://learn.microsoft.com/entra/fundamentals/users-default-permissions#compare-member-and-guest-default-permissions). However, [admins can turn off this default](https://learn.microsoft.com/entra/fundamentals/users-default-permissions#restrict-member-users-default-permissions) in which case you need to be assigned at least the [Application Developer](https://learn.microsoft.com/entra/identity/role-based-access-control/permissions-reference#application-developer) role. 19 | 20 | ### Deploy the template 21 | 22 | #### Az CLI 23 | 24 | You can deploy the template with the following Azure CLI command (replace `` with the necessary values for your deployment). This deployment uses a parameter file, main.bicepparam, where default values may also be changed. Since the parameter file references the Bicep template file, there's no need 25 | to use the `--template-file` switch. 
26 | 27 | ```sh 28 | az deployment group create --resource-group --parameter main.bicepparam --verbose 29 | ``` 30 | 31 | #### Az Powershell 32 | 33 | ```powershell 34 | New-AzResourceGroupDeployment -ResourceGroupName bicep-deployments -TemplateFile .\main.bicep -TemplateParameterFile .\main.bicepparam -Verbose 35 | ``` 36 | 37 | [no-azure-sub]:https://learn.microsoft.com/graph/templates/how-to-deploy-without-azure-sub?view=graph-bicep-1.0&tabs=CLI -------------------------------------------------------------------------------- /src/swagger-generation/tests/definitions/Property.test.ts: -------------------------------------------------------------------------------- 1 | import { CollectionProperty } from "../../src/definitions/CollectionProperty"; 2 | import { PrimitiveSwaggerType, PrimitiveSwaggerTypeStruct } from "../../src/definitions/PrimitiveSwaggerType"; 3 | import { Property } from "../../src/definitions/Property"; 4 | 5 | 6 | describe('Property', () => { 7 | const propertyDescription = 'Property description'; 8 | 9 | it('should construct a Property with a primitive Swagger type', () => { 10 | const propertyName = 'TestProperty'; 11 | const propertyType = PrimitiveSwaggerType.Instance.Byte; 12 | 13 | const property = new Property(propertyName, propertyType, propertyDescription, true, false); 14 | 15 | expect(property.Name).toBe(propertyName); 16 | expect(property.Type).toBeInstanceOf(PrimitiveSwaggerTypeStruct); 17 | expect(property.Type).toBe(propertyType); 18 | expect(property.Description).toBe(propertyDescription); 19 | }); 20 | 21 | it('should construct a Property with a primitive collection Swagger type', () => { 22 | const propertyName = 'TestProperty'; 23 | const propertyType = new CollectionProperty(PrimitiveSwaggerType.Instance.Date); 24 | 25 | const property = new Property(propertyName, propertyType, propertyDescription, true, false); 26 | 27 | expect(property.Name).toBe(propertyName); 28 | expect(property.Type).toBeInstanceOf(CollectionProperty); 
29 | expect(property.Description).toBe(propertyDescription); 30 | expect((property.Type as CollectionProperty).Type).toBeInstanceOf(PrimitiveSwaggerTypeStruct); 31 | expect((property.Type as CollectionProperty).Type).toBe(PrimitiveSwaggerType.Instance.Date); 32 | }); 33 | 34 | it('should construct a Property with a reference Swagger type', () => { 35 | const propertyName = 'TestProperty'; 36 | const propertyType = 'namespace.one.EntityType1'; 37 | 38 | const property = new Property(propertyName, propertyType, propertyDescription, true, false); 39 | 40 | expect(property.Name).toBe(propertyName); 41 | expect(property.Type).toBe(propertyType); 42 | expect(property.Description).toBe(propertyDescription); 43 | }); 44 | 45 | it('should construct a Property with a reference collection Swagger type', () => { 46 | const propertyName = 'TestProperty'; 47 | const innerPropertyType = 'namespace.one.EntityType2'; 48 | const propertyType = new CollectionProperty(innerPropertyType); 49 | 50 | const property = new Property(propertyName, propertyType, propertyDescription, true, false); 51 | 52 | expect(property.Name).toBe(propertyName); 53 | expect(property.Type).toBeInstanceOf(CollectionProperty); 54 | expect(property.Description).toBe(propertyDescription); 55 | expect((property.Type as CollectionProperty).Type).toBe(innerPropertyType); 56 | }); 57 | }); 58 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Security 4 | 5 | Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub 
organizations](https://opensource.microsoft.com/). 6 | 7 | If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/opensource/security/definition), please report it to us as described below. 8 | 9 | ## Reporting Security Issues 10 | 11 | **Please do not report security vulnerabilities through public GitHub issues.** 12 | 13 | Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/opensource/security/create-report). 14 | 15 | If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com). If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/opensource/security/pgpkey). 16 | 17 | You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://aka.ms/opensource/security/msrc). 18 | 19 | Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue: 20 | 21 | * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.) 22 | * Full paths of source file(s) related to the manifestation of the issue 23 | * The location of the affected source code (tag/branch/commit or direct URL) 24 | * Any special configuration required to reproduce the issue 25 | * Step-by-step instructions to reproduce the issue 26 | * Proof-of-concept or exploit code (if possible) 27 | * Impact of the issue, including how an attacker might exploit the issue 28 | 29 | This information will help us triage your report more quickly. 
30 | 31 | If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/opensource/security/bounty) page for more details about our active programs. 32 | 33 | ## Preferred Languages 34 | 35 | We prefer all communications to be in English. 36 | 37 | ## Policy 38 | 39 | Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/opensource/security/cvd). 40 | 41 | 42 | -------------------------------------------------------------------------------- /quickstart-templates/security-group-add-user-members/README.md: -------------------------------------------------------------------------------- 1 | # Configure a security group's user members, referencing users by UPN 2 | 3 | This sample demonstrates use of the read-only [`Microsoft.Graph/Users` bicep type][users-ref], which allows you to 4 | fetch `user` resources by their user principal name (UPN). 5 | 6 | This quickstart creates a security group and adds users, referenced via their UPNs, as members. 7 | The list of users to be added as members is in a txt file, with each user's UPN on a separate line. 8 | Replace the UPN values in the example "userlist.txt" file with user UPN values from your tenant, before deployment. 9 | 10 | ## Details 11 | 12 | This template sample: 13 | 14 | 1. Creates a user UPN list from a txt file. 15 | 2. Creates/updates a security group with its members set based on the user UPN list. 16 | 17 | ### Prerequisites 18 | 19 | - A valid **Azure subscription**: If you don't own an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. 20 | - An **Azure resource group** that you own under a valid Azure subscription, or [deploy without an Azure subscription][no-azure-sub]. 21 | - [Bicep tools for authoring and deployment](https://learn.microsoft.com/graph/templates/quickstart-install-bicep-tools). 
The minimum required Bicep version is [v0.36.1](https://github.com/Azure/bicep/releases/tag/v0.36.1). 22 | - Have the requisite **Microsoft Entra roles** to deploy this template: 23 | 24 | - Permissions to create security groups. [Users have this permission by default](https://learn.microsoft.com/entra/fundamentals/users-default-permissions#compare-member-and-guest-default-permissions). However, [admins can turn off this default](https://learn.microsoft.com/entra/fundamentals/users-default-permissions#restrict-member-users-default-permissions), in which case you need to be assigned at least the [Groups Administrator](https://learn.microsoft.com/entra/identity/role-based-access-control/permissions-reference#groups-administrator) role. 25 | 26 | ### Deploy the Bicep template 27 | 28 | Before deploying the template, you **must** replace the UPN values in the example "userlist.txt" file with user UPN values from your tenant. 29 | 30 | ##### Az CLI 31 | 32 | ```sh 33 | az deployment group create --resource-group <resource-group-name> --template-file main.bicep --parameters date='2025-01-24' 34 | ``` 35 | 36 | ##### Az PowerShell 37 | 38 | ```powershell 39 | New-AzResourceGroupDeployment -ResourceGroupName <resource-group-name> -TemplateFile .\main.bicep -date "2025-01-24" 40 | ``` 41 | 42 | [update-only]:https://learn.microsoft.com/graph/templates/known-issues-graph-bicep#deployment-behavior-group-members-and-owners-are-append-only 43 | [20-members]:https://learn.microsoft.com/graph/templates/limitations#no-more-than-20-members-andor-owners-can-be-declared-for-a-groups-resource 44 | [no-azure-sub]:https://learn.microsoft.com/graph/templates/how-to-deploy-without-azure-sub?view=graph-bicep-1.0&tabs=CLI 45 | [users-ref]:https://learn.microsoft.com/graph/templates/reference/users?view=graph-bicep-1.0 -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Microsoft Graph Bicep extension 2 | 3 | 
The **Microsoft Graph Bicep extension** enables customers to manage a limited set of Identity/Graph resources (Microsoft Entra ID, formerly known as Azure AD) in Bicep templates (alongside Azure resources) through native Microsoft Graph APIs. 4 | This unblocks Infrastructure-as-Code/DevOps outcomes for Azure customers and will close a long-standing platform gap and pain-point. 5 | 6 | Customers can then use [Azure CLI](https://learn.microsoft.com/cli/azure/) or [Azure PowerShell](https://learn.microsoft.com/powershell/azure/) to [deploy Bicep templates](https://learn.microsoft.com/azure/azure-resource-manager/bicep/deploy-cli) and their set of Microsoft Azure and/or Microsoft Entra ID resources. 7 | 8 | The [releases page](https://github.com/microsoftgraph/msgraph-bicep-types/releases) provides details on the supported Microsoft Graph Bicep types and limitations. 9 | 10 | To get going with Microsoft Graph Bicep extension, start with the [Bicep templates for Microsoft Graph resources public documentation](https://aka.ms/graphbicep). 11 | 12 | ## Contributing 13 | 14 | This project welcomes contributions and suggestions. Most contributions require you to agree to a 15 | Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us 16 | the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com. 17 | 18 | When you submit a pull request, a CLA bot will automatically determine whether you need to provide 19 | a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions 20 | provided by the bot. You will only need to do this once across all repos using our CLA. 21 | 22 | This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). 
23 | For more information, see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or 24 | contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments. 25 | 26 | See [Contributing to Microsoft Graph Bicep extension](./CONTRIBUTING.md) for information on contributing (or fixing) examples, new type requests, feature suggestions, or bug reports on functionality or existing quickstart samples. 27 | > Note: Contribution to new Bicep types is limited to feature requests via GitHub Issues at this point. We encourage you to utilize the issue type designated for requesting new Graph Bicep types. Your input is valuable and helps us prioritize updates with the API service teams to enhance Bicep support. 28 | 29 | ## Trademarks 30 | 31 | This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft 32 | trademarks or logos is subject to and must follow 33 | [Microsoft's Trademark & Brand Guidelines](https://www.microsoft.com/en-us/legal/intellectualproperty/trademarks/usage/general). 34 | Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. 35 | Any use of third-party trademarks or logos is subject to those third parties' policies. 36 | -------------------------------------------------------------------------------- /src/Microsoft.Graph.Bicep.Types/Microsoft.Graph.Bicep.Types.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | Bicep types for Microsoft Graph 4 | Microsoft 5 | © Microsoft Corporation. All rights reserved. 
6 | netstandard2.0 7 | true 8 | Microsoft.Graph.Bicep.Types 9 | Microsoft.Graph.Bicep.Types 10 | LICENSE 11 | https://developer.microsoft.com/graph 12 | https://github.com/microsoftgraph/msgraph-bicep-types 13 | true 14 | true 15 | 35MSSharedLib1024.snk 16 | true 17 | 0.1.8 18 | preview 19 | 20 | 21 | 22 | True 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | $(IntermediateOutputPath)/generated/%(RecursiveDir)%(Filename)%(Extension).deflated 32 | $([System.String]::new('%(RecursiveDir)%(Filename)%(Extension).deflated').Replace('\', '/').ToLowerInvariant()) 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | -------------------------------------------------------------------------------- /src/autorest.bicep/test/integration/integration.test.ts: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft Corporation. 2 | // Licensed under the MIT License. 3 | import os from 'os'; 4 | import path from 'path'; 5 | import { rm, mkdir } from 'fs/promises'; 6 | import { compare } from 'dir-compare'; 7 | import { defaultLogger, executeCmd, ILogger } from './utils'; 8 | 9 | const extensionDir = path.resolve(`${__dirname}/../../`); 10 | const autorestBinary = os.platform() === 'win32' ? 'autorest.cmd' : 'autorest'; 11 | const outputBaseDir = `${__dirname}/generated`; 12 | 13 | async function generateSchema(logger: ILogger, readme: string, outputBaseDir: string, verbose: boolean, waitForDebugger: boolean) { 14 | let autoRestParams = [ 15 | `--use=@autorest/modelerfour`, 16 | `--use=${extensionDir}`, 17 | '--bicep', 18 | `--output-folder=${outputBaseDir}`, 19 | `--multiapi`, 20 | '--title=none', 21 | // This is necessary to avoid failures such as "ERROR: Semantic violation: Discriminator must be a required property." blocking type generation. 
22 | // In an ideal world, we'd raise issues in https://github.com/Azure/azure-rest-api-specs and force RP teams to fix them, but this isn't very practical 23 | // as new validations are added continuously, and there's often quite a lag before teams will fix them - we don't want to be blocked by this in generating types. 24 | `--skip-semantics-validation`, 25 | readme, 26 | ]; 27 | 28 | if (verbose) { 29 | autoRestParams = autoRestParams.concat([ 30 | `--debug`, 31 | `--verbose`, 32 | ]); 33 | } 34 | 35 | if (waitForDebugger) { 36 | autoRestParams = autoRestParams.concat([ 37 | `--bicep.debugger`, 38 | ]); 39 | } 40 | 41 | return await executeCmd(logger, verbose, __dirname, autorestBinary, autoRestParams); 42 | } 43 | 44 | describe('integration tests', () => { 45 | // add any new spec paths under ./specs to this list 46 | const specs = [ 47 | `basic`, 48 | ] 49 | 50 | // set to true to overwrite baselines 51 | const record = false; 52 | 53 | // bump timeout - autorest can take a while to run 54 | jest.setTimeout(60000); 55 | 56 | for (const spec of specs) { 57 | it(spec, async () => { 58 | const readmePath = path.join(__dirname, `specs/${spec}/resource-manager/README.md`); 59 | const outputDir = `${outputBaseDir}/${spec}`; 60 | 61 | if (record) { 62 | await rm(outputDir, { recursive: true, force: true, }); 63 | await generateSchema(defaultLogger, readmePath, outputDir, false, false); 64 | } else { 65 | const stagingOutputDir = `${__dirname}/temp/${spec}`; 66 | await rm(stagingOutputDir, { recursive: true, force: true, }); 67 | 68 | await generateSchema(defaultLogger, readmePath, stagingOutputDir, false, false); 69 | 70 | const compareResult = await compare(stagingOutputDir, outputDir, { compareContent: true }); 71 | 72 | // Assert that the generated files match the baseline files which have been checked in. 73 | // Set 'record' to true to run the tests in record mode and overwrite baselines. 
74 | expect(compareResult.differences).toBe(0); 75 | } 76 | }); 77 | } 78 | }); -------------------------------------------------------------------------------- /src/swagger-generation/src/definitions/PrimitiveSwaggerType.ts: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft Corporation. 2 | // Licensed under the MIT License. 3 | 4 | export enum SwaggerMetaType { 5 | Integer = "integer", 6 | Number = "number", 7 | String = "string", 8 | Boolean = "boolean", 9 | } 10 | 11 | export enum SwaggerMetaFormat { 12 | Int32 = "int32", 13 | Int64 = "int64", 14 | Float = "float", 15 | Double = "double", 16 | Byte = "byte", 17 | Binary = "base64url", 18 | Boolean = "boolean", 19 | Date = "date", 20 | DateTime = "date-time", 21 | Password = "password", 22 | Uuid = "uuid", 23 | Base64Url = "base64url", 24 | } 25 | 26 | export class PrimitiveSwaggerTypeStruct { 27 | type: SwaggerMetaType 28 | format?: SwaggerMetaFormat 29 | 30 | constructor(type: SwaggerMetaType, format: SwaggerMetaFormat | undefined) { 31 | this.type = type 32 | if (format) 33 | this.format = format 34 | } 35 | } 36 | 37 | 38 | export class PrimitiveSwaggerType { 39 | 40 | private static _instance: PrimitiveSwaggerType 41 | 42 | Integer: PrimitiveSwaggerTypeStruct 43 | Long: PrimitiveSwaggerTypeStruct 44 | Float: PrimitiveSwaggerTypeStruct 45 | Double: PrimitiveSwaggerTypeStruct 46 | String: PrimitiveSwaggerTypeStruct 47 | Byte: PrimitiveSwaggerTypeStruct 48 | Binary: PrimitiveSwaggerTypeStruct 49 | Boolean: PrimitiveSwaggerTypeStruct 50 | Date: PrimitiveSwaggerTypeStruct 51 | DateTime: PrimitiveSwaggerTypeStruct 52 | Password: PrimitiveSwaggerTypeStruct 53 | Stream: PrimitiveSwaggerTypeStruct 54 | Uuid: PrimitiveSwaggerTypeStruct 55 | 56 | private constructor() { 57 | this.Integer = new PrimitiveSwaggerTypeStruct(SwaggerMetaType.Integer, SwaggerMetaFormat.Int32) 58 | this.Long = new PrimitiveSwaggerTypeStruct(SwaggerMetaType.Integer, 
SwaggerMetaFormat.Int64) 59 | this.Float = new PrimitiveSwaggerTypeStruct(SwaggerMetaType.Number, SwaggerMetaFormat.Float) 60 | this.Double = new PrimitiveSwaggerTypeStruct(SwaggerMetaType.Number, SwaggerMetaFormat.Double) 61 | this.String = new PrimitiveSwaggerTypeStruct(SwaggerMetaType.String, undefined) 62 | this.Byte = new PrimitiveSwaggerTypeStruct(SwaggerMetaType.String, SwaggerMetaFormat.Byte) 63 | this.Binary = new PrimitiveSwaggerTypeStruct(SwaggerMetaType.String, SwaggerMetaFormat.Binary) 64 | this.Boolean = new PrimitiveSwaggerTypeStruct(SwaggerMetaType.Boolean, undefined) 65 | this.Date = new PrimitiveSwaggerTypeStruct(SwaggerMetaType.String, SwaggerMetaFormat.Date) 66 | this.DateTime = new PrimitiveSwaggerTypeStruct(SwaggerMetaType.String, SwaggerMetaFormat.DateTime) 67 | this.Password = new PrimitiveSwaggerTypeStruct(SwaggerMetaType.String, SwaggerMetaFormat.Password) 68 | this.Stream = new PrimitiveSwaggerTypeStruct(SwaggerMetaType.String, SwaggerMetaFormat.Base64Url) 69 | this.Uuid = new PrimitiveSwaggerTypeStruct(SwaggerMetaType.String, SwaggerMetaFormat.Uuid) 70 | } 71 | 72 | public static get Instance(): PrimitiveSwaggerType { 73 | return this._instance || (this._instance = new this()) 74 | } 75 | } 76 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing to the Microsoft Graph Bicep Extension 2 | Thanks for considering making a contribution! We are happy to accept community contributions to the Microsoft Graph Bicep extension. There are a few different recommended paths to make contributions. 3 | 4 | ## File Issues 5 | The best way to get started with a contribution is to start a dialog with us. Sometimes features will be under development or out of scope for this project and it's best to check before starting work on contribution, especially for large work items. 
6 | 7 | ### New Microsoft Graph Bicep Type Requests 8 | 9 | * Please first search existing "new type" requests [here](https://github.com/microsoftgraph/msgraph-bicep-types/labels/new%20type) before opening an issue, to see if the new type has already been requested. If it has already been requested, please indicate your interest by adding a "thumbs-up" to the item. This will be used to help prioritize the request. Also feel free to leave any further clarifying comments. 10 | * Ensure you have included the scenarios that the new Microsoft Graph Bicep type is used for. 11 | * Use the "New Microsoft Graph Bicep type request" issue template [here](https://github.com/microsoftgraph/msgraph-bicep-types/issues/new/choose) to submit your request. 12 | 13 | ### Feature Suggestions 14 | 15 | * Please first search [Open Issues](https://github.com/microsoftgraph/msgraph-bicep-types/issues) before opening an issue to check whether your feature has already been suggested. If it has, feel free to add your own comments to the existing issue. 16 | * Ensure you have included a "What?" - what your feature entails, being as specific as possible, and giving mocked-up syntax examples where possible. 17 | * Ensure you have included a "Why?" - what the benefit of including this feature will be. 18 | * Use the "Feature Request" issue template [here](https://github.com/microsoftgraph/msgraph-bicep-types/issues/new/choose) to submit your request. 19 | 20 | ### Bug Reports 21 | 22 | * Please first search [Open Issues](https://github.com/microsoftgraph/msgraph-bicep-types/issues) before opening an issue, to see if it has already been reported. 23 | * Try to be as specific as possible, including the version of the Bicep CLI used to reproduce the issue, and any example files or snippets of Bicep code needed to reproduce it. Issues are public: redact secrets (client secrets, certificate private keys, tokens) and tenant-identifying values from any snippets, parameter files or deployment output before posting. 24 | * Include deployment correlation id, Microsoft Graph client request id, and deployment timestamp if it's related to deployment failures. 
25 | * Use the "Bug Report" issue template [here](https://github.com/microsoftgraph/msgraph-bicep-types/issues/new/choose) to submit your request. 26 | 27 | ## Add Quickstart Examples 28 | 29 | All quickstart template examples containing Microsoft Graph Bicep types are under [./quickstart-templates](./quickstart-templates). If you would like to contribute to the collection of quickstart examples: 30 | 31 | * Fork this repo and checkout locally. 32 | * Create a new folder for your templates under [./quickstart-templates](./quickstart-templates). The folder name should summarize the scenario. 33 | * Add a `README.md` file to describe the scenario and provide instructions to deploy the template. 34 | * Submit a PR against the `main` branch of this repo for review -------------------------------------------------------------------------------- /pipelines/common-templates/common-steps.yml: -------------------------------------------------------------------------------- 1 | # Copyright (c) Microsoft Corporation. All rights reserved. 2 | # Licensed under the MIT License. 
3 | 4 | parameters: 5 | - name: Official 6 | displayName: "Official Release" 7 | type: boolean 8 | default: false 9 | 10 | steps: 11 | # Official release takes existing generated types: generation is skipped when Official=true, so the checked-in generated/ directory is the release input and must be reviewed like source before an official release 12 | - ${{ if eq(parameters.Official, false) }}: 13 | - template: ./generate-types.yml 14 | 15 | # Build the solution 16 | - task: DotNetCoreCLI@2 17 | displayName: "Build Typeloader" 18 | inputs: 19 | projects: "$(BuildSolution)" 20 | arguments: "--configuration $(BuildConfiguration) --no-incremental" 21 | 22 | # Run unit tests 23 | - task: DotNetCoreCLI@2 24 | displayName: "Test Typeloader" 25 | inputs: 26 | command: "test" 27 | projects: "$(BuildSolution)" 28 | arguments: "--configuration $(BuildConfiguration) --no-build" 29 | 30 | - task: BinSkim@3 31 | displayName: "Run BinSkim - Product Binaries" 32 | inputs: 33 | InputType: Basic 34 | AnalyzeTarget: "$(ProductBinPath)/**/Microsoft.Graph.Bicep.Types.dll" 35 | AnalyzeSymPath: "$(ProductBinPath)" 36 | AnalyzeVerbose: true 37 | AnalyzeHashes: true 38 | AnalyzeEnvironment: true 39 | 40 | - ${{ if eq(parameters.Official, true) }}: 41 | - template: ./esrp/codesign.yml 42 | 43 | - task: DotNetCoreCLI@2 44 | displayName: "Pack Typeloader" 45 | inputs: 46 | command: pack 47 | projects: src/Microsoft.Graph.Bicep.Types/Microsoft.Graph.Bicep.Types.csproj 48 | arguments: "-o $(Build.ArtifactStagingDirectory) --configuration $(BuildConfiguration) --no-build --include-symbols --include-source /p:SymbolPackageFormat=snupkg" 49 | 50 | - task: PowerShell@2 51 | displayName: "Validate project version has been incremented" 52 | condition: and(contains(variables['build.sourceBranch'], 'refs/heads/main'), succeeded()) 53 | enabled: ${{ parameters.Official }} 54 | inputs: 55 | targetType: "filePath" 56 | filePath: $(System.DefaultWorkingDirectory)/scripts/ValidateProjectVersionUpdated.ps1 57 | pwsh: true 58 | 59 | - ${{ if eq(parameters.Official, true) }}: 60 | - template: ./esrp/codesign-nuget.yml 61 | 62 | - task: CopyFiles@2 63 | displayName: 
"Copy Product Binaries" 64 | inputs: 65 | SourceFolder: "$(ProductBinPath)" 66 | Contents: "**/Microsoft.Graph.Bicep.Types.dll" 67 | TargetFolder: "$(Build.ArtifactStagingDirectory)/ProductBinaries" 68 | 69 | - task: CopyFiles@2 70 | displayName: "Copy Swagger Dir" 71 | inputs: 72 | SourceFolder: "$(Build.SourcesDirectory)/swagger" 73 | Contents: "**" 74 | TargetFolder: "$(Build.ArtifactStagingDirectory)/swagger" 75 | 76 | - task: CopyFiles@2 77 | displayName: "Copy generated Dir" 78 | inputs: 79 | SourceFolder: "$(Build.SourcesDirectory)/generated" 80 | Contents: "**" 81 | TargetFolder: "$(Build.ArtifactStagingDirectory)/generated" 82 | 83 | - task: PublishBuildArtifacts@1 84 | displayName: "Publish Files: $(ArtifactName)" 85 | inputs: 86 | ArtifactName: "$(ArtifactName)" 87 | PathtoPublish: "$(Build.ArtifactStagingDirectory)" 88 | -------------------------------------------------------------------------------- /quickstart-templates/apps-permissions-and-grants/main.bicep: -------------------------------------------------------------------------------- 1 | extension microsoftGraphV1 2 | 3 | // TEMPLATE DESCRIPTION 4 | /* Create a client application and depending on the mode parameter, either: 5 | 1. Sets required resource access on the client application definition OR 6 | 2. Grants OAuth2.0 scopes to the client application 7 | 8 | In either case, the target resource used is Microsoft Graph, and the deployer 9 | can select which Microsoft Graph OAuth2.0 scopes are used. 10 | 11 | This bicep file utilizes two modules (one for each mode). 12 | */ 13 | 14 | @description('Supply today\'s date to deploy the template') 15 | param date string 16 | 17 | @description('Provide a friendly display name for the app') 18 | param displayName string? 
19 | 20 | @description('Provide an array of Microsoft Graph scopes like "User.Read"') 21 | param appScopes array = ['profile','User.Read'] 22 | 23 | @description('Configure is setting required resource access or granting scopes') 24 | @allowed(['set-required-scopes','grant-scopes']) 25 | param mode string = 'set-required-scopes' 26 | 27 | @description('Owner UPN for the client application') 28 | param userUPN string? 29 | 30 | 31 | var graphAppId = '00000003-0000-0000-c000-000000000000' 32 | 33 | // Get the Microsoft Graph service principal so that the scope names 34 | // can be looked up and mapped to a permission ID. The filter below is an exact-match lookup: any entry in appScopes // that does not match a published Graph scope value is dropped silently instead of failing the deployment, so compare // the foundInputScopes output with the scopes you requested before relying on the app. 35 | resource msGraphSP 'Microsoft.Graph/servicePrincipals@v1.0' existing = { 36 | appId: graphAppId 37 | } 38 | 39 | var graphScopes = msGraphSP.oauth2PermissionScopes 40 | var filteredScopes = filter(graphScopes, scope => contains(appScopes, scope.value)) 41 | 42 | 43 | module appCreateRraModule './appRequiredResourceAccess.bicep' = if(mode == 'set-required-scopes'){ 44 | name: 'appRraDeploy' 45 | params: { 46 | filteredScopes: filteredScopes 47 | date: date 48 | displayName: displayName 49 | } 50 | } 51 | 52 | module appCreateGrantScopesModule './appGrantScopes.bicep' = if (mode == 'grant-scopes') { 53 | name: 'appScopeGrantDeploy' 54 | params: { 55 | filteredScopes: filteredScopes 56 | date: date 57 | displayName: displayName 58 | graphSpId: msGraphSP.id 59 | userUPN: userUPN 60 | } 61 | } 62 | 63 | // outputs 64 | output appName string = ((mode == 'set-required-scopes') ? appCreateRraModule.outputs.appName : appCreateGrantScopesModule.outputs.appName) 65 | output appObjectID string = ((mode == 'set-required-scopes') ? appCreateRraModule.outputs.appObjectID : appCreateGrantScopesModule.outputs.appObjectID) 66 | output appID string = ((mode == 'set-required-scopes') ? appCreateRraModule.outputs.appID : appCreateGrantScopesModule.outputs.appID) 67 | output appOwners array = ((mode == 'set-required-scopes') ? 
appCreateRraModule.outputs.appOwners : appCreateGrantScopesModule.outputs.appOwners) 68 | output foundInputScopes array = ((mode == 'set-required-scopes') ? appCreateRraModule.outputs.scopes: appCreateGrantScopesModule.outputs.scopes) 69 | output clientAppResourceAccessList array = ((mode == 'set-required-scopes') ? appCreateRraModule.outputs.clientAppResourceAccessList : ['Not set']) 70 | output grantedScopes string = ((mode == 'grant-scopes') ? appCreateGrantScopesModule.outputs.grantedScopes : 'Not set') 71 | -------------------------------------------------------------------------------- /src/swagger-generation/README.md: -------------------------------------------------------------------------------- 1 | # Swagger Types Auto Generation Tool 2 | 3 | ## Description 4 | 5 | This tool is used to generate a swagger file that contains types extracted from the Microsoft Graph public metadata CSDL. This tool is written in TypeScript. 6 | 7 | ## Usage 8 | 9 | ### Prerequisites 10 | 11 | - [Node.js](https://nodejs.org/en/) version 18 or higher. 12 | - [npm](https://www.npmjs.com/) version 9 or higher. 13 | 14 | ### Installation 15 | 16 | 1. Clone the repository. 17 | 2. Switch to the `swagger-generation` directory. 18 | 3. Run `npm install`. 19 | 20 | ### Running the tool 21 | 22 | 1. Switch to the `swagger-generation` directory. 23 | 2. Open `config.yml` and change the settings as needed. 24 | 2. Run `npm run start`. 25 | 26 | ### Configuration 27 | 28 | The configuration file is `config-.yml`. The following settings are available: 29 | 30 | - `MetadataFilePath` (required): The path of the Microsoft Graph metadata CSDL. 31 | - `EntityTypes` (required): A list of entity types to be included in the swagger file. The value of each item is the namespaced name of the entity type. All complex type explorations will be done using these entity types as root. 32 | - `RootUri` (optional): The root URI of the entity type. 
This value is used to generate the `basePath` of the swagger file. If missing, entities won't be exposed. 33 | - `AvailableProperty` (optional): A list of properties which will become available in the generated types. If missing, all properties will be available. 34 | - `IgnoredProperties` (optional): A list of properties which will be ignored in the generated types. This list is ignored if `AvailableProperty` list is also provided for the same entity. 35 | - `NavigationPropertiesMode` (optional): Accepts two modes: Allow and Ignore. If set to Allow, navigation properties listed will be the ones generated; if the list is empty or doesn't exist, no Navigation Properties will be generated. If set to Ignore, navigation properties listed will be the only ones not generated; if the list is empty or doesn't exist, all navigation properties will be generated. The default behavior of this option is Allow. 36 | - `NavigationProperties` (optional): A list of navigation properties which will follow the behavior specified above. All values must be valid navigation properties of the entity type. Note that the checked-in configurations under `configs/v1.0` spell this key `NavigationProperty`; check `src/parser.ts` for the spelling the parser actually reads before relying on either. 37 | - `RequiredOnWrite` (optional): A list of properties that are required when writing the entity type. All values must be valid properties of the entity type. 38 | - `ReadOnly` (optional): A list of properties that are read-only. All values must be valid properties of the entity type. The checked-in configurations also use `ExtensionVersion`, `Upsertable`, `Updatable`, `ContainerEntitySet`, `ContainerKeyProperty`, `FilterProperty` and `CompositeKey`, which are not described here; consult `src/parser.ts` for their semantics. 39 | 40 | ### Output 41 | 42 | The output of the tool is a swagger file named `microsoftgraph-beta.json` in the `output` directory. The file is formatted and indented for readability. 43 | 44 | ## Development 45 | 46 | For the following instructions it's assumed that you already configured your environment as described in the [Installation](#installation) section. 47 | 48 | ### Debugging and testing 49 | 50 | 1. Switch to the `swagger-generation` directory. 51 | 2. 
Run `npm test` 52 | 53 | To run a single test suite: 54 | `npm test -- --testNamePattern=""` 55 | 56 | ### Analyzing test coverage 57 | 58 | 1. Switch to the `swagger-generation` directory. 59 | 2. Run `npm test -- --coverage` 60 | 61 | ### Linting 62 | 63 | 1. Switch to the `swagger-generation` directory. 64 | 2. Run `npm run lint` 65 | -------------------------------------------------------------------------------- /.github/policies/resourceManagement.yml: -------------------------------------------------------------------------------- 1 | id: 2 | name: GitOps.PullRequestIssueManagement 3 | description: GitOps.PullRequestIssueManagement primitive 4 | owner: 5 | resource: repository 6 | disabled: false 7 | where: 8 | configuration: 9 | resourceManagementConfiguration: 10 | scheduledSearches: 11 | - description: 12 | frequencies: 13 | - hourly: 14 | hour: 1 15 | filters: 16 | - isIssue 17 | - isOpen 18 | - hasLabel: 19 | label: 'Needs: Author Feedback' 20 | - hasLabel: 21 | label: no-recent-activity 22 | - noActivitySince: 23 | days: 3 24 | - isNotLabeledWith: 25 | label: service bug 26 | actions: 27 | - closeIssue 28 | - description: 29 | frequencies: 30 | - hourly: 31 | hour: 1 32 | filters: 33 | - isIssue 34 | - isOpen 35 | - hasLabel: 36 | label: 'Needs: Author Feedback' 37 | - noActivitySince: 38 | days: 4 39 | - isNotLabeledWith: 40 | label: no-recent-activity 41 | actions: 42 | - addLabel: 43 | label: no-recent-activity 44 | - addReply: 45 | reply: This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for **4 days**. It will be closed if no further activity occurs **within 3 days of this comment**. 
46 | - description: 47 | frequencies: 48 | - hourly: 49 | hour: 1 50 | filters: 51 | - isIssue 52 | - isOpen 53 | - hasLabel: 54 | label: 'Resolution: Duplicate' 55 | - noActivitySince: 56 | days: 1 57 | actions: 58 | - addReply: 59 | reply: This issue has been marked as duplicate and has not had any activity for **1 day**. It will be closed for housekeeping purposes. 60 | - closeIssue 61 | eventResponderTasks: 62 | - if: 63 | - payloadType: Issue_Comment 64 | - isAction: 65 | action: Created 66 | - isActivitySender: 67 | issueAuthor: True 68 | - hasLabel: 69 | label: 'Needs: Author Feedback' 70 | then: 71 | - addLabel: 72 | label: 'Needs: Attention :wave:' 73 | - removeLabel: 74 | label: 'Needs: Author Feedback' 75 | description: 76 | - if: 77 | - payloadType: Issues 78 | - not: 79 | isAction: 80 | action: Closed 81 | - hasLabel: 82 | label: no-recent-activity 83 | then: 84 | - removeLabel: 85 | label: no-recent-activity 86 | description: 87 | - if: 88 | - payloadType: Issues 89 | - labelAdded: 90 | label: service bug 91 | then: [] 92 | description: 93 | - if: 94 | - payloadType: Issue_Comment 95 | - activitySenderHasAssociation: 96 | association: Contributor 97 | - bodyContains: 98 | pattern: '?' 99 | isRegex: False 100 | - bodyContains: 101 | pattern: '@' 102 | isRegex: False 103 | then: 104 | - addLabel: 105 | label: 'Needs: Author Feedback' 106 | description: 107 | - if: 108 | - payloadType: Pull_Request 109 | - isAction: 110 | action: Opened 111 | then: 112 | - addCodeFlowLink 113 | description: 114 | onFailure: 115 | onSuccess: 116 | -------------------------------------------------------------------------------- /quickstart-templates/application-serviceprincipal-create-client-resource/README.md: -------------------------------------------------------------------------------- 1 | # Create client and resource apps 2 | 3 | This template allows you to create a client application and a resource application, along with their service principals. 
4 | 5 | ## Details 6 | 7 | The client application is created with an optional key credential. The key can be passed in as a parameter. [Get The Certificate Key](https://learn.microsoft.com/en-us/graph/applications-how-to-add-certificate?tabs=http#get-the-certificate-key) describes the steps to get the certificate key for a self-signed certificate. Here's a basic PowerShell script to create a self-signed certificate for use in the template file: 8 | 9 | ```powershell 10 | $certname = "AppRegTestCert" 11 | $cert = New-SelfSignedCertificate -Subject "CN=$certname" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256 12 | Export-Certificate -Cert $cert -FilePath "$certname.cer" # Exports the PUBLIC certificate only; the private key stays in Cert:\CurrentUser\My 13 | [convert]::ToBase64String((Get-Content "$certname.cer" -Encoding byte)) | Out-File -FilePath "20231004.$certname.txt" # Windows PowerShell 5.1 syntax; on PowerShell 7 replace -Encoding byte with -AsByteStream 14 | ``` 15 | 16 | Only the public certificate (`.cer`) is exported and passed to the template as `certKey`; the private key remains in the `Cert:\CurrentUser\My` store and was created exportable, so protect that store and never pass a private key or `.pfx` to the template. The resource application is created optionally with an app role, if an `appRoleId` (in the form of a GUID) is passed in as a parameter. 17 | 18 | > NOTE: There are two other related quickstarts: You can [create a client app with an X509 certificate from Key Vault as the credential](../create-client-app-sp-with-kv-cert/README.md) or you can [configure a secretless client app using federated identity credentials](../msi-as-a-fic-secretless/README.md). 19 | 20 | ### Prerequisites 21 | 22 | - A valid **Azure subscription**: If you don't own an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin or [deploy without an Azure subscription][no-azure-sub]. 23 | - An **Azure resource group** that you own under a valid Azure subscription. 24 | - [Bicep tools for authoring and deployment](https://learn.microsoft.com/graph/templates/quickstart-install-bicep-tools). The minimum required Bicep version is [v0.36.1](https://github.com/Azure/bicep/releases/tag/v0.36.1). 
25 | - Have the requisite **Microsoft Entra roles** to deploy this template: 26 | - Permissions to create applications. [Users have this permission by default](https://learn.microsoft.com/entra/fundamentals/users-default-permissions#compare-member-and-guest-default-permissions). However, [admins can turn off this default](https://learn.microsoft.com/entra/fundamentals/users-default-permissions#restrict-member-users-default-permissions) in which case you need to be assigned at least the [Application Developer](https://learn.microsoft.com/entra/identity/role-based-access-control/permissions-reference#application-developer) role. 27 | 28 | ### Deploy the template 29 | 30 | You can deploy the template with the following Azure CLI command (replace `<resource-group>`, `<app-role-id>` and `<cert-key>` with the necessary values for your deployment; `<cert-key>` is the base64-encoded **public** certificate produced by the script above, never a private key): 31 | 32 | #### Az CLI 33 | 34 | ```sh 35 | az deployment group create --resource-group <resource-group> --template-file main.bicep --parameters appRoleId='<app-role-id>' certKey='<cert-key>' 36 | ``` 37 | 38 | #### Az PowerShell 39 | 40 | ```powershell 41 | New-AzResourceGroupDeployment -ResourceGroupName <resource-group> -TemplateFile .\main.bicep -appRoleId "<app-role-id>" -certKey "<cert-key>" 42 | ``` 43 | 44 | [no-azure-sub]:https://learn.microsoft.com/graph/templates/how-to-deploy-without-azure-sub?view=graph-bicep-1.0&tabs=CLI 
4 | 5 | ## Details 6 | 7 | - The sample creates a basic client application, creates a service principal from the application, and finally grants the desired Microsoft Graph OAuth2.0 scopes to the service principal (using the `Microsoft.Graph/oauth2PermissionGrants` bicep type) as well as the ARM API's _user_impersonation_ scope (which enables both ARM deployment capability as well as being able to deploy any ARM resource as the signed-in user, as long as the signed-in user has the requisite role(s)). 8 | 9 | The `appScopes` array parameter allows the deployer to select the Microsoft Graph OAuth2.0 scopes to grant to the client application. The sample validates the set of provided scopes in the array parameter against [Microsoft Graph delegated permission scopes][graph-permissions]. Any invalid scopes provided are ignored silently, so a misspelled scope results in a missing grant rather than a deployment error; verify the resulting `oauth2PermissionGrant` on the service principal against the list you intended. Because these grants become standing privilege of the deployment application, keep `appScopes` to the scopes the templates you intend to deploy actually need. `appScopes` should contain a list of scope names (for example *User.Read.All* and *Group.ReadWrite.All*). 10 | 11 | ### Prerequisites 12 | 13 | - A valid **Azure subscription**: If you don't own an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin. 14 | - An **Azure resource group** that you own under a valid Azure subscription, or [deploy without an Azure subscription][no-azure-sub]. 15 | - [Bicep tools for authoring and deployment](https://learn.microsoft.com/graph/templates/quickstart-install-bicep-tools). The minimum required Bicep version is [v0.36.1](https://github.com/Azure/bicep/releases/tag/v0.36.1). 16 | - Have the requisite **Microsoft Entra roles** to deploy this template: 17 | 18 | - Permissions to create applications. [Users have this permission by default](https://learn.microsoft.com/entra/fundamentals/users-default-permissions#compare-member-and-guest-default-permissions). 
However, [admins can turn off this default](https://learn.microsoft.com/entra/fundamentals/users-default-permissions#restrict-member-users-default-permissions) in which case you need to be assigned at least the [Application Developer](https://learn.microsoft.com/entra/identity/role-based-access-control/permissions-reference#application-developer) role. 19 | - **Additionally**, you'll also need the privileges to grant Microsoft Graph permission scopes to the application. This requires the [Privileged Role Administrator][priv-role-admin] role (or another role that is allowed to grant the selected scopes). 20 | 21 | ### Deploy the Bicep template 22 | 23 | Replace `<resource-group>` with your resource group. Note that the two examples below request different `Application.*` scopes; pass only the scopes your templates need. 24 | 25 | #### Az CLI 26 | 27 | ```sh 28 | az deployment group create --resource-group <resource-group> --template-file main.bicep --parameters date='2025-07-24' appScopes="['User.Read','Application.ReadWrite.All','Group.ReadWrite.All']" 29 | ``` 30 | 31 | #### Az PowerShell 32 | 33 | ```powershell 34 | New-AzResourceGroupDeployment -ResourceGroupName <resource-group> -TemplateFile .\main.bicep -date "2025-07-24" -appScopes @('User.Read','Application.Read.All','Group.ReadWrite.All') 35 | ``` 36 | 37 | [priv-role-admin]:https://learn.microsoft.com/entra/identity/role-based-access-control/permissions-reference#privileged-role-administrator 38 | [graph-permissions]:https://learn.microsoft.com/graph/permissions-reference 39 | [no-azure-sub]:https://learn.microsoft.com/graph/templates/how-to-deploy-without-azure-sub?view=graph-bicep-1.0&tabs=CLI 40 | -------------------------------------------------------------------------------- /.github/workflows/codeql.yml: -------------------------------------------------------------------------------- 1 | # For most projects, this workflow file will not need changing; you simply need 2 | # to commit it to your repository. 3 | # 4 | # You may wish to alter this file to override the set of languages analyzed, 5 | # or to provide custom queries or build logic. 6 | # 7 | # ******** NOTE ******** 8 | # We have attempted to detect the languages in your repository. 
Please check 9 | # the `language` matrix defined below to confirm you have the correct set of 10 | # supported CodeQL languages. 11 | # 12 | name: "CodeQL" 13 | 14 | on: 15 | push: 16 | branches: [ "main" ] 17 | pull_request: 18 | # The branches below must be a subset of the branches above 19 | branches: [ "main" ] 20 | schedule: 21 | # NOTE(review): '1 * * * 1' fires at minute 1 of every hour on Mondays; a weekly scan is usually '1 0 * * 1'. - cron: '1 * * * 1' 22 | 23 | jobs: 24 | analyze: 25 | name: Analyze 26 | # Runner size impacts CodeQL analysis time. To learn more, please see: 27 | # - https://gh.io/recommended-hardware-resources-for-running-codeql 28 | # - https://gh.io/supported-runners-and-hardware-resources 29 | # - https://gh.io/using-larger-runners 30 | # Consider using larger runners for possible analysis time improvements. 31 | runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} 32 | timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} 33 | permissions: 34 | actions: read 35 | contents: read 36 | security-events: write 37 | 38 | strategy: 39 | fail-fast: false 40 | matrix: 41 | language: [ 'csharp', 'javascript' ] 42 | # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ] 43 | # Use only 'java' to analyze code written in Java, Kotlin or both 44 | # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both 45 | # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support 46 | 47 | steps: 48 | - name: Checkout repository 49 | uses: actions/checkout@v3 50 | 51 | # Initializes the CodeQL tools for scanning. # NOTE(review): github/codeql-action@v2 (init/autobuild/analyze) and actions/checkout@v3 are superseded majors and v2 of codeql-action has been retired upstream; move to the current major and pin each action by commit SHA so a moved tag cannot silently change what runs with security-events:write. 52 | - name: Initialize CodeQL 53 | uses: github/codeql-action/init@v2 54 | with: 55 | languages: ${{ matrix.language }} 56 | # If you wish to specify custom queries, you can do so here or in a config file. 57 | # By default, queries listed here will override any specified in a config file. 58 | # Prefix the list here with "+" to use these queries and those in the config file. 
59 | 60 | # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs 61 | # queries: security-extended,security-and-quality 62 | 63 | 64 | # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). 65 | # If this step fails, then you should remove it and run the build manually (see below) 66 | - name: Autobuild 67 | uses: github/codeql-action/autobuild@v2 68 | 69 | # ℹ️ Command-line programs to run using the OS shell. 70 | # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun 71 | 72 | # If the Autobuild fails above, remove it and uncomment the following three lines. 73 | # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. 74 | 75 | # - run: | 76 | # echo "Run, Build Application using script" 77 | # ./location_of_script_within_repo/buildscript.sh 78 | 79 | - name: Perform CodeQL Analysis 80 | uses: github/codeql-action/analyze@v2 81 | with: 82 | category: "/language:${{matrix.language}}" 83 | -------------------------------------------------------------------------------- /src/swagger-generation/configs/v1.0/0.1.7-preview.yml: -------------------------------------------------------------------------------- 1 | MetadataFilePath: clean_v10_metadata/cleanMetadataWithDescriptionsAndAnnotationsv1.0.xml 2 | ExtensionVersion: 0.1.7-preview 3 | EntityTypes: 4 | - Name: microsoft.graph.group 5 | RootUri: /groups 6 | Upsertable: true 7 | IgnoredProperties: 8 | - allowExternalSenders 9 | - assignedLabels 10 | - assignedLicenses 11 | - autoSubscribeNewMembers 12 | - hasMembersWithLicenseErrors 13 | - hideFromAddressLists 14 | - hideFromOutlookClients 15 | - isArchived 16 | - isSubscribedByMail 17 | - licenseProcessingState 18 | - unseenCount 19 | NavigationProperty: 20 | 
- members 21 | - owners 22 | RequiredOnWrite: 23 | - displayName 24 | - mailEnabled 25 | - mailNickname 26 | - securityEnabled 27 | - uniqueName 28 | ReadOnly: 29 | - createdDateTime 30 | - expirationDateTime 31 | - mail 32 | - onPremisesDomainName 33 | - onPremisesLastSyncDateTime 34 | - onPremisesNetBiosName 35 | - onPremisesProvisioningErrors 36 | - onPremisesSamAccountName 37 | - onPremisesSecurityIdentifier 38 | - onPremisesSyncEnabled 39 | - proxyAddresses 40 | - renewedDateTime 41 | - securityIdentifier 42 | - Name: microsoft.graph.application 43 | RootUri: /applications 44 | Upsertable: true 45 | IgnoredProperties: 46 | - oauth2RequirePostResponse 47 | RequiredOnWrite: 48 | - displayName 49 | - uniqueName 50 | ReadOnly: 51 | - appId 52 | - applicationTemplateId 53 | - certification 54 | - createdDateTime 55 | - publisherDomain 56 | - Name: microsoft.graph.servicePrincipal 57 | RootUri: /servicePrincipals 58 | Upsertable: true 59 | RequiredOnWrite: 60 | - appId 61 | ReadOnly: 62 | - applicationTemplateId 63 | - appOwnerOrganizationId 64 | - resourceSpecificApplicationPermissions 65 | - signInAudience 66 | - Name: microsoft.graph.federatedIdentityCredential 67 | RootUri: /applications/federatedIdentityCredentials 68 | Upsertable: true 69 | ContainerEntitySet: applications 70 | RequiredOnWrite: 71 | - audiences 72 | - issuer 73 | - name 74 | - subject 75 | - Name: microsoft.graph.oAuth2PermissionGrant 76 | RootUri: /oauth2PermissionGrants 77 | Upsertable: false 78 | Updatable: true 79 | RequiredOnWrite: 80 | - clientId 81 | - consentType 82 | - resourceId 83 | FilterProperty: 84 | - clientId 85 | - consentType 86 | - resourceId 87 | CompositeKey: 88 | - clientId 89 | - consentType 90 | - resourceId 91 | - Name: microsoft.graph.appRoleAssignment 92 | RootUri: /appRoleAssignedTo 93 | Upsertable: false 94 | Updatable: false 95 | ContainerEntitySet: servicePrincipals 96 | ContainerKeyProperty: resourceId 97 | RequiredOnWrite: 98 | - appRoleId 99 | - principalId 
100 | - resourceId 101 | ReadOnly: 102 | - createdDateTime 103 | - principalDisplayName 104 | - principalType 105 | CompositeKey: 106 | - appRoleId 107 | - principalId 108 | - Name: microsoft.graph.appRole 109 | ReadOnly: 110 | - origin 111 | - Name: microsoft.graph.informationalUrl 112 | ReadOnly: 113 | - logoUrl 114 | - Name: microsoft.graph.passwordCredential 115 | IgnoredProperties: 116 | - customKeyIdentifier 117 | ReadOnly: 118 | - hint 119 | - secretText 120 | - Name: microsoft.graph.permissionScope 121 | IgnoredProperties: 122 | - origin 123 | - Name: microsoft.graph.directoryObject 124 | ReadOnly: 125 | - deletedDateTime 126 | - Name: microsoft.graph.entity 127 | ReadOnly: 128 | - id 129 | -------------------------------------------------------------------------------- /src/swagger-generation/configs/v1.0/0.1.8-preview.yml: -------------------------------------------------------------------------------- 1 | MetadataFilePath: clean_v10_metadata/cleanMetadataWithDescriptionsAndAnnotationsv1.0.xml 2 | ExtensionVersion: 0.1.7-preview # NOTE(review): this file is 0.1.8-preview.yml but still carries the previous version and is otherwise identical to 0.1.7-preview.yml; confirm it should read 0.1.8-preview before generating from it 3 | EntityTypes: 4 | - Name: microsoft.graph.group 5 | RootUri: /groups 6 | Upsertable: true 7 | IgnoredProperties: 8 | - allowExternalSenders 9 | - assignedLabels 10 | - assignedLicenses 11 | - autoSubscribeNewMembers 12 | - hasMembersWithLicenseErrors 13 | - hideFromAddressLists 14 | - hideFromOutlookClients 15 | - isArchived 16 | - isSubscribedByMail 17 | - licenseProcessingState 18 | - unseenCount 19 | NavigationProperty: 20 | - members 21 | - owners 22 | RequiredOnWrite: 23 | - displayName 24 | - mailEnabled 25 | - mailNickname 26 | - securityEnabled 27 | - uniqueName 28 | ReadOnly: 29 | - createdDateTime 30 | - expirationDateTime 31 | - mail 32 | - onPremisesDomainName 33 | - onPremisesLastSyncDateTime 34 | - onPremisesNetBiosName 35 | - onPremisesProvisioningErrors 36 | - onPremisesSamAccountName 37 | - onPremisesSecurityIdentifier 38 | - onPremisesSyncEnabled 39 | - proxyAddresses 40 | - renewedDateTime 41 | - 
securityIdentifier 42 | - Name: microsoft.graph.application 43 | RootUri: /applications 44 | Upsertable: true 45 | IgnoredProperties: 46 | - oauth2RequirePostResponse 47 | RequiredOnWrite: 48 | - displayName 49 | - uniqueName 50 | ReadOnly: 51 | - appId 52 | - applicationTemplateId 53 | - certification 54 | - createdDateTime 55 | - publisherDomain 56 | - Name: microsoft.graph.servicePrincipal 57 | RootUri: /servicePrincipals 58 | Upsertable: true 59 | RequiredOnWrite: 60 | - appId 61 | ReadOnly: 62 | - applicationTemplateId 63 | - appOwnerOrganizationId 64 | - resourceSpecificApplicationPermissions 65 | - signInAudience 66 | - Name: microsoft.graph.federatedIdentityCredential 67 | RootUri: /applications/federatedIdentityCredentials 68 | Upsertable: true 69 | ContainerEntitySet: applications 70 | RequiredOnWrite: 71 | - audiences 72 | - issuer 73 | - name 74 | - subject 75 | - Name: microsoft.graph.oAuth2PermissionGrant 76 | RootUri: /oauth2PermissionGrants 77 | Upsertable: false 78 | Updatable: true 79 | RequiredOnWrite: 80 | - clientId 81 | - consentType 82 | - resourceId 83 | FilterProperty: 84 | - clientId 85 | - consentType 86 | - resourceId 87 | CompositeKey: 88 | - clientId 89 | - consentType 90 | - resourceId 91 | - Name: microsoft.graph.appRoleAssignment 92 | RootUri: /appRoleAssignedTo 93 | Upsertable: false 94 | Updatable: false 95 | ContainerEntitySet: servicePrincipals 96 | ContainerKeyProperty: resourceId 97 | RequiredOnWrite: 98 | - appRoleId 99 | - principalId 100 | - resourceId 101 | ReadOnly: 102 | - createdDateTime 103 | - principalDisplayName 104 | - principalType 105 | CompositeKey: 106 | - appRoleId 107 | - principalId 108 | - Name: microsoft.graph.appRole 109 | ReadOnly: 110 | - origin 111 | - Name: microsoft.graph.informationalUrl 112 | ReadOnly: 113 | - logoUrl 114 | - Name: microsoft.graph.passwordCredential 115 | IgnoredProperties: 116 | - customKeyIdentifier 117 | ReadOnly: 118 | - hint 119 | - secretText  # NOTE(review): hint/secretText are read-only here, so a template cannot set a secret value; confirm the generator also keeps any secretText the service returns on create out of deployment outputs and logs, since read-only does not by itself mean non-sensitive 120 | - Name: 
microsoft.graph.permissionScope 121 | IgnoredProperties: 122 | - origin 123 | - Name: microsoft.graph.directoryObject 124 | ReadOnly: 125 | - deletedDateTime 126 | - Name: microsoft.graph.entity 127 | ReadOnly: 128 | - id 129 | --------------------------------------------------------------------------------
