ARM templates offer a great way to define resources and deploy them. However, ARM templates didn’t have any support to invoke or run scripts. If we wanted to carry out some operations as part of the deployment (Azure AD app registrations, Certificate generations, copy data to/from another system etc.) we had to create pre or post deployment scripts (using Azure PowerShell or Azure CLI). Microsoft recently announced the preview of Deployment Scripts (new resource type
Microsoft.Resources/deploymentScripts) – which brings a way to run a script as part of ARM template deployment.
I have few web apps using Open ID connect for user authentication and they’re running as Azure App services. I always wanted to automate (preferably in a declarative and idempotent way) the required app registrations in Azure AD and deploy them together with the ARM templates of web apps.
Since we now have deployment script capability, I wanted to leverage it for Azure AD app registrations. In this article I will share my experience doing exactly that.
What are deployment scripts?
Deployment scripts allows running custom scripts (can be either Azure PowerShell or Azure CLI) as part of an ARM template deployment. It can be used to perform custom steps that can’t be done by ARM templates.
A simple deployment template that runs a bash command (echo) looks like below:
Microsoft described the benefits of deployment scripts as following:
– Easy to code, use, and debug. You can develop deployment scripts in your favorite development environments. The scripts can be embedded in templates or in external script files.
– You can specify the script language and platform. Currently, Azure PowerShell and Azure CLI deployment scripts on the Linux environment are supported.
– Allow specifying the identities that are used to execute the scripts. Currently, only Azure user-assigned managed identity is supported.
– Allow passing command-line arguments to the script.
Can specify script outputs and pass them back to the deployment.
Registering Azure AD app
We can write a small script (with Azure CLI) like above sample, that registers the Azure AD app – that’s quite straightforward. However, first we need to address the Identity aspect, what account would run the script and how app-registration permission can be granted to that account. The answer is using Managed Identity.
User Assigned Managed Identity
Managed identities for Azure resources provide Azure services with a managed identity in Azure Active Directory. We can use this identity to authenticate to services that support Azure AD authentication, without needing credentials in your code. There are two types of Managed Identity, System assigned and User Assigned.
Deployment Scripts currently supports User Assigned Identities only, hence, we need to create a User Assigned Managed Identity that would run the CLI script. This identity is used to execute deployment scripts. We would also grant Azure AD app registration permissions to this identity. Creating User Assigned Identity is straightforward and the steps are nicely described here.
Next to that, we will have to grant permissions to the identity. Following PowerShell script grants the required permissions to the Managed Identity.
We will now write the ARM template that will leverage the deployment scripts to register our app in Azure AD.
I wouldn’t explain each of the settings/config options in here. Most important part here is the
scriptContent property – which can have a string value of any scripts (PowerShell or Bash). You can also point to an external script file instead of embedded script.
Another important property is
cleanupPreference. It specifies the preference of cleaning up deployment resources when the script execution gets in a terminal state. Default setting is Always, which means deleting the resources despite the terminal state (Succeeded, Failed, Canceled).
You can find more details on each of the configuration properties for Deployment Script in this document.
I have used some variable references that are defined in the same template
Notice here the
cliArg variable. This would be the argument that we are passing as inputs to our CLI/bash script. The catch here is, the arguments need to be separated by white-spaces.
Finally, we would love to grab the newly registered
app id and configure an entry into the
App Settings in our web app – so the web app Open ID authentication can work right after the deployment.
At this point we will deploy the template and after the deployment completed, we will see the app has been registered in Azure AD:
Also, we can verify that the newly created App ID is nicely configured into the web app’s app-settings.
That’s all there is to it!
I haven’t defined any API permission scopes for the app registrations in this example, however, having the Azure CLI script in place, defining further API scopes are trivial.
How it worked?
If we login to the Azure Portal we will see the following:
We see a new resource of type Deployment Script besides our Web App (and it’s Service Plan) that is obvious. However, we also see Container Instance and a Storage Account. Where they came from?
Well, Azure RM deployment created them while deploying the Deployment scripts. The storage account and a container instance, are created in the same resource group for script execution and troubleshooting. These resources are usually deleted by the script service when the script execution gets in a terminal state. Important to know, we are billed for the resources until the resources are deleted.
The container instance runs a Docker image as a Sandbox for our Deployment Script. You can see the image name form the portal that Microsoft is using for execution. This can come handy to try out the script locally – for development purposes.
I have a mixed feeling about the deployment script in ARM templates. It obviously has some benefits. But this shouldn’t replace all pre or post deployment script. Because sometimes it might be cleaner and easier to create a pre- or post-script task in continuous delivery pipeline than composing all in ARM templates.
6 thoughts on “Azure AD App via ARM Template Deployment Scripts”
Hi Moim ,
Against which app should we provide permissions to the managed identity ? What is the graph app used in the example ?
Not sure, I fully understood the ask. But these scripts (inked below) are assigning the permissions to the MI to create/register applications in AAD,
Could you paste thelink to arm template?
I need app reg and user flow creation using ARM template can u help me
Hi Moim! I’m wondering is your deploy script is actually idempotent. To me it seems it would try to create the app registration every time. So if you run it against already existing resources then `az ad app create` would fail, no?
Hi Moim, thanks for writing this. One thing that is still unclear to me is if there is a way to automate the script where you are assigning required AD role to the managed idenity (New-AzureAdServiceAppRoleAssignment). Apprarently, this cannot be done from the deployment script as managed identity does not yet has required privileges to execute these powershell AD modules. What do you think?