Azure Governance and Management Blog

Announcing GA of Bicep templates support for Microsoft Entra ID resources

Dan_Kershaw
Microsoft
Jul 29, 2025

We're thrilled to announce that Bicep templates for Microsoft Entra ID resources are generally available as of July 29th, 2025. Bicep templates bring declarative infrastructure as code (IaC) capabilities to Microsoft Graph resources. This new capability is initially available for core Microsoft Entra ID resources.

Bicep templates for Microsoft Entra resources allow you to define the tenant infrastructure you want to deploy, such as groups or applications, in a file, and then use that file throughout the development lifecycle to deploy the same infrastructure repeatably. The file uses the Bicep language, a domain-specific language (DSL) with declarative syntax for deploying resources, typically used in DevOps and infrastructure as code solutions.

What problems does this solve?

Azure Resource Manager and Bicep templates allow you to declare Microsoft Azure resources in files and deploy those resources into your infrastructure. Configuring and managing your Azure services and infrastructure often includes managing Microsoft Entra ID resources, like applications and groups. Until now, you had to orchestrate your deployments across two mechanisms: Azure Resource Manager or Bicep template files for Azure resources, and Microsoft Graph PowerShell for Microsoft Entra ID resources.

With the Microsoft Graph Bicep GA release, you can declare the Microsoft Entra ID resources in the same Bicep files as your Azure resources, making configurations easier to define, and deployments more reliable and repeatable.

Let's look at how this works and then we'll run through an example.

The Microsoft Graph Bicep extension

To provide support for Bicep templates for Microsoft Graph resources, we have released the new Microsoft Graph Bicep extension that allows you to author, deploy, and manage supported Microsoft Graph resources (initially Microsoft Entra ID resources) in Bicep template files either on their own, or alongside Azure resources.

Authoring experience

You get the same first-class authoring experience of the Bicep Extension for VS Code when you use it to create your Microsoft Graph resource types in Bicep files. The editor provides rich type-safety, IntelliSense, and syntax validation.

Editing a Bicep file containing Microsoft Graph resources

Deploying Bicep files

Once you have authored your Bicep file, you can deploy it using familiar tools such as Azure PowerShell and Azure CLI. When the deployment request is made to the Resource Manager, the deployments engine orchestrates the deployment of interdependent resources so they're created in the correct order, including the Microsoft Graph resources.

The following image shows a Bicep template file where the Microsoft Graph group creation is dependent on the managed identity resource, as it is being added as a group member. The deployments engine first sends the managed identity request to the Resource Manager, which routes it to the Microsoft.ManagedIdentity resource provider. Next, the deployments engine sees that Microsoft.Graph/groups is an extensible resource, so it knows to route this resource request to the Microsoft Graph Bicep extension. The Microsoft Graph Bicep extension then translates the groups resource request into a request to Microsoft Graph.

Deploying a Bicep file containing Microsoft Graph resources
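The dependency described above, as an added example that is not the post's own template: a user-assigned managed identity and a Microsoft.Graph/groups resource that lists the identity as a member, so the deployments engine must create the identity first. The resource names, the location parameter and the group's uniqueName are assumptions for illustration.

```bicep
// Added example, not from the post. Names and parameter defaults are assumed.
extension microsoftGraphV1

@description('Location for the managed identity (assumed default)')
param location string = resourceGroup().location

@description('Client-provided key for the group; reusing it on redeploy updates the same group instead of creating a duplicate')
param groupUniqueName string = 'bicep-demo-group'

// Azure resource: Resource Manager routes this to the Microsoft.ManagedIdentity resource provider.
resource mi 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: 'bicep-demo-mi'
  location: location
}

// Extensible resource: routed to the Microsoft Graph Bicep extension, which
// translates it into a Microsoft Graph request. Referencing
// mi.properties.principalId creates an implicit dependency, so the
// deployments engine creates the identity before the group.
resource group 'Microsoft.Graph/groups@v1.0' = {
  displayName: 'Bicep demo group'
  uniqueName: groupUniqueName
  mailEnabled: false
  mailNickname: groupUniqueName
  securityEnabled: true
  members: [
    mi.properties.principalId
  ]
}

output groupObjectId string = group.id
output identityPrincipalId string = mi.properties.principalId
```

Because group membership is declared in the file, a review of the template (or a diff of it in source control) shows exactly which identities are members, which is harder to audit when membership is scripted separately.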

Scenario: Using GitHub Actions to build and deploy a web app to Azure App Service

In this scenario you configure workload identity federation and a GitHub Actions workflow so that the workflow can sign in to Microsoft Entra, then build and deploy a web app into an Azure App Service, without using any secrets.

GitHub Action deploys a web app to Azure App Services using a federated identity credential

You can enable a GitHub Actions workflow to exchange a GitHub access token for a Microsoft Entra ID access token, so that the GitHub Actions workflow can access Azure resources. The template below creates an Entra ID application (to represent the GitHub Action) and configures it with a federated identity credential. When the GitHub Actions workflow requests to exchange a GitHub access token for an access token from the Microsoft identity platform, the values in the federated identity credential are checked against the provided GitHub token's issuer and subject claim values.

Bicep template declaring an application and federated identity credential for a GitHub Action, and assigning that application Azure contributor privileges
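An added example of the template described above; it is not the post's own template or the linked sample. It declares the application, its service principal, a federated identity credential whose subject is bound to one GitHub repository environment, and a Contributor role assignment scoped to the resource group. The GitHub organization, repository and environment names and the application's uniqueName are placeholders.

```bicep
// Added example, not from the post. GitHub org/repo/environment values are placeholders.
extension microsoftGraphV1

param githubOrg string = 'contoso-org'
param githubRepo string = 'webapp'
param githubEnvironment string = 'production'

var appUniqueName = 'github-webapp-deployer'

// The application represents the GitHub Actions workflow in the tenant.
resource app 'Microsoft.Graph/applications@v1.0' = {
  displayName: 'GitHub Actions web app deployer'
  uniqueName: appUniqueName
}

// The token exchange succeeds only when the GitHub OIDC token's issuer, subject
// and audience match these values. Binding the subject to one repository and
// environment means a workflow in another repo or branch cannot use this credential.
resource fic 'Microsoft.Graph/applications/federatedIdentityCredentials@v1.0' = {
  name: '${app.uniqueName}/github-${githubEnvironment}'
  audiences: [
    'api://AzureADTokenExchange'
  ]
  issuer: 'https://token.actions.githubusercontent.com'
  subject: 'repo:${githubOrg}/${githubRepo}:environment:${githubEnvironment}'
}

// The service principal is what receives the Azure role assignment.
resource sp 'Microsoft.Graph/servicePrincipals@v1.0' = {
  appId: app.appId
}

// Built-in Contributor role definition ID. The assignment is scoped to this
// resource group rather than the subscription, so the workflow can only
// change resources in the group that holds the App Service.
var contributorRoleId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')

resource contributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(resourceGroup().id, sp.id, contributorRoleId)
  properties: {
    principalId: sp.id
    principalType: 'ServicePrincipal'
    roleDefinitionId: contributorRoleId
  }
}

// Values the workflow needs for azure/login with OIDC; no client secret is issued.
output clientId string = app.appId
output tenantId string = tenant().tenantId
```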

The Configure federated identity credentials for GitHub Actions article contains the full end-to-end sample.

Now that we've walked you through how Bicep templates for Microsoft Graph work and demonstrated them through a scenario sample, you can start creating your own Bicep templates to meet your infrastructure as code needs.

Updated Jul 28, 2025
Version 1.0

6 Comments

  • BenStreetST
    Copper Contributor

    Is there a plan or roadmap to support additional Graph functionality, leaning towards Intune for example?

  • Simon_Geary
    Brass Contributor

    Do you know if there are any plans to make an Azure Verified Module for this?

    • Dan_Kershaw
      Microsoft

      We've been in discussions with the AVM team. While we don't have any commitment or dates yet, it is something we'd like to do. Are there particular AVM scenarios that you are particularly interested in?

      • Simon_Geary
        Brass Contributor

        My technical use case is to be able to add/remove certificates, secrets and redirect URIs to an app registration. But even if that can be accomplished using this new extension, I would in more general terms like to standardise on AVM, just for consistency.