
I need the managed identity client id for setting up auth between an Azure Function and a service bus. I’ve solved it with a user-assigned identity, but would like to achieve it with a system-assigned identity.

I’ve removed some irrelevant parts from the screenshot below, but as you can see from the autocomplete, I can’t see any clientId/applicationId.

Screenshot of setup

When using a user-assigned identity, it’s solved as here.

To clarify, I’m after the ID marked in green below:
Screenshot from Azure Portal

2 Answers


  1. Chosen as BEST ANSWER

    @Julian Hüppauff put me on the right track: I don't actually need it.

    I was messing with a template that had previously been set up for a user-assigned identity. I can't seem to find an official reference for it, but apparently you need to set these 3 for a function app when using a user-assigned identity and wanting to connect to a Service Bus namespace.

        {
          name: 'demoservicebus__fullyQualifiedNamespace'
          value: '${servicebus.name}.servicebus.windows.net'
        }
        {
          name: 'demoservicebus__credential'
          value: 'managedidentity'
        }
        {
          name: 'demoservicebus__clientID'
          value: userIdentity.properties.clientId
        }
    

    When using a system-assigned identity, I can simply remove these 3, so there is no need to look up the clientId in the Bicep.
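    As an added example (not code from either answer), the following Bicep shows the system-assigned form end to end: a function app with `identity.type: 'SystemAssigned'`, an identity-based Service Bus connection that carries only the `__fullyQualifiedNamespace` setting (the `__credential` and `__clientID` settings are only needed for a user-assigned identity), and a role assignment scoped to the namespace so the function's principal gets Data Receiver rights and nothing broader. The names (`demo-func`, `demo-sb-ns`), the plan and storage parameters, and the `dotnet-isolated` runtime are assumptions for the example.

```bicep
// Added example: function app with a system-assigned identity talking to Service Bus.
// Resource names, the hosting plan id and the storage connection string are assumed inputs.
param location string = resourceGroup().location
param functionAppName string = 'demo-func'
param serviceBusNamespaceName string = 'demo-sb-ns'
param hostingPlanId string            // existing Consumption/Premium plan (assumed)
param storageConnectionString string  // AzureWebJobsStorage (assumed for brevity)

resource servicebus 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' existing = {
  name: serviceBusNamespaceName
}

resource functionApp 'Microsoft.Web/sites@2022-09-01' = {
  name: functionAppName
  location: location
  kind: 'functionapp'
  identity: {
    type: 'SystemAssigned' // Azure creates the principal; no clientId to look up
  }
  properties: {
    serverFarmId: hostingPlanId
    siteConfig: {
      appSettings: [
        { name: 'AzureWebJobsStorage', value: storageConnectionString }
        { name: 'FUNCTIONS_EXTENSION_VERSION', value: '~4' }
        { name: 'FUNCTIONS_WORKER_RUNTIME', value: 'dotnet-isolated' }
        // Identity-based connection for a system-assigned identity: only the namespace.
        // No 'demoservicebus__credential' or 'demoservicebus__clientID' entries.
        {
          name: 'demoservicebus__fullyQualifiedNamespace'
          value: '${servicebus.name}.servicebus.windows.net'
        }
      ]
    }
  }
}

// Built-in role 'Azure Service Bus Data Receiver' (enough for a queue/topic trigger).
var serviceBusDataReceiverRoleId = subscriptionResourceId(
  'Microsoft.Authorization/roleDefinitions',
  '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0'
)

// Grant the function's system-assigned principal access at namespace scope only.
resource sbReceiverAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(servicebus.id, functionApp.id, serviceBusDataReceiverRoleId)
  scope: servicebus
  properties: {
    roleDefinitionId: serviceBusDataReceiverRoleId
    principalId: functionApp.identity.principalId
    principalType: 'ServicePrincipal'
  }
}

output functionPrincipalId string = functionApp.identity.principalId
```

    Two details matter in practice: `principalType: 'ServicePrincipal'` lets the role assignment succeed even before the newly created identity has replicated through Entra ID (without it, deployments of a brand-new identity intermittently fail with a principal-not-found error), and scoping the assignment to the namespace rather than the resource group keeps the blast radius to the one resource the function actually needs. Swap the role id for Data Sender if the function only publishes.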


  2. An ugly solution, but it works. To simplify, I used a logic app in place of your site; there is no difference in essence.

    1. Create a user-assigned managed identity, which will be used to give access to the deployment script.

    2. Assign the Global Reader role to the user-assigned managed identity.

    3. Use Get-AzADServicePrincipal -ObjectId $objectId to get the applicationId from the objectId, then output it.

    param location string = resourceGroup().location
    param logicappName string = 'xxlogicapptest'
    param deploymentScriptUserIdentityName string = 'xx-user-assigned-managedIdentity'

    // The existing logic app whose system-assigned identity we want the appId for.
    resource logicapp 'Microsoft.Logic/workflows@2019-05-01' existing = {
      name: logicappName
    }

    // This identity runs the deployment script and must be able to read the directory
    // (step 2 above: Global Reader), otherwise Get-AzADServicePrincipal is denied.
    @description('The user identity for the deployment script.')
    resource scriptIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-07-31-preview' existing = {
      name: deploymentScriptUserIdentityName
    }

    resource deploymentScript 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
      name: 'inlinePS'
      location: location
      kind: 'AzurePowerShell'
      identity: {
        type: 'UserAssigned'
        userAssignedIdentities: {
          '${scriptIdentity.id}': {}
        }
      }
      properties: {
        azPowerShellVersion: '10.0'
        // Pass the logic app's system-assigned principal (object) id into the script.
        arguments: '-objectId ${logicapp.identity.principalId}'
        scriptContent: '''
          param([string] $objectId)
          # Parenthesise the -f expression so it is not parsed as a Write-Output parameter.
          Write-Output ("The argument is {0}." -f $objectId)
          # Resolve the service principal by object id and read its application (client) id.
          $sp = Get-AzADServicePrincipal -ObjectId $objectId
          $appId = $sp.AppId

          # Anything placed in $DeploymentScriptOutputs is exposed as properties.outputs.
          $DeploymentScriptOutputs = @{}
          $DeploymentScriptOutputs['text'] = $appId
        '''
        cleanupPreference: 'OnExpiration'
        retentionInterval: 'PT1H'
      }
    }

    output objectId string = logicapp.identity.principalId
    output appId string = deploymentScript.properties.outputs.text

    

    Screenshot: DeploymentScript outputs


    I have also tried Microsoft.Graph servicePrincipals, but in vain, because the existing service principal resource in Bicep also needs the applicationId as a parameter to fill in.
