
I want to grant AppService access to a Bing resource (Microsoft.Bing/accounts@2020-06-10).
Which role (Microsoft.Authorization/roleDefinitions) should I set in Bing’s IAM (Microsoft.Authorization/roleAssignments)?

In detail, I need to know the following xxx.

var role = subscriptionResourceId(
  'Microsoft.Authorization/roleDefinitions',
  'xxx-xxx-xxx-xxx-xxx'
)

resource searchServiceIndexAppPermissions 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: guid(bingSearch.id, webApp.name, role)
  scope: bingSearch
  properties: {
    principalId: webApp.identity.principalId
    principalType: 'ServicePrincipal'
    roleDefinitionId: role
  }
}

2 Answers


  1. Chosen as BEST ANSWER

    I found the article (https://learn.microsoft.com/en-us/answers/questions/1578934/can-i-use-azure-bing-search-resource-with-managed), which says we need to use the key to access a Bing resource. So it's meaningless to grant the role to the WebApp's managed ID. We can't avoid using the key by using the managed ID.
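
Given the key-only access described in the answer above, one way to keep the Bing key out of the app's configuration is to store it in Key Vault and grant the web app's managed identity read access to that one secret. This is an added example, not code from the thread; the resource names are hypothetical, the vault is assumed to use RBAC authorization, the web app is assumed to have a system-assigned identity, and the `key1` property returned by `listKeys()` is an assumption.

```bicep
// Added example; all resource names below are hypothetical placeholders.
param bingSearchName string = 'example-bing'
param webAppName string = 'example-webapp' // assumed: system-assigned identity enabled
param keyVaultName string = 'example-kv'   // assumed: enableRbacAuthorization is true

resource bingSearch 'Microsoft.Bing/accounts@2020-06-10' existing = {
  name: bingSearchName
}

resource webApp 'Microsoft.Web/sites@2021-02-01' existing = {
  name: webAppName
}

resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: keyVaultName
}

// Copy the Bing key into Key Vault at deploy time so the raw key is never
// written into app settings or source. Assumes listKeys() returns key1/key2.
resource bingKeySecret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {
  parent: keyVault
  name: 'bing-search-key'
  properties: {
    value: bingSearch.listKeys().key1
  }
}

// Built-in "Key Vault Secrets User" role: read secret values only.
var secretsUserRole = subscriptionResourceId(
  'Microsoft.Authorization/roleDefinitions',
  '4633458b-17de-408a-b874-0445c86b69e6'
)

// Scope the assignment to this single secret rather than the whole vault.
resource secretReadAccess 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(bingKeySecret.id, webApp.id, secretsUserRole)
  scope: bingKeySecret
  properties: {
    principalId: webApp.identity.principalId
    principalType: 'ServicePrincipal'
    roleDefinitionId: secretsUserRole
  }
}
```

The web app can then resolve the key through a Key Vault reference app setting of the form `@Microsoft.KeyVault(SecretUri=...)`, or read the secret at runtime with its managed identity.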


  2. roleDefinitions for Bing search services using bicep

    Following up with GitHub on the Bing search, we need to use the MSDoc, which helps to achieve the requirement you mentioned.

    The role required to assign the role is User Access Administrator, which helps in providing the role to the web app, and we need Search Service Contributor or Contributor,
    based on the privilege the web app needs over the search service.

    Bicep File:

    param location string = resourceGroup().location
    param appServicePlanName string = 'vkkAppServicePlan'
    param webAppName string = 'vkkWebApp'
    param bingSearchName string = 'vkkbingsearch'
    
    resource appServicePlan 'Microsoft.Web/serverfarms@2021-02-01' = {
      name: appServicePlanName
      location: location
      sku: {
        name: 'B1'
        capacity: 1
      }
      properties: {
        reserved: false
      }
    }
    
    resource webApp 'Microsoft.Web/sites@2021-02-01' = {
      name: webAppName
      location: location
      identity: {
        type: 'SystemAssigned'
      }
      properties: {
        serverFarmId: appServicePlan.id
      }
      kind: 'app'
    }
    
    resource bingSearch 'Microsoft.Search/searchServices@2024-03-01-preview' = {
      name: bingSearchName
      location: location
      sku: {
        name: 'standard'
      }
      identity: {
        type: 'SystemAssigned'
      }
      properties: {
        hostingMode: 'default'
        partitionCount: 1
        replicaCount: 1
        publicNetworkAccess: 'Enabled'
        authOptions: {
          aadOrApiKey: {
            aadAuthFailureMode: 'http401WithBearerChallenge' 
          }
        }
        disabledDataExfiltrationOptions: ['All'] 
        encryptionWithCmk: {
          enforcement: 'Unspecified' 
        }
      }
    }
    
    var roleDefinitionId = subscriptionResourceId(
      'Microsoft.Authorization/roleDefinitions',
      'role_ID'
    )
    
    resource searchServiceIndexAppPermissions 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
      name: guid(bingSearch.id, webApp.name, roleDefinitionId)
      scope: bingSearch
      properties: {
        principalId: webApp.identity.principalId
        principalType: 'ServicePrincipal'
        roleDefinitionId: roleDefinitionId
      }
    }
    

    Deployment succeeded:
