Azure · ryanhamel · Mar 17, 2025 · Mar 10, 2025 · Mar 10, 2025 · Mar 10, 2025
diff --git a/bicep/ccw.bicep b/bicep/ccw.bicep
@@ -252,6 +252,7 @@ module ccwANF 'anf.bicep' = [
 ]
 
 var deployOOD = ood.type != 'disabled'
+var registerOODApp = ood.?registerEntraIDApp ?? false
 
 module oodNIC 'ood-NIC.bicep' = if (deployOOD) {
   name: 'oodNIC'
@@ -264,12 +265,12 @@ module oodNIC 'ood-NIC.bicep' = if (deployOOD) {
 }
 
 // create a user assigned managed identity to be assigned to the OOD VM
-resource oodNewManagedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = if (deployOOD) {
+resource oodNewManagedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = if (registerOODApp) {
   name: 'ood-${uniqueString(az.resourceGroup().id)}-mi'
   location: location
 }
 
-module oodApp 'oodEntraApp.bicep' = if (deployOOD) {
+module oodApp 'oodEntraApp.bicep' = if (registerOODApp) {
   name: 'oodApp'
   params: {
     umiName: 'ood-${uniqueString(az.resourceGroup().id)}-mi'
@@ -392,7 +393,7 @@ output acceptMarketplaceTerms bool = acceptMarketplaceTerms
 output ood object = union(ood, {
   version: '1.0.0'
   nic: deployOOD ? oodNIC.outputs.NICId : ''
-  managedIdentity: deployOOD ? oodApp.outputs.oodMiId : ''
-  clientId: deployOOD ? oodApp.outputs.oodClientAppId : ''
+  managedIdentity: deployOOD ? registerOODApp ? oodApp.outputs.oodMiId : ood.?appManagedIdentityId : ''
+  clientId: deployOOD ? registerOODApp ? oodApp.outputs.oodClientAppId : ood.?appId : ''
   tenantId: deployOOD ? subscription().tenantId : ''
 })
diff --git a/bicep/types.bicep b/bicep/types.bicep
@@ -251,8 +251,11 @@ type ood_enabled_t = {
   sku: string
   osImage: string
   userDomain: string
-  registerEntraIDApp: bool
   fqdn: string?
+  registerEntraIDApp: bool
+  appId: string?
+  appTenantId: string?
+  appManagedIdentityId: string?
 }
 
 @export()

diff --git a/uidefinitions/createUiDefinition.json b/uidefinitions/createUiDefinition.json
@@ -1897,14 +1897,58 @@
               },
               {
                 "name": "registerEntraIDApp",
-                "type": "Microsoft.Common.CheckBox",
-                "label": "Register an Entra ID Application",
-                "toolTip": "Register an Entra ID Application for Open OnDemand authentication using OpenID Connect",
-                "defaultValue": true,
+                "type": "Microsoft.Common.OptionsGroup",
+                "label": "Microsoft Entra ID Application Registration",
+                "defaultValue": "Automatically register an Entra ID Application",
+                "toolTip": "Register a Microsoft Entra ID Application for Open OnDemand authentication using OpenID Connect",
                 "constraints": {
-                  "required": false
+                  "allowedValues": [
+                    {
+                      "label": "Automatically register an Entra ID Application",
+                      "value": "autoregister"
+                    },
+                    {
+                      "label": "Use existing Entra ID Application registration",
+                      "value": "existing"
+                    },
+                    {
+                      "label": "None",
+                      "value": "no"
+                    }
+                  ],
+                  "required": true
                 },
                 "visible": "[steps('ood').OODSection.deployOOD]"
+              },
+              {
+                "name": "clientId",
+                "type": "Microsoft.Common.TextBox",
+                "label": "Application (client) ID",
+                "defaultValue": "",
+                "toolTip": "Application or client ID of the Entra ID Application in the Azure AD tenant",
+                "constraints": {
+                  "required": true,
+                  "regex": "^(\\w{8}(-\\w{4}){3}-\\w{12}?)$",
+                  "validationMessage": "Enter a valid application (client) ID"
+                },
+                "visible": "[equals(steps('ood').OODSection.registerEntraIDApp,'existing')]"
+              },
+              {
+                "name": "managedIdentity",
+                "type": "Microsoft.Solutions.ResourceSelector",
+                "label": "Managed Identity",
+                "toolTip": "Select the user-assigned managed identity created for the federated credentials",
+                "resourceType": "Microsoft.ManagedIdentity/userAssignedIdentities",
+                "constraints": {
+                  "required": true,
+                  "validationMessage": "Please select a managed identity."
+                },
+                "options": {
+                  "filter": {
+                    "subscription": "onBasics"
+                  }
+                },
+                "visible": "[equals(steps('ood').OODSection.registerEntraIDApp,'existing')]"
               }
             ],
             "visible": true
@@ -2025,8 +2069,10 @@
         "sku": "[if(steps('ood').OODSection.deployOOD,steps('ood').OODSection.vmsize,basics('nullValue'))]",
         "osImage": "[if(steps('ood').OODSection.deployOOD,if(equals(steps('ood').OODSection.ImageName,'custom'),steps('ood').OODSection.customImageName,steps('ood').OODSection.ImageName),basics('nullValue'))]",
         "userDomain": "[if(steps('ood').OODSection.deployOOD,steps('ood').OODSection.userDomain,basics('nullValue'))]",
-        "registerEntraIDApp": "[if(steps('ood').OODSection.deployOOD,steps('ood').OODSection.registerEntraIDApp,basics('nullValue'))]",
-        "fqdn": "[if(not(equals(steps('ood').OODSection.fqdn,'')),steps('ood').OODSection.fqdn,basics('nullValue'))]"
+        "fqdn": "[if(not(equals(steps('ood').OODSection.fqdn,'')),steps('ood').OODSection.fqdn,basics('nullValue'))]",
+        "registerEntraIDApp": "[if(steps('ood').OODSection.deployOOD,equals(steps('ood').OODSection.registerEntraIDApp,'autoregister'),basics('nullValue'))]",
+        "appId": "[if(equals(steps('ood').OODSection.registerEntraIDApp,'existing'),steps('ood').OODSection.clientId,basics('nullValue'))]",
+        "appManagedIdentityId": "[if(equals(steps('ood').OODSection.registerEntraIDApp,'existing'),steps('ood').OODSection.managedIdentity.id,basics('nullValue'))]"
       },
       "clusterInitSpecs": [],
       "tags": "[steps('tags').tagsByResource]"