
Commit 5f886e6

Merge pull request #212 from microsoftgraph/dkershaw10-users-sample
Sample demonstrating the new Users bicep type
2 parents 16f39aa + f37c24f commit 5f886e6

4 files changed

+101
-0
lines changed
Lines changed: 47 additions & 0 deletions
@@ -0,0 +1,47 @@
1+
# Configure a security group's user members, referencing users by UPN
2+
3+
This sample demonstrates use of the read-only [`Microsoft.Graph/Users` bicep type][users-ref] which allows you to
4+
fetch `user` resources by their user principal name (UPN).
5+
6+
This quickstart creates a security group and adds users, referenced via their UPNs, as members.
7+
The list of users to be added as members are in a txt file, with each user's UPN on a separate line.
8+
Replace the UPN values in the example "userlist.txt" file with user UPN values from your tenant, before deployment.
9+
10+
## Details
11+
12+
This template sample:
13+
14+
1. Creates a user UPN list from a txt file.
15+
2. Creates/updates a security group with its members set based on the user UPN list
16+
17+
**NOTE:** Due to current modelling limitations [no more than 20 members can be added/updated at a time][20-members], and only [update semantics][update-only] are supported for members (and owners).
18+
19+
### Prerequisites
20+
21+
- A valid **Azure subscription**: If you don't own an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
22+
- An **Azure resource group** that you own under a valid Azure subscription, or [deploy without an Azure subscription][no-azure-sub].
23+
- [Bicep tools for authoring and deployment](https://learn.microsoft.com/graph/templates/quickstart-install-bicep-tools). The minimum required Bicep version is [v0.32.4](https://github.com/Azure/bicep/releases/tag/v0.32.4).
24+
- Have the requisite **Microsoft Entra roles** to deploy this template:
25+
26+
- Permissions to create security groups. [Users have this permission by default](https://learn.microsoft.com/entra/fundamentals/users-default-permissions#compare-member-and-guest-default-permissions). However, [admins can turn off this default](https://learn.microsoft.com/entra/fundamentals/users-default-permissions#restrict-member-users-default-permissions) in which case you need to be assigned at least the [Groups Administrator](https://learn.microsoft.com/entra/identity/role-based-access-control/permissions-reference#groups-administrator) role.
27+
28+
### Deploy the Bicep template
29+
30+
Before deploying the template, you **must** replace the UPN values in the example "userlist.txt" file with user UPN values from your tenant.
31+
32+
##### Az CLI
33+
34+
```sh
35+
az deployment group create --resource-group <resource-group> --template-file main.bicep --parameters date='2025-01-24'
36+
```
37+
38+
##### Az Powershell
39+
40+
```powershell
41+
New-AzResourceGroupDeployment -ResourceGroupName <resource-group> -TemplateFile .\main.bicep -date "2025-01-24"
42+
```
43+
44+
[update-only]:https://learn.microsoft.com/graph/templates/known-issues-graph-bicep#deployment-behavior-group-members-and-owners-are-append-only
45+
[20-members]:https://learn.microsoft.com/graph/templates/limitations#no-more-than-20-members-andor-owners-can-be-declared-for-a-groups-resource
46+
[no-azure-sub]:https://learn.microsoft.com/graph/templates/how-to-deploy-without-azure-sub?view=graph-bicep-1.0&tabs=CLI
47+
[users-ref]:https://learn.microsoft.com/graph/templates/reference/users?view=graph-bicep-1.0
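Review bot: the NOTE on line 17 says only "update semantics" are supported for members and owners, but the `[update-only]` link on line 44 points at an anchor titled "group members and owners are append-only"; the two describe different behaviour, so the sentence should say "append-only semantics" and spell out that removing a UPN from `userlist.txt` and redeploying will not remove that member from the group. Also, line 7 should read "The list of users to be added as members is in a txt file", and since the template resolves `Microsoft.Graph/Users` resources by UPN, the Prerequisites could state what the deployer needs in order to read users in the tenant, not only to create groups.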
Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
{
2+
"experimentalFeaturesEnabled": {
3+
"extensibility": true
4+
},
5+
// specify an alias for the version of the v1.0 dynamic types package you want to use
6+
"extensions": {
7+
"microsoftGraphV1": "br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:0.1.9-preview"
8+
}
9+
}
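Review bot: the comment on line 5 explains the alias but not why `experimentalFeaturesEnabled.extensibility` on lines 2-4 is needed; a one-line comment that the Microsoft Graph Bicep extension requires the extensibility feature flag would save readers a trip to the docs. Pinning the extension to an exact preview tag, `br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:0.1.9-preview`, is the right call for reproducibility, but the README's minimum Bicep version (v0.32.4) and this extension version have to move together, so a comment noting that dependency would help whoever bumps either one.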
Lines changed: 42 additions & 0 deletions
@@ -0,0 +1,42 @@
1+
extension microsoftGraphV1
2+
3+
// TEMPLATE OVERVIEW:
4+
// Creates a security group and adds the referenced users as members.
5+
// The user list are in a txt file, with each user's UPN on a separate line.
6+
// Replace example userlist.txt file values with user UPNs from your tenant.
7+
8+
@description('Today\'s date used to configure a unique daily app name')
9+
param date string
10+
11+
// File name/path must be a compile time constant, so this cannot be a param
12+
var userListFilename = 'userlist.txt'
13+
14+
// Load a text file with a list of users separated by newlines
15+
var upnListFromFile = loadTextContent(userListFilename)
16+
var upnList = split(upnListFromFile,'\r\n')
17+
var upnListLength = length(upnList)
18+
19+
var groupName = 'sg-${date}-${uniqueString(deployer().objectId, 'group')}'
20+
21+
// create a users object list, looking up by the list of UPNs
22+
// Referencing a user resource that doesn't exist results in a "NotFound" error and deployment failure.
23+
// Check the name and scope of the resource you're trying to reference.
24+
// See https://learn.microsoft.com/azure/azure-resource-manager/bicep/existing-resource
25+
resource userList 'Microsoft.Graph/[email protected]' existing = [for upn in upnList: {
26+
userPrincipalName: upn
27+
}]
28+
29+
// create security group and add user list as members
30+
resource group 'Microsoft.Graph/[email protected]' = {
31+
displayName: groupName
32+
mailEnabled: false
33+
mailNickname: uniqueString(groupName)
34+
securityEnabled: true
35+
uniqueName: groupName
36+
members: [for i in range(0, upnListLength): userList[i].id]
37+
}
38+
39+
// outputs
40+
output addedUserList array = upnList
41+
output groupName string = group.displayName
42+
output groupId string = group.id
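Review bot: `var upnList = split(upnListFromFile,'\r\n')` on line 16 only handles CRLF line endings; a `userlist.txt` saved or checked out with LF endings yields a single element holding the whole file, and a trailing newline yields an empty UPN, either of which makes the `existing` lookup on line 25 fail with exactly the "NotFound" error the comment on line 22 warns about. Normalising the line endings and dropping blank entries avoids both, e.g. `var upnList = filter(map(split(replace(upnListFromFile, '\r', ''), '\n'), upn => trim(upn)), upn => !empty(upn))`, after which `members` on line 36 can be written `[for (upn, i) in upnList: userList[i].id]` and `upnListLength` is no longer needed. Separately, the `@description` on line 8 says "unique daily app name" although the parameter names a group, the comment on line 5 should read "The user list is in a txt file", and the README's 20-member limit is not checked anywhere in the template, so an over-long list fails only at deployment time.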
Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
2+
3+
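Review bot: the three lines of this file render empty on this page, so the sample UPNs the README tells users to replace cannot be reviewed here; whatever values ship should be obviously fictitious placeholders rather than addresses from a real test tenant. This file's line endings also matter: `main.bicep` splits its contents on `'\r\n'`, so if git normalises the file to LF on checkout the user lookups break, which argues for either a `.gitattributes` rule pinning CRLF for `userlist.txt` or a line-ending-tolerant split in the template.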