microsoftgraph
diff --git a/‎Service/GroupMembershipManagement/Hosts/AzureMaintenance/Infrastructure/compute/functionApp.bicep‎
Lines changed: 7 additions & 1 deletion b/‎Service/GroupMembershipManagement/Hosts/AzureMaintenance/Infrastructure/compute/functionApp.bicep‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎Service/GroupMembershipManagement/Hosts/AzureMaintenance/Infrastructure/compute/functionAppSlot.bicep‎
Lines changed: 7 additions & 1 deletion b/‎Service/GroupMembershipManagement/Hosts/AzureMaintenance/Infrastructure/compute/functionAppSlot.bicep‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎Service/GroupMembershipManagement/Hosts/AzureMaintenance/Infrastructure/compute/keyVaultReader.bicep‎
Lines changed: 7 additions & 0 deletions b/‎Service/GroupMembershipManagement/Hosts/AzureMaintenance/Infrastructure/compute/keyVaultReader.bicep‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎Service/GroupMembershipManagement/Hosts/AzureMaintenance/Infrastructure/compute/template.bicep‎
Lines changed: 27 additions & 0 deletions b/‎Service/GroupMembershipManagement/Hosts/AzureMaintenance/Infrastructure/compute/template.bicep‎
Lines changed: 27 additions & 0 deletions
diff --git a/‎Service/GroupMembershipManagement/Hosts/AzureUserReader/Infrastructure/compute/functionApp.bicep‎
Lines changed: 7 additions & 1 deletion b/‎Service/GroupMembershipManagement/Hosts/AzureUserReader/Infrastructure/compute/functionApp.bicep‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎Service/GroupMembershipManagement/Hosts/AzureUserReader/Infrastructure/compute/functionAppSlot.bicep‎
Lines changed: 7 additions & 1 deletion b/‎Service/GroupMembershipManagement/Hosts/AzureUserReader/Infrastructure/compute/functionAppSlot.bicep‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎Service/GroupMembershipManagement/Hosts/AzureUserReader/Infrastructure/compute/keyVaultReader.bicep‎
Lines changed: 7 additions & 0 deletions b/‎Service/GroupMembershipManagement/Hosts/AzureUserReader/Infrastructure/compute/keyVaultReader.bicep‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎Service/GroupMembershipManagement/Hosts/AzureUserReader/Infrastructure/compute/template.bicep‎
Lines changed: 27 additions & 0 deletions b/‎Service/GroupMembershipManagement/Hosts/AzureUserReader/Infrastructure/compute/template.bicep‎
Lines changed: 27 additions & 0 deletions
diff --git a/‎Service/GroupMembershipManagement/Hosts/DestinationAttributesUpdater/Infrastructure/compute/functionApp.bicep‎
Lines changed: 7 additions & 1 deletion b/‎Service/GroupMembershipManagement/Hosts/DestinationAttributesUpdater/Infrastructure/compute/functionApp.bicep‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎Service/GroupMembershipManagement/Hosts/DestinationAttributesUpdater/Infrastructure/compute/functionAppSlot.bicep‎
Lines changed: 7 additions & 1 deletion b/‎Service/GroupMembershipManagement/Hosts/DestinationAttributesUpdater/Infrastructure/compute/functionAppSlot.bicep‎
Lines changed: 7 additions & 1 deletion
@@ -20,6 +20,11 @@ param servicePlanName string
 @description('app settings')
 param secretSettings object
 
+@description('User assigned managed identities. Single or list of user assigned managed identities. Format: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}')
+param userManagedIdentities object = {}
+
+var deployUserManagedIdentity = userManagedIdentities != null && userManagedIdentities != {}
+
 resource functionApp 'Microsoft.Web/sites@2018-02-01' = {
   name: name
   location: location
@@ -35,7 +40,8 @@ resource functionApp 'Microsoft.Web/sites@2018-02-01' = {
     }
   }
   identity: {
-    type: 'SystemAssigned'
+    type: deployUserManagedIdentity ? 'SystemAssigned, UserAssigned' : 'SystemAssigned'
+    userAssignedIdentities: deployUserManagedIdentity ? userManagedIdentities : null
   }
 }
 
 
@@ -20,6 +20,11 @@ param servicePlanName string
 @description('app settings')
 param secretSettings object
 
+@description('User assigned managed identities. Single or list of user assigned managed identities. Format: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}')
+param userManagedIdentities object = {}
+
+var deployUserManagedIdentity = userManagedIdentities != null && userManagedIdentities != {}
+
 resource functionAppSlot 'Microsoft.Web/sites/slots@2018-11-01' = {
   name: name
   kind: kind
@@ -36,7 +41,8 @@ resource functionAppSlot 'Microsoft.Web/sites/slots@2018-11-01' = {
     }
   }
   identity: {
-    type: 'SystemAssigned'
+    type: deployUserManagedIdentity ? 'SystemAssigned, UserAssigned' : 'SystemAssigned'
+    userAssignedIdentities: deployUserManagedIdentity ? userManagedIdentities : null
   }
 }
 
 
@@ -0,0 +1,7 @@
+// Do not use this to return secrets like passwords or API keys
+// This is only for returning plain values that are not sensitive
+@description('Plain value')
+@secure()
+param value string
+var plainValue = string(value)
+output value string = plainValue
@@ -167,6 +167,26 @@ var productionSettings = {
   AzureFunctionsWebHost__hostid: 'AzureMaintenance'
 }
 
+resource dataKeyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
+  name: dataKeyVaultName
+  scope: resourceGroup(dataKeyVaultResourceGroup)
+}
+
+module userAssignedManagedIdentityNameReader 'keyVaultReader.bicep' = {
+  name: 'userAssignedManagedIdentityNameReaderTemplate'
+  params: {
+    value: dataKeyVault.getSecret('graphUserAssignedManagedIdentityName')
+  }
+  dependsOn: [
+    dataKeyVault
+  ]
+}
+
+resource graphUAMI 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-07-31-preview' existing = {
+  name: userAssignedManagedIdentityNameReader.outputs.value
+  scope: resourceGroup(dataKeyVaultResourceGroup)
+}
+
 module functionAppTemplate_AzureMaintenance 'functionApp.bicep' = {
   name: 'functionAppTemplate-AzureMaintenance'
   params: {
@@ -175,9 +195,13 @@ module functionAppTemplate_AzureMaintenance 'functionApp.bicep' = {
     location: location
     servicePlanName: servicePlanName
     secretSettings: commonSettings
+    userManagedIdentities:{
+      '${graphUAMI.id}' : {}
+    }
   }
   dependsOn: [
     servicePlanTemplate
+    graphUAMI
   ]
 }
 
@@ -189,6 +213,9 @@ module functionAppSlotTemplate_AzureMaintenance 'functionAppSlot.bicep' = {
     location: location
     servicePlanName: servicePlanName
     secretSettings: commonSettings
+    userManagedIdentities:{
+      '${graphUAMI.id}' : {}
+    }
   }
   dependsOn: [
     functionAppTemplate_AzureMaintenance
 
@@ -26,6 +26,11 @@ param dataKeyVaultName string
 @description('Name of the resource group where the \'data\' key vault is located.')
 param dataKeyVaultResourceGroup string
 
+@description('User assigned managed identities. Single or list of user assigned managed identities. Format: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}')
+param userManagedIdentities object = {}
+
+var deployUserManagedIdentity = userManagedIdentities != null && userManagedIdentities != {}
+
 resource functionApp 'Microsoft.Web/sites@2018-02-01' = {
   name: name
   location: location
@@ -41,7 +46,8 @@ resource functionApp 'Microsoft.Web/sites@2018-02-01' = {
     }
   }
   identity: {
-    type: 'SystemAssigned'
+    type: deployUserManagedIdentity ? 'SystemAssigned, UserAssigned' : 'SystemAssigned'
+    userAssignedIdentities: deployUserManagedIdentity ? userManagedIdentities : null
   }
 }
 
 
@@ -26,6 +26,11 @@ param dataKeyVaultName string
 @description('Name of the resource group where the \'data\' key vault is located.')
 param dataKeyVaultResourceGroup string
 
+@description('User assigned managed identities. Single or list of user assigned managed identities. Format: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}')
+param userManagedIdentities object = {}
+
+var deployUserManagedIdentity = userManagedIdentities != null && userManagedIdentities != {}
+
 resource functionAppSlot 'Microsoft.Web/sites/slots@2018-11-01' = {
   name: name
   kind: kind
@@ -42,7 +47,8 @@ resource functionAppSlot 'Microsoft.Web/sites/slots@2018-11-01' = {
     }
   }
   identity: {
-    type: 'SystemAssigned'
+    type: deployUserManagedIdentity ? 'SystemAssigned, UserAssigned' : 'SystemAssigned'
+    userAssignedIdentities: deployUserManagedIdentity ? userManagedIdentities : null
   }
 }
 
 
@@ -0,0 +1,7 @@
+// Do not use this to return secrets like passwords or API keys
+// This is only for returning plain values that are not sensitive
+@description('Plain value')
+@secure()
+param value string
+var plainValue = string(value)
+output value string = plainValue
@@ -146,6 +146,26 @@ var productionSettings = {
   AzureFunctionsWebHost__hostid: 'AzureUserReader'
 }
 
+resource dataKeyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
+  name: dataKeyVaultName
+  scope: resourceGroup(dataKeyVaultResourceGroup)
+}
+
+module userAssignedManagedIdentityNameReader 'keyVaultReader.bicep' = {
+  name: 'userAssignedManagedIdentityNameReaderTemplate'
+  params: {
+    value: dataKeyVault.getSecret('graphUserAssignedManagedIdentityName')
+  }
+  dependsOn: [
+    dataKeyVault
+  ]
+}
+
+resource graphUAMI 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-07-31-preview' existing = {
+  name: userAssignedManagedIdentityNameReader.outputs.value
+  scope: resourceGroup(dataKeyVaultResourceGroup)
+}
+
 module functionAppTemplate_AzureUserReader 'functionApp.bicep' = {
   name: 'functionAppTemplate-AzureUserReader'
   params: {
@@ -156,9 +176,13 @@ module functionAppTemplate_AzureUserReader 'functionApp.bicep' = {
     dataKeyVaultName: dataKeyVaultName
     dataKeyVaultResourceGroup: dataKeyVaultResourceGroup
     secretSettings: commonSettings
+    userManagedIdentities:{
+      '${graphUAMI.id}' : {}
+    }
   }
   dependsOn: [
     servicePlanTemplate
+    graphUAMI
   ]
 }
 
@@ -172,6 +196,9 @@ module functionAppSlotTemplate_AzureUserReader 'functionAppSlot.bicep' = {
     dataKeyVaultName: dataKeyVaultName
     dataKeyVaultResourceGroup: dataKeyVaultResourceGroup
     secretSettings: commonSettings
+    userManagedIdentities:{
+      '${graphUAMI.id}' : {}
+    }
   }
   dependsOn: [
     functionAppTemplate_AzureUserReader
 
@@ -20,6 +20,11 @@ param servicePlanName string
 @description('app settings')
 param secretSettings object
 
+@description('User assigned managed identities. Single or list of user assigned managed identities. Format: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}')
+param userManagedIdentities object = {}
+
+var deployUserManagedIdentity = userManagedIdentities != null && userManagedIdentities != {}
+
 resource functionApp 'Microsoft.Web/sites@2018-02-01' = {
   name: name
   location: location
@@ -35,7 +40,8 @@ resource functionApp 'Microsoft.Web/sites@2018-02-01' = {
     }
   }
   identity: {
-    type: 'SystemAssigned'
+    type: deployUserManagedIdentity ? 'SystemAssigned, UserAssigned' : 'SystemAssigned'
+    userAssignedIdentities: deployUserManagedIdentity ? userManagedIdentities : null
   }
 }
 
 
@@ -20,6 +20,11 @@ param servicePlanName string
 @description('app settings')
 param secretSettings object
 
+@description('User assigned managed identities. Single or list of user assigned managed identities. Format: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}')
+param userManagedIdentities object = {}
+
+var deployUserManagedIdentity = userManagedIdentities != null && userManagedIdentities != {}
+
 resource functionAppSlot 'Microsoft.Web/sites/slots@2018-11-01' = {
   name: name
   kind: kind
@@ -36,7 +41,8 @@ resource functionAppSlot 'Microsoft.Web/sites/slots@2018-11-01' = {
     }
   }
   identity: {
-    type: 'SystemAssigned'
+    type: deployUserManagedIdentity ? 'SystemAssigned, UserAssigned' : 'SystemAssigned'
+    userAssignedIdentities: deployUserManagedIdentity ? userManagedIdentities : null
   }
 }
Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,11 @@ param servicePlanName string`
`20`	`20`	`@description('app settings')`
`21`	`21`	`param secretSettings object`
`22`	`22`
	`23`	`+@description('User assigned managed identities. Single or list of user assigned managed identities. Format: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}')`
	`24`	`+param userManagedIdentities object = {}`
	`25`	`+`
	`26`	`+var deployUserManagedIdentity = userManagedIdentities != null && userManagedIdentities != {}`
	`27`	`+`
`23`	`28`	`resource functionApp 'Microsoft.Web/sites@2018-02-01' = {`
`24`	`29`	`name: name`
`25`	`30`	`location: location`
`@@ -35,7 +40,8 @@ resource functionApp 'Microsoft.Web/sites@2018-02-01' = {`
`35`	`40`	`}`
`36`	`41`	`}`
`37`	`42`	`identity: {`
`38`		`- type: 'SystemAssigned'`
	`43`	`+ type: deployUserManagedIdentity ? 'SystemAssigned, UserAssigned' : 'SystemAssigned'`
	`44`	`+ userAssignedIdentities: deployUserManagedIdentity ? userManagedIdentities : null`
`39`	`45`	`}`
`40`	`46`	`}`
`41`	`47`
Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,11 @@ param dataKeyVaultName string`
`26`	`26`	`@description('Name of the resource group where the \'data\' key vault is located.')`
`27`	`27`	`param dataKeyVaultResourceGroup string`
`28`	`28`
	`29`	`+@description('User assigned managed identities. Single or list of user assigned managed identities. Format: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}')`
	`30`	`+param userManagedIdentities object = {}`
	`31`	`+`
	`32`	`+var deployUserManagedIdentity = userManagedIdentities != null && userManagedIdentities != {}`
	`33`	`+`
`29`	`34`	`resource functionApp 'Microsoft.Web/sites@2018-02-01' = {`
`30`	`35`	`name: name`
`31`	`36`	`location: location`
`@@ -41,7 +46,8 @@ resource functionApp 'Microsoft.Web/sites@2018-02-01' = {`
`41`	`46`	`}`
`42`	`47`	`}`
`43`	`48`	`identity: {`
`44`		`- type: 'SystemAssigned'`
	`49`	`+ type: deployUserManagedIdentity ? 'SystemAssigned, UserAssigned' : 'SystemAssigned'`
	`50`	`+ userAssignedIdentities: deployUserManagedIdentity ? userManagedIdentities : null`
`45`	`51`	`}`
`46`	`52`	`}`
`47`	`53`