ARM Template: Looking up a user object Id

Question

I'm trying to programatically insert the object Id of a certain user account into an ARM template, like this:

"objectId": "[reference(resourceId('Microsoft.AAD/domainServices/user/read','domain','User.Name'),'2019-01-01').Id]",

I've tried many different resource providers in an attempt to get this to work. For example:

"objectId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities/read','[email protected]'),'2019-01-01').Id]",

and:

"objectId": "[reference(resourceId('Microsoft.Portal/usersettings/read','[email protected]'),'2018-10-01').Id]"

I looked up the API call used to get a list of users, to see if that would hint at the correct provider to use (it didn't):

GET https://graph.windows.net/{TenantId}/users?api-version=1.6 HTTP/1.1

I've been looking through this list of provider operations but have found two problems with this:

1 I can't see an operation which looks relevant to what I want to do.

2 It doesn't provide information on what parameters are required.

So I guess I have two questions really:

1. How do I dynamically look up the ObjectId of a user in an ARM template?
2. How do I find out in future which lookup functions are available and which parameters are required?

Answer 1

You could not insert the user object Id in the ARM template.

The user account is managed by your Azure AD tenant, it is not the azure resource, the ARM template is for the azure resources in your subscription.

Reference:https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-overview

Azure Resource Manager is the deployment and management service for Azure. It provides a consistent management layer that enables you to create, update, and delete resources in your Azure subscription.

Answer 2

You can try from below code if you have VM in same template and enabled managed identity

https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-template-functions-resource#remarks-1

{
  "type": "Microsoft.KeyVault/vaults",
  "properties": {
    "tenantId": "[reference(concat('Microsoft.Compute/virtualMachines/', variables('vmName')), '2017-03-30', 'Full').identity.tenantId]",
    "accessPolicies": [
      {
        "tenantId": "[reference(concat('Microsoft.Compute/virtualMachines/', variables('vmName')), '2017-03-30', 'Full').identity.tenantId]",
        "objectId": "[reference(concat('Microsoft.Compute/virtualMachines/', variables('vmName')), '2017-03-30', 'Full').identity.principalId]",
        "permissions": {
          "keys": [
            "all"
          ],
          "secrets": [
            "all"
          ]
        }
      }
    ]

Answer 3

I find the best way to achieve this is to expose the ID as a parameter, then when you call the ARM template deployment, simply pass the parameter into the template.

How do you get the ID into the template parameter? Well, I run my ARM deployments via Azure DevOps CI/CD and I use the pipeline task AzureAppConfiguration.azure-app-configuration-task.custom-build-release-task.AzureAppConfiguration@1 to extract the ID from my own custom configuration setup.

How do you get the ID into the Azure App Configuration service? Well, when I seed an environment for the first time there will be some initial setup, e.g. users and groups. I just then run some scripts to extract this kind of "metadata" into my Azure App Configuration service.

e.g.

APP_ID=$(az ad sp list --all --query "[?displayName=='name-of-spn'].appId" --output tsv)

az appconfig kv set --name name-of-app-config-store --key name-of-spn-app-id --value ${APP_ID}