11

I'm trying to programmatically insert the object ID of a certain user account into an ARM template, like this:

"objectId": "[reference(resourceId('Microsoft.AAD/domainServices/user/read','domain','User.Name'),'2019-01-01').Id]",

I've tried many different resource providers in an attempt to get this to work. For example:

"objectId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities/read','user@domain.onmicrosoft.com'),'2019-01-01').Id]",

and:

"objectId": "[reference(resourceId('Microsoft.Portal/usersettings/read','user@domain.onmicrosoft.com'),'2018-10-01').Id]"

I looked up the API call used to get a list of users, to see if that would hint at the correct provider to use (it didn't):

GET https://graph.windows.net/{TenantId}/users?api-version=1.6 HTTP/1.1

I've been looking through this list of provider operations but have found two problems with this:

1. I can't see an operation which looks relevant to what I want to do.

2. It doesn't provide information on what parameters are required.

So I guess I have two questions really:

  1. How do I dynamically look up the ObjectId of a user in an ARM template?
  2. How do I find out in future which lookup functions are available and which parameters are required?
Dicky Moore

4 Answers

4

You cannot insert the user object ID into an ARM template.

The user account is managed by your Azure AD tenant; it is not an Azure resource, and ARM templates are for the Azure resources in your subscription.

Reference: https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-overview

Azure Resource Manager is the deployment and management service for Azure. It provides a consistent management layer that enables you to create, update, and delete resources in your Azure subscription.

Joy Wang
  • Thanks. This is a shame, and I was hoping there would at least be some way. For example, in Terraform, I could use local-exec to perform a PowerShell lookup for the Object ID. Is there no way of doing this using ARM templates? – Dicky Moore Jun 04 '19 at 10:49
  • @DickyMoore ARM template is not the same as Terraform, as I said, it is not for that like AAD users, service principal, etc. – Joy Wang Jun 04 '19 at 11:29
  • @DickyMoore See this [similar issue](https://stackoverflow.com/questions/43386364/arm-template-for-azure-active-directory), although it is two years ago, it is the same currently. – Joy Wang Jun 04 '19 at 11:39
3

You can try the code below if you have a VM in the same template with managed identity enabled:

https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-template-functions-resource#remarks-1

{
  "type": "Microsoft.KeyVault/vaults",
  "properties": {
    "tenantId": "[reference(concat('Microsoft.Compute/virtualMachines/', variables('vmName')), '2017-03-30', 'Full').identity.tenantId]",
    "accessPolicies": [
      {
        "tenantId": "[reference(concat('Microsoft.Compute/virtualMachines/', variables('vmName')), '2017-03-30', 'Full').identity.tenantId]",
        "objectId": "[reference(concat('Microsoft.Compute/virtualMachines/', variables('vmName')), '2017-03-30', 'Full').identity.principalId]",
        "permissions": {
          "keys": [
            "all"
          ],
          "secrets": [
            "all"
          ]
        }
      }
    ]
  }
}
Amit Kumar
  • This should be the accepted answer, the link has slightly changed, it is now [https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/template-functions-resource#remarks-2](https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/template-functions-resource#remarks-2) – colinD Dec 22 '22 at 13:59
1

I find the best way to achieve this is to expose the ID as a parameter, then when you call the ARM template deployment, simply pass the parameter into the template.

How do you get the ID into the template parameter? Well, I run my ARM deployments via Azure DevOps CI/CD and I use the pipeline task AzureAppConfiguration.azure-app-configuration-task.custom-build-release-task.AzureAppConfiguration@1 to extract the ID from my own custom configuration setup.

How do you get the ID into the Azure App Configuration service? Well, when I seed an environment for the first time there will be some initial setup, e.g. users and groups. I just then run some scripts to extract this kind of "metadata" into my Azure App Configuration service.

e.g.

APP_ID=$(az ad sp list --all --query "[?displayName=='name-of-spn'].appId" --output tsv)

az appconfig kv set --name name-of-app-config-store --key name-of-spn-app-id --value ${APP_ID}

L Myring
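The approach in this answer (resolve the ID outside the template, then pass it in as a plain parameter), as an added example that is not part of the original post: the script looks up a user's object ID with `az ad user show`, refuses anything that is not a GUID so a mistyped UPN cannot reach the deployment as an empty objectId, writes a parameters file and runs the deployment. The parameter name `userObjectId`, the `AZ_BIN` override and the `id` output field of the Graph-based CLI are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes a template parameter named
# "userObjectId" (hypothetical) and an Azure CLI whose `az ad user show` returns
# the Graph "id" field. AZ_BIN lets a test substitute a stub for the real CLI.
AZ_BIN="${AZ_BIN:-az}"

# Resolve a user principal name to its object ID. Fails unless the CLI returns
# a well-formed GUID, so a typo in the UPN can never reach the deployment as an
# empty or garbage objectId.
lookup_user_object_id() {
    upn="$1"
    oid=$("$AZ_BIN" ad user show --id "$upn" --query id --output tsv) || return 1
    printf '%s' "$oid" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' || return 1
    printf '%s\n' "$oid"
}

# Write a deploymentParameters file carrying only the resolved ID; the template
# itself then needs no Azure AD lookup at all.
write_parameters_file() {
    out="$1"
    oid="$2"
    cat >"$out" <<EOF
{
  "\$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": { "userObjectId": { "value": "$oid" } }
}
EOF
}

# Glue: resolve, validate, write the parameters file, deploy.
deploy_with_user() {
    rg="$1"
    template="$2"
    upn="$3"
    oid=$(lookup_user_object_id "$upn") || { echo "no object ID for $upn" >&2; return 1; }
    params=$(mktemp)
    write_parameters_file "$params" "$oid"
    "$AZ_BIN" deployment group create --resource-group "$rg" \
        --template-file "$template" --parameters "@$params"
}
```

Run it as `deploy_with_user <resource-group> <template.json> <user@domain>` from a shell that is already logged in with `az login`.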
1

I think I have a solution.

I am trying to refer to a Client ID in a Managed User Identity generated by an ARM template.

I have declared the name of the Managed Identity as a Parameter to use as an administrator for an SQL server:

[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities',parameters('managed-identity')), '2018-11-30', 'full').properties.clientId]

Once you switch out the parameter you should be good to go.

U173487