1// Bicep template for Microsoft Entra App Registration
2// Requires: Bicep v0.21.1+ with Microsoft Graph extension enabled
3 
4extension 'br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:1.0.0'
5 
6@description('Display name for the application')
7param appDisplayName string = 'MyEntraApp'
8 
9@description('Sign-in audience for the application')
10@allowed([
11  'AzureADMyOrg'
12  'AzureADMultipleOrgs'
13  'AzureADandPersonalMicrosoftAccount'
14  'PersonalMicrosoftAccount'
15])
16param signInAudience string = 'AzureADMyOrg'
17 
18@description('Redirect URIs for web application')
19param webRedirectUris array = [
20  'https://localhost:5001/signin-oidc'
21  'https://myapp.azurewebsites.net/signin-oidc'
22]
23 
24@description('Redirect URIs for single-page application')
25param spaRedirectUris array = [
26  'http://localhost:3000'
27  'https://myapp.azurewebsites.net'
28]
29 
30@description('Tags for the application')
31param tags array = [
32  'Production'
33  'WebApp'
34]
35 
36// App Registration
37resource appRegistration 'Microsoft.Graph/[email protected]' = {
38  displayName: appDisplayName
39  uniqueName: toLower(replace(appDisplayName, ' ', '-'))
40  signInAudience: signInAudience
41  tags: tags
42 
43  // Application identification
44  identifierUris: [
45    'api://${appDisplayName}'
46  ]
47 
48  // Web application settings
49  web: {
50    redirectUris: webRedirectUris
51    implicitGrantSettings: {
52      enableIdTokenIssuance: true
53      enableAccessTokenIssuance: false
54    }
55    homePageUrl: 'https://myapp.azurewebsites.net'
56    logoutUrl: 'https://myapp.azurewebsites.net/signout-oidc'
57  }
58 
59  // Single-page application settings
60  spa: {
61    redirectUris: spaRedirectUris
62  }
63 
64  // Public client (mobile/desktop) settings
65  publicClient: {
66    redirectUris: [
67      'http://localhost'
68      'myapp://auth'
69      'https://login.microsoftonline.com/common/oauth2/nativeclient'
70    ]
71  }
72 
73  // API definition (expose an API) 
74  api: {
75    // Version of the access token affects the values present in the token claims
76    requestedAccessTokenVersion: 2
77    oauth2PermissionScopes: [
78      {
79        id: '00000000-0000-0000-0000-000000000001'
80        adminConsentDisplayName: 'Read user data'
81        adminConsentDescription: 'Allows the app to read user data on behalf of the signed-in user'
82        userConsentDisplayName: 'Read your data'
83        userConsentDescription: 'Allows the app to read your data'
84        value: 'User.Read'
85        type: 'User'
86        isEnabled: true
87      }
88      {
89        id: '00000000-0000-0000-0000-000000000002'
90        adminConsentDisplayName: 'Read and write user data'
91        adminConsentDescription: 'Allows the app to read and write user data on behalf of the signed-in user'
92        userConsentDisplayName: 'Read and write your data'
93        userConsentDescription: 'Allows the app to read and write your data'
94        value: 'User.ReadWrite'
95        type: 'User'
96        isEnabled: true
97      }
98    ]
99  }
100 
101  // App roles for authorization
102  appRoles: [
103    {
104      id: '00000000-0000-0000-0000-000000000010'
105      displayName: 'Admin'
106      description: 'Administrators can manage all aspects of the app'
107      value: 'Admin'
108      allowedMemberTypes: ['User', 'Application']
109      isEnabled: true
110    }
111    {
112      id: '00000000-0000-0000-0000-000000000011'
113      displayName: 'Reader'
114      description: 'Readers can view data but not modify'
115      value: 'Reader'
116      allowedMemberTypes: ['User']
117      isEnabled: true
118    }
119  ]
120 
121  // Required API permissions (Microsoft Graph)
122  requiredResourceAccess: [
123    {
124      // Microsoft Graph API
125      resourceAppId: '00000003-0000-0000-c000-000000000000'
126      resourceAccess: [
127        {
128          // User.Read - Delegated
129          id: 'e1fe6dd8-ba31-4d61-89e7-88639da4683d'
130          type: 'Scope'
131        }
132        {
133          // User.ReadBasic.All - Delegated
134          id: 'b340eb25-3456-403f-be2f-af7a0d370277'
135          type: 'Scope'
136        }
137        {
138          // Mail.Read - Delegated
139          id: '570282fd-fa5c-430d-a7fd-fc8dc98a9dca'
140          type: 'Scope'
141        }
142        {
143          // User.Read.All - Application
144          id: 'df021288-bdef-4463-88db-98f22de89214'
145          type: 'Role'
146        }
147      ]
148    }
149  ]
150 
151  // Optional claims configuration
152  optionalClaims: {
153    idToken: [
154      {
155        name: 'email'
156        essential: false
157      }
158      {
159        name: 'upn'
160        essential: false
161      }
162      {
163        name: 'groups'
164        essential: false
165      }
166    ]
167    accessToken: [
168      {
169        name: 'email'
170        essential: false
171      }
172    ]
173  }
174 
175  // Information URLs
176  info: {
177    marketingUrl: 'https://myapp.example.com'
178    privacyStatementUrl: 'https://myapp.example.com/privacy'
179    supportUrl: 'https://myapp.example.com/support'
180    termsOfServiceUrl: 'https://myapp.example.com/terms'
181  }
182}
183 
184// Service Principal (Enterprise Application)
185resource servicePrincipal 'Microsoft.Graph/[email protected]' = {
186  appId: appRegistration.appId
187  displayName: appDisplayName
188  tags: [
189    'WindowsAzureActiveDirectoryIntegratedApp'
190  ]
191  appRoleAssignmentRequired: false
192  preferredSingleSignOnMode: 'oidc'
193}
194 
195// Outputs
196output applicationId string = appRegistration.appId
197output objectId string = appRegistration.id
198output servicePrincipalId string = servicePrincipal.id
199output identifierUri string = appRegistration.identifierUris[0]
200