yooakim asked sikumars commented

"BadRequestFormat" deploying bicep template at tenant level

I'm trying to deploy a #Biceplang template at the tenant level to set role assignments.

But I keep getting "BadRequestFormat" - I'd appreciate any pointers on how to find the underlying issue.

The template is available as a GitHub Gist here.

I'm posting here as suggested by @AzureSupport on Twitter.

azure-active-directory

Thanks for reaching out.

I am testing it in my environment and will update you with my findings. Thanks.


Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
Thanks,


I just wanted to check in and see if you had any other questions or if you were able to resolve this issue? Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


1 Answer

sikumars answered sikumars edited

Hello @yooakim,

Thanks for reaching out.

The roleDefinitionId needs to be fully qualified, for example /subscriptions/123a3941-b0ee-12ad-bd9f-d9de123e9c4e/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635, and I would recommend using the subscriptionResourceId() function. Here is a good sample for your reference. Hope this helps.

I just tweaked roleDefinitionId as shown below which works as expected:

 targetScope = 'tenant'
 // Groups defined in Azure AD
 var AzureAdmininstrators = '6f769210-651f-4579-9577-7b1f3fd2bfd3'
 var AzureSubscriptionOwners = '690fd5cb-1d22-4a35-afe4-a34d36be150d'
    
 // Azure built-in role IDs (see: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles)
 var OwnerRoleDefinitionId = '8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
 var ContributorRoleDefinitionId = 'b24988ac-6180-42a0-ab88-20f7382dd24c'
    
    
 // Generate unique names for the assignment and role
 var OwnerRoleAssignmentName = guid(AzureSubscriptionOwners, OwnerRoleDefinitionId)
 var ContributorRoleAssignmentName = guid(AzureAdmininstrators, ContributorRoleDefinitionId)
    
    
 resource assignOwnerRole 'Microsoft.Authorization/roleAssignments@2020-08-01-preview' = {
   name: OwnerRoleAssignmentName
   properties: {
     roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', OwnerRoleDefinitionId)
     principalId: AzureSubscriptionOwners
   }
 }
    
 resource assignContributorRole 'Microsoft.Authorization/roleAssignments@2020-08-01-preview' = {
   name: ContributorRoleAssignmentName
   properties: {
     roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', ContributorRoleDefinitionId)
     principalId: AzureAdmininstrators
   }
 }
    
    
 // To deploy this, use the following AZ CLI command (adapted to your needs of course)
 // 
 // az deployment tenant create --template-file .\tenant-roles.bicep -l westeurope


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
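
An added example (not part of the original thread, and not Microsoft's code): a pre-deployment check in Python that scans a compiled ARM JSON template for role assignments whose roleDefinitionId is a literal that is not fully qualified, the condition the answer above describes. The function names, the sample template and the set of accepted ID forms are assumptions of this example.

```python
import json
import re

GUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
# Assumption: accept the subscription-scoped form quoted in the answer and the
# unscoped /providers/... form; any other literal is reported.
FULLY_QUALIFIED = re.compile(
    rf"(?:/subscriptions/{GUID})?/providers/Microsoft\.Authorization/roleDefinitions/{GUID}",
    re.IGNORECASE,
)
BARE_GUID = re.compile(GUID, re.IGNORECASE)


def classify(value):
    """Classify one roleDefinitionId string from a compiled ARM JSON template."""
    if value.startswith("[") and not value.startswith("[["):
        return "expression"  # e.g. "[subscriptionResourceId(...)]", resolved at deploy time
    if FULLY_QUALIFIED.fullmatch(value):
        return "ok"
    if BARE_GUID.fullmatch(value):
        return "bare-guid"  # role GUID only, not fully qualified as the answer requires
    return "malformed"


def check_template(template):
    """Return (name, verdict, value) for each role assignment with a bad literal ID."""
    resources = template.get("resources", [])
    if isinstance(resources, dict):  # symbolic-name templates use an object here
        resources = resources.values()
    findings = []
    for res in resources:
        if res.get("type", "").lower() != "microsoft.authorization/roleassignments":
            continue
        value = res.get("properties", {}).get("roleDefinitionId", "")
        verdict = classify(value)
        if verdict in ("bare-guid", "malformed"):
            findings.append((res.get("name"), verdict, value))
    return findings


# Constructed sample template; the GUIDs are the ones quoted in this thread.
SAMPLE = json.loads("""{"resources": [
  {"type": "Microsoft.Authorization/roleAssignments", "name": "assignOwnerRole",
   "properties": {"roleDefinitionId": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"}},
  {"type": "Microsoft.Authorization/roleAssignments", "name": "assignContributorRole",
   "properties": {"roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]"}},
  {"type": "Microsoft.Authorization/roleAssignments", "name": "fullyQualified",
   "properties": {"roleDefinitionId": "/subscriptions/123a3941-b0ee-12ad-bd9f-d9de123e9c4e/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"}}
]}""")

if __name__ == "__main__":
    for name, verdict, value in check_template(SAMPLE):
        print(f"{name}: {verdict}: {value}")
```

Template expressions are reported as neither good nor bad, because their value is only known once the deployment engine evaluates them.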
