This delegated resource access can be achieved by setting up Azure Lighthouse.

What is Azure Lighthouse

Azure Lighthouse is a way to enable multitenant management with scalability, higher automation, and enhanced governance across resources. By using Azure Lighthouse, organizations can deliver services via the Azure platform. The main advantage is that the onboarded parties maintain control over who has access to their tenant, which resources they can access, and what actions they can take. As mentioned before, this is very useful in cases where organizations or MSPs have to manage multiple Azure Subscriptions that are located in multiple Entra Tenants.

What is possible with Azure Lighthouse

Azure Lighthouse offers you the following capabilities.

• Manage onboarded Azure resources within your own tenant without switching context.
• It offers great insights into the tenants you manage.
• View cross-tenant information within the Azure Lighthouse blade.
• With deployment templates you can perform cross-tenant management tasks.

How does it work

Azure Lighthouse configures permissions and capabilities for resources on a specified level. This can for example be a resource group or an Azure Subscription. This is all done by specifying this within a Template (ARM / Bicep).

To see more about this template you can check out the samples repository for Azure Lighthouse on GitHub.

In the template for an Azure Lighthouse connection, this is done in the following steps:

• Find out which role your identities / groups need to manage Azure resources in the other tenant. This is the role definition id.
• Onboard the resources/tenant by using a template. This could also be possible by using managed applications. This option is mainly used by service providers that sell management capabilities to their customers.
• Once the other tenant is onboarded, the specified identities/group of identities are able to manage the resources.

A lot of information about Azure Lighthouse can be found on Microsoft Learn.

Is there a downside

Every capability normally also has a downside of using it. Personally speaking, one of the downsides I see for Azure Lighthouse is that the scopes that can be onboarded are subscriptions or resource groups. At the moment of writing this article, it isn’t possible to onboard a subscription automatically.

As a company that manages multiple customers (tenants), this can be a pretty tough situation. Normally, you would like to offer customers some kind of flexibility, meaning that you allow them to create Azure Subscriptions. When that is the case, you introduce the problem that you will not be able to manage those subscriptions for your customer.

That is where this article kicks in. There are options to automatically onboard new Azure Subscriptions.

How do I onboard new Azure Subscriptions

You might be asking: how do we then onboard those new subscriptions?

This is where Azure Policy comes in. With Azure Policy, we are able to do deployments in certain specific situations. For this case, the situation would be a subscription that is not delegated for management in our management tenant. By deploying this policy to a Management Group, we make sure that every subscription that gets created and placed in this management group is automatically delegated for management by the other tenant.

With Azure Policy, we can use the ‘deployIfNotExists’ effect to achieve this. If you are interested in using this effect, you can check out this documentation from Microsoft. The effect of the policy checks a specific condition on a resource. If it does not find that condition, it performs a deployment that you specify.

Infrastructure as Code

The way to add the policy to the environment is by using infrastructure as code. In this example, we will use Bicep, but of course other languages such as Terraform can also be used. Adding a Policy to the Azure platform is done in two steps:

• Step 1: Adding the definition of the Azure Policy on a specific scope. The definition basically describes what the policy does and when it performs the specified action. Adding the definition is normally done at the highest possible point in your Azure Hierarchy. This way, you can use the definition in lower parts of the hierarchy.
• Step 2: When the definition is added to the platform, you can make an assignment of the definition on a specific scope. This means basically activating the policy on a specific scope, such as a Management group. When making the assignment, you normally also have to add specific parameters for the policy.

As mentioned, we will be using Bicep. The below snippet represents our main.bicep file.

targetScope = 'managementGroup'

metadata info = {
  title: 'Azure Lighthouse Configuration'
  version: '1.1.0'
  author: 'Maik van der Gaag'
}
metadata description = '''
IaC for the creation of a Azure Lighthouse on customer subscriptions. 
'''

@description('The ID of the management group where the policy will be placed.')
param policyScopeId string 

@description('The IDs of the Management Group where the assignment will be done for the policy.')
param assignmentScopeIds array

@description('Specify an array of objects, containing tuples of Entra principalId, a Azure roleDefinitionId, and an optional principalIdDisplayName. The roleDefinition specified is granted to the principalId in the provider\'s Entra and the principalIdDisplayName is visible to customers.')
param authorizations array

@description('The customer name used in the description')
param customer string

@description('The location of the Policy Assignment(s)')
param location string

// Default value Parameters
@description('Specify a unique name for your offer')
param mspOfferName string = 'Azure Lighthouse Management'

@description('Name of the Service Provider offering')
param mspOfferDescription string = 'Lighthouse connection between ${customer} and the management tenant'

@description('Specify the tenant id of the Managing party')
param managedByTenantId string

@description('date to append to the deployment name of modules')
param deploymentDate string = utcNow('yyyyMMddTHHmm')

@description('The description in the azure portal for the policy assignment')
param assignmentDescription string = 'This policy assignment deploys azure lighthouse so the managing can get access to the Azure subscriptions'

@description('The Display Name for the policy assignment')
param assignmentDisplayname string = 'Azure Lighthouse Deployment'

@description('The messages that describe why a resource is non-compliant with the policy.')
param nonComplianceMessage string = 'Azure Lighthouse is not configured on this subscription. Please contact your managing party to remediate this issue.'

@description('The name of the policy')
@maxLength(10)
param name string

module policyDefinition '../modules/lighthouse-policy.bicep' = {
  name: 'lighthouse-policy-def-${deploymentDate}'
  scope: managementGroup(policyScopeId)
  params: {
    authorizations: authorizations
    name: name
    managedByTenantId: managedByTenantId
    mspOfferName: mspOfferName
    mspOfferDescription: mspOfferDescription
  }
}

module policyAssignment '../modules/policyassignment.bicep' = [for id in assignmentScopeIds: {
  name: 'lighthouse-policy-assignment-${deploymentDate}'
  scope: managementGroup(id)
  params: {
    name: name
    location: location
    assignmentDescription: assignmentDescription
    assignmentDisplayname: assignmentDisplayname
    nonComplianceMessage: nonComplianceMessage
    policyDefinitionId: policyDefinition.outputs.policyDefinitionId
  }
}]

As you can see in the snippet, it uses two modules. One module for the policy definition and another for the assignment. Let’s go over a few important things about this Bicep file:

• The module ‘policyDefinition’ is deployed first. This makes sure we have the definition available. As you can see in the module specification, it will be deployed to a Management Group.
• The module ‘policyAssignment’ will be deployed second and will make the policy assignment on all management groups that are specified in the ‘assignmentScopeIds’ array.
• The parameter ‘authorizations’ is a specific tuple to specify which authorization will be made within the managing tenant. Take a look at the snippet below as an example. In the tuple, you specify which principal (this can be any type of identity, such as a group, user, or service principal) gets a specific role. The display name is optional and is what can be seen within the managing tenant:

{
  principalIdDisplayName: 'Security - Azure Lighthouse Reader'
  principalId: '91882300-3331-40dc-bc8a-14a665a2fc55'
  roleDefinitionId:  'acdd72a7-3385-48ef-bd42-f606fba81ae7'
}
{ 
  principalIdDisplayName: 'Security - Azure Lighthouse'
  principalId: '91882300-3331-40dc-bc8a-14a665a2fc55'
  roleDefinitionId: 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e'
}

The rest of the parameters speak for themselves and also have a decent description. So let’s look into the modules.

Policy

The policy definition is specified in a separate module. This module only deploys the definition on a management group scope based on the parameters that are supplied.

targetScope = 'managementGroup'

metadata info = {
  title: 'Azure Lighthouse Policy'
  version: '1.1.0'
  author: 'Maik van der Gaag'
}

metadata description = '''
Module for the creation of a Azure Lighthouse Policy on customer environments.
'''

@description('The name of the Azure Policy')
param name string

@description('Add the tenant id provided by the MSP')
param managedByTenantId string

@description('the name of the MSP offering')
param mspOfferName string

@description('The description of the managing party offer')
param mspOfferDescription string

@description('Specify an array of objects, containing tuples of principalId, a roleDefinitionId, and an optional principalIdDisplayName. The roleDefinition specified is granted to the principalId in the provider\'s Entra and the principalIdDisplayName is visible to customers.')
param authorizations array 

@description('The ID of the Owner Role')
var rbacOwner = '8e3af657-a8ff-443c-a75c-2fe8c4bcb635'

resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2023-04-01' = {
  name: 'def-${name}'
  properties: {
    description: 'Policy to enforce Lighthouse on subscriptions, delegating mgmt to MSP'
    displayName: 'Enforce Lighthouse on subscriptions'
    mode: 'All'
    policyType: 'Custom'
    parameters: {
      managedByTenantId: {
        type: 'string'
        defaultValue: managedByTenantId
        metadata: {
          description: 'Add the tenant id provided by the MSP'
        }
      }
      mspOfferName: {
        type: 'string'
        defaultValue: mspOfferName
        metadata: {
          description: 'Add the tenant name of the provided MSP'
        }
      }
      mspOfferDescription: {
        type: 'string'
        defaultValue: mspOfferDescription
        metadata: {
          description: 'Add the description of the offer provided by the MSP'
        }
      }
      managedByAuthorizations: {
        type: 'array'
        defaultValue: authorizations
        metadata: {
          description: 'Add the authZ array provided by the MSP'
        }
      }
    }
    policyRule: {
      if: {
        allOf: [
          {
            field: 'type'
            equals: 'Microsoft.Resources/subscriptions'
          }
        ]
      }
      then: {
        effect: 'deployIfNotExists'
        details: {
          type: 'Microsoft.ManagedServices/registrationDefinitions'
          deploymentScope: 'Subscription'
          existenceScope: 'Subscription'
          roleDefinitionIds: [
            '/providers/Microsoft.Authorization/roleDefinitions/${rbacOwner}'
          ]
          existenceCondition: {
            allOf: [
              {
                field: 'type'
                equals: 'Microsoft.ManagedServices/registrationDefinitions'
              }
              {
                field: 'Microsoft.ManagedServices/registrationDefinitions/managedByTenantId'
                equals: '[parameters(\'managedByTenantId\')]'
              }
            ]
          }
          deployment: {
            location: 'westeurope'
            properties: {
              mode: 'incremental'
              parameters: {
                managedByTenantId: {
                  value: '[parameters(\'managedByTenantId\')]'
                }
                mspOfferName: {
                  value: '[parameters(\'mspOfferName\')]'
                }
                mspOfferDescription: {
                  value: '[parameters(\'mspOfferDescription\')]'
                }
                managedByAuthorizations: {
                  value: '[parameters(\'managedByAuthorizations\')]'
                }
              }
              template: {
                '$schema': 'https://schema.management.azure.com/2018-05-01/subscriptionDeploymentTemplate.json#'
                contentVersion: '1.0.0.0'
                parameters: {
                  managedByTenantId: {
                    type: 'string'
                  }
                  mspOfferName: {
                    type: 'string'
                  }
                  mspOfferDescription: {
                    type: 'string'
                  }
                  managedByAuthorizations: {
                    type: 'array'
                  }
                }
                variables: {
                  managedByRegistrationName: '[guid(parameters(\'mspOfferName\'))]'
                  managedByAssignmentName: '[guid(parameters(\'mspOfferName\'))]'
                }
                resources: [
                  {
                    type: 'Microsoft.ManagedServices/registrationDefinitions'
                    apiVersion: '2019-06-01'
                    name: '[variables(\'managedByRegistrationName\')]'
                    properties: {
                      registrationDefinitionName: '[parameters(\'mspOfferName\')]'
                      description: '[parameters(\'mspOfferDescription\')]'
                      managedByTenantId: '[parameters(\'managedByTenantId\')]'
                      authorizations: '[parameters(\'managedByAuthorizations\')]'
                    }
                  }
                  {
                    type: 'Microsoft.ManagedServices/registrationAssignments'
                    apiVersion: '2019-06-01'
                    name: '[variables(\'managedByAssignmentName\')]'
                    dependsOn: [
                      '[resourceId(\'Microsoft.ManagedServices/registrationDefinitions/\', variables(\'managedByRegistrationName\'))]'
                    ]
                    properties: {
                      registrationDefinitionId: '[resourceId(\'Microsoft.ManagedServices/registrationDefinitions/\',variables(\'managedByRegistrationName\'))]'
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  }
}

output mspOfferName string = 'Managed by ${mspOfferName}'
output authorizations array = authorizations
output policyDefinitionId string = policyDefinition.id

In the code above, the policy definition is constructed where you can see that it has the ‘deployIfNotExist’ effect when a subscription does not have the managedByTenantId specified. The fact that it works for a subscription is set in the If condition of the policy.

Within the ‘deployment’ part of the policy, the ARM template is specified that will be deployed when the condition is not met. This means that it will deploy the Lighthouse connection to the subscription.

This module outputs the policyDefinitionId after the creation of the definition. This output value can then be used for the assignment of the policy.

Assignment

The next part to get this solution operational is the assignment. As mentioned in this article, this is the other module.

targetScope = 'managementGroup'

metadata info = {
  title: 'Azure Policy Assignment'
  description: 'Module for creating policy assignments'
  version: '1.1.0'
  author: 'Maik van der Gaag'
}

metadata description = '''
Module for creating policy assignments
'''

@maxLength(10)
@description('The name of the policyassignment')
param name string

@description('The description in the azure portal for the policy assignment')
param assignmentDescription string

@description('The location of the resources')
param location string

@description('The Display Name for the policy assignment')
param assignmentDisplayname string

@allowed([
  'Default'
  'DoNotEnforce'
])
@description('The enforcement mode of the assignment, default is Default so the policy will get enforced. (default,DoNotEnforce )')
param enforcementMode string = 'Default'

@description('The messages that describe why a resource is non-compliant with the policy.')
param nonComplianceMessage string

@description('The ID of the policy definition or policy set definition being assigned.')
param policyDefinitionId string

@description('The ID of the Role that will be given to the managed identity')
param roleDefinitionId string = '8e3af657-a8ff-443c-a75c-2fe8c4bcb635'

@description('Deploy with identity')
param identity bool = false

@description('The list of resource IDs to be excluded from the policy assignment.')
param exclusions array = []

var identityValue = {
  type: 'SystemAssigned'
}

resource policyassignment 'Microsoft.Authorization/policyAssignments@2025-11-01' = {
  name: 'assignment-${name}'
  location: location
  identity: identityValue
  properties: {
    description: assignmentDescription
    displayName: assignmentDisplayname
    enforcementMode: enforcementMode
    nonComplianceMessages: [
      {
        message: nonComplianceMessage
      }
    ]
    policyDefinitionId: policyDefinitionId
    notScopes: exclusions
  }
}

resource roleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = if (identity) {
  name: roleDefinitionId
}

resource roleassignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (identity) {
  name: guid('policyassignment', policyassignment.name, roleDefinitionId)
  properties: {
    principalId: policyassignment.identity.principalId
    principalType: 'ServicePrincipal'
    roleDefinitionId: roleDefinition.id
  }
}

output policyAssignmentIdentityId string = policyassignment.identity.principalId

This module is not specific for setting up Lighthouse but can be used for assigning policies in general to the management scope in Azure. A few things to note here are:

• The assignment can use an Identity. When it uses an Identity, it will use the SystemAssigned identity type. The role it needs is specified in the roleDefinitionId parameter.
• The policy that it will assign is specified in the parameter policyDefinitionId, and it will be assigned at the scope where this module is executed.

Conclusion

Managing Azure resources within multiple tenants is a challenging task. Using Azure Lighthouse simplifies this job in several ways. By using the solution described in this post, it may help you in situations where you are unsure if additional subscriptions will be added to the environment and where you do not want to lose control.

This way, you only have to onboard a tenant once and subscriptions will turn up when they are added.

It might not be the exact scenario, but it certainly sounds like an intriguing story. Before diving into the mystery, let’s start by exploring what Azure Tags are.

Tags in the Azure platform are key-value pairs that let you store descriptive information about your resources. For example, when deploying resources to Azure, you may want to save the resource owner.

If you check the snippet below, you’ll see that we add specific tags to a resource, such as owner, environment, purpose, version, and clean. This small snippet shows how this could be done via Bicep, but as you know, it is also possible through the Azure portal.

@description('Solutions to add to workspace')
param solutions array = []

@description('Tags to apply to the resource')
param tags object = {
  owner: 'maikvandergaag'
  environment: env
  purpose: 'monitoring'
  version: '1.0.0'
  clean: 'false'
}

resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2025-02-01' = {
  name: 'la-${name}-${env}'
  location: location
  tags: tags
  properties: {
    sku: {
      name: sku
    }
    retentionInDays: retentionInDays
  }
}

Tags that you want to apply can be applied to Azure resources, resource groups, and subscriptions. Management groups are not supported.

If you are looking for a strategy on how to deal with tagging, make sure to check out this article.

Managing tags in large environments manually can become quite intensive. That is why there is support for Azure Policies. With the help of Azure Policies, you can overcome most of the hassles. For example by using policies the eco system can help you with:

• Inheriting tags from the resource group for the resources in the group.
• Automatically adding tags to resource groups or resources.
• Making sure that supported resources have a tag assigned.

Information about the tagging policies can be found here

Hidden Tags

Now to the mystery of this festive tale. As you may know, all tags you add to Azure via the API, PowerShell, Bicep, or the Portal are displayed in the web interface.

Try creating a new tag in the portal and prefix it with ‘hidden-‘. The tag will be made, but as the mystery reveals, it disappears from the portal.

With this capability, you can build tag-based automations and features that rely on tags but do not want to display those values in plain sight, so people are less likely to change them. You could use this in scenarios like:

• Automation for starting and stopping VMs
• Cost analysis based on specific tag data

Azure uses hidden tags itself, and for some people, this function remains a mystery. For example, add a tag called ‘hidden-title’ to a specific resource and see what happens. The screenshots below show you what happened in my environment:

Before

During

After

Notice that basically nothing changed. We added the tag, and it isn’t displayed. But now move to the resources list view, for example, the resource group in which you created the tag for the resource.

Resource List

The title now appears in the resources list and lets you add a descriptive title to all your resources.

Automation

The default Get-AzTag and Remove-AzTag do not retrieve the tags; how can you then use them in automation?

Using hidden tags for automation is done with the Get-AzResource command.

The snippet below, for example, gets all resources that have a tag ‘hidden-title’

 Get-AzResource -TagName 'hidden-title' 

Removing the hidden tag

As you must have noticed in the portal, there is no way to delete the tag. But for the hidden title tag, you can remove the title by adding the same tag name with an empty value.

In this case, the added title will disappear, but the tag itself will remain.

To delete the tags completely, you need to use PowerShell or the Azure CLI. The example below shows how to delete the hidden tag using PowerShell.

$removeTags = @{"hidden-title"=""}                                                                                                                            
Update-AzTag -ResourceId $resource.id -Tag $removeTags -Operation Delete     

Conclusion

Tags are a handy option for saving additional data with your resources. Using hidden tags can be effective, but it’s essential to know that further work is required to keep your environment clean and up to date.

If you’re interested in building your own extension, be sure to check out the documentation on Creating a Local Extension with .Net. It’s a great starting point to help you get up and running.

HTTP Extension

I’ve built an extension that enables performing HTTP requests directly from Bicep. With this capability, a number of powerful scenarios become possible, such as:

• Updating your CMDB automatically when deploying resources to Azure.
• Calling external APIs to retrieve additional data required for deployments.
• Chaining API calls — for example, requesting a token from Microsoft Entra to authenticate a subsequent API call.

The source code of the extension can be found here: bicep-ext-http

The extension provides a new resource type HttpCall that can perform HTTP requests (GET, POST, PUT, DELETE, PATCH) and capture the response for use in your Bicep templates. This is useful for scenarios like I mentioned above.

Features

• Multiple HTTP Methods: Supports GET, POST, PUT, DELETE, and PATCH requests
• Custom Headers: Add custom headers to your HTTP requests
• Request Body: Include JSON or other content in request bodies
• Response Capture: Access both the response body and HTTP status code
• Type Safety: Full IntelliSense support and type checking in Bicep

Creating your own extension

When creating your own extension based on the article I shared earlier, there are a few important considerations and steps to keep in mind. To make this more practical, I’ll walk you through the process using the source code of my own extension as an example.

In my example, I followed specific coding guidelines, which is why my extension differs slightly from the one described in the article. One of the main things that I have changed is the separation of the code files.

Program

The core of the extension resides in ‘Program.cs’. Using dependency injection, the necessary components are loaded and the extension is assigned its name. As you can see in the snippet below I call my extension ‘bicep-ext-http’.

using Microsoft.AspNetCore.Builder;
using Bicep.Local.Extension.Host.Extensions;
using Microsoft.Extensions.DependencyInjection;
using Bicep.Ext.Http.Handler;

var builder = WebApplication.CreateBuilder();

builder.AddBicepExtensionHost(args);
builder.Services
    .AddBicepExtension(
        name: "bicep-ext-http",
        version: "1.0.0",
        isSingleton: true,
        typeAssembly: typeof(Program).Assembly)
    .WithResourceHandler<HttpCallHandler>();

var app = builder.Build();

app.MapBicepExtension();

await app.RunAsync();

Deployment Identifier

To deploy a specific resource type, you first need to create an identifier for it. The snippet below shows the identifier I use for my HTTP calls, where I’ve chosen to define it with a simple name.

namespace Bicep.Ext.Http.Model {
    public class HttpCallIdentifiers {
        [TypeProperty("The Http Call Name", ObjectTypePropertyFlags.Identifier | ObjectTypePropertyFlags.Required)]
        public required string Name { get; set; }
    }
}

Resource Type

For the resource itself, you need to define a resource type. As you may know, in Bicep every deployment is carried out through a specific resource. The snippet below shows the ‘httpcall’ resource type that inherits from the Identifer.

This class contains a few properties that defined the resource type and are required to be able to perform a HTTP Call.

namespace Bicep.Ext.Http.Model {
    [ResourceType("httpcall")]
    public class HttpCall : HttpCallIdentifiers {

        [TypeProperty("The Http Call Url", ObjectTypePropertyFlags.Required)]
        [JsonPropertyName("url")]
        public required string Url { get; set; }

        [TypeProperty("The HTTP method to use", ObjectTypePropertyFlags.Required)]
        [JsonConverter(typeof(JsonStringEnumConverter))]
        [JsonPropertyName("method")]
        public Method? Method { get; set; }

        [TypeProperty("The body to include in the request")]
        [JsonPropertyName("body")]
        public string? Body { get; set; }

        [TypeProperty("The http call headers")]
        [JsonPropertyName("headers")]
        public Header[]? Headers { get; set; }

        [TypeProperty("The http call result")]
        [JsonPropertyName("result")]
        public string? Result { get; set; }

        [TypeProperty("The http call status code")]
        [JsonPropertyName("statuscode")]
        public int StatusCode { get; set; }
    }
}

There are a few important details about this resource type. First, the Method property is defined as an enum (see below). This ensures that only the supported options can be used, preventing invalid inputs and adding the ability to choose a value when defining it in Bicep.

namespace Bicep.Ext.Http.Model {
    public enum Method {
        Get,
        Post,
        Put,
        Delete,
        Patch
    }
}

Secondly, the ‘Headers’ property is not defined as a dictionary. Initially, I chose to use a dictionary, but I discovered that the extension model does not support dictionaries. To work around this, I created a custom type called Header and defined Headers as an array property instead. The code below shows this ‘Header’ type.

namespace Bicep.Ext.Http.Model {
    public class Header {
        [TypeProperty("The name.", ObjectTypePropertyFlags.Required)]
        public string? Name { get; set; }

        [TypeProperty("The value.", ObjectTypePropertyFlags.Required)]
        public string? Value { get; set; }
    }
}

This is were the magic happens

The final component of your extension is the ‘Handler’. This is where the actions are executed. In my extension, the handler performs the API call and returns its response.

namespace Bicep.Ext.Http.Handler {
    public class HttpCallHandler : TypedResourceHandler<HttpCall, HttpCallIdentifiers> {
        protected override async Task<ResourceResponse> Preview(ResourceRequest request, CancellationToken cancellationToken) {
            await Task.CompletedTask;

            return GetResponse(request);
        }

        protected override async Task<ResourceResponse> CreateOrUpdate(ResourceRequest request, CancellationToken cancellationToken) {
            await Task.CompletedTask;

            using (var client = new HttpClient()) {
                var httpRequest = new HttpRequestMessage {
                    Method = request.Properties.Method switch {
                        Method.Get => HttpMethod.Get,
                        Method.Post => HttpMethod.Post,
                        Method.Delete => HttpMethod.Delete,
                        Method.Put => HttpMethod.Put,
                        Method.Patch => HttpMethod.Patch,
                        _ => throw new InvalidOperationException($"Unsupported HTTP method: {request.Properties.Method}"),
                    },
                    RequestUri = new Uri(request.Properties.Url),
                    Content = request.Properties.Body != null ? new StringContent(request.Properties.Body) : null
                };

                if (request.Properties.Headers != null) {
                    foreach (var header in request.Properties.Headers) {
                        if (header.Name != null && header.Value != null) {
                            if (header.Name.Equals("Content-Type", StringComparison.OrdinalIgnoreCase) && httpRequest.Content != null) {
                                httpRequest.Content.Headers.ContentType = new System.Net.Http.Headers.MediaTypeHeaderValue(header.Value);
                            } else {
                                httpRequest.Headers.Add(header.Name, header.Value);
                            }
                        }
                    }
                }

                var response = await client.SendAsync(httpRequest, cancellationToken);
                response.EnsureSuccessStatusCode();

                request.Properties.StatusCode = (int)response.StatusCode;
                request.Properties.Result = await response.Content.ReadAsStringAsync(cancellationToken);
            }

            return GetResponse(request);
        }

        protected override HttpCallIdentifiers GetIdentifiers(HttpCall properties)
            => new() {
                Name = properties.Name,
            };
    }
}

In my handler, there are no specific preview capabilities, which is why this method is left for a clear implementation. The ‘CreateOrUpdate’ method is the part that performs the API call and returns the ‘StatusCode’ as a output and the result of the call as a string.

Getting it to work

With all the code in place, the extension is ready to be built. To do this, open a terminal and run the following commands:

dotnet publish --configuration release -r osx-arm64 .
dotnet publish --configuration release -r linux-x64 .
dotnet publish --configuration release -r win-x64 .

bicep publish-extension --bin-osx-arm64 ./bin/release/osx-arm64/publish/bicep-ext-http --bin-linux-x64 ./bin/release/linux-x64/publish/bicep-ext-http --bin-win-x64 ./bin/release/win-x64/publish/bicep-ext-http.exe --target ./bin/bicep-ext-http --force

Next step is to update the ‘bicepconfig.json’ file to be able to use the extension.

{
  "experimentalFeaturesEnabled": {
    "localDeploy": true,
    "extensibility": true
  },
  "extensions": {
    "http": "./extension-publish/bicep-ext-http"
  },
  "implicitExtensions": []
}

Now your defined resource type can be used in bicep.

targetScope = 'local'
extension http

var callBody = loadTextContent('sample/body.json')

resource getHttp 'httpcall' = {
  name: 'getcall'
  url: 'https://bicep-local.free.beeceptor.com'
  method: 'Get'
}

resource postHttp 'httpcall' = {
  name: 'postcall'
  url: 'https://bicep-local.free.beeceptor.com'
  method: 'Post'
  headers:[
    {name: 'Content-Type', value: 'application/json' }
  ]
  body: callBody
}

resource deleteHttp 'httpcall' = {
  name: 'deletecall'
  url: 'https://bicep-local.free.beeceptor.com/1'
  method: 'Delete'
}

output getResponse object = json(getHttp.result)
output getStatusCode int = getHttp.statusCode
output postResponse object = json(postHttp.result)
output postStatusCode int = postHttp.statusCode
output deleteStatusCode int = deleteHttp.statusCode

Conclusion

Creating your own extension isn’t difficult and can add powerful capabilities to your infrastructure-as-code workflow.

It’s also worth noting that, at the time of writing, the Bicep team is working on a new deploy command. This will allow Bicep to perform deployments directly, without relying on the Azure CLI or PowerShell, and will also support local deployments. To stay updated on this development, check out this issue.

If you’re looking for extensions, be sure to check out the community-maintained repository. If you’d like to contribute your own extension, don’t hesitate to submit a pull request.

• Bicep Extension Repository

With this parameter, you can target multiple files by specifying a specific file-matching pattern. Some use cases to use this are:

• Bulk building Bicep files.
• Validating all the Bicep files (lint) in a repository. (modules)

As mentioned, the option is used to specify file-matching patterns, allowing you to target multiple files in one command without manually listing them all. The parameter accepts standard patterns (similar to those used in shells or file systems). This makes it very useful for automating builds or validations across a whole repository of Bicep templates.

Pattern

The pattern is a simple string-matching syntax used to select files and folders based on wildcards. In the Bicep CLI, patterns let you target multiple files without listing them individually.

• * → matches any number of characters (except /).
• ** → matches any number of subdirectories.

Examples

Validate all bicep files found in all subfolders.

bicep lint --pattern  "./**/*.bicep

Build all bicep files in the current directory.

bicep build --pattern  "./*.bicep

While many developers are familiar with classic options like personal access tokens or OAuth apps, GitHub Apps introduce a more modern and scalable approach. Depending on your use case—whether it’s automating workflows, integrating with third-party services, or managing resources at scale—you can choose between several authentication methods. In this post, we’ll explore the available options for authenticating against GitHub’s APIs, with a focus on how GitHub App authentication works from C#.

Creating an App

To get started with App authentication, you, of course, need a GitHub App. Take the following steps to create your App.

1. Go to your organization settings page within GitHub https://github.com/[organisation]/settings/
2. Click on “GitHub Apps” and then on “New GitHub App”.

3. On the “Register new GitHub App” page, fill in all the information that is required for your application.

Next to the general information about the application, the GitHub App can have additional capabilities.

Identifying and Authorizing users

A capability to let your GitHub App perform actions on behalf of a user, like creating an issue, posting a comment, or making a deployment.

Post Installation

A GitHub App can have specific configurations based on the installation and can also redirect people to a particular page when you update the App within a Repository.

Webhook

Webhooks enable your GitHub App to receive real-time notifications when events happen on GitHub.

After providing information about the App and its capabilities, you also need to configure the permissions. In this section, you must clearly specify the permissions the App requires to perform its actions. For this article, we will create an App that registers issues, so we choose “Repository” - “Issues” - “Read and Write”.

Also, make sure that you set the App access. If you want other people to be able to use your application, you have to set it to “Any Account”.

When done, click “Create GitHub App”

4. When all the information is supplied correctly, you will be directed to the page of your GitHub App where you can provide additional information, like an image for your App. From this page, make sure to copy the App ID and generate a Private Key that we will use during the authentication.

Download this key, as it will be used for app authentication. As you may have noticed, this page also offers the capability to configure allowed IP addresses for using the App.

With the application in place, we can begin the authentication process. Authenticating with the App is done in several steps:

1. Generate a JWT App Token.
2. Exchange the App Token for an Installation access token.
3. Use the installation access token to call the API’s.

Generate a JWT Token

To generate the JWT token, we need the private key and the appId retrieved from the GitHub App page.

private void GenerateJwtToken()
{
    var jwtSecurityTokenHandler = new JwtSecurityTokenHandler { SetDefaultTimesOnTokenCreation = false };
    var rsa = RSA.Create();
    rsa.ImportFromPem(_privateKeyPem.ToCharArray());
    var securityKey = new RsaSecurityKey(rsa);
    var credentials = new SigningCredentials(securityKey, SecurityAlgorithms.RsaSha256);
    var now = DateTime.UtcNow.AddSeconds(-60);
    var token = jwtSecurityTokenHandler.CreateToken(new SecurityTokenDescriptor {
        Issuer = _appId,
        Expires = now.AddMinutes(10),
        IssuedAt = now,
        SigningCredentials = credentials
    });
    _jwt = jwtSecurityTokenHandler.WriteToken(token);
}

The above snippet shows a function that takes the Content of the private key as a string and generates a token that expires in 10 minutes.

This token can then be used to get a specific installation token.

Exchange the App Token for an Installation access token

To exchange the App Token for an installation access token, call the following API: “https://api.github.com/app/installations”.

This API retrieves the installations of the applications, and contains information that is required to be abble to get a installation access token. The information that we need is the URL to request a access token. As you can see in the example below, this is the “access_token_url”.

[
  {
    "id": 00000,
    "client_id": "-----",
    "account": {
      "login": "msftplayground",
      "id": 49311642,
      "node_id": "------",
      "avatar_url": "https://avatars.githubusercontent.com/u/49311642?v=4",
      "gravatar_id": "",
      "url": "https://api.github.com/users/msftplayground",
      "html_url": "https://github.com/msftplayground",
      "followers_url": "https://api.github.com/users/msftplayground/followers",
      "following_url": "https://api.github.com/users/msftplayground/following{/other_user}",
      "gists_url": "https://api.github.com/users/msftplayground/gists{/gist_id}",
      "starred_url": "https://api.github.com/users/msftplayground/starred{/owner}{/repo}",
      "subscriptions_url": "https://api.github.com/users/msftplayground/subscriptions",
      "organizations_url": "https://api.github.com/users/msftplayground/orgs",
      "repos_url": "https://api.github.com/users/msftplayground/repos",
      "events_url": "https://api.github.com/users/msftplayground/events{/privacy}",
      "received_events_url": "https://api.github.com/users/msftplayground/received_events",
      "type": "Organization",
      "user_view_type": "public",
      "site_admin": false
    },
    "repository_selection": "selected",
    "access_tokens_url": "https://api.github.com/app/installations/83382606/access_tokens",
    "repositories_url": "https://api.github.com/installation/repositories",
    "html_url": "https://github.com/organizations/msftplayground/settings/installations/83382606",
    "app_id": 1864472,
    "app_slug": "msftplayground-issue-registration",
    "target_id": 49311642,
    "target_type": "Organization",
    "permissions": {
      "issues": "write",
      "metadata": "read"
    },
    "events": [],
    "created_at": "2025-08-29T15:41:16.000Z",
    "updated_at": "2025-08-29T15:41:32.000Z",
    "single_file_name": null,
    "has_multiple_single_files": false,
    "single_file_paths": [],
    "suspended_by": null,
    "suspended_at": null
  }
]

The URI shown above is the endpoint you call to obtain the application’s installation access token, which is required for performing actions as the application. In my implementation, I don’t hardcode this URI — instead, I retrieve the exact access_tokens_url by first querying the installation details for a given organization.

public async Task<string> GetAccessTokenUrl(string organization, string jwtToken) {

    var client = new HttpClient();
    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", jwtToken);
    client.DefaultRequestHeaders.UserAgent.Add(new ProductInfoHeaderValue(_appHeader, "1.0"));

    var response = await client.GetAsync(
        $"https://api.github.com/app/installations");

    response.EnsureSuccessStatusCode();
    var json = await response.Content.ReadAsStringAsync();
    var doc = JsonDocument.Parse(json);

    string accessTokensUrl = string.Empty;

    foreach (var installation in doc.RootElement.EnumerateArray()) {

        var account = installation.GetProperty("account");
        var login = account.GetProperty("login").GetString();
        string type = account.GetProperty("type").GetString();

        if(login == organization && type == "Organization"){
            accessTokensUrl = installation.GetProperty("access_tokens_url").GetString();
            break;
        }
    }

    return accessTokensUrl;
}

Now that we have the specific URI for the installation access token, we can proceed. The URI can be used in combination with the token to get the installation token.

public async Task<string> GetInstallationTokenAsync(string accessTokenUrl, string jwtToken)
{
    var client = new HttpClient();
    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", jwtToken);
    client.DefaultRequestHeaders.UserAgent.Add(new ProductInfoHeaderValue(_appHeader, "1.0"));
    var response = await client.PostAsync(accessTokenUrl, null);
    response.EnsureSuccessStatusCode();
    var json = await response.Content.ReadAsStringAsync();
    var doc = JsonDocument.Parse(json);
    return doc.RootElement.GetProperty("token").GetString();
}

Use the installation access token to call the API’s

The token returned by the “GetInstallationTokenAsync” method can then be used to perform actions on the desired location. The snippet below creates an issue within the specified repository.

public async Task<string> CreateIssueAsync(string title, string body)
{
    string retVal = string.Empty;

    string token = GenerateJwtToken();
    var url = await GetAccessTokenUrl(_owner, token);
    var installationToken = await GetInstallationTokenAsync(url, token);
    var client = new HttpClient();
    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", installationToken);
    client.DefaultRequestHeaders.UserAgent.Add(new ProductInfoHeaderValue(_appHeader, "1.0"));

    var issue = new { title, body };
    var response = await client.PostAsJsonAsync(
        $"https://api.github.com/repos/{_owner}/{_repo}/issues", issue);

    var result = await response.Content.ReadAsStringAsync();
    if (response.IsSuccessStatusCode) {
        var json = await response.Content.ReadAsStringAsync();
        var doc = JsonDocument.Parse(json);
        return doc.RootElement.GetProperty("id").ToString();
    }

    return retVal;
}

Conclusion

GitHub Apps represent a more secure and flexible way of authenticating to GitHub. Besides that, they can also act as a standalone entity. Based on the snippets above, the complete solution looks like this.

using Microsoft.IdentityModel.Tokens;
using System.IdentityModel.Tokens.Jwt;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using System.Security.Cryptography;
using System.Text.Json;

namespace App.Core.Services
{
    public class GitHubService
    {
        private readonly string _appId;
        private readonly string _privateKeyPem;
        private readonly string _owner;
        private readonly string _repo;
        private const string _appHeader = "msftplayground-Issue-registration";

        public GitHubService(string appId, string privateKeyPem, string owner, string repo)
        {
            _appId = appId;
            _owner = owner;
            _repo = repo;
            _privateKeyPem = privateKeyPem;
        }

        public string GenerateJwtToken()
        {
            var jwtSecurityTokenHandler = new JwtSecurityTokenHandler { SetDefaultTimesOnTokenCreation = false };

            var rsa = RSA.Create();
            rsa.ImportFromPem(_privateKeyPem.ToCharArray());

            var securityKey = new RsaSecurityKey(rsa);
            var credentials = new SigningCredentials(securityKey, SecurityAlgorithms.RsaSha256);

            var now = DateTime.UtcNow.AddSeconds(-60);
            var token = jwtSecurityTokenHandler.CreateToken(new SecurityTokenDescriptor {
                Issuer = _appId,
                Expires = now.AddMinutes(10),
                IssuedAt = now,
                SigningCredentials = credentials
            });

            return jwtSecurityTokenHandler.WriteToken(token);
        }

        public async Task<string> GetAccessTokenUrl(string organization, string jwtToken) {

            var client = new HttpClient();
            client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", jwtToken);
            client.DefaultRequestHeaders.UserAgent.Add(new ProductInfoHeaderValue(_appHeader, "1.0"));

            var response = await client.GetAsync(
                $"https://api.github.com/app/installations");

            response.EnsureSuccessStatusCode();
            var json = await response.Content.ReadAsStringAsync();
            var doc = JsonDocument.Parse(json);

            string accessTokensUrl = string.Empty;

            foreach (var installation in doc.RootElement.EnumerateArray()) {

                var account = installation.GetProperty("account");
                var login = account.GetProperty("login").GetString();
                string type = account.GetProperty("type").GetString();

                if(login == organization && type == "Organization"){
                    accessTokensUrl = installation.GetProperty("access_tokens_url").GetString();
                    break;
                }
            }

            return accessTokensUrl;
        }

        public async Task<string> GetInstallationTokenAsync(string accessTokenUrl, string jwtToken)
        {
            var client = new HttpClient();
            client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", jwtToken);
            client.DefaultRequestHeaders.UserAgent.Add(new ProductInfoHeaderValue(_appHeader, "1.0"));

            var response = await client.PostAsync(accessTokenUrl, null);

            response.EnsureSuccessStatusCode();
            var json = await response.Content.ReadAsStringAsync();
            var doc = JsonDocument.Parse(json);
            return doc.RootElement.GetProperty("token").GetString();
        }

        public async Task<string> CreateIssueAsync(string title, string body)
        {
            string retVal = string.Empty;

            string token = GenerateJwtToken();
            var url = await GetAccessTokenUrl(_owner, token);
            var installationToken = await GetInstallationTokenAsync(url, token);
            var client = new HttpClient();
            client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", installationToken);
            client.DefaultRequestHeaders.UserAgent.Add(new ProductInfoHeaderValue(_appHeader, "1.0"));

            var issue = new { title, body };
            var response = await client.PostAsJsonAsync(
                $"https://api.github.com/repos/{_owner}/{_repo}/issues", issue);

            var result = await response.Content.ReadAsStringAsync();
            if (response.IsSuccessStatusCode) {
                var json = await response.Content.ReadAsStringAsync();
                var doc = JsonDocument.Parse(json);
                return doc.RootElement.GetProperty("id").ToString();
            }

            return retVal;
        }
    }
}

For additional information, make sure to check out the documentation below.

• REST API endpoints for GitHub App installations

• Use Bicep Extensions
• Bicep Graph Extension
• Bicep Kubernetes Extension

These extensions are really great and make Bicep much more powerful than it already is. However, what if I tell you that the way this is built also has its shortcomings?

Disadvantage Bicep Extensions

At the time of writing this article, Bicep extensions have one main disadvantage. Let me explain, take a close look at the image below.

As you may have seen in the image, the Bicep templates that you create locally are sent to the Azure Resource Manager API, where the deployment engine determines whether the Azure Resource Manager should perform its work or, in this example, the resources should be created by the Graph API. As this is all server-side (@Microsoft), there is no really good way for the community to jump in and help build extensions, unlike with Terraform, which makes the improvements and new additions to the extensions take a very long time. But wait, there are some cool things in preview.

Bicep Local

Since a couple of months Bicep contains a preview feature called “localDeploy”. When activated, you can initiate the deployment from your local device and add extensions.

Currently, the community has already developed some nice extensions that you can use and try out:

• Bicep GitHub Extensions - Anthony Martin (Microsoft)
• Key Vault Extension - Anthony Martin (Microsoft)
• Azure Databricks extension - Gijs Reijn
• Http Extension - Maik van der Gaag

As you can imagine, and as you may have seen on the list of extensions, you can create your own. Since version 0.37.4 of Bicep, there has been documentation released to get started creating your own extensions:

• Creating a Local Extension with .Net

Start Testing Bicep Local deployments

To get started deploying with local deployments, a few steps need to be taken. For these steps, we use the repository below as a reference.

• Bicep Local Repository

In that repository, you can find multiple samples of doing local deployments. With the steps and configurations below, you can get started using this extraordinary capability.

1. Make sure that you have one of the latest Bicep installations.
2. Add the “localDeploy” experimental feature to your bicepconfig.json file.

  "experimentalFeaturesEnabled": {
    "localDeploy": true
  }

3. When using the CLI you can deploy locally by using the “bicep local” command.

Bicep local main.bicepparam

The deployments can also be run from Visual Studio Code. To do it from Visual Studio code open the deployments pane. You can do this while the bicepparam file is open.

From the pane that opens, deploy the Bicep file and see the output of your local deployment.

Tracing

When you have problems during your local deployments, which I have encountered occacionally you can enable tracing to get more insights. This is done by setting the Bicep Tracing environment variable.

cmd

set BICEP_TRACING_ENABLED=true

PowerShell

$env:BICEP_TRACING_ENABLED=$true

Conclusion

Local deploy is a great extension to Bicep that helps you get started with different platforms or enables more on the data plane. So let’s hope this functionality will be further developed and that it will become generally available.

Be sure to look out for my next blog post, where I’ll delve deeper into the extension I have developed.

Cost management is crucial for maintaining a cost-effective cloud platform. Without proper cost management, you can face unexpected charges. Azure contains a couple of possibilities for efficient cost management.

Almost every scope within Azure (Management groups, subscriptions, and resources groups) has a ‘cost management’ section within the menu. All of these can also be managed from the ‘Cost Management’ blade within the Azure Portal.

When thinking about cost management in Azure, a few things are very important. One of them is the visibility of the costs within the platform. You should always be able to see the costs associated with your resources and applications. To get insights into this, you should use tags (especially when resources span resource groups or subscriptions).

Note: Tags used for your resources can also be used to create specific budget alerts.

In your environment, a person or team should be responsible for cost management. In many organizations, these responsibilities are also assigned within the DevOps teams. Managing costs for the platform is an iterative process that should be handled by the people responsible for it. The process really spans optimizing, adjusting, and sharing insights. Besides the responsibility, applications should be designed with costs in mind. When setting up a technical design for Azure, it is expected to include a subsection on costs and a description of why specific resources are used, which could also be based on costs. Even choosing the right location for a resource could be based on costs.

To help you make these decisions, the Azure Cost Calculator can help.

Insights regarding the costs within Azure are retrieved in a couple of ways, and Azure already offers an extensive one with the Cost Management Blade within the platform:

The rest of this article will discuss how to monitor your costs across the different scopes and set up budget and anomaly alerts.

Cost Anomaly Alert

An anomaly is something that deviates from the expected or normal pattern. In the context of Azure and the associated costs, an anomaly typically refers to an unexpected spike or drop in cloud costs that is different based on historical information.

The Azure platform offers the capability to set up alerts for these anomalies, allowing you and, for example, your DevOps team to monitor their costs.

With an Azure Landing Zone implementation in place, it is a good option to include this with your application deployments and subscription vending process.

These alert rules can be created in the portal by performing the following steps:

1. Go to Azure Cost Management within the Azure Portal.
2. In the monitoring section, click on ‘alert rules.’

3. Click on ‘Add’ to create a new alert rule.
4. Set the alert type to ‘Anomaly’ and fill in the other information.

Save the alert rule and wait to see if you have strange behavior within the costs. Before saving, make sure the alert’s scope is the correct one.

Before saving alert rules, make sure that the alert is configured on the correct scope. This way, you can ensure that you are not over-alerting people.

Bicep Anomaly Alert

Creating the alerts within the portal is nice, of course, but it would be much better if we could automate this process. So, let’s see if we can specify an anomaly alert within Bicep.

targetScope = 'subscription'

@description('The name for the scheduled action. This name is used in the resource ID. Default: AnomalyAlert.')
param name string = 'AnomalyAlert'

@description('The display name to show in the portal when viewing the list of alerts. Default: (scheduled action name).')
param displayName string = name

@description('Email address of the person or team responsible for this scheduled action.')
param notificationEmail string

@description('List of email addresses that should receive emails.')
param emailRecipients array

@description('The body of the email. Default: Anomaly detected in your subscription. Please review the Cost Management dashboard for more details.')
@maxLength(250)
param emailBody string = 'Anomaly detected in your subscription. Please review the Cost Management dashboard for more details.'

@description('The subject of the email. Default: (Anomaly alert: [subscription displayname]).')
@maxLength(70)
param emailSubject string = 'Anomaly alert: ${subscription().displayName}'

@description('The first day the schedule should run. Default = Now.')
param scheduleStartDate string = utcNow('yyyy-MM-ddTHH:00Z')

@description('The last day the schedule should run. Default = 1 year from start date.')
param scheduleEndDate string = dateTimeAdd(scheduleStartDate, 'P1Y')

@description('The view ID to use for the scheduled action (should not be adjust but is defined as param to comply to best practices). Default: DailyAnomalyByResourceGroup.')
param viewId string = '${subscription().id}/providers/Microsoft.CostManagement/views/ms:DailyAnomalyByResourceGroup'

resource sa 'Microsoft.CostManagement/scheduledActions@2024-08-01' = {
  name: name
  kind: 'InsightAlert'
  properties: {
    displayName: displayName
    viewId: viewId
    notificationEmail: notificationEmail
    status: 'enabled'
    notification: {
      subject: emailSubject
      to: emailRecipients
      message: emailBody
    }
    schedule: {
      frequency: 'Daily'
      startDate: scheduleStartDate
      endDate: scheduleEndDate
    }
  }
}

The above template creates an anomaly alert on a subscription scope. The parameters allow you to adjust the naming and information in your mail. Using this Bicep in your subscription vending process will help your team members spot any anomalies in the costs of their subscriptions.

Budget Alerting

Next to anomaly alerts, there is also the option to configure budget alerts. This alert type allows you to set up alerts based on actual costs and forecasted costs.

Note: The alerts you configure do not affect resources. Alerts are only an option to keep you informed.

What is essential to know about the budgets is that cost and usage data is normally available within 8-24 hours, and budgets are evaluated against these costs every 24 hours. Usually, when an alert needs to be sent out, it will be sent out within the hour.

Budget alerts can be specified on many different scopes. The most well-known scopes are management groups, subscriptions, and resource groups, but there are also other scopes, such as EA accounts. More info about the scopes can be found here: Microsoft Learn

Setting up these alerts is easy and can be done quickly. These steps can be performed from the specific scope but can also be started from the cost management blade.

1. Click on ‘Add’ to create a new budget alert.
2. Specify the scope of your budget alert. Be sure to also look into the filter capabilities within the filter options. You can, for example, create budget alerts for all resources with a specific tag value.

3. Fill in the budget details and amount. The system will alert you against this amount. Also, watch the suggestions the platform gives you.

4. Now, the alert conditions can be specified. The alert conditions specify when alerts will be sent. Here you can select if you want to alert on actual costs or on forecasted costs. Alerts are sent based on a percentage of your costs on the specified scope. An action group can be selected for the rule as a last option. This gives the possibility to notify specific people on specific thresholds.

Note: You can notify people with a specific RBAC role on the scope using the action group capability. This way, you can directly inform people who can take action!

5. Click Create to save the budget alert

Bicep Budget Alert

As with the anomaly alerts, it is great that you can configure them via the portal; it is even better if you can automate this within your existing processes.

To automate this, we will dive into the Bicep code again.

targetScope = 'subscription'

@description('Name of the budget.')
param name string

@description('The total amount of cost or usage to track with the budget')
param amount int = 1000

@description('The time covered by a budget. Tracking of the amount will be reset based on the time grain.')
@allowed([
  'Monthly'
  'Quarterly'
  'Annually'
])
param timeGrain string = 'Monthly'

@description('The start date must be first of the month in YYYY-MM-DD format.')
param startDate string = utcNow('yyyy-MM-ddTHH:00Z')

@description('The last day the schedule should run. Default = 10 year from start date.')
param endDate string = dateTimeAdd(startDate, 'P10Y')

@description('The notifications associated with a budget.')
param notifications object

@description('The first threshold amount that triggers the budget notification.')
param filter object

resource budget 'Microsoft.Consumption/budgets@2024-08-01' = {
  name: name
  properties: {
    timePeriod: {
      startDate: startDate
      endDate: endDate
    }
    timeGrain: timeGrain
    amount: amount
    category: 'Cost'
    notifications: notifications
    filter:filter
  }
}

The bicep file itself is very simple. This template’s scope is also a subscription, but it can be any of the other allowed scopes.

Most of the logic for this template is placed into parameters so that the template itself can be reused. Using this option, it is kind of hard to let end users manage it, but technical people should be able to work with it.

Take a look at the following bicep parameters in the below snippet.

using './budget-alert.bicep'

param name = 'Bicep Budget Alert 2'
param amount = 1000
param timeGrain = 'Monthly'
param notifications = {
  budgetone: {
    enabled: true
    operator: 'GreaterThan'
    threshold: 80
    contactEmails: [
      'maik@familie-vandergaag.nl'
    ]
    thresholdType: 'Actual'
  }
  budgettwo: {
    enabled: true
    operator: 'GreaterThan'
    threshold: 100
    contactEmails: [
      'maik@familie-vandergaag.nl'
    ]
    thresholdType: 'Forecasted'
  }
}
param filter = {
  and: [
    {
      dimensions: {
        name: 'ResourceGroupName'
        operator: 'In'
        values: [
          'rg-'
        ]
      }
    }
    {

     tags: {
        name: 'environment'
        operator: 'In'
        values: [
          'prd'
        ]
      }
    }
  ]
}

In the bicep parameter files, the notifications and filters are configured.

Conclusion

Optimizing budget configurations is crucial for monitoring your cloud usage and costs.

As you have read in this article, you should start by using automation and utilizing Infrastructure as Code to achieve efficient cost Management.

For further reading about this subject and to check out the source code shared in this post, look at the links below.

• Personal Bicep GitHub Repo
• Cost Management - Microsoft Learn

Add the following snippet to your Bicep configuration file (bicepconfig.json) to enable this experimental feature.

    "experimentalFeaturesEnabled": {
        "extensibility": true
    }

At the moment of writing this blog post there is support for the Microsoft Graph and Kubernetes.

Using the Graph extension for Bicep allows you to deploy and change a limited set of Entra objects (at the moment of writing). The objects that can be authored at the moment of writing are:

• Applications
• App role assignments
• Federated identity assignment
• Groups
• OAuth2 Permission grants
• Service Principals
• Users

As you might expect, the extension would call the Graph API from the machine where the deployment is executed. But the Bicep extension works a little bit differently.

As with the regular Bicep files without the extensions, the file is built into a JSON-represented format (locally). As you can see in the above image, this file is then sent to the Azure Resource Manager. The deployment agent then decides whether to send the resources to the Azure Resource Manager or the Graph API for the Graph resources.

To use the graph resources, you need to do two things. The extension alias needs to be configured within the ‘bicepconfig.json.’

    "extensions": {
      "microsoftGraphV1": "br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:0.1.9-preview"
    }

‘microsoftGraphV1’ is the alias that needs to be used and included in the template file. To use the resources within that file, include the following line.

extension microsoftGraphV1

With all of this setup, the Graph objects can be specified. When using Visual Studio Code, the Bicep extension also has intelligence to get you started.

For this blog post, we will create an Entra group, add members and owners, and give that group permission on an Azure resource. Adding members and owners to a group normally uses the users’ IDs. However, as we want to parameterize the file so that other people can use it, we will have to retrieve the users’ IDs using their UPN.

param location string = resourceGroup().location

param members array = []

param owners array = []

param name string = 'default'

var readerRole = '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'

var roleAssignmentName = guid(resourceGroup().id, groupName, storageName)

var groupName = 'sg-${name}'

var storageName = 'stgraphtest${name}'

This first section shows the parameters and variables we will use during the deployment. As you can see, there is an owners and members array, which specifies the users’ UPNs. The other variables and parameters specify the name and role we will use during the deployment.

The second part is the logic that will be used to retrieve the IDs of the owners and members based on their UPN. As mentioned above, you need to supply their IDs to add members and owners to the group.

resource ownerList 'Microsoft.Graph/users@v1.0' existing = [for upn in owners: {
  userPrincipalName: upn
}]

resource memberList 'Microsoft.Graph/users@v1.0' existing = [for upn in members: {
  userPrincipalName: upn
}]

The group can be created with the users’ information. The snippet below shows that the owners and members have been added, and the group name has been specified.

resource readerGroup 'Microsoft.Graph/groups@v1.0' = {
  displayName: groupName
  mailEnabled: false
  mailNickname: uniqueString(groupName)
  securityEnabled: true
  uniqueName: groupName
  owners: [for i in range(0, length(owners)): ownerList[i].id]
  members: [for i in range(0, length(members)): memberList[i].id]
}

The other parts needed for this deployment are just regular Bicep / Azure deployment of resources.

resource storage 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: storageName
  location: location
  sku: {
    name: 'Standard_LRS'
  }
  kind: 'StorageV2'
  properties:{
    minimumTlsVersion: 'TLS1_2'
  }
}

resource readersRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  scope: storage
  name: roleAssignmentName
  properties: {
    principalId: readerGroup.id
    roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', readerRole)
  }
}

As you can see in the above snippet, a storage account is created, and a role is assigned to the security group we previously added.

All of this together creates the following deployment file.

extension microsoftGraphV1

param location string = resourceGroup().location

param owners array = []
param members array = []

param name string = 'default'

var readerRole = '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'

var roleAssignmentName = guid(resourceGroup().id, groupName, storageName)

var groupName = 'sg-${name}'

var storageName = 'stgraphtest${name}'

resource ownerList 'Microsoft.Graph/users@v1.0' existing = [for upn in owners: {
  userPrincipalName: upn
}]

resource memberList 'Microsoft.Graph/users@v1.0' existing = [for upn in members: {
  userPrincipalName: upn
}]

resource storage 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: storageName
  location: location
  sku: {
    name: 'Standard_LRS'
  }
  kind: 'StorageV2'
  properties:{
    minimumTlsVersion: 'TLS1_2'
  }
}

resource readerGroup 'Microsoft.Graph/groups@v1.0' = {
  displayName: groupName
  mailEnabled: false
  mailNickname: uniqueString(groupName)
  securityEnabled: true
  uniqueName: groupName
  owners: [for i in range(0, length(owners)): ownerList[i].id]
  members: [for i in range(0, length(owners)): memberList[i].id]
}

resource readersRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  scope: storage
  name: roleAssignmentName
  properties: {
    principalId: readerGroup.id
    roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', readerRole)
  }
}

As you can see, the extension model makes it very easy to create more advanced deployments by including the capabilities for Entra objects. For the deployment above, the parameter file could look like this.

using './main.bicep'

param owners = ['maik@msftplayground.info' ]
param members = [ 'piet@msftplayground.info'
 'charlotte@msftplayground.info'
]
param name = 'graph-group-name'

It would be great if, over time, many other graph objects are added to the extension so that we could also author SharePoint sites or other M365 / Entra objects.

If you want to learn more about the Graph extension or Bicep, you can have a look at the following resources:

• msft-bicep - My personal bicep repository that contains a lot of bicep samples and also includes examples regarding the graph extension.
• Bicep templates for Microsoft Graph - The official Microsoft learn documentation regarding the Graph extension for Bicep.

After having a first version and finding some shortcomings in the implementation:

• It constantly scans all files within the repository.
• When setting the output for the bicep linter to SARIF, I get a SARIF file for each file I scan.

This made me make a new version in which these shortcomings are fixed, and you can adjust the behavior based on input parameters. This ended in the composite action below.

name: "Bicep Linting"
description: "Composite action for running Bicep Linting."
branding:
  icon: 'code'
  color: 'blue'
inputs:
  allfiles:
    type: boolean
    description: 'Check all files or only the changed files'
    default: false
  create-sarif:
    description: 'Create a combined SARIF file'
    type: boolean
    default: true
  markdown-report:
    description: 'Create a markdown report'
    type: boolean
    default: false
  sarif-output-path:
    description: 'The file path to save the SARIF file'
    type: string
    default: 'bicep-lint.sarif'
  markdown-output-path:
    description: 'The file path to save the markdown report'
    type: string
    default: 'bicep-lint.md'
runs:
  using: "composite"
  steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 2
      - name: Get files
        shell: pwsh
        run: |
          $allFiles = [System.Convert]::ToBoolean("$")
          $\Get-BicepFiles.ps1 -AllFiles $allFiles
      - name: "Linting the bicep files"
        run: |
          $sarif = [System.Convert]::ToBoolean("$")
          $markdown = [System.Convert]::ToBoolean("$")
          $\Get-BicepLintingResults.ps1 -BicepFilesJson $ `
                     -CreateSarif $sarif `
                     -MarkdownReport $markdown `
                     -SarifOutputPath $ `
                     -MarkdownOutputPath $
        shell: pwsh

The action makes sure that the fetch dept of the repository is 2. This way, the action is able to retrieve the changed files. This happens in the step ‘Get files. ‘ The files it finds in this step are saved within an environment variable. Based on the input parameters, it will save the changed file or all the bicep files it can find.

The second step, ‘Linting the bicep files,’ will iterate through all the files and perform the ‘bicep lint’ command for each one. The command can optionally output to SARIF when the ‘create-sarif’ input parameter is set. It will combine the files into one large SARIF file.

As this was a personal project and I was also interested in how actions end up within the GitHub Marketplace, I published the action to the GitHub Marketplace for everyone to use. The action can be found here.

Key Features

1. Scan Only Changed Files: This feature allows the action to lint only the modified files, saving time and resources by not re-linting unchanged files.

2. Combine SARIF Output: The action can combine the SARIF (Static Analysis Results Interchange Format) output from the Bicep linter into a single file. This makes integrating with GitHub’s code scanning alerts easier and provides a comprehensive view of all linting issues.

3. Markdown Reporting: One of the most exciting features is the ability to display the linting results in the GitHub Actions Step Summary. This provides a clear and concise report directly within the GitHub interface, making it easy to review and address issues.

How It Works

The Bicep Linting Action leverages the Bicep linter to analyze your Bicep files for potential issues. The results are then processed and presented in a user-friendly format. Here’s a brief overview of how to set up and use the action in your GitHub workflows:

1. Setup the Action: Add the Bicep Linting Action to your workflow file.
2. Configure the Inputs: Specify the paths to your Bicep files and any additional options you want to use.
3. Run the Workflow: Trigger the workflow to lint your Bicep files and view the results in the GitHub Actions tab.

Example Workflow

Below is an example of how to integrate the Bicep Linting Action into your GitHub workflow:

name: Lint Bicep Files

on: [push, pull_request]

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2

      - name: Run Bicep Linting
        uses: maikvandergaag/bicep-linting-action@v1
        with:
          files: '**/*.bicep'
          only-changed: true
          sarif-output: 'bicep-lint-results.sarif'

By using the GitHub events, you can also ensure that different types of scans (full / changed) are done on different events. The below example shows this by doing a full scan on a pull request when the target branch is the main branch. If this is not the case, it will only take the changes, for example, for simple commits.

name: Bicep Linting

on:
  push:
  pull_request:
  workflow_dispatch:


env:
 allFiles: ${{ github.event_name == 'pull_request' || ( github.base_ref == 'main') }}


jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: maikvandergaag/action-biceplint@main
        with:
          allfiles: ${{ env.allFiles }}
          create-sarif: true
          markdown-report: false
          sarif-output-path: bicep-lint.sarif
      - name: Upload SARIF file
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: bicep-lint.sarif
          category: bicep-linting

Doing full scans on pull requests can be a requirement, especially when you have a rule set ‘use-recent-api-versions’ to error, and you must check the files occasionally. So you could, for example, create a daily scan using this extension.

Conclusion

The Bicep Linting GitHub Action is an incredibly personal project that can help maintain high-quality Bicep code. Focusing on changed files, combining SARIF outputs, and providing markdown reports streamlines the linting process and integrates seamlessly with your GitHub workflows. Try and experience the benefits of automated Bicep linting in your projects!

When you have feature requests or are having issues, please share these!

• Github Bicep Linting Action
• Linting Action repository
• Issues

deployer function

This newly added function helps get information about who is deploying the resources to the platform. This can, for example, help if there is a process within your organization to tag the resources with the person who deploys them.

Let’s look at an example by outputting the object retrieved by the deployer function.

output deployer object = deployer()

{
  "objectId":"f275e010-27ad-4b3b-8c33-e9aac30fded4",
  "tenantId":"324f7296-1869-4489-b11e-912351f38ead"
}

As visible in the snippet above, this function returns the object id and the tenant id of the deploying principal. This information can then be used in other scenarios, like setting permissions or tagging resources. The snippet below shows the option of giving the deployer access to a resource group.

var principalId = deployer().objectId 

resource contributorRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
  scope: subscription()
  name: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
}

resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(resourceGroup().id, principalId, contributorRoleDefinition.id)
  properties: {
    roleDefinitionId: contributorRoleDefinition.id
    principalId: principalId
    principalType: 'ServicePrincipal'
  }
}

Having the information available during deployment time and not having to retrieve it separately before the execution and supplying it as a parameter helps a lot and can help in situations where:

• You need access to a newly deployed KeyVault with RBAC permissions configured, and also want to deploy secrets.
• Using the same identity for your deployment scripts.

Conclusion

The deployer function is a great new addition to the Bicep language and will help make advanced deployments much easier.

• Bicep deployment functions
• Bicep code in my GitHub Repository