Deploy Microsoft Graph resources without an Azure subscription

Deployments can be scoped so that the resources defined in a Bicep template are deployed to a specific Azure scope such as a management group, subscription, or resource group. These scopes all require an Azure subscription.

There are several scenarios where you need to use Bicep templates to deploy Microsoft Graph resources, but:

  1. Your company or tenant doesn't use Azure services
  2. You have an Azure AD B2C tenant that can't support Azure subscriptions
  3. You have a Microsoft Entra External ID external tenant that can't support Azure subscriptions

Using a tenant-scoped deployment, it's possible to deploy Microsoft Graph resources without an Azure subscription.

This article demonstrates how to scope your deployments to the tenant scope without using an Azure subscription. It applies only if your Bicep template file contains Microsoft Graph resources exclusively. If your template file contains Azure resources in addition to Microsoft Graph resources, you need a valid Azure subscription.

Important

Microsoft Graph Bicep is currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Prerequisites

  • Your tenant has no Azure subscriptions.
  • To deploy a Bicep file, the principal performing the deployment needs the least-privileged permissions to deploy the resources declared in the Bicep file.
  • Install Bicep tools for authoring and deployment. This how-to article uses VS Code with the Bicep extension for authoring and Azure CLI for deployment. Samples are also provided for Azure PowerShell.
  • You can deploy the Bicep files interactively or via zero-touch (app-only) deployment.

Deploy Microsoft Graph resources

The following steps show how to deploy Microsoft Graph resources at the tenant-scope without requiring an Azure subscription.

  1. Assign the requisite deployment permissions to the principal performing the deployment. Only a Microsoft Entra Global Administrator can perform this assignment:

    • Elevate account access so the Global Administrator can assign Azure roles.

    • Assign the Owner or Contributor role to the user or service principal that deploys the templates, where <principalId> is its object ID and <principalType> is its principal type (for example User or ServicePrincipal). The / scope refers to the tenant-wide root scope.

      az role assignment create --assignee-object-id "<principalId>" --assignee-principal-type "<principalType>" --scope "/" --role "Owner"
      
  2. In your main.bicep file, add targetScope = 'tenant' to set a tenant-level deployment scope. Your Bicep file must declare only Microsoft Graph resources.

  3. Perform a tenant deployment using the security principal that has deployment privileges, using az deployment tenant create or New-AzTenantDeployment:

    az deployment tenant create --location WestUS --template-file main.bicep
    
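The procedure above describes the template only as "add targetScope = 'tenant'". The following main.bicep is an added example, not a template from this article, showing what a complete tenant-scoped file that declares only Microsoft Graph resources looks like. It assumes the Microsoft Graph Bicep extension is referenced as microsoftGraphV1 (older preview builds used provider microsoftGraph with extensibility enabled in bicepconfig.json), that the deploying principal holds the Graph permission needed to create security groups, and that the group names shown are placeholders you replace.

```bicep
// Tenant-scoped deployment: no Azure subscription, management group or
// resource group is involved, so only Microsoft Graph resources may appear.
targetScope = 'tenant'

// Assumption: extension name for the Microsoft Graph Bicep preview.
// Older preview tooling used: provider microsoftGraph
extension microsoftGraphV1

// Placeholder values; replace with your own naming.
@description('Display name of the security group created by this deployment.')
param groupDisplayName string = 'Bicep Deployers (example)'

@description('Client-side key used by Microsoft Graph Bicep to make the group idempotent.')
param groupUniqueName string = 'bicep-deployers-example'

// A security-enabled, mail-disabled group. Re-running the deployment with the
// same uniqueName updates this group instead of creating a duplicate.
resource deployersGroup 'Microsoft.Graph/groups@v1.0' = {
  displayName: groupDisplayName
  uniqueName: groupUniqueName
  mailEnabled: false
  mailNickname: groupUniqueName
  securityEnabled: true
}

// Expose the object ID so a follow-up step can reference it.
output deployersGroupId string = deployersGroup.id
```

Deploy it with the command from step 3, az deployment tenant create --location WestUS --template-file main.bicep, using the principal that received the Owner or Contributor assignment at the / scope. Because the role at / is tenant-wide, keep that assignment limited to the dedicated deployment principal and review the planned changes first with az deployment tenant what-if --location WestUS --template-file main.bicep; if the template accidentally contains any Azure resource type, the tenant-scoped deployment fails rather than silently creating it.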

For more information about tenant deployments, see Deploy to a tenant.