Deploying Active Directory with Microsoft DSC v3 — A Configuration-as-Code Approach

Introduction

Microsoft Desired State Configuration (DSC) v3 is a cross-platform, declarative configuration management engine built in Rust. Unlike its PowerShell-based predecessors (DSC v1 and v2), DSC v3 is a standalone binary (dsc.exe) that orchestrates resources defined in YAML documents. It supports the full PowerShell DSC adapter ecosystem, enabling teams to configure Windows infrastructure — including Active Directory — using pure YAML files.

This post walks through a complete, modular Active Directory deployment built on DSC v3, covering every configuration file, parameter file, and the commands used to apply them.

Why DSC v3 for Active Directory?

Traditional AD deployment relies on PowerShell scripts or manual steps that are difficult to audit, version, and reproduce. DSC v3 brings:

• Declarative YAML — describe what you want, not how to do it
• Idempotency — running the same configuration multiple times produces the same result
• Modularity — split large configurations into focused, reusable include files
• Parameter separation — keep environment-specific values (domain names, passwords) out of the configuration files
• Built-in dependency management — dependsOn ensures resources are applied in the correct order

Prerequisites

Before running any configuration, ensure the following are in place on the target Domain Controller:

Search DSC v3:

winget search DesiredStateConfiguration
Name                              Id            Version Match                          Source
----------------------------------------------------------------------------------------------
DesiredStateConfiguration         9NVTPZWRC6KQ  Unknown                                msstore
DesiredStateConfiguration-Preview 9PCX3HX4HZ0Z  Unknown                                msstore
DSC v3                            Microsoft.DSC 3.2.0   Tag: desiredstateconfiguration winget

Install DSC v3:

winget install --id 9PCX3HX4HZ0Z --source msstore

Install the ActiveDirectoryDsc PowerShell module:

Install-Module -Name ActiveDirectoryDsc -Repository PSGallery -Force

Verify DSC v3 is available and can discover resources:

dsc resource list

Project File Structure

The configuration is split into a layered directory structure to separate concerns:

config/ADS/
├── ads-root-forest.dsc.yaml          # Stage 1 – Forest/domain creation
├── ads-root.dsc.parameters.yaml      # Parameters for root forest deployment
├── ads-child-forest.dsc.yaml         # Stage 1 (optional) – Child domain creation
│
└── ADS-Include/
    ├── ads.main.dsc.yaml             # Stage 2 – Orchestrator (Include entries)
    │
    ├── config/
    │   ├── ads.ou.dsc.yaml           # OU hierarchy definition
    │   ├── ads.admin-users.dsc.yaml  # Administrative user accounts
    │   ├── ads.groups.dsc.yaml       # Delegation security groups
    │   ├── ads.groups-members.dsc.yaml    # Group membership assignments
    │   ├── ads.ou-delegation.dsc.yaml     # OU permission entries (ACLs)
    │   └── ads.finegrained-password-policy.dsc.yaml  # PSO policies
    │
    └── parameters/
        ├── ads.parameters.yaml            # Domain root path parameter
        └── ads.admin-user.parameters.yaml # Admin user credentials

Stage 1 — Forest and Domain Creation

ads-root-forest.dsc.yaml

This is the entry point for bringing up the first domain controller. It installs the required Windows features and then creates the AD forest using ActiveDirectoryDsc/ADDomain.

$schema: https://aka.ms/dsc/schemas/v3/bundled/config/document.json
metadata:
  name: ads-root-forest-configuration
  version: 1.0.0
  description: Global Active Directory configuration for forest and domain creation
  Microsoft.DSC:
    requiredSecurityContext: current

parameters:
  SafemodeAdministratorPassword:
    type: secureObject
  Credential:
    type: secureObject
  DomainName:
    type: string
    defaultValue: contoso.com
  DomainNetBiosName:
    type: string
    defaultValue: contoso
  ForestMode:
    type: string
    defaultValue: WinThreshold   # Win2008, Win2008R2, Win2012, Win2012R2, WinThreshold, Win2025
  SuppressReboot:
    type: bool
    defaultValue: true
resources:
  - name: Windows Features Install ADS
    type: PSDesiredStateConfiguration/WindowsFeature
    properties:
      ensure: Present
      name: AD-Domain-Services
  - name: Windows Features Install ADS RSAT
    type: PSDesiredStateConfiguration/WindowsFeature
    properties:
      ensure: Present
      name: RSAT-AD-PowerShell
  - name: Windows Features Install AD DS Tools
    type: PSDesiredStateConfiguration/WindowsFeature
    properties:
      ensure: Present
      name: RSAT-ADDS
      IncludeAllSubFeature: true
  - name: Active Directory Forest
    type: ActiveDirectoryDsc/ADDomain
    properties: 
      DomainName: "[parameters('DomainName')]"
      DomainNetBiosName: "[parameters('DomainNetBiosName')]"
      SafemodeAdministratorPassword: "[parameters('SafemodeAdministratorPassword')]"
      Credential: "[parameters('Credential')]"
      ForestMode: "[parameters('ForestMode')]"
      SuppressReboot: "[parameters('SuppressReboot')]" # no reboot rquired
    dependsOn: 
      - "[resourceId('PSDesiredStateConfiguration/WindowsFeature','Windows Features Install ADS')]"
      - "[resourceId('PSDesiredStateConfiguration/WindowsFeature','Windows Features Install ADS RSAT')]"
      - "[resourceId('PSDesiredStateConfiguration/WindowsFeature','Windows Features Install AD DS Tools')]"

Key resources:

The ADDomain resource depends on all three WindowsFeature resources, so DSC applies them in sequence automatically.

ads-root.dsc.parameters.yaml — supplies the sensitive values at runtime, keeping them out of the configuration file:

parameters:
  Credential:
    username: AdminTest
    password: Password
  SafemodeAdministratorPassword:
    username: AdminTest
    password: AdminTest
  DomainName: contoso.com
  DomainNetBiosName: contoso

Security note: In Organization, replace plain-text passwords with secrets retrieved from Azure Key Vault or a secrets manager. Never commit credential files to source control.

Deploy command:

dsc config set `
  --parameters-file .\ads-root.dsc.parameters.yaml `
  --file .\ads-root-forest.dsc.yaml

ads-child-forest.dsc.yaml

Used when adding a child domain to an existing forest. The structure mirrors the root forest file but adds DomainType and DomainMode parameters:

parameters:
  DomainType:
    type: string
    defaultValue: ChildDomain   # TreeDomain or ChildDomain
  DomainMode:
    type: string
    defaultValue: WinThreshold

This allows the same pattern to deploy both root and child domains by varying the parameters.

Stage 2 — AD Structure with Include-Based Orchestration

Once the domain exists, the second stage configures its internal structure. Rather than one monolithic YAML, the project uses the Microsoft.DSC/Include resource type to compose smaller, focused files.

ADS-Include/ads.main.dsc.yaml

This is the single entry point for Stage 2. It does nothing itself — it delegates to six sub-configurations via Include, order of deployment is base on yaml files:

$schema: https://aka.ms/dsc/schemas/v3/bundled/config/document.json
resources:

# Deploy in order 

- name: Active Directory Ou structure
  type: Microsoft.DSC/Include
  properties:
    configurationFile: config\ads.ou.dsc.yaml
    parametersFile: parameters\ads.parameters.yaml

- name: Active Directory Administrative User
  type: Microsoft.DSC/Include
  properties:
    configurationFile: config\ads.admin-users.dsc.yaml
    parametersFile: parameters\ads.admin-user.parameters.yaml

- name: Active Directory Groups Management
  type: Microsoft.DSC/Include
  properties:
    configurationFile: config\ads.groups.dsc.yaml
    parametersFile: parameters\ads.parameters.yaml

- name: Active Directory Groups Membership
  type: Microsoft.DSC/Include
  properties:
    configurationFile: config\ads.groups-members.dsc.yaml

- name: Active Directory Groups OU Delegation
  type: Microsoft.DSC/Include
  properties:
    configurationFile: config\ads.ou-delegation.dsc.yaml
    parametersFile: parameters\ads.parameters.yaml

- name: Active Directory Password Policy
  type: Microsoft.DSC/Include
  properties:
    configurationFile: config\ads.finegrained-password-policy.dsc.yaml
    parametersFile: parameters\ads.parameters.yaml

The Microsoft.DSC/Include resource loads an external configuration file and optionally merges a parameters file into it before execution. This pattern is the key to keeping each concern in its own file without repeating boilerplate.

Sub-Configuration Files

config/ads.ou.dsc.yaml — Organizational Unit Hierarchy

Defines the entire OU tree under the domain root. The structure follows a tiered model:

Organization (root)
├── Accounts
│   ├── Users
│   ├── Users.NoSync
├── Devices
│   └── Servers
│       ├── Tier0
│       ├── Tier1
│       └── Tier2
│   └── Computers
└── Groups
    ├── Delegation
    └── Distribution

Each OU uses ActiveDirectoryDsc/ADOrganizationalUnit and declares its parent via dependsOn, using the resourceId() function to reference sibling resources:

$schema: https://aka.ms/dsc/schemas/v3/bundled/config/document.json
metadata:
  name: ads-groups-ou-configuration
  version: 1.0.0
  description: Active Directory configuration of defualt groups
  Microsoft.DSC:
    requiredSecurityContext: current # this is the default and just used as an example indicating this config works for admins and non-admins

parameters:
  DomainRootPath:
    type: string
    defaultValue: "DC=contoso,DC=com"
resources:

- name: Active Directory Root Organizational Unit
  type: ActiveDirectoryDsc/ADOrganizationalUnit
  properties: 
    Name: Organization
    Path: "[parameters('DomainRootPath')]"
    Description: "Organization OU for All organizational objects"
    ProtectedFromAccidentalDeletion: true
    ensure: Present


- name: Active Directory Accounts Organizational Unit
  type: ActiveDirectoryDsc/ADOrganizationalUnit
  properties:
    Name: Accounts
    Path: "[concat('OU=Organization,', parameters('DomainRootPath'))]"
    Description: "Accounts OU for all user and service accounts"
    ProtectedFromAccidentalDeletion: true
    ensure: Present
    dependsOn:
      - "[resourceId('ActiveDirectoryDsc/ADOrganizationalUnit','Active Directory Root Organizational Unit')]"

- name: Active Directory Users Organizational Unit
  type: ActiveDirectoryDsc/ADOrganizationalUnit
  properties: 
    Name: Users
    Path: "[concat('OU=Accounts,','OU=Organization,', parameters('DomainRootPath'))]"
    Description: "OU for Users accounts that can be synchonized to Microsoft 365 or used for on-premises authentication"
    ProtectedFromAccidentalDeletion: true
    ensure: Present
    dependsOn: 
      - "[resourceId('ActiveDirectoryDsc/ADOrganizationalUnit','Active Directory Accounts Organizational Unit')]"

The concat() function builds the LDAP path dynamically from the DomainRootPath parameter, making the file fully portable across domains.

All OUs have ProtectedFromAccidentalDeletion: true set to prevent inadvertent removal.

config/ads.admin-users.dsc.yaml — Administrative User Accounts

Creates privileged user accounts and places them in the correct OU:

parameters:
  DomainName:
    type: string
    defaultValue: "contoso.com"
  DomainRootPath:
    type: string
    defaultValue: "DC=contoso,DC=com"
  Password:
    type: secureObject

The Password parameter is typed as secureObject, meaning it accepts a { username, password } structure without exposing the value in logs. The user is placed in OU=Users.Special.NoSync — the dedicated OU for privileged accounts that must not synchronize to Microsoft 365:

$schema: https://aka.ms/dsc/schemas/v3/bundled/config/document.json
metadata:
  name: ads-admin-users-configuration
  version: 1.0.0
  description: Active Directory configuration for administrative user
  Microsoft.DSC:
    requiredSecurityContext: current # this is the default and just used as an example indicating this config works for admins and non-admins

parameters:
  DomainName:
    type: string
    defaultValue: "contoso.com"
  DomainRootPath:
    type: string
    defaultValue: "DC=contoso,DC=com"
  Password:
    type: secureObject
resources:
- name: Active Directory admin - michal.mmachniak
  type: ActiveDirectoryDsc/ADUser
  properties:
    Ensure: Present
    UserName: michal.mmachniak
    CommonName: "Michal Machniak"
    UserPrincipalName: "[concat('michal.mmachniak@', parameters('DomainName'))]"
    Password: "[parameters('Password')]"
    Path: "[concat('OU=Users.Special.NoSync,OU=Accounts,OU=Organization,', parameters('DomainRootPath'))]"
    PasswordNeverResets: true # Each deployment won't setup new password

parameters/ads.admin-user.parameters.yaml provides the runtime values for this config:

parameters:
  Password:
    username: admin
    password: P@SSWord!@!
  DomainRootPath: "DC=contoso,DC=com"
  DomainName: "contoso.com"

config/ads.groups.dsc.yaml — Delegation Security Groups

Creates Universal Security Groups in the OU=Delegation,OU=Groups,OU=Organization container. Each group corresponds to a delegation scope on a specific OU:

All groups follow the same pattern:

$schema: https://aka.ms/dsc/schemas/v3/bundled/config/document.json
metadata:
  name: ads-groups-ou-configuration
  version: 1.0.0
  description: Active Directory configuration of defualt groups
  Microsoft.DSC:
    requiredSecurityContext: current # this is the default and just used as an example indicating this config works for admins and non-admins

parameters:
  DomainRootPath:
    type: string
    defaultValue: "DC=contoso,DC=com"
resources:

- name: Active Directory Organization OU
  type: ActiveDirectoryDsc/ADGroup
  properties:
    GroupName: OU-Organization-FullControl
    GroupScope: Universal
    Category: Security
    Description: Delegation group for OU Organization with full control permissions
    Path: "[concat('OU=Delegation,OU=Groups,OU=Organization,', parameters('DomainRootPath'))]"
    Ensure: Present

Using Universal scope allows these groups to work across trusts in multi-domain forest scenarios.

config/ads.groups-members.dsc.yaml — Group Membership

Assigns accounts to groups using MembersToInclude, which is additive and non-destructive (it does not remove existing members):

- name: Active Directory - Domain Admins group membership
  type: ActiveDirectoryDsc/ADGroup
  properties:
    GroupName: Domain Admins
    Ensure: Present
    MembersToInclude:
      - michal.mmachniak

This config intentionally has no parameters file — the group names and member accounts are static by design for privileged group membership, reducing the risk of accidental misconfiguration.

config/ads.ou-delegation.dsc.yaml — OU Permission Entries

Applies ACLs to OUs using ActiveDirectoryDsc/ADObjectPermissionEntry. Each entry grants the corresponding delegation group the required access:

$schema: https://aka.ms/dsc/schemas/v3/bundled/config/document.json
metadata:
  name: ads-groups-ou-configuration
  version: 1.0.0
  description: Active Directory configuration for organizational units delegations
  Microsoft.DSC:
    requiredSecurityContext: current # this is the default and just used as an example indicating this config works for admins and non-admins

parameters:
  DomainRootPath:
    type: string
    defaultValue: "DC=contoso,DC=com"
resources:

# This configuration defines a security group for delegating permissions on the Organization OU in Active Directory. The group is created with full control permissions on the OU, allowing members of the group to manage the OU and its contents effectively.


  - name: Active Directory Organization OU Delegation Group Permissions
    type: ActiveDirectoryDsc/ADObjectPermissionEntry
    properties: 
      Ensure: Present
      Path: "[concat('OU=Organization,', parameters('DomainRootPath'))]"
      IdentityReference: OU-Organization-FullControl
      ActiveDirectoryRights: 
        - GenericAll
      AccessControlType: Allow
      ObjectType: 00000000-0000-0000-0000-000000000000
      ActiveDirectorySecurityInheritance: Descendents
      InheritedObjectType: 00000000-0000-0000-0000-000000000000

# This configuration defines a security group for delegating permissions on the Organization-Accounts OU in Active Directory. The group is created with full control permissions on the OU, allowing members of the group to manage user accounts and other objects within the OU effectively.


  - name: Active Directory Organization-Accounts OU Delegation Group Permissions Descendents
    type: ActiveDirectoryDsc/ADObjectPermissionEntry
    properties: 
      Ensure: Present
      Path: "[concat('OU=Accounts,OU=Organization,', parameters('DomainRootPath'))]"
      IdentityReference: OU-Organization-Accounts-RWD
      ActiveDirectoryRights: 
        - GenericAll
      AccessControlType: Allow
      ObjectType: 00000000-0000-0000-0000-000000000000
      ActiveDirectorySecurityInheritance: Descendents
      InheritedObjectType: User # User"


  - name: Active Directory Organization-Accounts-Users OU Delegation Group Permissions Descendents
    type: ActiveDirectoryDsc/ADObjectPermissionEntry
    properties: 
      Ensure: Present
      Path: "[concat('OU=Users,OU=Accounts,OU=Organization,', parameters('DomainRootPath'))]"
      IdentityReference: OU-Organization-Accounts-Users-RWD
      ActiveDirectoryRights: 
        - GenericAll
      AccessControlType: Allow
      ObjectType: 00000000-0000-0000-0000-000000000000
      ActiveDirectorySecurityInheritance: Descendents
      InheritedObjectType: User # User

      ## User.NoSync

  - name: Active Directory Organization-Accounts-Users.NoSync OU Delegation Group Permissions Descendents
    type: ActiveDirectoryDsc/ADObjectPermissionEntry
    properties: 
      Ensure: Present
      Path: "[concat('OU=Users.NoSync,OU=Accounts,OU=Organization,', parameters('DomainRootPath'))]"
      IdentityReference: OU-Organization-Accounts-Users.NoSync-RWD
      ActiveDirectoryRights: 
        - GenericAll
      AccessControlType: Allow
      ObjectType: 00000000-0000-0000-0000-000000000000
      ActiveDirectorySecurityInheritance: Descendents
      InheritedObjectType: User # User

      
# Computer objects in the Organization-Devices OU are delegated to a security group with permissions to manage computer accounts and other objects within the OU effectively.

  - name: Active Directory Organization-Devices OU Delegation Group Permissions
    type: ActiveDirectoryDsc/ADObjectPermissionEntry
    properties: 
      Ensure: Present
      Path: "[concat('OU=Devices,OU=Organization,', parameters('DomainRootPath'))]"
      IdentityReference: OU-Organization-Devices-RWD
      ActiveDirectoryRights: 
        - GenericAll
      AccessControlType: Allow
      ObjectType: 00000000-0000-0000-0000-000000000000
      ActiveDirectorySecurityInheritance: Descendents
      InheritedObjectType: Computer # Computer objects


   

For granular OUs (like Users, Users.NoSync), the InheritedObjectType is set to User, restricting the ACE to apply only to user object descendants:

ActiveDirectorySecurityInheritance: Descendents
InheritedObjectType: User

This enforces the principle of least privilege — delegation group members can only manage user objects in their designated OU subtree.

config/ads.finegrained-password-policy.dsc.yaml — Fine-Grained Password Policies

Applies Password Settings Objects (PSOs) to privileged groups, enforcing stricter password rules than the default domain policy:

$schema: https://aka.ms/dsc/schemas/v3/bundled/config/document.json
metadata:
  name: ads-finegrained-password-policy-configuration
  version: 1.0.0
  description: Active Directory configuration for AD FineGrained Password Policy
  Microsoft.DSC:
    requiredSecurityContext: current # this is the default and just used as an example indicating this config works for admins and non-admins

parameters:
  DomainRootPath:
    type: string
    defaultValue: "DC=contoso,DC=com"
resources:

  - name: Active Directory ADFineGrainedPasswordPolicy - Domain Admins
    type: ActiveDirectoryDsc/ADFineGrainedPasswordPolicy
    properties: 
      Name: 'DomainAdmins'
      DisplayName: 'Domain Admins Password Policy'
      Description: 'This is the Fine Grained Password Policy for Domain Admins'
      Subjects: 
        - Domain Admins
      ComplexityEnabled: true
      LockoutDuration: '00:30:00'
      LockoutObservationWindow: '00:30:00'
      LockoutThreshold: 5
      MaxPasswordAge: '90.00:00:00'
      MinPasswordAge: '1.00:00:00'
      MinPasswordLength: 15
      PasswordHistoryCount: 6
      ReversibleEncryptionEnabled: false
      ProtectedFromAccidentalDeletion: true
      Precedence: 10

  - name: Active Directory ADFineGrainedPasswordPolicy - Enterprise Admins
    type: ActiveDirectoryDsc/ADFineGrainedPasswordPolicy
    properties: 
      Name: 'EnterpriseAdmins'
      DisplayName: 'Enterprise Admins Password Policy'
      Description: 'This is the Fine Grained Password Policy for Enterprise Admins'
      Subjects: 
        - Enterprise Admins
      ComplexityEnabled: true
      LockoutDuration: '00:30:00'
      LockoutObservationWindow: '00:30:00'
      LockoutThreshold: 5
      MaxPasswordAge: '90.00:00:00'
      MinPasswordAge: '1.00:00:00'
      MinPasswordLength: 15
      PasswordHistoryCount: 6
      ReversibleEncryptionEnabled: false
      ProtectedFromAccidentalDeletion: true
      Precedence: 11

Two PSOs are defined:

Lower Precedence numbers take priority when multiple PSOs apply to the same user.

Parameter Files

parameters/ads.parameters.yaml

Shared by most sub-configurations to supply the domain LDAP root path:

parameters:
  DomainRootPath: "DC=contoso,DC=com"

parameters/ads.admin-user.parameters.yaml

Provides all values required by the admin users configuration:

parameters:
  Password:
    username: AdminTest
    password: Password
  DomainRootPath: "DC=contoso,DC=com"
  DomainName: "contoso.com"

Deployment Workflow

Step 1 — Validate configuration (dry-run)

Before applying anything, use test mode to see what is out of compliance:

dsc config --parameters-file .\ads-root.dsc.parameters.yaml test `
  --file .\ads-root-forest.dsc.yaml

For the Stage 2 orchestrator:

dsc config --parameters-file .\ADS-Include\parameters\ads.parameters.yaml test `
  --file .\ADS-Include\ads.main.dsc.yaml

Step 2 — Apply Stage 1: Create the forest

Run this on the first server that will become the Domain Controller. The server will be promoted and — if SuppressReboot: false — will reboot automatically.

dsc config --parameters-file .\ads-root.dsc.parameters.yaml set `
  --file .\ads-root-forest.dsc.yaml

Step 3 — Apply Stage 2: Configure AD structure

After the DC is up and the domain is functional, run the main orchestrator from within the ADS-Include directory:

Set-Location .\ADS-Include

dsc config set --file .\ads.main.dsc.yaml

The Include resource resolves configurationFile paths relative to the location of ads.main.dsc.yaml, so the working directory must match.

Step 4 — Enable trace-level logging (troubleshooting)

If any resource fails, enable detailed output with --trace-level:

dsc --trace-level trace config --parameters-file .\parameters\ads.parameters.yaml set `
  --file .\ads.main.dsc.yaml

Available trace levels: error, warn, info, debug, trace

Step 5 — Re-validate after apply

Confirm the configuration converged successfully:

dsc config test --file .\ads.main.dsc.yaml

A fully converged configuration returns InDesiredState: true for every resource.

DSC v3 Concepts Used in This Project

Recommended Execution Checklist

• DSC v3 (dsc.exe) installed and in PATH
• ActiveDirectoryDsc module installed via PSGallery
• Running as a Domain Admin (or local Administrator for Stage 1)
• Passwords in parameter files replaced with vault-sourced values before Organization use
• dsc config test passes cleanly before dsc config set
• Stage 1 (forest creation) completes and DC reboots before running Stage 2
• Stage 2 executed from within the ADS-Include directory

Summary

This project demonstrates how DSC v3 can manage the full lifecycle of an Active Directory environment — from forest creation to a Organization-ready OU structure, delegation model, and password policies — using nothing but declarative YAML files.

The Microsoft.DSC/Include pattern is the architectural cornerstone: it allows each concern (OUs, users, groups, delegation, password policy) to live in its own file while a single orchestrator file (ads.main.dsc.yaml) ties them together. Combined with parameter files, the same set of configurations can target any domain simply by swapping the DomainRootPath and DomainName values.

This approach brings Active Directory configuration into the modern infrastructure-as-code world — auditable, reproducible, and version-controlled.

Links for more resources

• Microsoft DSCv3
• DSC community

This post shows a real-life example for using AzureDevOpsDscv3 inside an Azure DevOps pipeline. The goal is to define Azure DevOps projects, users, and groups as code, then apply the configuration in a controlled pipeline.

Scenario

You are onboarding a new product team. Every environment must have:

• A standard project created from a Git template
• A group created from Entra ID
• A baseline set of users

Instead of clicking in the UI, you use DSC v3 to declare everything, and the pipeline applies it consistently across environments.

Prerequisites

• Azure DevOps organization and a PAT with permissions to manage projects and users
• A self-hosted or Microsoft-hosted Windows agent
• PowerShell 7 and DSC v3 (dsc CLI)
• The AzureDevOpsDscv3 module from the PowerShell Gallery

In the pipeline we will install the required modules, so the agent stays clean and the process is repeatable.

Repository Layout

Example structure you can place in your repo:

.
├─ dsc
│  └─ ado.dsc.yaml
├─ pipelines
│  └─ ado-dsc.yml
└─ README.md

DSC v3 Configuration File

Below is a simplified config that creates a project, adds a user, and links an Entra ID group. Save it as dsc/ado.dsc.yaml.

$schema: https://aka.ms/dsc/schemas/v3/bundled/config/document.json
parameters:
	Token:
		type: string
		defaultValue: PAT-Token
resources:
- name: Configure Azure DevOps
	type: Microsoft.Windows/WindowsPowerShell
	properties:
		resources:
		- name: Create project
			type: AzureDevOpsDscv3/ProjectResource
			properties:
				Organization: ExampleOrganization
				ProjectName: Contoso-Platform
				Description: "Project created via DSC v3"
				pat: "[parameters('Token')]"
				SourceControlType: Git
				Ensure: Present
		- name: Add user
			type: AzureDevOpsDscv3/OrganizationUserResource
			properties:
				UserPrincipalName: dev1@contoso.com
				Organization: ExampleOrganization
				AccessLevel: Basic
				Ensure: Present
				pat: "[parameters('Token')]"
		- name: Add group
			type: AzureDevOpsDscv3/OrganizationGroupResource
			properties:
				GroupOriginId: 00000000-0000-0000-0000-000000000000
				GroupDisplayName: Contoso-DevTeam
				Organization: ExampleOrganization
				AccessLevel: Basic
				Ensure: Present
				pat: "[parameters('Token')]"

Notes:

• GroupOriginId is the Entra ID group object ID.
• pat is sourced from the Token parameter, which we inject in the pipeline.

Azure DevOps Pipeline

Create a pipeline YAML file, for example pipelines/ado-dsc.yml.

trigger:
- main

pool:
	vmImage: windows-latest

variables:
- name: DscConfigPath
	value: dsc/ado.dsc.yaml

steps:
- checkout: self

- task: PowerShell@2
	displayName: Install DSC v3 and AzureDevOpsDscv3
	inputs:
		pwsh: true
		targetType: inline
		script: |
			Set-StrictMode -Version Latest
			$ErrorActionPreference = 'Stop'

			#(Note: If you are on a 32-bit system, use .x86 instead).
            winget install Microsoft.VCRedist.2015+.x64 

            # Install latest stable
            winget install --id 9NVTPZWRC6KQ --source msstore
			Install-Module -Name AzureDevOpsDscv3 -Scope CurrentUser -Force
			dsc --version

- task: PowerShell@2
	displayName: Inject PAT and apply configuration
	inputs:
		pwsh: true
		targetType: inline
		script: |
			Set-StrictMode -Version Latest
			$ErrorActionPreference = 'Stop'

			$configPath = "$(DscConfigPath)"
			$tempPath = Join-Path $env:Agent_TempDirectory 'ado.dsc.yaml'

			(Get-Content $configPath -Raw) -replace 'PAT-Token', $env:ADO_PAT | Set-Content $tempPath

			dsc -l debug config set --file $tempPath
	env:
		ADO_PAT: $(ADO_PAT)

Secure the PAT

Create a variable in your Azure DevOps pipeline or a variable group:

• Name: ADO_PAT
• Type: secret

Keep the PAT scoped to the minimum permissions required to manage projects, users, and groups in your organization.

Run the Pipeline

1. Commit the DSC config and pipeline YAML.
2. Create a new pipeline from pipelines/ado-dsc.yml.
3. Run the pipeline.

The pipeline installs the required modules, injects the PAT into the config, and executes dsc config set to apply the desired state.

Real-World Tips

• Store multiple configs per environment and pass the file path as a pipeline parameter.
• Use a dedicated service account for the PAT to keep audit trails clean.
• Add a validation step that runs dsc config get (or dsc resource list) to verify expected resources.
• For production, add a manual approval gate between validation and apply.

Troubleshooting

• If dsc is not found, confirm the Microsoft.PowerShell.DSC module is installed and available in the pwsh session.
• If the pipeline fails to create a project, check the PAT scope and the Azure DevOps organization name.
• For group assignment, verify GroupOriginId is the Entra ID object ID, not the display name.

Closing

This pattern lets you manage Azure DevOps configuration as code with minimal drift. Start small with one project and a few users, then expand to include repos, pipelines, and permissions in a controlled, repeatable way.

Building a well-structured and secure network in Azure is one of the foundational steps toward a successful cloud deployment. Whether you’re migrating workloads, designing new environments, or improving existing infrastructure, Azure networking provides powerful tools to help you design for scalability, performance, and governance.

In this post, we’ll walk through the core principles and best practices for building a network in Azure — from initial planning to advanced connectivity options.

🧭 Start with the Azure Landing Zone Concept

Before diving into subnets and IP ranges, it’s crucial to understand the Azure Landing Zone model.

Microsoft defines an Azure Landing Zone as an environment that implements key design principles across eight design areas — governance, security, identity, networking, operations, management, and more. It ensures that your environment can scale and support multiple applications and workloads consistently.

Platform vs Application Landing Zones

Azure uses subscriptions to isolate and scale resources:

• Platform landing zones host shared services like networking, identity, and monitoring.
• Application landing zones host workloads and apps.

This separation allows for cleaner management boundaries, better security, and easier automation.

🕸️ Designing Your Network Topology

One of the most common approaches for Azure networking is the hub-and-spoke topology.

Hub-and-Spoke Model

In this model:

• The hub is the central network that hosts shared components like firewalls, DNS, or VPN gateways.
• The spokes are individual VNets (Virtual Networks) that connect to the hub and host application workloads.

This approach provides:

• Centralized management of connectivity and security.
• Isolation between applications.
• Easier integration with on-premises networks.

You can also use Azure Virtual Network Manager to create and manage:

• Hub-and-spoke topology
• Mesh topology (in preview)
• Hybrid hub-spoke with direct spoke-to-spoke connectivity

🧱 Planning Your Network

Mapping on-premises network to Azure network

Mapping VLANs to Azure networking depends on how and where you’re connecting Azure to your on-premises or extended network. Azure itself doesn’t use VLANs internally—it uses Virtual Networks (VNets) for segmentation—but VLANs still matter when you’re integrating Azure with your physical or hybrid infrastructure.

• Use subnets within a VNet to logically segment traffic (similar to VLANs).
• Apply Network Security Groups (NSGs) or Azure Firewall rules for isolation.
• VLAN tagging or trunking is not available between Azure VMs or subnets.

Naming Conventions

A consistent naming convention is the foundation of an organized environment.
Follow Microsoft’s Cloud Adoption Framework recommendations for naming standards:

[Cloud Adoption Framework

Microsoft Learn](https://learn.microsoft.com/azure/cloud-adoption-framework/)

IP Addressing

When planning your VNets and subnets, avoid overlapping with your on-premises or partner networks.

Common private address ranges:

• 10.0.0.0/8
• 172.16.0.0/12
• 192.168.0.0/16
• 100.64.0.0/10 (shared address space)

Keep subnet masks small, such as /28 or /26, to maintain flexibility and minimize wasted IPs.

Remember:

Azure reserves certain IPs in every subnet:

• .0 — network address
• .1 — default gateway
• .2 and .3 — Azure DNS mapping
• .255 — broadcast address

Subnet nameing and functionality example

Subnet ranges

Tool for to help design your subnets

Visual Subnet Calculator

The Visual Subnet Calculator is a free, browser-based tool designed to assist network administrators and IT professionals in subnetting IPv4 networks.
It offers a straightforward interface to quickly visualize and manage subnets without requiring advanced mathematical calculations.

Visual Subnet Calculator

🔐 Security and Access

Security starts with Network Security Groups (NSGs) is easier to unblock traffic, then setup block rules on production environment.
It’s a best practice to:

• Create custom rules.
• Block all inbound and outbound traffic by default.
• Explicitly allow only what’s required.

🔗 Private Connectivity

When connecting Azure services privately:

• Use Private Link for secure, private access to Azure services like Storage, SQL, and Key Vault.
• Use Private DNS Zones to manage DNS resolution for private endpoints.
  • A single Private DNS Zone can be linked to multiple VNets.
  • No need to deploy a separate DNS resolver for every network.

Microsoft DNS: Azure IP address 168.63.129.16 is a virtual public IP address that facilitates communication channels to Azure platform resources. Customers can define any address space for their private virtual network in Azure. Therefore, the Azure platform resources must be presented as a unique public IP address

🔍 Monitoring Your Network

Don’t forget about visibility and diagnostics.
Use Network Watcher to:

• Monitor traffic flows.
• Diagnose connectivity issues.
• Capture packets and analyze performance.

🧰 Is One Subscription Enough?

For small environments, a single Azure subscription can be sufficient.
However, for larger organizations, multiple subscriptions provide better scalability, governance, and isolation between workloads or teams.

Example of building and envoling network in azure for organization

Example for organization with one Azure subscription

Example 1

• One Azure subscription
• One Azure Virtual Network
• Azure Virtual Network with subntes (segmentation)
• Network Secuirty groups for all subnetes with DenyRules for Inbound / Outbound
• Azure Virtual Gateway for Site to Site VPN connection
• Azure Nat Gateway for NAT outbound traffic

Example 2

• One Azure subscription
• One Azure Virtual Network
• Azure Virtual Network with subntes (segmentation)
• Network Secuirty groups for all subnetes with DenyRules for Inbound / Outbound
• Azure Virtual Gateway for Site to Site VPN connection
• Azure Nat Gateway for NAT outbound traffic
• Azure Private DNS zones dedicated for Azure SQL services
• Azure privet link for Azure SQL server
• Azure SQL server without any Internet access

Example 2

• One Azure subscription
• One Azure Virtual Network
• Azure Virtual Network with subntes (segmentation)
• Network Secuirty groups for all subnetes with DenyRules for Inbound / Outbound
• Azure Virtual Gateway for Site to Site VPN connection
• Azure Nat Gateway for NAT outbound traffic
• Azure Private DNS zones dedicated for Azure SQL services
• Azure privet link for Azure SQL server
• Azure SQL server without any Internet access
• Azure Firewall that inspect all traffic between subnets
• Azure user definie route to pass traffic between subnets over Azure firewall

Example for organization with multiple Azure subscription (Hub)

Example 1

• 3 Azure subscription
• 3 Azure Virtual Network
• Azure Virtual Network with subntes (segmentation)
• Network Secuirty groups for all subnetes with DenyRules for Inbound / Outbound
• Azure Virtual Gateway for Site to Site VPN connection
• Azure Nat Gateway for NAT outbound traffic
• Azure Private DNS zones dedicated for Azure SQL services
• Azure privet link for Azure SQL server

• 3 Azure subscription
• 3 Azure Virtual Network
• Azure Virtual Network with subntes (segmentation)
• Network Secuirty groups for all subnetes with DenyRules for Inbound / Outbound
• Azure Virtual Gateway for Site to Site VPN connection
• Azure Nat Gateway for NAT outbound traffic
• Azure Private DNS zones dedicated for Azure SQL services
• Azure privet link for Azure SQL server
• Azure Network Manager

⚙️ Tips and Best Practices

• Create good naming convention
• Keep it simple
• Subnet with small mask like 28 / 26
• One Virtual Network per Azure Subscription per region
• Use NAT gateway
• Avoid overlap network spaces with you on-premises environment
• Use Hub spoken network if it’s needed
• Not all resources need to have privet access
• DNS resolving is important – all azure resources work over HTTPS
• Good description of routing tables
• Private DNS Zones can be linked to multiple Vnet don’t need to user DNS resolver
• NSG create custom rule block all Inboud / Outboud traffic
• For internet access, use NAT Gateways instead of assigning public IPs directly to VMs.

🧩 Summary

Building a robust Azure network requires thoughtful design and attention to detail.
Start with a solid landing zone, plan your IPs and subnets carefully, use secure connectivity methods, and monitor everything.

When done right, your Azure network becomes the backbone for all your cloud workloads — secure, scalable, and future-proof.

Author: Michał Machniak
System Administrator / Cloud Architect / DevOps
mmachniak.net

“Automate everything you can — but plan your network manually first.”

When working with Azure Arc–enabled servers, you often need to control access in a way that doesn’t fit the built-in roles provided by Azure. While roles like Reader, Contributor, or Azure Connected Machine Onboarding cover many scenarios, they might either grant too many permissions or not enough.

That’s where custom roles come in. By defining a custom role, you can tailor access so that users, groups, or service principals only get the permissions they actually need — nothing more, nothing less.

Why Create a Custom Role for Azure Arc?

Some common scenarios include:

• Delegated administration: Allowing specific teams to manage extensions or policies on Arc-enabled machines, without giving them full subscription-wide rights.

• Security hardening: Enforcing least-privilege access so that hybrid server operators can perform their job without unnecessary permissions.

• Operational separation: Letting one team onboard servers, while another team manages monitoring or updates.

For example, you may want a role that only allows installation and management of VM extensions (like Azure Monitor Agent or Defender for Cloud extensions) on Arc servers — but nothing else.

Step 1: Identify the Required Permissions

Azure roles are defined as sets of Actions and NotActions. For Azure Arc hybrid compute, common permissions include:

• Microsoft.HybridCompute/machines/read – View Arc machines

• Microsoft.HybridCompute/machines/extensions/* – Manage extensions

• Microsoft.HybridCompute/machines/write – Update properties (if needed)

You can explore available permissions with:

az provider operation show --namespace Microsoft.HybridCompute

Step 2: Define the Custom Role JSON

Save the following as ArcOperator.json:

{
  "Name": "[Custom] Azure Arc Operator",
  "IsCustom": true,
  "Description": "View, update patch managment for hybride VM.",
  "Actions": [
                    "*/read",
                    "Microsoft.HybridCompute/operations/read",
                    "Microsoft.HybridCompute/osType/agentVersions/read",
                    "Microsoft.HybridCompute/osType/agentVersions/latest/read",
                    "Microsoft.HybridCompute/machines/read",
                    "Microsoft.HybridCompute/machines/installPatches/action",
                    "Microsoft.HybridCompute/machines/listAccessDetails/action",
                    "Microsoft.HybridCompute/machines/UpgradeExtensions/action",
                    "Microsoft.HybridCompute/machines/assessPatches/action",
                    "Microsoft.HybridCompute/machines/addExtensions/action",
                    "Microsoft.HybridCompute/machines/patchInstallationResults/read",
                    "Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read",
                    "Microsoft.HybridCompute/machines/extensions/read",
                    "Microsoft.HybridCompute/machines/extensions/write",
                    "Microsoft.HybridCompute/machines/extensions/delete",
                    "Microsoft.HybridCompute/machines/patchAssessmentResults/read",
                    "Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read",
                    "Microsoft.HybridCompute/machines/runcommands/read",
                    "Microsoft.HybridCompute/machines/runcommands/write",
                    "Microsoft.HybridCompute/machines/runcommands/delete",
                    "Microsoft.HybridCompute/machines/write"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/<SUBSCRIPTION_ID>" # Can be Managment group / Resource group
  ]
}

Step 3: Create the Role in Azure

Use the Azure CLI to create the role:

az role definition create –role-definition ./ArcOperator.json

To verify:

az role definition list --name "[Custom] Azure Arc Operator"

Step 4: Assign the Role

Assign the role to a user, group, or managed identity:

az role assignment create \
  --assignee <USER_OR_SP_OBJECT_ID> \
  --role "Arc Extension Operator" \
  --scope /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>

This ensures that the principal can only manage Arc extensions within the defined scope.

Conclusion

Azure Arc custom roles let you implement least-privilege access for hybrid servers. By carefully crafting role definitions, you can give teams exactly the permissions they need — no more, no less.

This approach improves security, simplifies operations, and ensures compliance with enterprise governance requirements.

In large, multi-subscription environments, such as Azure Landing Zones, managing identity and access at scale is a constant challenge. Security groups are a key component of Azure RBAC (Role-Based Access Control), enabling centralized control of permissions for teams and workloads. While you can configure them manually in the Azure Portal, Infrastructure as Code (IaC) ensures consistency, repeatability, and compliance.

With Bicep and the Microsoft Graph extension, we can define security groups and assign Azure roles programmatically—integrating identity management directly into our landing zone deployment workflows

Why Use the Microsoft Graph Extension in Bicep?

By default, Bicep focuses on Azure Resource Manager (ARM) resources. However, security groups in Entra ID (formerly Azure AD) are not ARM resources—they are managed through Microsoft Graph. The Bicep Graph extension bridges this gap, enabling you to:

• Create Azure AD / Entra ID security groups.

• Assign users or service principals to those groups.

• Bind those groups to Azure roles within subscriptions or resource groups.

• This allows a single Bicep deployment to set up both your Azure resources and the associated identity access controls.

Example of code : Creating a Security Group and Assigning a Role

/*
SUMMARY: The Management Groups module deploys a management group hierarchy in a customer's tenant under the 'Tenant Root Group'.
DESCRIPTION: Management Group hierarchy is created through a tenant-scoped Azure Resource Manager (ARM) deployment.  The hierarchy is:
  * Tenant Root Group
      * Organization
        ** Platform
        ** DEV
        ** STAGE
        ** PROD
      * Default - new onborded subscriptions
AUTHOR/S: Michał Machniak
VERSION: 1.0
Logs: Get-AzTenantDeployment -id /providers/Microsoft.Resources/deployments/azl | Get-AzTenantDeploymentOperation
Logs: Get-AzTenantDeployment -id /providers/Microsoft.Resources/deployments/azl-rbac | Get-AzTenantDeploymentOperation
*/

targetScope = 'tenant'

extension 'br:mcr.microsoft.com/bicep/extensions/microsoftgraph/beta:1.0.0' // Load beta extension
extension 'br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:1.0.0' // Load v1.0 extension

///////////////////////// PARAMETERS /////////////////////////

param par_list_secuirty_groups_name array = [
  {
    name: 'GAL-AAD-MG-Organization-Org-Reader'
    description: 'Security group with permissions to read the management group hierarchy'
    role: 'Reader'
    securityEnabled: true
    mailEnabled: false // Need to be false is not supported by v1.0 and beta
    uniqueName: 'GALAADMGXYZOrgOrgReader' // No whitspaces allowed
    MangmentGroupId: 'Organization' // Management Group ID to assign the group to
  }
  {
    name: 'GAL-AAD-MG-Organization-Contributor'
    description: 'Security group with permissions to contribute to the management group hierarchy'
    role: 'Contributor'
    securityEnabled: true
    mailEnabled: false // Need to be false is not supported by v1.0 and beta
    uniqueName: 'GALAADMGXYZOrgOrgContributor' // No whitspaces allowed
    MangmentGroupId: 'Organization' // Management Group ID to assign the group to
  }
  {
    name:'GAL-AAD-MG-Organization-Owner'
    description: 'Security group with permissions to manage the management group hierarchy'
    role: 'Owner'
    securityEnabled: true
    mailEnabled: false // Need to be false is not supported by v1.0 and beta
    uniqueName: 'GALAADMGXYZOrgOrgOwner' // No whitspaces allowed
    MangmentGroupId: 'Organization' // Management Group ID to assign the group to
  }
  // Dev Groups
  {
    name: 'GAL-AAD-MG-DEV-Reader'
    description: 'Security group with permissions to read the management group hierarchy'
    role: 'Reader'
    securityEnabled: true
    mailEnabled: false // Need to be false is not supported by v1.0 and beta
    uniqueName: 'GALAADMGDEVReader' // No whitspaces allowed
    MangmentGroupId: 'DEV' // Management Group ID to assign the group to
  }
  {
    name: 'GAL-AAD-MG-DEV-Contributor'
    description: 'Security group with permissions to contribute to the management group hierarchy'
    role: 'Contributor'
    securityEnabled: true
    mailEnabled: false // Need to be false is not supported by v1.0 and beta
    uniqueName: 'GALAADMGDEVContributor' // No whitspaces allowed
    MangmentGroupId: 'DEV' // Management Group ID to assign the group to

  }
  {
    name:'GAL-AAD-MG-DEV-Owner'
    description: 'Security group with permissions to manage the management group hierarchy'
    role: 'Owner'
    securityEnabled: true
    mailEnabled: false // Need to be false is not supported by v1.0 and beta
    uniqueName: 'GALAADMGDEVOwner' // No whitspaces allowed
    MangmentGroupId: 'DEV' // Management Group ID to assign the group to
  }
  // Prod groups
  {
    name: 'GAL-AAD-MG-PROD-Reader'
    description: 'Security group with permissions to read the management group hierarchy'
    role: 'Reader'
    securityEnabled: true
    mailEnabled: false // Need to be false is not supported by v1.0 and beta
    uniqueName: 'GALAADMGPRODReader' // No whitspaces allowed
    MangmentGroupId: 'PROD' // Management Group ID to assign the group to
  }
  {
    name: 'GAL-AAD-MG-PROD-Contributor'
    description: 'Security group with permissions to contribute to the management group hierarchy'
    role: 'Contributor'
    securityEnabled: true
    mailEnabled: false // Need to be false is not supported by v1.0 and beta
    uniqueName: 'GALAADMGPRODContributor' // No whitspaces allowed
    MangmentGroupId: 'PROD' // Management Group ID to assign the group to

  }
  {
    name:'GAL-AAD-MG-PROD-Owner'
    description: 'Security group with permissions to manage the management group hierarchy'
    role: 'Owner'
    securityEnabled: true
    mailEnabled: false // Need to be false is not supported by v1.0 and beta
    uniqueName: 'GALAADMGPRODOwner' // No whitspaces allowed
    MangmentGroupId: 'PROD' // Management Group ID to assign the group to
  }
    // Prod Default
  {
    name: 'GAL-AAD-MG-Default-Reader'
    description: 'Security group with permissions to read the management group hierarchy'
    role: 'Reader'
    securityEnabled: true
    mailEnabled: false // Need to be false is not supported by v1.0 and beta
    uniqueName: 'GALAADMGDefualtReader' // No whitspaces allowed
    MangmentGroupId: 'Default' // Management Group ID to assign the group to
  }
  {
    name: 'GAL-AAD-MG-Default-Contributor'
    description: 'Security group with permissions to contribute to the management group hierarchy'
    role: 'Contributor'
    securityEnabled: true
    mailEnabled: false // Need to be false is not supported by v1.0 and beta
    uniqueName: 'GALAADMDefualtContributor' // No whitspaces allowed
    MangmentGroupId: 'Default' // Management Group ID to assign the group to
  }
  {
    name:'GAL-AAD-MG-Default-Owner'
    description: 'Security group with permissions to manage the management group hierarchy'
    role: 'Owner'
    securityEnabled: true
    mailEnabled: false // Need to be false is not supported by v1.0 and beta
    uniqueName: 'GALAADMGDefualtOwner' // No whitspaces allowed
    MangmentGroupId: 'Default' // Management Group ID to assign the group to
  }

]


resource res_secuirty_group_alz 'Microsoft.Graph/groups@beta' = [for sec_group in par_list_secuirty_groups_name: {
  displayName: sec_group.name
  description: sec_group.description
  securityEnabled: true
  mailEnabled: false // Need to be false is not supported by v1.0 and beta
  mailNickname: toLower('${sec_group.name}')
  owners: {
    relationships: []
  }
  members: {
    relationships: []
  }
  uniqueName: sec_group.uniqueName  // No whitspaces allowed

}]



// Assign security groups to management groups - need delay against the creation of the security groups

module mod_mg_role_permissions '.modules/RoleAssigment/managmentGroups.bicep' = [for i in range(0, length(par_list_secuirty_groups_name)) : {
  name: guid(par_list_secuirty_groups_name[i].name)
  scope: managementGroup('${par_list_secuirty_groups_name[i].MangmentGroupId}')
  params: {
    principalId: res_secuirty_group_alz[i].id
    roleDefinitionIdOrName: par_list_secuirty_groups_name[i].role
    managementGroupId: par_list_secuirty_groups_name[i].MangmentGroupId
  }
  dependsOn: [
    res_secuirty_group_alz
  ]
}]

output out_groups_id array = [for i in range(0, length(par_list_secuirty_groups_name)): res_secuirty_group_alz[i].id]

Example Deployment Command:

New-AzTenantDeployment -Location "North Europe" -Name "AAD-v2" -TemplateFile .\main-aad-loop.bicep

az deployment sub tenant --location northeurope --template-file .\main-aad-loop.bicep

Link to repo with code:

You can find code example in my GitHub repository: Github Bicep code example

Know issue

When you create security groups in EntraID, it will take time for Graph API to procced chnages, so you can see that assigne permissions will faild because object wasn not found in Entra I, so this will required to rerun bicep as EntraID need some time.

Conclusion

By using the Microsoft Azure Bicep Graph extension, you can extend your IaC workflows beyond Azure resources, directly into identity and access management. This approach helps ensure that your Azure Landing Zone deployments are secure, consistent, and repeatable—with all permissions configured as code.

The Microsoft Entra (Graph in v1 and beat) Bicep Extension allows you to provision and manage Microsoft Entra ID (formerly Azure AD) resources using Bicep, extending Infrastructure as Code beyond Azure resources into identity management.

Bicep works only with Azure Resource Manager (ARM) resources. With this extension, you can deploy and configure Entra ID:

• Applications: Bicep Applications
• Service Principals: Bicep Service Principals
• App Roles & API Permissions: Bicep App Roles & API Permissions
• Federated idenity cedentials: Bicep Federated idenity cedentials:
• Groups & Group Membership (no mailenabled / distribution): Bicep Groups & Group Membership
• Users (ReadOnly mode): Bicep Users

This is powered by Microsoft Graph API under the hood, so changes made through Bicep are reflected directly in Entra ID.

Key Benefits:

• Unified IaC – manage Azure and Entra resources in a single Bicep deployment
• Automated Identity Management – create apps, assign roles, and manage groups as code
• CI/CD Ready – integrate identity provisioning into DevOps pipelines

Microsoft Artifact Registry

Extension verions can be found in Microsoft Artifact Registry

Microsoft Graph Bicep Extension (beta): https://mcr.microsoft.com/artifact/mar/bicep/extensions/microsoftgraph/beta/tags
Microsoft Graph Bicep Extension: https://mcr.microsoft.com/artifact/mar/bicep/extensions/microsoftgraph/v1.0/tags

Example of code

Example below deploy secuirty group in two verions of API:

extension 'br:mcr.microsoft.com/bicep/extensions/microsoftgraph/beta:1.0.0' // Load beta extension
extension 'br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:1.0.0' // Load v1.0 extension

resource res_account_v1 'Microsoft.Graph/users@v1.0' existing = {
  userPrincipalName: 'Tomasz.Oscypek@sys4ops.pl' // Existing user only supported in this edition
}

output accountId_v1 string = res_account_v1.id


resource res_account_beta 'Microsoft.Graph/users@beta' existing = {
  userPrincipalName: 'Tomasz.Oscypek@sys4ops.pl' // Existing user only supported in this edition
}

output accountId_beta string = res_account_beta.id


resource res_secuirty_group_beta 'Microsoft.Graph/groups@beta' = {
  displayName: 'Bicep Beta Security Group'
  description: 'Security group created by Bicep Beta extension'
  securityEnabled: true
  mailEnabled: false // Need to be false is not supported by v1.0 and beta
  mailNickname: 'bicep-beta-security-group'
  owners: {
    relationships: [res_account_beta.id]
  }
  uniqueName: 'BicepBetaSecurityGroup' // No whitspaces allowed

}

resource res_secuirty_group_v1 'Microsoft.Graph/groups@beta' = {
  displayName: 'Bicep Security Group'
  description: 'Security group created by Bicep extension'
  securityEnabled: true
  mailEnabled: false // Need to be false is not supported by v1.0 and beta
  mailNickname: 'bicep-security-group'
  uniqueName: 'BicepSecurityGroup' // No whitspaces allowed
  members: {
    relationships: [res_account_v1.id]
  }


}

Deploy options

We can deploy this code on any target scope as it support, and using Azure CLI or PowerShell. For troubleshooting is better to deploy on Resource Group or Subscription as it is easy to read deployment logs and check mistakes, example descibe below.

New-AzDeployment -Location "North Europe" -Name "AAD" -TemplateFile .\main-aad.bicep

New-AzResourceGroupDeployment -ResourceGroupName "D-AUT-ITW" -Name "AAD" -TemplateFile .\main-aad.bicep

Example deploy on tenat level and logs

New-AzDeployment -Location "North Europe" -Name "AAD" -TemplateFile .\main-aad.bicep  

Error message that was outputed on console:

New-AzDeployment: 17:24:23 - The deployment 'AAD' failed with error(s). Showing 2 out of 2 error(s).
Status Message: {"error":{"code":"Forbidden","target":"/resources/res_secuirty_group_v1","message":"Insufficient privileges to complete the operation. Graph client request id: cde03e9e-5a5c-48f1-83cb-3e1d385d3cb5. Graph request timestamp: 2025-07-31T15:24:20Z."}} (Code:DeploymentOperationFailed)

Status Message: {"error":{"code":"Forbidden","target":"/resources/res_secuirty_group_beta","message":"Insufficient privileges to complete the operation. Graph client request id: 9b988e59-3ad3-4d27-b60c-4560513d2325. Graph request timestamp: 2025-07-31T15:24:20Z."}} (Code:DeploymentOperationFailed)

CorrelationId: d95e67b1-ce6a-40d2-a9f4-31e16566d235

Issue in code was find when deployment was change to Resource Group

<code id='' style='white-space:pre-wrap'><div>{"error":{"code":"BadRequest","target":"/resources/res_secuirty_group_v1","message":"Property 'UniqueName' cannot contain whitespace. Graph client request id: 9296c621-e36a-4c80-b704-a7e9baf37096. Graph request timestamp: 2025-07-31T15:29:23Z."}}</div></code></br> (Code: DeploymentOperationFailed)

Quick templates from Microsoft

https://github.com/microsoftgraph/msgraph-bicep-types/tree/main/quickstart-templates

Azure Arc extends the power of Azure to your on-premises and multi-cloud environments. One great feature it enables is logging into Linux servers using Entra ID (formerly Azure AD). This provides centralized identity management, RBAC, and conditional access for your Linux infrastructure. In this post, I’ll walk you through how to enable and use Entra ID to log in to a Linux server connected to Azure Arc.

Prerequisites

• A Linux server connected to Azure Arc.
• Azure CLI installed.
• You are an Entra ID user with at least Virtual Machine User Login role.
• Azure Connected Machine agent is installed and running.

Step 1: Enable Entra ID Login on the Arc-Enabled Server

az connectedmachine extension create \
  --machine-name <server-name> \
  --resource-group <resource-group> \
  --location <location> \
  --name AADSSHLoginForLinux \
  --publisher Microsoft.Azure.ActiveDirectory \
  --type AADSSHLoginForLinux \
  --type-handler-version 1.0

Note: Replace server-name, resource-group, and location with appropriate values.

Step 2: Assign Entra ID Role

Assign the Virtual Machine User Login role (or Virtual Machine Administrator Login if you need sudo access) to a user or group for the connected machine resource:

az role assignment create \
  --assignee <user-object-id or user-UPN> \
  --role "Virtual Machine User Login" \
  --scope "/subscriptions/<sub-id>/resourceGroups/<resource-group>/providers/Microsoft.HybridCompute/machines/<server-name>"

Step 3: Install AAD Login Extension (if not already installed)

Check if the extension is installed:

ls /var/lib/waagent/custom-script/

You can also verify via the Azure portal under the “Extensions + applications” blade of the Arc server.

Step 4: Login to the Server Using az ssh or ssh with AAD

If using the Azure CLI az ssh command:

az ssh arc --subscription <subscription-id> --resource-group <resource-group> --name <server-name>

Alternatively, sign in to Azure Linux VMs with Microsoft Entra ID supports exporting the OpenSSH certificate and configuration. That means you can use any SSH clients that support OpenSSH-based certificates to sign in through Microsoft Entra ID

Export SSH configuration for Virtual Machnine

az ssh config --file ~/.ssh/config --ip <server-fqdn or IP>

Import configuration on local SSh client (Windows example)

Create config files for host with on local SSH client in .ssh folder

Host 172.19.0.20
	User michal.machniak@xxxxx.pl
	CertificateFile "C:/Users/Administrator.AD/.ssh/az_ssh_config/172.19.0.20/id_rsa.pub-aadcert.pub"
	IdentityFile "C:/Users/Administrator.AD/.ssh/az_ssh_config/172.19.0.20/id_rsa"

Connect from local to server using Entra ID credentianls

ssh <entra-username>@<server-fqdn or IP>

Your SSH client must support OpenSSH and be configured to request tokens. If needed, install Azure CLI login extension:

az extension add --name ssh

Step 5: Troubleshooting Tips

Ensure your user is assigned the proper Entra ID role.

Make sure the AADSSHLoginForLinux extension is in “Provisioning succeeded” state.

Check /var/log/auth.log on the server for login errors.

Use az ssh arc -d for debugging SSH connection.

Summary

Logging in to Linux servers with Entra ID via Azure Arc improves your security posture and simplifies identity management. By following these steps, you can ensure secure, role-based access to your Arc-connected servers with the power of Entra ID.

• Azure CLI installed

Generate public and private key for new administrator

Create an administrative/sudo user or revoke exsiting one

In Azure CLI, login to your account then setup subscription that is hosting VM, and run Azure CLI command with those options:

• –resource-group - Name of resource group that is hosting Virtula Machine.
• –name - name of Virtula Machnine
• –username - new administrator account name or existing one.
• –ssh-key-value - path to your saved public SSH key. ``` az login az account set –subscription “xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx” az vm user update –resource-group rg-admin-001 –name vm-linuxadmin –username revokeadmin –ssh-key-value “C:\Temp\SSH\azure-admin-vm-public-key.pub”

```

Connect to Virtula Machine using new account and SSH key (PuttY example)

1. Start PuTTY
2. Enter IP address of Virtual Machnine

1. On menu naviagate to Connection –> Data and enter admini login

   

2. On menu naviagate to Connection –> SSH –> Auth –> Credentials and load Private key located on the local storage.

   

3. Connect to VM with new sudo administrator account.

• Storage Account in different tenants.
• Az PowerShell module.

Configuration

Configuration to setup in each storage account, we need to allow object replication between diffrent tenants.

1. Navigate to Storage Account
2. In navigation go to Object replication
3. In context menu go to Advanced Settings

4. Allow cross tenant object access

   

   

Confiuration destination storage account

1. Prepare policy file in destination storage account
   • ruleId - for each blob need to unique guid
   • minCreationTime - For sync all content we need to setup date / time before day of creation
   • sourceAccount - object ID of source storage account
   • destinationAccount - object ID of destinationAccount storage account

{
  "properties": {
    "sourceAccount": "/subscriptions/xxxxxxxxxxxxxxxxxxxxxx/resourceGroups/RG_name_source/providers/Microsoft.Storage/storageAccounts/storageaccount_name_source",
    "destinationAccount": "/subscriptions/xxxxxxxxxxxxxxxxxxxxxx/resourceGroups/RG_name_destination/providers/Microsoft.Storage/storageAccounts/storageaccount_name_destination",
    "rules": [
      {
        "ruleId": "1f45eace-d5fb-4e8e-9e1c-cf8219615644", // Rule ID need to be guid random generated
        "sourceContainer": "dms5",
        "destinationContainer": "dms5",
        "filters": {
          "minCreationTime": "1601-01-01T00:00:00Z" // For sync all content we need to setup date / time before day of creation
        }
      },
      {
        "ruleId": "0fa15940-e42e-4a25-959e-88f8132eaf9b",
        "sourceContainer": "h0472",
        "destinationContainer": "h0472",
        "filters": {
          "minCreationTime": "1601-01-01T00:00:00Z"
        }
      },
      {
        "ruleId": "3bfa51f9-a4fb-4acf-a59a-8c5af8e4d61b",
        "sourceContainer": "h0473",
        "destinationContainer": "h0473",
        "filters": {
          "minCreationTime": "1601-01-01T00:00:00Z"
        }
      },
      {
        "ruleId": "d5be2cea-7459-4dbb-865a-11c4f53ae3b1",
        "sourceContainer": "h0781",
        "destinationContainer": "h0781",
        "filters": {
          "minCreationTime": "1601-01-01T00:00:00Z"
        }
      },
      {
        "ruleId": "5822c0c4-8b66-425f-8120-1f7d678737d7",
        "sourceContainer": "h0984",
        "destinationContainer": "h0984",
        "filters": {
          "minCreationTime": "1601-01-01T00:00:00Z"
        }
      },
      {
        "ruleId": "ec69dd0d-44d7-446e-b447-e5311e232241",
        "sourceContainer": "h1142",
        "destinationContainer": "h1142",
        "filters": {
          "minCreationTime": "1601-01-01T00:00:00Z"
        }
      },
      {
        "ruleId": "6f5fad1b-39ea-4d42-ad86-6c73719a4b66",
        "sourceContainer": "h1871",
        "destinationContainer": "h1871",
        "filters": {
          "minCreationTime": "1601-01-01T00:00:00Z"
        }
      },
      {
        "ruleId": "6f0a0272-24de-42cc-bccc-359edeafe71f",
        "sourceContainer": "h1988",
        "destinationContainer": "h1988",
        "filters": {
          "minCreationTime": "1601-01-01T00:00:00Z"
        }
      },
      {
        "ruleId": "848fd02e-1ab9-4e82-8f19-569e05abdba5",
        "sourceContainer": "h2161",
        "destinationContainer": "h2161",
        "filters": {
          "minCreationTime": "1601-01-01T00:00:00Z"
        }
      },
      {
        "ruleId": "db855105-a5d3-4202-9874-49386d94ba69",
        "sourceContainer": "h2907",
        "destinationContainer": "h2907",
        "filters": {
          "minCreationTime": "1601-01-01T00:00:00Z"
        }
      },
      {
        "ruleId": "6df9d571-93a5-4e6c-bb55-e9040b29e88c",
        "sourceContainer": "h3054",
        "destinationContainer": "h3054",
        "filters": {
          "minCreationTime": "1601-01-01T00:00:00Z"
        }
      },
      {
        "ruleId": "85235bc7-8852-4631-b19b-e8b30119966e",
        "sourceContainer": "h3118",
        "destinationContainer": "h3118",
        "filters": {
          "minCreationTime": "1601-01-01T00:00:00Z"
        }
      },
      {
        "ruleId": "6bb2c27c-c649-4d60-b603-20280871ccca",
        "sourceContainer": "h3254",
        "destinationContainer": "h3254",
        "filters": {
          "minCreationTime": "1601-01-01T00:00:00Z"
        }
      },
      {
        "ruleId": "615a2c0d-a803-491b-b1df-2d74be197ea0",
        "sourceContainer": "h3263",
        "destinationContainer": "h3263",
        "filters": {
          "minCreationTime": "1601-01-01T00:00:00Z"
        }
      },
      {
        "ruleId": "dfd63c9d-60e2-4806-8b55-f01cc308677c",
        "sourceContainer": "h3264",
        "destinationContainer": "h3264",
        "filters": {
          "minCreationTime": "1601-01-01T00:00:00Z"
        }
      },
      {
        "ruleId": "77701a25-2dca-4fd3-8b4f-590f12324471",
        "sourceContainer": "h3265",
        "destinationContainer": "h3265",
        "filters": {
          "minCreationTime": "1601-01-01T00:00:00Z"
        }
      }
    ]
  }
}

1. Logon to https://portal.azure.com
2. Navigate to Storage Account
3. In navigation go to Object replication and Upload Rules
4. Check that rules include all object and destination and source is correct.

Confiuration source storage account object replication policy

1. Get object replication rule ID on destination storage account.

Get-AzStorageObjectReplicationPolicy -ResourceGroupName "RG_name_destination" -StorageAccountName "storageaccount_name_destination""

1. Prepare policy file in destination storage account
   • ruleId - for each blob need to unique guid
   • minCreationTime - For sync all content we need to setup date / time before day of creation
   • sourceAccount - object ID of source storage account
   • destinationAccount - object ID of destinationAccount storage account
   • policyId - policy ID of uploaded replication rules in destination storage account.

{
  "properties": {
    "policyId": "a50abfe6-68df-xxxx-xxxx-013b9f2a5050",
    "sourceAccount": "/subscriptions/xxxxxxxxxxxxxxxxxxxxxx/resourceGroups/RG_name_source/providers/Microsoft.Storage/storageAccounts/storageaccount_name_source",
    "destinationAccount": "/subscriptions/xxxxxxxxxxxxxxxxxxxxxx/resourceGroups/RG_name_destination/providers/Microsoft.Storage/storageAccounts/pstorageaccount_name_destination",
    "rules": [
      {
        "ruleId": "1f45eace-d5fb-4e8e-9e1c-cf8219615644", // Rule ID need to be guid random generated
        "sourceContainer": "dms5",
        "destinationContainer": "dms5",
        "filters": {
          "minCreationTime": "1601-01-01T00:00:00Z" // For sync all content we need to setup date / time before day of creation
        }
      },
      {
        "ruleId": "0fa15940-e42e-4a25-959e-88f8132eaf9b",
        "sourceContainer": "h0472",
        "destinationContainer": "h0472",
        "filters": {
          "minCreationTime": "1601-01-01T00:00:00Z"
        }
      },
      {
        "ruleId": "3bfa51f9-a4fb-4acf-a59a-8c5af8e4d61b",
        "sourceContainer": "h0473",
        "destinationContainer": "h0473",
        "filters": {
          "minCreationTime": "1601-01-01T00:00:00Z"
        }
      },
      {
        "ruleId": "d5be2cea-7459-4dbb-865a-11c4f53ae3b1",
        "sourceContainer": "h0781",
        "destinationContainer": "h0781",
        "filters": {
          "minCreationTime": "1601-01-01T00:00:00Z"
        }
      },
      {
        "ruleId": "5822c0c4-8b66-425f-8120-1f7d678737d7",
        "sourceContainer": "h0984",
        "destinationContainer": "h0984",
        "filters": {
          "minCreationTime": "1601-01-01T00:00:00Z"
        }
      },
      {
        "ruleId": "ec69dd0d-44d7-446e-b447-e5311e232241",
        "sourceContainer": "h1142",
        "destinationContainer": "h1142",
        "filters": {
          "minCreationTime": "1601-01-01T00:00:00Z"
        }
      },
      {
        "ruleId": "6f5fad1b-39ea-4d42-ad86-6c73719a4b66",
        "sourceContainer": "h1871",
        "destinationContainer": "h1871",
        "filters": {
          "minCreationTime": "1601-01-01T00:00:00Z"
        }
      },
      {
        "ruleId": "6f0a0272-24de-42cc-bccc-359edeafe71f",
        "sourceContainer": "h1988",
        "destinationContainer": "h1988",
        "filters": {
          "minCreationTime": "1601-01-01T00:00:00Z"
        }
      },
      {
        "ruleId": "848fd02e-1ab9-4e82-8f19-569e05abdba5",
        "sourceContainer": "h2161",
        "destinationContainer": "h2161",
        "filters": {
          "minCreationTime": "1601-01-01T00:00:00Z"
        }
      },
      {
        "ruleId": "db855105-a5d3-4202-9874-49386d94ba69",
        "sourceContainer": "h2907",
        "destinationContainer": "h2907",
        "filters": {
          "minCreationTime": "1601-01-01T00:00:00Z"
        }
      },
      {
        "ruleId": "6df9d571-93a5-4e6c-bb55-e9040b29e88c",
        "sourceContainer": "h3054",
        "destinationContainer": "h3054",
        "filters": {
          "minCreationTime": "1601-01-01T00:00:00Z"
        }
      },
      {
        "ruleId": "85235bc7-8852-4631-b19b-e8b30119966e",
        "sourceContainer": "h3118",
        "destinationContainer": "h3118",
        "filters": {
          "minCreationTime": "1601-01-01T00:00:00Z"
        }
      },
      {
        "ruleId": "6bb2c27c-c649-4d60-b603-20280871ccca",
        "sourceContainer": "h3254",
        "destinationContainer": "h3254",
        "filters": {
          "minCreationTime": "1601-01-01T00:00:00Z"
        }
      },
      {
        "ruleId": "615a2c0d-a803-491b-b1df-2d74be197ea0",
        "sourceContainer": "h3263",
        "destinationContainer": "h3263",
        "filters": {
          "minCreationTime": "1601-01-01T00:00:00Z"
        }
      },
      {
        "ruleId": "dfd63c9d-60e2-4806-8b55-f01cc308677c",
        "sourceContainer": "h3264",
        "destinationContainer": "h3264",
        "filters": {
          "minCreationTime": "1601-01-01T00:00:00Z"
        }
      },
      {
        "ruleId": "77701a25-2dca-4fd3-8b4f-590f12324471",
        "sourceContainer": "h3265",
        "destinationContainer": "h3265",
        "filters": {
          "minCreationTime": "1601-01-01T00:00:00Z"
        }
      }
    ]
  }
}

1. In navigation go to Object replication and Upload Rules
2. Check that rules include all object and destination and source is correct.

• Shared conntacts will be added to user personal mailbox.
• Multiple contacts can be added / updated.
• Caller ID will be displayed on user Phone.
• Contact will be displayed in user contact section on mailbox.
• Contact will be synchonized to user phone contact.

Prerequisites

• Azure Automation Account
• Service Principal for credentials

Configuration

Here you can find how to configure your environment step by step. Script is running in version 7 as for big organization reqaired paraller objecte in the same time.

Configure Service Principal

1. Logon to https://entra.microsoft.com/

2. Create app registration

   

   

3. Permission granted for application

   

Configure Azure Automation Account

Import Microsoft.Graph modules

Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Beta.Users
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.PersonalContacts
Import-Module Microsoft.Graph.Beta.PersonalContacts

1. Logon to https://portal.azure.com
2. Navigate to automation account

3. On Menu select Modules -> Add module

   

   

4. Create credentials for Runbook used in script.

User Name: Application ID
Password: Application secret

1. Create Runbook with PowerShell version 7.X

PowerShell script on GitHub run by Automation Account

GitHub Link

Link to script on GitHub M365-MgGraph-Add-Multiple-contact-Personal-Mailbox.ps1 can also be shown.

Example of contact created in user personal mailbox

Example of output in Outlook