Greetings to my fellow Technology Advocates and Specialists.
In this session, I will demonstrate how to create an Azure Active Directory (AAD) group using an Azure DevOps pipeline.
I had the privilege to talk on this topic in TWO Azure Communities:-

| NAME OF THE AZURE COMMUNITY | TYPE OF SPEAKER SESSION |
|---|---|
| Journey to the Cloud 9.0 | Virtual |
| Festive Tech Calendar 2022 | Virtual |
LIVE RECORDED SESSIONS:-
LIVE DEMO was recorded as part of my presentation on the JOURNEY TO THE CLOUD 9.0 forum/platform.
Duration of my demo = 55 Mins 42 Secs
LIVE DEMO was recorded as part of my presentation on the FESTIVE TECH CALENDAR 2022 forum/platform.
Duration of my demo = 1 Hour 05 Mins 08 Secs
IMPORTANT NOTE:-
More than one AAD group can exist with the same name. The only unique identifier of an AAD group is its Object ID, so a display name alone never identifies a group unambiguously.
USE CASE:-
The Cloud Engineer DOES NOT have access to Azure Active Directory to create group(s).
The Cloud Engineer CANNOT ELEVATE rights using PIM (Privileged Identity Management) to create AAD group(s).
AUTOMATION OBJECTIVE:-
Validate whether an AAD group with the given name already exists. If yes, the pipeline will FAIL.
If the validation passes (no group with that name exists), the pipeline will then create the group in Azure Active Directory.
IMPORTANT NOTE:-
The YAML Pipeline is tested on WINDOWS BUILD AGENT Only!!!
REQUIREMENTS:-
- Azure Subscription.
- Azure DevOps Organisation and Project.
- Service Principal assigned either the Global Administrator or the Privileged Identity Management (PIM) Azure AD role, or the required Microsoft Graph API permission (Directory.ReadWrite.All: Read and write directory data).
- Azure Resource Manager Service Connection in Azure DevOps.
```yaml
trigger: none

######################
#DECLARE PARAMETERS:-
######################
parameters:
- name: SubscriptionID
  displayName: Subscription ID Details Follow Below:-
  type: string
  default: 210e66cb-55cf-424e-8daa-6cad804ab604
  values:
  - 210e66cb-55cf-424e-8daa-6cad804ab604

- name: AADGRPNAME
  displayName: Please Provide the AAD Group Name:-
  type: object
  default:

######################
#DECLARE VARIABLES:-
######################
variables:
  ServiceConnection: amcloud-cicd-service-connection
  BuildAgent: windows-latest

#########################
# Declare Build Agents:-
#########################
pool:
  vmImage: $(BuildAgent)

###################
# Declare Stages:-
###################
stages:
- stage: CREATE_SINGLE_AAD_GROUP
  jobs:
  - job: CREATE_SINGLE_AAD_GROUP
    displayName: CREATE SINGLE AAD GROUP
    steps:
    - task: AzureCLI@2
      displayName: VALIDATE AND CREATE AAD GROUP
      inputs:
        azureSubscription: $(ServiceConnection)
        scriptType: ps
        scriptLocation: inlineScript
        inlineScript: |
          az --version
          az account set --subscription ${{ parameters.SubscriptionID }}
          az account show
          # The group name is quoted so that a name containing spaces is passed as one argument
          $name = az ad group show --group "${{ parameters.AADGRPNAME }}" --query "displayName" -o tsv
          if ($name -eq "${{ parameters.AADGRPNAME }}") {
            echo "################################################################################################"
            echo "Azure AD Group ${{ parameters.AADGRPNAME }} EXISTS and hence Cannot Proceed with Creation!!!"
            echo "################################################################################################"
            exit 1
          }
          else {
            echo "############################################################################"
            echo "THE ABOVE WARNING IS A STANDARD MESSAGE WHEN AAD GROUP DOES NOT EXIST!!!"
            echo "AAD GROUP BY THE NAME ${{ parameters.AADGRPNAME }} WILL BE CREATED"
            echo "############################################################################"
            az ad group create --display-name "${{ parameters.AADGRPNAME }}" --mail-nickname "${{ parameters.AADGRPNAME }}"
            echo "##################################################################"
            echo "Azure AD Group ${{ parameters.AADGRPNAME }} created successfully!!!"
            echo "##################################################################"
          }
```
Now, let me explain each part of the YAML pipeline for better understanding.
Please change the values of the variables accordingly.
The entire YAML pipeline is built using runtime parameters and variables. No values are hardcoded.
PART #3:-
BELOW FOLLOW THE CONDITIONS AND LOGIC DEFINED IN THE PIPELINE (AS MENTIONED ABOVE IN THE "AUTOMATION OBJECTIVE"):-
```yaml
        inlineScript: |
          az --version
          az account set --subscription ${{ parameters.SubscriptionID }}
          az account show
          # Look the group up by display name; an empty result means it does not exist
          $name = az ad group show --group "${{ parameters.AADGRPNAME }}" --query "displayName" -o tsv
          if ($name -eq "${{ parameters.AADGRPNAME }}") {
            echo "################################################################################################"
            echo "Azure AD Group ${{ parameters.AADGRPNAME }} EXISTS and hence Cannot Proceed with Creation!!!"
            echo "################################################################################################"
            exit 1
          }
          else {
            echo "############################################################################"
            echo "THE ABOVE WARNING IS A STANDARD MESSAGE WHEN AAD GROUP DOES NOT EXIST!!!"
            echo "AAD GROUP BY THE NAME ${{ parameters.AADGRPNAME }} WILL BE CREATED"
            echo "############################################################################"
            az ad group create --display-name "${{ parameters.AADGRPNAME }}" --mail-nickname "${{ parameters.AADGRPNAME }}"
            echo "##################################################################"
            echo "Azure AD Group ${{ parameters.AADGRPNAME }} created successfully!!!"
            echo "##################################################################"
          }
```
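The check above relies on `az ad group show --group <name>`, which errors out (and leaves `$name` empty) when several groups already share that display name, so the pipeline would then create yet another duplicate. Below is an added PowerShell example, not the author's pipeline code, of a hardened "validate, then create" step for the same `AzureCLI@2` task with `scriptType: ps`. It reuses the pipeline's own `SubscriptionID` and `AADGRPNAME` parameters; the `$SubscriptionId`/`$GroupName` variables, the `Invoke-Az` helper, the derived mail nickname and the `AadGroupObjectId` output variable are this example's assumptions. It goes beyond the original script by counting all exact-name matches, failing the step on any non-zero Azure CLI exit code, and recording the Object ID (the only unique identifier of the group) after creation.

```powershell
# Added example, not the author's pipeline code. Paste as the inlineScript of
# the AzureCLI@2 task (scriptType: ps). Template expressions are substituted
# before PowerShell runs; the single quotes keep a name with spaces intact.
$SubscriptionId = '${{ parameters.SubscriptionID }}'
$GroupName      = '${{ parameters.AADGRPNAME }}'

$ErrorActionPreference = 'Stop'

# Run az and fail the step on a non-zero exit code. The AzureCLI@2 task does
# not fail inline PowerShell by itself unless $LASTEXITCODE is checked.
# Output is joined into one string so multi-line results are easy to parse.
function Invoke-Az {
    param([string[]]$Arguments)
    $output = & az @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "az $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
    return ($output -join [Environment]::NewLine)
}

Invoke-Az -Arguments @('account', 'set', '--subscription', $SubscriptionId) | Out-Null

# Use 'list' rather than 'show': display names are not unique, and 'show'
# errors when more than one group matches. Note that --display-name in
# 'az ad group list' is a prefix filter, so exact matches are selected below.
$raw = Invoke-Az -Arguments @(
    'ad', 'group', 'list',
    '--display-name', $GroupName,
    '--query', '[].[id, displayName]',
    '-o', 'tsv'
)
$existingIds = @(
    $raw -split "`r?`n" | Where-Object { $_.Trim() -ne '' } | ForEach-Object {
        $id, $name = $_ -split "`t", 2
        if ($name -eq $GroupName) { $id }   # -eq is case-insensitive, matching AAD behaviour
    }
)

if ($existingIds.Count -gt 0) {
    # ##vso[task.logissue] surfaces the reason in the run summary, not only in the log.
    Write-Host "##vso[task.logissue type=error]AAD group '$GroupName' already exists ($($existingIds.Count) match(es)); not creating another one."
    foreach ($id in $existingIds) { Write-Host "  existing Object ID: $id" }
    exit 1
}

# mailNickname must not contain spaces or most punctuation and is limited to
# 64 characters, so derive it from the display name instead of reusing it verbatim.
$mailNickname = ($GroupName -replace '[^A-Za-z0-9]', '')
if ([string]::IsNullOrEmpty($mailNickname)) { $mailNickname = 'aadgroup' }   # constructed fallback
if ($mailNickname.Length -gt 64) { $mailNickname = $mailNickname.Substring(0, 64) }

# Assumes Azure CLI 2.37 or later, where the Graph-backed output key is 'id'.
$objectId = (Invoke-Az -Arguments @(
    'ad', 'group', 'create',
    '--display-name', $GroupName,
    '--mail-nickname', $mailNickname,
    '--query', 'id',
    '-o', 'tsv'
)).Trim()

Write-Host "Created AAD group '$GroupName' with Object ID $objectId"
# Expose the Object ID to later jobs, since it (not the name) identifies the group.
Write-Host "##vso[task.setvariable variable=AadGroupObjectId;isOutput=true]$objectId"
```

Keeping the Object ID as a pipeline output variable lets a downstream stage (for example one that assigns the group to a resource) reference the group without another name lookup, which is exactly the lookup that becomes ambiguous once duplicates exist.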
NOW IT'S TIME TO TEST!!!
TEST CASES:-
TEST CASE #1: AAD GROUP EXISTS:-
DESIRED OUTPUT: PIPELINE FAILS, STATING THAT THE MENTIONED AAD GROUP EXISTS.
AAD GROUP IN PLACE:-
PIPELINE RUNTIME VARIABLE VALUES:-
PIPELINE FAILED:-
TEST CASE #2: AAD GROUP DOES NOT EXIST:-
DESIRED OUTPUT: PIPELINE EXECUTES SUCCESSFULLY, CREATING THE AAD GROUP.
PIPELINE EXECUTED SUCCESSFULLY:-
Hope You Enjoyed the Session!!!
Stay Safe | Keep Learning | Spread Knowledge