Validate if the AAD Group exists. If YES, the Pipeline will FAIL.
If the above validation is SUCCESSFUL, the Pipeline will then create the Group in Azure Active Directory.
IMPORTANT NOTE:-
The YAML Pipeline is tested on a WINDOWS BUILD AGENT only!!!
REQUIREMENTS:-
Azure Subscription.
Azure DevOps Organisation and Project.
Service Principal either assigned the Global Administrator or Privileged Identity Management (PIM) Azure AD Role, or the required Microsoft Graph API permission (Directory.ReadWrite.All: Read and write directory data).
Azure Resource Manager Service Connection in Azure DevOps.
```yaml
trigger: none

#######################
# DECLARE PARAMETERS:-
#######################
parameters:
- name: SubscriptionID
  displayName: Subscription ID Details Follow Below:-
  type: string
  default: 210e66cb-55cf-424e-8daa-6cad804ab604
  values:
  - 210e66cb-55cf-424e-8daa-6cad804ab604

- name: AADGRPNAME
  displayName: Please Provide the AAD Group Name:-
  type: object
  default:

#######################
# DECLARE VARIABLES:-
#######################
variables:
  ServiceConnection: amcloud-cicd-service-connection
  BuildAgent: windows-latest

##########################
# Declare Build Agents:-
##########################
pool:
  vmImage: $(BuildAgent)

####################
# Declare Stages:-
####################
stages:
- stage: CREATE_SINGLE_AAD_GROUP
  jobs:
  - job: CREATE_SINGLE_AAD_GROUP
    displayName: CREATE SINGLE AAD GROUP
    steps:
    - task: AzureCLI@2
      displayName: VALIDATE AND CREATE AAD GROUP
      inputs:
        azureSubscription: $(ServiceConnection)
        scriptType: ps
        scriptLocation: inlineScript
        inlineScript: |
          az --version
          az account set --subscription ${{ parameters.SubscriptionID }}
          az account show
          # Look the group up by display name; the value is quoted so names with spaces work.
          $name = az ad group show --group "${{ parameters.AADGRPNAME }}" --query "displayName" -o tsv
          if ($name -eq "${{ parameters.AADGRPNAME }}")
          {
            echo "################################################################################################"
            echo "Azure AD Group ${{ parameters.AADGRPNAME }} EXISTS and hence Cannot Proceed with Creation!!!"
            echo "################################################################################################"
            exit 1
          }
          else
          {
            echo "############################################################################"
            echo "THE ABOVE WARNING IS A STANDARD MESSAGE WHEN AAD GROUP DOES NOT EXISTS!!!"
            echo "AAD GROUP BY THE NAME ${{ parameters.AADGRPNAME }} WILL BE CREATED"
            echo "############################################################################"
            az ad group create --display-name "${{ parameters.AADGRPNAME }}" --mail-nickname "${{ parameters.AADGRPNAME }}"
            echo "##################################################################"
            echo "Azure AD Group ${{ parameters.AADGRPNAME }} created successfully!!!"
            echo "##################################################################"
          }
```
Now, let me explain each part of the YAML Pipeline for better understanding.
Please change the values of the variables accordingly.
The entire YAML pipeline is built using Runtime Parameters and Variables. No values are hardcoded.
PART #3:-
BELOW FOLLOWS THE CONDITIONS AND LOGIC DEFINED IN THE PIPELINE (AS MENTIONED ABOVE IN THE "AUTOMATION OBJECTIVE"):-
```yaml
inlineScript: |
  az --version
  az account set --subscription ${{ parameters.SubscriptionID }}
  az account show
  # Look the group up by display name; the value is quoted so names with spaces work.
  $name = az ad group show --group "${{ parameters.AADGRPNAME }}" --query "displayName" -o tsv
  if ($name -eq "${{ parameters.AADGRPNAME }}")
  {
    echo "################################################################################################"
    echo "Azure AD Group ${{ parameters.AADGRPNAME }} EXISTS and hence Cannot Proceed with Creation!!!"
    echo "################################################################################################"
    exit 1
  }
  else
  {
    echo "############################################################################"
    echo "THE ABOVE WARNING IS A STANDARD MESSAGE WHEN AAD GROUP DOES NOT EXISTS!!!"
    echo "AAD GROUP BY THE NAME ${{ parameters.AADGRPNAME }} WILL BE CREATED"
    echo "############################################################################"
    az ad group create --display-name "${{ parameters.AADGRPNAME }}" --mail-nickname "${{ parameters.AADGRPNAME }}"
    echo "##################################################################"
    echo "Azure AD Group ${{ parameters.AADGRPNAME }} created successfully!!!"
    echo "##################################################################"
  }
```
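The same validate-then-create step in a hardened form, as an added example that is not the original pipeline's code: it hands the runtime parameters to the script through `env:` instead of expanding `${{ }}` inside the script body (so the group name is data, never script text), looks the group up with an OData filter so a missing group yields an empty list instead of the error output shown above, and checks `$LASTEXITCODE` after every `az` call. It assumes `AADGRPNAME` is declared with `type: string` and reuses the `ServiceConnection` variable from the pipeline above.

```yaml
- task: AzureCLI@2
  displayName: VALIDATE AND CREATE AAD GROUP (hardened)
  env:
    # Runtime parameters reach PowerShell as environment variables, not as spliced-in code.
    AADGRPNAME: ${{ parameters.AADGRPNAME }}
    SUBSCRIPTION_ID: ${{ parameters.SubscriptionID }}
  inputs:
    azureSubscription: $(ServiceConnection)
    scriptType: ps
    scriptLocation: inlineScript
    inlineScript: |
      az account set --subscription $env:SUBSCRIPTION_ID
      if ($LASTEXITCODE -ne 0) { Write-Error "Could not select subscription"; exit 1 }

      # Escape single quotes for the OData filter, then match the displayName exactly.
      # 'az ad group list --filter' returns [] for a missing group, so no error is printed.
      $escaped = $env:AADGRPNAME -replace "'", "''"
      $count = az ad group list --filter "displayName eq '$escaped'" --query "length(@)" -o tsv
      if ($LASTEXITCODE -ne 0) { Write-Error "Lookup of AAD group failed"; exit 1 }

      if ([int]$count -gt 0) {
        # ##vso logging command surfaces the failure reason in the pipeline summary.
        Write-Host "##vso[task.logissue type=error]Azure AD Group '$($env:AADGRPNAME)' already exists; not creating."
        exit 1
      }

      # Mail nickname must not contain spaces or most punctuation; derive a safe one from the name.
      $nick = $env:AADGRPNAME -replace '[^A-Za-z0-9_.-]', ''
      az ad group create --display-name $env:AADGRPNAME --mail-nickname $nick
      if ($LASTEXITCODE -ne 0) { Write-Error "Creation of AAD group failed"; exit 1 }
      Write-Host "Azure AD Group '$($env:AADGRPNAME)' created successfully."
```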
NOW IT'S TIME TO TEST!!!
TEST CASES:-
TEST CASE #1: AAD GROUP EXISTS:-
DESIRED OUTPUT: PIPELINE FAILS STATING THAT THE MENTIONED AAD GROUP EXISTS.
AAD GROUP IN PLACE:-
PIPELINE RUNTIME VARIABLES VALUE:-
PIPELINE FAILED:-
TEST CASE #2: AAD GROUP DOES NOT EXIST:-
DESIRED OUTPUT: PIPELINE EXECUTED SUCCESSFULLY CREATING THE AAD GROUP.
PIPELINE EXECUTED SUCCESSFULLY:-
Hope You Enjoyed the Session!!!
Stay Safe | Keep Learning | Spread Knowledge