DEV Community

Arindam Mitra

Create AAD group using Az Devops

Greetings to my fellow Technology Advocates and Specialists.

In this Session, I will demonstrate How to Create Azure Active Directory (AAD) Group Using Azure DevOps.

I had the Privilege to talk on this topic in TWO Azure Communities:-

NAME OF THE AZURE COMMUNITY      TYPE OF SPEAKER SESSION
Journey to the Cloud 9.0         Virtual
Festive Tech Calendar 2022       Virtual
LIVE RECORDED SESSION:-
LIVE DEMO was Recorded as part of my Presentation in JOURNEY TO THE CLOUD 9.0 Forum/Platform
Duration of My Demo = 55 Mins 42 Secs
LIVE DEMO was Recorded as part of my Presentation in FESTIVE TECH CALENDAR 2022 Forum/Platform
Duration of My Demo = 1 Hour 05 Mins 08 Secs
IMPORTANT NOTE:-
More than one AAD Group can be created with the same name. The unique identifier of an AAD Group is its Object ID.
USE CASE:-
Cloud Engineer DOES NOT have access to Azure Active Directory to Create Group(s).
Cloud Engineer CANNOT ELEVATE rights using PIM (Privileged Identity Management) to Create AAD Group(s).
AUTOMATION OBJECTIVE:-
Validate whether the AAD Group already exists. If it does, the Pipeline will FAIL.
If the validation passes (the Group does not exist), the Pipeline will then Create the Group in Azure Active Directory.
IMPORTANT NOTE:-

The YAML Pipeline is tested on WINDOWS BUILD AGENT Only!!!

REQUIREMENTS:-
  1. Azure Subscription.
  2. Azure DevOps Organisation and Project.
  3. Service Principal either assigned Global Administrator, the Privileged Identity Management (PIM) Azure AD Role, or the required Microsoft Graph API rights (Directory.ReadWrite.All: Read and Write Directory Data).
  4. Azure Resource Manager Service Connection in Azure DevOps.
CODE REPOSITORY:-

WHAT DOES MY CODE PLACEHOLDER LOOK LIKE:- (screenshot of the repository layout)
PIPELINE CODE SNIPPET:-
AZURE DEVOPS YAML PIPELINE (azure-pipelines-add-single-aad-group-v1.0.yml):-
trigger:
  none

######################
#DECLARE PARAMETERS:-
######################
parameters:
- name: SubscriptionID
  displayName: Subscription ID Details Follow Below:-
  type: string
  default: 210e66cb-55cf-424e-8daa-6cad804ab604
  values:
  - 210e66cb-55cf-424e-8daa-6cad804ab604

- name: AADGRPNAME
  displayName: Please Provide the AAD Group Name:-
  type: object
  default:

######################
#DECLARE VARIABLES:-
######################
variables:
  ServiceConnection: amcloud-cicd-service-connection
  BuildAgent: windows-latest

#########################
# Declare Build Agents:-
#########################
pool:
  vmImage: $(BuildAgent)

###################
# Declare Stages:-
###################

stages:

- stage: CREATE_SINGLE_AAD_GROUP
  jobs:
  - job: CREATE_SINGLE_AAD_GROUP
    displayName: CREATE SINGLE AAD GROUP
    steps:
    - task: AzureCLI@2
      displayName: VALIDATE AND CREATE AAD GROUP
      inputs:
        azureSubscription: $(ServiceConnection)
        scriptType: ps
        scriptLocation: inlineScript
        inlineScript: |
          az --version
          az account set --subscription "${{ parameters.SubscriptionID }}"
          az account show
          # Quote the group name once so names containing spaces are passed as a single argument.
          $grp = "${{ parameters.AADGRPNAME }}"
          # Several groups may share a display name (see IMPORTANT NOTE above), so look the name
          # up with an exact-match filter instead of 'az ad group show', which errors out when
          # more than one group matches. Single quotes in the name are doubled for the OData filter.
          $safe = $grp -replace "'", "''"
          $filter = "displayName eq '$safe'"
          $existing = az ad group list --filter $filter --query "[].displayName" -o tsv
          if ($existing) {
          echo "################################################################################################"
          echo "Azure AD Group $grp EXISTS and hence Cannot Proceed with Creation!!!"
          echo "################################################################################################"
          exit 1
          }
          else {
          echo "############################################################################"
          echo "AAD GROUP BY THE NAME $grp DOES NOT EXIST AND WILL BE CREATED"
          echo "############################################################################"
          # mailNickname cannot contain spaces or special characters; derive it from the name.
          $nick = $grp -replace '[^A-Za-z0-9]', ''
          az ad group create --display-name $grp --mail-nickname $nick
          # Fail the task if the CLI call failed instead of printing a misleading success banner.
          if ($LASTEXITCODE -ne 0) { exit 1 }
          echo "##################################################################"
          echo "Azure AD Group $grp created successfully!!!"
          echo "##################################################################"
          }


Now, let me explain each part of YAML Pipeline for better understanding.

PART #1:-
BELOW FOLLOWS PIPELINE RUNTIME VARIABLES CODE SNIPPET:-
######################
#DECLARE PARAMETERS:-
######################
parameters:
- name: SubscriptionID
  displayName: Subscription ID Details Follow Below:-
  type: string
  default: 210e66cb-55cf-424e-8daa-6cad804ab604
  values:
  - 210e66cb-55cf-424e-8daa-6cad804ab604

- name: AADGRPNAME
  displayName: Please Provide the AAD Group Name:-
  type: object
  default: 

PART #2:-
BELOW FOLLOWS PIPELINE VARIABLES CODE SNIPPET:-
######################
#DECLARE VARIABLES:-
######################
variables:
  ServiceConnection: amcloud-cicd-service-connection
  BuildAgent: windows-latest

NOTE:-
Please change the values of the variables accordingly.
The entire YAML pipeline is built using Runtime Parameters and Variables. No values are hardcoded.
PART #3:-
BELOW FOLLOWS THE CONDITIONS AND LOGIC DEFINED IN THE PIPELINE (AS MENTIONED ABOVE IN THE "AUTOMATION OBJECTIVE"):-
        inlineScript: |
          az --version
          az account set --subscription "${{ parameters.SubscriptionID }}"
          az account show
          # Quote the group name once so names containing spaces are passed as a single argument.
          $grp = "${{ parameters.AADGRPNAME }}"
          # Several groups may share a display name (see IMPORTANT NOTE above), so look the name
          # up with an exact-match filter instead of 'az ad group show', which errors out when
          # more than one group matches. Single quotes in the name are doubled for the OData filter.
          $safe = $grp -replace "'", "''"
          $filter = "displayName eq '$safe'"
          $existing = az ad group list --filter $filter --query "[].displayName" -o tsv
          if ($existing) {
          echo "################################################################################################"
          echo "Azure AD Group $grp EXISTS and hence Cannot Proceed with Creation!!!"
          echo "################################################################################################"
          exit 1
          }
          else {
          echo "############################################################################"
          echo "AAD GROUP BY THE NAME $grp DOES NOT EXIST AND WILL BE CREATED"
          echo "############################################################################"
          # mailNickname cannot contain spaces or special characters; derive it from the name.
          $nick = $grp -replace '[^A-Za-z0-9]', ''
          az ad group create --display-name $grp --mail-nickname $nick
          # Fail the task if the CLI call failed instead of printing a misleading success banner.
          if ($LASTEXITCODE -ne 0) { exit 1 }
          echo "##################################################################"
          echo "Azure AD Group $grp created successfully!!!"
          echo "##################################################################"
          }

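The validate-then-create logic above stops at the display name, while the IMPORTANT NOTE reminds us that only the Object ID uniquely identifies a group. The following stand-alone PowerShell script, an added example that is not part of the original post or its repository, performs the same check with an exact-match filter and then publishes the new group's Object ID as a pipeline output variable so later steps never have to resolve the name again. It assumes the Azure CLI is installed and already logged in (which is the case inside the AzureCLI@2 task); the function names, the variable name AadGroupObjectId and the -GroupName parameter are this example's own.

```powershell
# Added example (not from the original post): check for an existing AAD group by exact
# display name, create it if absent, and hand the Object ID to downstream pipeline steps.
# Assumes: Azure CLI installed and logged in. Names below are this example's own.
param(
    [Parameter(Mandatory = $true)][string]$GroupName
)

function Get-AadGroupsByExactName {
    param([string]$Name)
    # Exact-match OData filter; single quotes in the name are doubled to keep the filter valid.
    $safe = $Name -replace "'", "''"
    $filter = "displayName eq '$safe'"
    $raw = az ad group list --filter $filter --query "[].{id:id, displayName:displayName}" -o json
    if ($LASTEXITCODE -ne 0) { throw "az ad group list failed" }
    # az prints multi-line JSON; join the lines so Windows PowerShell 5.1 parses one document.
    return @(($raw -join "`n") | ConvertFrom-Json)
}

function New-MailNickname {
    param([string]$Name)
    # mailNickname must not contain spaces or special characters; derive it from the display name.
    return ($Name -replace '[^A-Za-z0-9]', '')
}

$existing = Get-AadGroupsByExactName -Name $GroupName
if ($existing.Count -gt 0) {
    # logissue surfaces the reason in the pipeline summary, not only in the step log.
    Write-Host "##vso[task.logissue type=error]$($existing.Count) group(s) named '$GroupName' already exist: $($existing.id -join ', ')"
    exit 1
}

$objectId = az ad group create --display-name $GroupName --mail-nickname (New-MailNickname $GroupName) --query "id" -o tsv
if ($LASTEXITCODE -ne 0 -or -not $objectId) { throw "Group creation failed" }

# Publish the Object ID as an output variable; later steps read it as $(<task name>.AadGroupObjectId)
# instead of resolving the display name again, which could match a different same-named group.
Write-Host "##vso[task.setvariable variable=AadGroupObjectId;isOutput=true]$objectId"
Write-Host "Created group '$GroupName' with Object ID $objectId"
```

Store the script in the repository and call it from the same task with scriptLocation: scriptPath, scriptPath pointing at the file, and arguments: -GroupName "${{ parameters.AADGRPNAME }}". Listing and creating groups needs only a Microsoft Graph permission scoped to groups (Group.ReadWrite.All), which is narrower than Global Administrator or Directory.ReadWrite.All from the requirements list, so grant the service connection's service principal that instead where policy allows.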

NOW IT'S TIME TO TEST!!!

TEST CASES:-

TEST CASE #1: AAD GROUP EXISTS:-
DESIRED OUTPUT: PIPELINE FAILS, STATING THAT THE MENTIONED AAD GROUP EXISTS.
AAD GROUP IN PLACE:- (screenshot)
PIPELINE RUNTIME VARIABLES VALUE:- (screenshot)
PIPELINE FAILED:- (screenshots)

TEST CASE #2: AAD GROUP DOES NOT EXIST:-
DESIRED OUTPUT: PIPELINE EXECUTES SUCCESSFULLY, CREATING THE AAD GROUP.
PIPELINE EXECUTED SUCCESSFULLY:- (screenshots)

Hope You Enjoyed the Session!!!

Stay Safe | Keep Learning | Spread Knowledge
