Microsoft.Graph/groups@beta resource with existing keyword

[jikuja]

This is edge-case and I seriously hope this is not issue for anyone on productions.

---

Entra ID allows creating multiple groups with same displayName at least when using API. Portal blocks groups with identical names. Using following template

Get-MgGroup  | Where-Object {$_.DisplayName -eq "test-group"}

output:

DisplayName Id                                   MailNickname Description                     GroupTypes
----------- --                                   ------------ -----------                     ----------
test-group  33a2ba85-d81c-4c6e-a961-f1d6979db65e library      Self help community for library {Unified}
test-group  51f39484-e6de-49a1-83c2-369868374571 test-group                                   {}
test-group  a6415244-98b1-45e0-b5d0-361b40655040 library2     Self help community for library {Unified}

import 'microsoftGraph@1.0.0'

@description('Group to use')
param groupName1 string = 'test-group'

resource group 'Microsoft.Graph/groups@beta' existing = {
  name: groupName1
}

output id string = group.id

picks one of the groups with some undocumented logic. No warnings are generated about potential issues.

output:

new-azResourceGroupDeployment  -ResourceGroupName placeholder-rg -TemplateFile ./quickstart-templates/two-groups/main.bicep 
WARNING: WARNING: The following experimental Bicep features have been enabled: Extensibility, MicrosoftGraph Preview. Experimental features should be enabled for testing purposes only. Do not enable these settings for any production usage, or you may be unexpectedly broken at any time!

DeploymentName          : main
ResourceGroupName       : placeholder-rg
ProvisioningState       : Succeeded
Timestamp               : 10/8/2023 3:14:44 PM
Mode                    : Incremental
TemplateLink            : 
Parameters              : 
                          Name             Type                       Value     
                          ===============  =========================  ==========
                          groupName1       String                     "test-group"

Outputs                 : 
                          Name             Type                       Value     
                          ===============  =========================  ==========
                          id               String                     "51f39484-e6de-49a1-83c2-369868374571"

DeploymentDebugLogLevel : 

[jikuja]

other example/issue:

Get-MgGroup  | Where-Object {$_.DisplayName -eq "foo1"}

DisplayName Id                                   MailNickname                         Description GroupTypes
----------- --                                   ------------                         ----------- ----------
foo1        70630b5a-6a24-482d-b823-576b0f0abeb2 c87e8ca1-9b88-4986-b12e-8091f7dd45be             {}
foo1        a4abad9c-3c91-4690-8a17-281bf3b3ac60 704bd99d-8101-4e05-946e-56399ab8defc             {}
foo1        e1fefe17-799d-4676-bc18-8b2fd8e3ba71 e7eb3610-465e-46fc-b42e-97d543251d71             {}

Now same template

import 'microsoftGraph@1.0.0'

@description('Group to use')
param groupName1 string = 'foo1'

resource group 'Microsoft.Graph/groups@beta' existing = {
  name: groupName1
}

output id string = group.id

fails to deploy:

new-azResourceGroupDeployment  -ResourceGroupName placeholder-rg -TemplateFile ./quickstart-templates/two-groups/main.bicep                                             
WARNING: WARNING: The following experimental Bicep features have been enabled: Extensibility, MicrosoftGraph Preview. Experimental features should be enabled for testing purposes only. Do not enable these settings for any production usage, or you may be unexpectedly broken at any time!
New-AzResourceGroupDeployment: 6:18:17 PM - Error: Code=InvalidTemplateDeployment; Message=The template deployment 'main' is not valid according to the validation procedure. The tracking id is '281f92d3-5c77-463d-bd0c-303624d0ab74'. See inner errors for details.
New-AzResourceGroupDeployment: 6:18:17 PM - Error: Code=ResourceNotFound; Message=Cannot find requested resource.
New-AzResourceGroupDeployment: The deployment validation failed

[TakeshiKovacs]

We observe a similar issue as your second issue. We cannot reference existing groups, the existing keyname only seems to work with groups we create via bicep. We've tried both display name and mail nickname.

[jikuja]

We cannot reference existing groups, the existing keyname only seems to work with groups we create via bicep.

That might be the login I did not see when testing.

[dkershaw10]

Hey @jikuja and @TakeshiKovacs - thanks for reporting this.

1. The name property in Bicep actually maps to a brand new uniqueName property in the Group resource type. This is completely separate from a group's displayName property. We couldn't use displayName for uniquely identifying resources, because it's not unique. That's why we added this new property to allow for (uniquely named) client-provide keys.
2. What we can do for this scenario (and I'll add a short doc on this scenario to the repo), is you can call Microsoft Graph via something like Graph Explorer (https://aka.ms/ge) or Microsoft Graph PS (Update-MgBetaGroup) to "backfill" the uniqueName property on to existing Group resources. So say you set a group's uniqueName to groupName1, then @jikuja, your Bicep script above should work.

So basically, if you want to use Bicep with any previously created resources (i.e, resources that have not been created using Bicep), you'll first need to perform a one-off backfill of uniqueName for any resources that you want to track and manage through Bicep template. uniqueName is immutable - so once set, it cannot be changed.

LMK if this works for you.

[TakeshiKovacs]

@dkershaw10 Brilliant, I figured it would be something like that, will uniqueName be exposed in the Get-AzADGroup and similar cmdlets in future? (This is what we used to compare the new and existing groups looking for differences) Good to know of the work around, we will give it a try. Cheers Mat

[dkershaw10]

@TakeshiKovacs - yeah - not sure if it will be exposed in Az PS. It's exposed in Update-MgBetaGroup (and when the uniqueName property hits GA, it'll be in Update-MgGroup).

I'll follow up and find an owner in Az PS, to see if this is automagically exposed or if it needs some work, and report back.

[jikuja]

@TakeshiKovacs - yeah - not sure if it will be exposed in Az PS. It's exposed in Update-MgBetaGroup (and when the uniqueName property hits GA, it'll be in Update-MgGroup).

I'll follow up and find an owner in Az PS, to see if this is automagically exposed or if it needs some work, and report back.

Portal experience coming for a new property? This sounds like every tooling should support this sooner or later. Otherwise there will be really weird issues and misunderstandings.

[dkershaw10]

Yes it will - but I'm unfamiliar with the cross-over from Graph to Az PS, where only a few limited Graph resources show up in Az PS.

@jikuja I was just re-reading your first post, and realize that we need to file a bug and try and repro your edge case issue. That should not be happening. Thanks for reporting this.

[dkershaw10]

@jikuja We investigating the edge case. Based on telemetry, it looks like you created the middle Group (in your list of 3 Groups) using Bicep and gave it the uniqueName of test-group. Thus your Bicep existing keyword picked out that group. In your second test, none of those group resources were created using Bicep, so the existing keyword failed to find anything. Hope this helps.

[dkershaw10]

@jikuja and @TakeshiKovacs, I created this short topic: Use existing Microsoft Graph resources in Bicep templates. Does that work for you?

[jikuja]

@jikuja We investigating the edge case. Based on telemetry, it looks like you created the middle Group (in your list of 3 Groups) using Bicep and gave it the uniqueName of test-group. Thus your Bicep existing keyword picked out that group. In your second test, none of those group resources were created using Bicep, so the existing keyword failed to find anything. Hope this helps.

Everything is working now as it should. New documentation/comments helped to understand why template was "misbehaving"

Trying scripts later.