Update quickstart examples and docs to include fic and v1 resources (#88)

* Update quickstart examples and docs to include fic and v1 resources

* Fix type and update v1.0 powershell script

* Update example and doc based on review

* Address comments

* Address comments

* Use a single string parameter for fic subject

* Update based on feedback

* minor update

Author: jason-dou

DEVELOPMENT.md

@@ -47,6 +47,6 @@ This document describes the steps to setup development tools and run Bicep types
     ```
 
 ## Adding New Types
-1. Update the definitions and paths for the new type in the swagger file [microsoftgraph-beta.json](swagger\specification\microsoftgraph\resource-manager\microsoftgraph\preview\2023-09-15-preview\microsoftgraph-beta.json). Currently only `beta` version resources are supported.
+1. Update the entities and properties in [config-beta.yml](src\swagger-generation\config-beta.yml) and [config-v1.0.yml](src\swagger-generation\config-beta.yml)
 
-1. Re-run generation using the command in [Running](#running), and new types will be available in [/generated](./generated)
+1. Follow steps in [Running Generation Locally](#running-generation-locally), and new types will be available in [/generated](./generated)

docs/getting-started.md

@@ -30,13 +30,14 @@ Now, when creating a Bicep resource, the available Microsoft.Graph resource type
 
 ![image](./VS%20code%20graph%20types%20in%20bicep.jpg)
 
-| Bicep type definitions | Microsoft Graph API (beta) reference |
-|--------------|-----------|
-| [applications](../generated/microsoftgraph/microsoft.graph/beta/types.md#resource-microsoftgraphapplicationsbeta) | [application resource](https://learn.microsoft.com/graph/api/resources/application?view=graph-rest-beta) |
-| [servicePrincipals](../generated/microsoftgraph/microsoft.graph/beta/types.md#resource-microsoftgraphserviceprincipalsbeta) | [servicePrincipal resource](https://learn.microsoft.com/graph/api/resources/serviceprincipal?view=graph-rest-beta) |
-| [groups](../generated/microsoftgraph/microsoft.graph/beta/types.md#resource-microsoftgraphgroupsbeta) | [group resource](https://learn.microsoft.com/graph/api/resources/group?view=graph-rest-beta) |
-| [appRoleAssignedTo](../generated/microsoftgraph/microsoft.graph/beta/types.md#resource-microsoftgraphapproleassignedtobeta) | [appRoleAssignment resource](https://learn.microsoft.com/graph/api/resources/approleassignment?view=graph-rest-beta) |
-| [oauth2PermissionGrants](../generated/microsoftgraph/microsoft.graph/beta/types.md#resource-microsoftgraphoauth2permissiongrantsbeta) | [oauth2PermissionGrant resource](https://learn.microsoft.com/graph/api/resources/oauth2permissiongrant?view=graph-rest-beta) |
+| Bicep type (beta) definitions | Microsoft Graph API (beta) reference | Bicep type (v1.0) definitions | Microsoft Graph API (v1.0) reference |
+|--------------|-----------|--------------|-----------|
+| [applications](../generated/microsoftgraph/microsoft.graph/beta/types.md#resource-microsoftgraphapplicationsbeta) | [application resource](https://learn.microsoft.com/graph/api/resources/application?view=graph-rest-beta) | [applications](../generated/microsoftgraph/microsoft.graph/v1.0/types.md#resource-microsoftgraphapplicationsv10) | [application resource](https://learn.microsoft.com/graph/api/resources/application?view=graph-rest-1.0) |
+| [servicePrincipals](../generated/microsoftgraph/microsoft.graph/beta/types.md#resource-microsoftgraphserviceprincipalsbeta) | [servicePrincipal resource](https://learn.microsoft.com/graph/api/resources/serviceprincipal?view=graph-rest-beta) | [servicePrincipals](../generated/microsoftgraph/microsoft.graph/v1.0/types.md#resource-microsoftgraphserviceprincipalsv10) | [servicePrincipal resource](https://learn.microsoft.com/graph/api/resources/serviceprincipal?view=graph-rest-1.0) |
+| [groups](../generated/microsoftgraph/microsoft.graph/beta/types.md#resource-microsoftgraphgroupsbeta) | [group resource](https://learn.microsoft.com/graph/api/resources/group?view=graph-rest-beta) | [groups](../generated/microsoftgraph/microsoft.graph/v1.0/types.md#resource-microsoftgraphgroupsv10) | [group resource](https://learn.microsoft.com/graph/api/resources/group?view=graph-rest-1.0) |
+| [appRoleAssignedTo](../generated/microsoftgraph/microsoft.graph/beta/types.md#resource-microsoftgraphapproleassignedtobeta) | [appRoleAssignment resource](https://learn.microsoft.com/graph/api/resources/approleassignment?view=graph-rest-beta) | [appRoleAssignedTo](../generated/microsoftgraph/microsoft.graph/v1.0/types.md#resource-microsoftgraphapproleassignedtov10) | [appRoleAssignment resource](https://learn.microsoft.com/graph/api/resources/approleassignment?view=graph-rest-1.0) |
+| [oauth2PermissionGrants](../generated/microsoftgraph/microsoft.graph/beta/types.md#resource-microsoftgraphoauth2permissiongrantsbeta) | [oauth2PermissionGrant resource](https://learn.microsoft.com/graph/api/resources/oauth2permissiongrant?view=graph-rest-beta) | [oauth2PermissionGrants](../generated/microsoftgraph/microsoft.graph/v1.0/types.md#resource-microsoftgraphoauth2permissiongrantsv10) | [oauth2PermissionGrant resource](https://learn.microsoft.com/graph/api/resources/oauth2permissiongrant?view=graph-rest-1.0) |
+| [applications/federatedIdentityCredentials](../generated/microsoftgraph/microsoft.graph/beta/types.md#resource-microsoftgraphoauth2permissiongrantsbeta) | [federatedidentitycredential resource](https://learn.microsoft.com/graph/api/resources/federatedidentitycredential?view=graph-rest-beta) | Coming soon | Coming soon |
 
 ## Deploying Bicep templates
 
@@ -50,9 +51,10 @@ Make sure that you've updated Azure CLI and/or Azure PS to use the latest Bicep
 We've created some quick-start templates to get you started.  
 
 1. [Create an applications and service principals for a client and resource application](../quickstart-templates/application-serviceprincipal-create-client-resource/)
-2. [Create an application and service principal for a client app using a key vault certificate](../quickstart-templates/create-client-app-sp-with-kv-cert/)
-3. [Grant a client application access (via an app role) to a resource application](../quickstart-templates/resource-application-access-grant-to-client-application/)
-4. [Create a security group with owners and members](../quickstart-templates/security-group-create-with-owners-and-members/)
-5. [Assign an Azure role to a security group](../quickstart-templates/security-group-assign-azure-role/)
+1. [Create an application and service principal for a client app using a key vault certificate](../quickstart-templates/create-client-app-sp-with-kv-cert/)
+1. [Configure federated identity credential for GitHub Actions](../quickstart-templates/create-fic-for-github-actions/)
+1. [Grant a client application access (via an app role) to a resource application](../quickstart-templates/resource-application-access-grant-to-client-application/)
+1. [Create a security group with owners and members](../quickstart-templates/security-group-create-with-owners-and-members/)
+1. [Assign an Azure role to a security group](../quickstart-templates/security-group-assign-azure-role/)
 
 Feel free to contribute and share your own samples too, by creating some PRs for template examples!

docs/use-existing-resources.md

@@ -26,20 +26,20 @@ Let's use an example with an existing group, created through the Entra Portal, t
 ### PowerShell
 
 ```powershell
-Import-Module Microsoft.Graph.Beta.Groups
+Import-Module Microsoft.Graph.Groups
 
 $params = @{
     uniqueName = "TestGroup-2023-10-10"
 }
 $groupId = "056b6fdc-ab19-4e91-9180-fa1f14c8f4fa"
 
-Update-MgBetaGroup -GroupId $groupId -BodyParameter $params
+Update-MgGroup -GroupId $groupId -BodyParameter $params
 ```
 
 ### HTTP request
 
 ```http
-PATCH https://graph.microsoft.com/beta/groups/056b6fdc-ab19-4e91-9180-fa1f14c8f4fa
+PATCH https://graph.microsoft.com/v1.0/groups/056b6fdc-ab19-4e91-9180-fa1f14c8f4fa
 Content-type: application/json
 ```
 
@@ -59,7 +59,7 @@ provider microsoftGraph
 @description('Group to use')
 param groupName string = 'TestGroup-2023-10-10'
 
-resource group 'Microsoft.Graph/groups@beta' existing = {
+resource group 'Microsoft.Graph/groups@v1.0' existing = {
   name: groupName
 }
 

quickstart-templates/application-serviceprincipal-create-client-resource/main.bicep

@@ -7,7 +7,7 @@ param appRoleId string
 @description('Value of the key credential')
 param certKey string
 
-resource resourceApp 'Microsoft.Graph/applications@beta' = {
+resource resourceApp 'Microsoft.Graph/applications@v1.0' = {
   uniqueName: 'ExampleResourceApp'
   displayName: 'Example Resource Application'
   appRoles: [
@@ -22,11 +22,11 @@ resource resourceApp 'Microsoft.Graph/applications@beta' = {
   ]
 }
 
-resource resourceSp 'Microsoft.Graph/servicePrincipals@beta' = {
+resource resourceSp 'Microsoft.Graph/servicePrincipals@v1.0' = {
   appId: resourceApp.appId
 }
 
-resource clientApp 'Microsoft.Graph/applications@beta' = {
+resource clientApp 'Microsoft.Graph/applications@v1.0' = {
   uniqueName: 'ExampleClientApp'
   displayName: 'Example Client Application'
   keyCredentials: [
@@ -39,6 +39,6 @@ resource clientApp 'Microsoft.Graph/applications@beta' = {
   ]
 }
 
-resource clientSp 'Microsoft.Graph/servicePrincipals@beta' = {
+resource clientSp 'Microsoft.Graph/servicePrincipals@v1.0' = {
   appId: clientApp.appId
 }

quickstart-templates/create-client-app-sp-with-kv-cert/README.md

@@ -13,6 +13,6 @@ az deployment group create --resource-group <resource-group> --parameter main.bi
 
 To deploy the same template using Az Powershell, use:
 
-```sh
+```powershell
 New-AzResourceGroupDeployment -ResourceGroupName bicep-deployments -TemplateFile .\main.bicep -TemplateParameterFile .\main.bicepparam -Verbose
 ```

quickstart-templates/create-client-app-sp-with-kv-cert/main.bicep

@@ -163,7 +163,7 @@ resource createAddCertificate 'Microsoft.Resources/deploymentScripts@2020-10-01'
 }
 
 // Create a client application, setting its credential to the X509 cert public key.
-resource clientApp 'Microsoft.Graph/applications@beta' = {
+resource clientApp 'Microsoft.Graph/applications@v1.0' = {
   uniqueName: clientAppName
   displayName: 'Example Client Application'
   keyCredentials: [
@@ -179,7 +179,7 @@ resource clientApp 'Microsoft.Graph/applications@beta' = {
 }
 
 // Create a service principal for the client app
-resource clientSp 'Microsoft.Graph/servicePrincipals@beta' = {
+resource clientSp 'Microsoft.Graph/servicePrincipals@v1.0' = {
   appId: clientApp.appId
 }
 

quickstart-templates/create-fic-for-github-actions/README.md

@@ -0,0 +1,21 @@
+# Configure federated identity credential for GitHub Actions
+
+> **Note**: This template sample **only** configures the Microsoft Entra ID portion (to enable workload identity federation). Additional configuration steps are also required on the GitHub side, to ensure that the federation works end-to-end. See [Use GitHub Actions to connect to Azure](https://learn.microsoft.com/azure/developer/github/connect-from-azure?tabs=azure-cli%2Cwindows#use-the-azure-login-action-with-openid-connect), but skip the sections on "Create a Microsoft Entra application and service principal" and "Add federated credentials", as the following Bicep template replaces those sections.
+
+This template enables a GitHub Actions workflow to exchange a GitHub access token for a Microsoft Entra ID access token, so that the GitHub Actions workflow can access Azure resources. To enable this, the template creates an application (to represent the GitHub Action) and configures it with a federated identity credential. When the GitHub Actions workflow requests to exchange a GitHub access token for an access token, from the Microsoft identity platform, the values in the federated identity credential are checked against the provided GitHub token's `issuer` and `subject` claim values.
+
+* `subject` identifies the GitHub organization, repo, branch, and environment for your GitHub Actions workflow. Refer to [example subject claims](https://docs.github.com/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#example-subject-claims) which describes the `subject` value options for different scenarios.
+
+For limitations on federated identity credentials, please refer to [Federated identity credentials considerations and limitations](https://learn.microsoft.com/entra/workload-id/workload-identity-federation-considerations).
+
+You can deploy the template with the following Azure CLI command (replace `<resource-group>` with name of your resource group, and `<github-actions-fic-subject>` with the `subject` based on your scenario.):
+
+```sh
+az deployment group create --resource-group <resource-group> --template-file main.bicep --parameter githubActionsFicSubject='<github-actions-fic-subject>'
+```
+
+To deploy the same template using Az Powershell, use:
+
+```powershell
+New-AzResourceGroupDeployment -ResourceGroupName <resource-group> -TemplateFile .\main.bicep -githubActionsFicSubject '<github-actions-fic-subject>'
+```

quickstart-templates/create-fic-for-github-actions/bicepconfig.json

@@ -0,0 +1,6 @@
+{
+    "experimentalFeaturesEnabled": {
+        "extensibility": true,
+        "microsoftGraphPreview": true
+    }
+}

quickstart-templates/create-fic-for-github-actions/main.bicep

@@ -0,0 +1,40 @@
+provider microsoftGraph
+
+@description('Subject of the GitHub Actions workflow\'s federated identity credentials (FIC) that is checked before issuing an Entra ID access token to access Azure resources. GitHub Actions subject examples can be found in https://docs.github.com/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#example-subject-claims')
+param githubActionsFicSubject string
+
+@description('Role definition ID to be assigned')
+param roleDefinitionId string = 'b24988ac-6180-42a0-ab88-20f7382dd24c' // Contributor
+
+var githubOIDCProvider = 'https://token.actions.githubusercontent.com'
+var microsoftEntraAudience = 'api://AzureADTokenExchange'
+
+resource githubActionsApp 'Microsoft.Graph/applications@v1.0' = {
+  uniqueName: 'githubActionsApp'
+  displayName: 'Github Actions App'
+
+  resource githubFic 'federatedIdentityCredentials@beta' = {
+    name: '${githubActionsApp.uniqueName}/githubFic'
+    audiences: [microsoftEntraAudience]
+    description: 'FIC for Github Actions to access Entra protected resources'
+    issuer: githubOIDCProvider
+    subject: githubActionsFicSubject
+  }
+}
+
+resource githubActionsSp 'Microsoft.Graph/servicePrincipals@v1.0' = {
+  appId: githubActionsApp.appId
+}
+
+// The service principal needs to be assigned the necessary role to access the resources
+// In this example, it is assigned with the `Contributor` role to the resource group
+// which will allow GitHub actions to access Azure resources in the resource group via Az PS/CLI
+var roleAssignmentName = guid('githubActions', roleDefinitionId, resourceGroup().id)
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: roleAssignmentName
+  properties: {
+    principalId: githubActionsSp.id
+    principalType: 'ServicePrincipal'
+    roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)
+  }
+}

quickstart-templates/resource-application-access-grant-to-client-application/main.bicep

@@ -3,23 +3,23 @@ provider microsoftGraph
 @description('Id of the application role to add to the resource app')
 param appRoleId string
 
-resource resourceApp 'Microsoft.Graph/applications@beta' existing = {
+resource resourceApp 'Microsoft.Graph/applications@v1.0' existing = {
   uniqueName: 'ExampleResourceApp'
 }
 
-resource resourceSp 'Microsoft.Graph/servicePrincipals@beta' existing = {
+resource resourceSp 'Microsoft.Graph/servicePrincipals@v1.0' existing = {
   appId: resourceApp.appId
 }
 
-resource clientApp 'Microsoft.Graph/applications@beta' existing = {
+resource clientApp 'Microsoft.Graph/applications@v1.0' existing = {
   uniqueName: 'ExampleClientApp'
 }
 
-resource clientSp 'Microsoft.Graph/servicePrincipals@beta' existing = {
+resource clientSp 'Microsoft.Graph/servicePrincipals@v1.0' existing = {
   appId: clientApp.appId
 }
 
-resource appRoleAssignment 'Microsoft.Graph/appRoleAssignedTo@beta' = {
+resource appRoleAssignment 'Microsoft.Graph/appRoleAssignedTo@v1.0' = {
   principalId: clientSp.id
   resourceId: resourceSp.id
   appRoleId: appRoleId