Merge pull request #190 from microsoftgraph/dkershaw10-sample-updates

Updated two quick starts and moved existing two to an archive folder

Author: dkershaw10

docs/media/client-apps-read-from-blob-storage-via-sg.jpg

@@ -0,0 +1,23 @@
+# Configure federated identity credential for GitHub Actions
+
+> **Note1**: Minimum Bicep version required to deploy this quickstart template is [v0.30.3](https://github.com/Azure/bicep/releases/tag/v0.30.3).
+
+> **Note2**: This template sample **only** configures the Microsoft Entra ID portion (to enable workload identity federation). Additional configuration steps are also required on the GitHub side, to ensure that the federation works end-to-end. See [Use GitHub Actions to connect to Azure](https://learn.microsoft.com/azure/developer/github/connect-from-azure?tabs=azure-cli%2Cwindows#use-the-azure-login-action-with-openid-connect), but skip the sections on "Create a Microsoft Entra application and service principal" and "Add federated credentials", as the following Bicep template replaces those sections.
+
+This template enables a GitHub Actions workflow to exchange a GitHub access token for a Microsoft Entra ID access token, so that the GitHub Actions workflow can access Azure resources. To enable this, the template creates an application (to represent the GitHub Action) and configures it with a federated identity credential. When the GitHub Actions workflow requests to exchange a GitHub access token for an access token, from the Microsoft identity platform, the values in the federated identity credential are checked against the provided GitHub token's `issuer` and `subject` claim values.
+
+* `subject` identifies the GitHub organization, repo, branch, and environment for your GitHub Actions workflow. Refer to [example subject claims](https://docs.github.com/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#example-subject-claims) which describes the `subject` value options for different scenarios.
+
+For limitations on federated identity credentials, please refer to [Federated identity credentials considerations and limitations](https://learn.microsoft.com/entra/workload-id/workload-identity-federation-considerations).
+
+You can deploy the template with the following Azure CLI command (replace `<resource-group>` with name of your resource group, and `<github-actions-fic-subject>` with the `subject` based on your scenario.):
+
+```sh
+az deployment group create --resource-group <resource-group> --template-file main.bicep --parameter githubActionsFicSubject='<github-actions-fic-subject>'
+```
+
+To deploy the same template using Az Powershell, use:
+
+```powershell
+New-AzResourceGroupDeployment -ResourceGroupName <resource-group> -TemplateFile .\main.bicep -githubActionsFicSubject '<github-actions-fic-subject>'
+```

docs/media/github-action-deploys-web-app-to-azure-app-services.jpg

@@ -0,0 +1,9 @@
+{
+    "experimentalFeaturesEnabled": {
+        "extensibility": true
+    },
+    // specify an alias for the version of the v1.0 dynamic types package you want to use
+    "extensions": {
+      "microsoftGraphV1": "br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:0.1.8-preview"
+    }
+}

quickstart-templates-archive/create-fic-for-github-actions/README.md

@@ -0,0 +1,40 @@
+extension microsoftGraphV1
+
+@description('Subject of the GitHub Actions workflow\'s federated identity credentials (FIC) that is checked before issuing an Entra ID access token to access Azure resources. GitHub Actions subject examples can be found in https://docs.github.com/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#example-subject-claims')
+param githubActionsFicSubject string
+
+@description('Role definition ID to be assigned')
+param roleDefinitionId string = 'b24988ac-6180-42a0-ab88-20f7382dd24c' // Contributor
+
+var githubOIDCProvider = 'https://token.actions.githubusercontent.com'
+var microsoftEntraAudience = 'api://AzureADTokenExchange'
+
+resource githubActionsApp 'Microsoft.Graph/[email protected]' = {
+  uniqueName: 'githubActionsApp'
+  displayName: 'Github Actions App'
+
+  resource githubFic 'federatedIdentityCredentials' = {
+    name: '${githubActionsApp.uniqueName}/githubFic'
+    audiences: [microsoftEntraAudience]
+    description: 'FIC for Github Actions to access Entra protected resources'
+    issuer: githubOIDCProvider
+    subject: githubActionsFicSubject
+  }
+}
+
+resource githubActionsSp 'Microsoft.Graph/[email protected]' = {
+  appId: githubActionsApp.appId
+}
+
+// The service principal needs to be assigned the necessary role to access the resources
+// In this example, it is assigned with the `Contributor` role to the resource group
+// which will allow GitHub actions to access Azure resources in the resource group via Az PS/CLI
+var roleAssignmentName = guid('githubActions', roleDefinitionId, resourceGroup().id)
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: roleAssignmentName
+  properties: {
+    principalId: githubActionsSp.id
+    principalType: 'ServicePrincipal'
+    roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)
+  }
+}

quickstart-templates-archive/create-fic-for-github-actions/bicepconfig.json

@@ -0,0 +1,15 @@
+# Assign an Azure role to a security group
+
+> **Note1**: Minimum Bicep version required to deploy this quickstart template is [v0.30.3](https://github.com/Azure/bicep/releases/tag/v0.30.3).
+
+> **Note2**: This template depends on a successful deployment of [security-group-create-with-owners-and-members](../security-group-create-with-owners-and-members)
+
+This template allows you to assign an Azure Reader role to an existing security group.
+
+* The Reader role definition ID is set as parameter in the template. You can find other Azure built-in roles [here](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles)
+
+You can deploy the template with the following Azure CLI command (replace `<resource-group>` with the name of your resource group):
+
+```sh
+az deployment group create --resource-group <resource-group> --template-file main.bicep
+```

quickstart-templates-archive/create-fic-for-github-actions/main.bicep

@@ -0,0 +1,9 @@
+{
+    "experimentalFeaturesEnabled": {
+        "extensibility": true
+    },
+    // specify an alias for the version of the v1.0 dynamic types package you want to use
+    "extensions": {
+      "microsoftGraphV1": "br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:0.1.8-preview"
+    }
+}

quickstart-templates-archive/security-group-assign-azure-role/README.md

@@ -0,0 +1,17 @@
+extension microsoftGraphV1
+
+@description('Specifies the Reader role definition ID used in the role assignment.')
+param readerRoleDefinitionID string = 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
+
+resource group 'Microsoft.Graph/[email protected]' existing = {
+  uniqueName: 'ExampleGroup'
+}
+
+var roleAssignmentName = guid('ExampleGroup', readerRoleDefinitionID, resourceGroup().id)
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: roleAssignmentName
+  properties: {
+    principalId: group.id
+    roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', readerRoleDefinitionID)
+  }
+}

quickstart-templates-archive/security-group-assign-azure-role/bicepconfig.json

@@ -4,6 +4,6 @@
     },
     // specify an alias for the version of the v1.0 dynamic types package you want to use
     "extensions": {
-      "microsoftGraphV1_0": "br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:0.1.8-preview"
+      "microsoftGraphV1": "br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:0.1.8-preview"
     }
 }

quickstart-templates-archive/security-group-assign-azure-role/main.bicep

@@ -1,4 +1,4 @@
-extension microsoftGraphV1_0
+extension microsoftGraphV1
 
 @description('Id of the application role to add to the resource app')
 param appRoleId string