How to provision a new Azure Function with bicep pipeline and service principle?

Question

How to provision a new Azure Function with bicep pipeline and service principle?

Khalid Hajjouji 50

I have a new Azure subscription. I dont have access to the portal (portal.azure.com). I have only a service principal. How can I create a new Azure Function with a bicep pipeline with a service principal? I already have a bicep, yaml and azure function files.

Sai Prabhu Naveen Parimi 2,590 Reputation points Microsoft External Staff Moderator

2025-04-14T05:48:10.8266667+00:00

@Khalid Hajjouji

Just checking if you have some time to review the below Deepanshu katara answer and see if it helped to resolve your issue.

2 answers

Your answer

Sai Prabhu Naveen Parimi 2,590 Reputation points Microsoft External Staff Moderator

2025-04-14T05:48:10.8266667+00:00

@Khalid Hajjouji

Just checking if you have some time to review the below Deepanshu katara answer and see if it helped to resolve your issue.

Answer 1

Deepanshu katara 16,940 MVP Moderator

Hello , Welcome to MS Q&A

To create a new Azure Function using a Bicep pipeline with a service principal, you can follow these steps using Azure CLI:

Log in with the Service Principal: Use the following command to log in to Azure using your service principal credentials:

   az login --service-principal --username <appId> --password <password> --tenant <tenantId>

Deploy the Bicep Template: Once logged in, you can deploy your Bicep template to create the Azure Function. Use the following command:

   az deployment group create --resource-group <resourceGroup> --template-file <bicepFile> --parameters <parameters>

Replace <resourceGroup>, <bicepFile>, and <parameters> with your specific resource group name, Bicep file path, and any parameters required for your deployment.

These steps will help you deploy your Azure Function using the Bicep template with the service principal you have

Please let me know if you have ques

Kindly accept if it helps

Thanks

Deepanshu

Khalid Hajjouji 50

Hi @Deepanshu katara , will it be something like this as inline script in the Yaml file? Or do I need to add the service principal logic to the bicep file?

trigger:
  - none

pool:
  vmImage: 'ubuntu-latest'

variables:
  environment: 'dev'
  location: 'East US'
  functionAppName: 'myfunctionappCreatedFromBicepPipeLine-$(environment)'
  storageAccountName: 'storageaccountpipeline3'
  resourceGroupName: 'newResourceGroupManuelCreated2'
  appServicePlanName: 'myappserviceplan$(environment)'

stages:
- stage: Deploy_Infrastructure
  displayName: 'Deploy Azure Function Infrastructure'
  jobs:
  - job: DeployBicep
    steps:
    - task: AzureCLI@2
      inputs:
        azureSubscription: 'AZ TST'
        scriptType: 'bash'
        scriptLocation: 'inlineScript'
        inlineScript: |
		  az login --service-principal --username <appId> --password <password> --tenant <tenantId>
myServicePrincipalPassword
 --tenant myTenantGuid
          az storage account create \
            --name $(storageAccountName) \
            --resource-group $(resourceGroupName) \
            --location eastus \
            --sku Standard_RAGRS \
            --kind StorageV2 \
            --min-tls-version TLS1_2 \
            --allow-blob-public-access false
          az deployment group create \
            --resource-group $(resourceGroupName) \
            --template-file functionapp.bicep \
            --parameters functionAppName=$(functionAppName) storageAccountName=$(storageAccountName) appServicePlanName=$(appServicePlanName) environment=$(environment)

- stage: Deploy_FunctionCode
  displayName: 'Deploy Function Code'
  dependsOn: Deploy_Infrastructure
  jobs:
  - job: DeployCode
    steps:
    - task: AzureFunctionApp@1
      inputs:
        azureSubscription: 'AZ TST'
        appType: 'functionApp'
        appName: '$(functionAppName)'
        package: '$(System.DefaultWorkingDirectory)'

param location string = 'East US'
param functionAppName string
param storageAccountName string
param appServicePlanName string
param environment string

resource storageAccount 'Microsoft.Storage/storageAccounts@2021-06-01' = {
  name: storageAccountName
  location: location
  sku: {
    name: 'Standard_LRS'
  }
  kind: 'StorageV2'
}

resource appServicePlan 'Microsoft.Web/serverfarms@2021-02-01' = {
  name: appServicePlanName
  location: location
  sku: {
    name: 'Y1' // Consumption Plan
  }
  kind: 'functionapp'
}

resource functionApp 'Microsoft.Web/sites@2021-02-01' = {
  name: functionAppName
  location: location
  kind: 'functionapp'
  properties: {
    serverFarmId: appServicePlan.id
    siteConfig: {
      appSettings: [
        { name: 'AzureWebJobsStorage', value: storageAccount.properties.primaryEndpoints.blob }
        { name: 'FUNCTIONS_WORKER_RUNTIME', value: 'powershell' }
        { name: 'APP_ENVIRONMENT', value: environment }
      ]
    }
  }
}

output functionAppName string = functionApp.name

Khalid Hajjouji 50 Reputation points

2025-04-24T11:38:08.3133333+00:00

Hi @Deepanshu katara , could you please answer my last question?
Sai Prabhu Naveen Parimi 2,590 Reputation points Microsoft External Staff Moderator

2025-04-28T08:00:55.99+00:00

@Deepanshukatara-6769

Just checking if you can review the Khalid Hajjouji follow-up question.
Madugula Jahnavi 495 Reputation points Microsoft External Staff Moderator

2025-04-29T12:56:36.7933333+00:00

Khalid Hajjouji, We haven't heard any response from you. Could you confirm that the above solution worked in your environment?
Madugula Jahnavi 495 Reputation points Microsoft External Staff Moderator

2025-05-05T10:17:30.15+00:00

I have worked with the same template and successfully deployed in my environment with the service principal contributor role. Make sure that you have a "contributor" permission to the specific service principal which you are using to login and trying to deploy the bicep configuration via pipeline.

Answer 2

@Khalid Hajjouji

You don't need to manually include the az login command if you are using AzureCli task, as this task does az login in the background already, using the details of the ARM Service Connection, determined by the value of the azureSubscription you have passed. The details of the service connections includes the service principal configured when setting it up.

Meaning you can remove the entire az login line as it is unnecessary having already authenticated using service connection (ultimately using the underlying service principal) and start with your deployment command to get your bicep template deployment running.

You don't need to have the az storage account create if you have already included this in the bicep template. This would attempt to deploy the storage account twice.

You can update your azure-pipeline YAML, to remove the reductant entries:

trigger:
  - none

pool:
  vmImage: 'ubuntu-latest'

variables:
  environment: 'dev'
  location: 'East US'
  functionAppName: 'myfunctionappCreatedFromBicepPipeLine-$(environment)'
  storageAccountName: 'storageaccountpipeline3'
  resourceGroupName: 'newResourceGroupManuelCreated2'
  appServicePlanName: 'myappserviceplan$(environment)'

stages:
- stage: Deploy_Infrastructure
  displayName: 'Deploy Azure Function Infrastructure'
  jobs:
  - job: DeployBicep
    steps:
    - task: AzureCLI@2
      inputs:
        azureSubscription: 'AZ TST'
        scriptType: 'bash'
        scriptLocation: 'inlineScript'
        inlineScript: |

          az deployment group create \
            --resource-group $(resourceGroupName) \
            --template-file functionapp.bicep \
            --parameters functionAppName=$(functionAppName) storageAccountName=$(storageAccountName) appServicePlanName=$(appServicePlanName) environment=$(environment)

- stage: Deploy_FunctionCode
  displayName: 'Deploy Function Code'
  dependsOn: Deploy_Infrastructure
  jobs:
  - job: DeployCode
    steps:
    - task: AzureFunctionApp@1
      inputs:
        azureSubscription: 'AZ TST'
        appType: 'functionApp'
        appName: '$(functionAppName)'
        package: '$(System.DefaultWorkingDirectory)'

As others have mentioned, make sure the service principal has the required permission to manage Azure deployment. At least a contributor role at the resource group level.

Please review the document to setup an ARM Azure DevOps Service Connection for deployment within Azure. Also review the documentation on AzureCli task for more information.

Let me know if you have any question.

Regards, Iheanacho Chukwu

Share via

How to provision a new Azure Function with bicep pipeline and service principle?

2 answers

Your answer