How to provision a new Azure Function with a Bicep pipeline and service principal?

Khalid Hajjouji 50 Reputation points
2025-04-09T07:42:38.38+00:00

I have a new Azure subscription. I don't have access to the portal (portal.azure.com). I have only a service principal. How can I create a new Azure Function with a Bicep pipeline with a service principal? I already have Bicep, YAML and Azure Function files.

Azure Functions
An Azure service that provides an event-driven serverless compute platform.

2 answers

  1. Deepanshu katara 16,940 Reputation points MVP Moderator
    2025-04-09T08:06:39.9433333+00:00

    Hello, welcome to MS Q&A

    To create a new Azure Function using a Bicep pipeline with a service principal, you can follow these steps using Azure CLI:

    1. Log in with the Service Principal: Use the following command to log in to Azure using your service principal credentials:

           az login --service-principal --username <appId> --password <password> --tenant <tenantId>

    2. Deploy the Bicep Template: Once logged in, you can deploy your Bicep template to create the Azure Function. Use the following command:

           az deployment group create --resource-group <resourceGroup> --template-file <bicepFile> --parameters <parameters>

    Replace <resourceGroup>, <bicepFile>, and <parameters> with your specific resource group name, Bicep file path, and any parameters required for your deployment.

    These steps will help you deploy your Azure Function using the Bicep template with the service principal you have.

    Please let me know if you have ques

    Kindly accept if it helps

    Thanks

    Deepanshu

    1 person found this answer helpful.

  2. Iheanacho Chukwu 1,025 Reputation points MVP
    2025-05-06T17:02:13.7633333+00:00

    @Khalid Hajjouji

    You don't need to manually include the az login command if you are using the AzureCLI task, as this task does az login in the background already, using the details of the ARM Service Connection, determined by the value of the azureSubscription you have passed. The details of the service connection include the service principal configured when setting it up.

    Meaning you can remove the entire az login line as it is unnecessary having already authenticated using service connection (ultimately using the underlying service principal) and start with your deployment command to get your bicep template deployment running.

    You don't need to have the az storage account create if you have already included this in the bicep template. This would attempt to deploy the storage account twice.

    You can update your azure-pipeline YAML to remove the redundant entries:

    # Disable CI triggers (the list form "- none" would name a branch called "none").
    trigger: none
    
    pool:
      vmImage: 'ubuntu-latest'
    
    variables:
      environment: 'dev'
      location: 'East US'
      functionAppName: 'myfunctionappCreatedFromBicepPipeLine-$(environment)'
      storageAccountName: 'storageaccountpipeline3'
      resourceGroupName: 'newResourceGroupManuelCreated2'
      appServicePlanName: 'myappserviceplan$(environment)'
    
    stages:
    - stage: Deploy_Infrastructure
      displayName: 'Deploy Azure Function Infrastructure'
      jobs:
      - job: DeployBicep
        steps:
        - task: AzureCLI@2
          inputs:
            azureSubscription: 'AZ TST'
            scriptType: 'bash'
            scriptLocation: 'inlineScript'
            inlineScript: |
    
              az deployment group create \
                --resource-group $(resourceGroupName) \
                --template-file functionapp.bicep \
                --parameters functionAppName=$(functionAppName) storageAccountName=$(storageAccountName) appServicePlanName=$(appServicePlanName) environment=$(environment)
    
    - stage: Deploy_FunctionCode
      displayName: 'Deploy Function Code'
      dependsOn: Deploy_Infrastructure
      jobs:
      - job: DeployCode
        steps:
        - task: AzureFunctionApp@1
          inputs:
            azureSubscription: 'AZ TST'
            appType: 'functionApp'
            appName: '$(functionAppName)'
            package: '$(System.DefaultWorkingDirectory)'
    
    

    As others have mentioned, make sure the service principal has the required permission to manage Azure deployment. At least a contributor role at the resource group level.

    Please review the document to set up an ARM Azure DevOps Service Connection for deployment within Azure. Also review the documentation on the AzureCLI task for more information.

    Let me know if you have any questions.

    Regards, Iheanacho Chukwu
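
A pre-flight check for the permission requirement mentioned in the answers above, as an added example that is not part of the original thread: it reads JSON shaped like the output of `az role assignment list --assignee <appId> --all` and reports whether the service principal holds Contributor (or Owner) at or above the target resource group, and whether that grant is broader than the deployment needs. The function names, the sample data and the all-zero subscription ID are assumptions made for illustration.

```python
import json

# Roles that can create resources in a deployment. The thread asks for at least
# Contributor; treating Owner as sufficient is an assumption of this example.
DEPLOY_ROLES = {"contributor", "owner"}

def rg_scope(subscription_id, resource_group):
    # Azure scope strings are case-insensitive, so compare in lower case.
    return f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}".lower()

def covers(assignment_scope, target_scope):
    """True if a role assigned at assignment_scope is inherited at target_scope.
    Management-group scopes are not resolved here (that needs the hierarchy)."""
    a = assignment_scope.rstrip("/").lower()
    return a == "" or target_scope == a or target_scope.startswith(a + "/")

def preflight(assignments, subscription_id, resource_group):
    """Return (can_deploy, warnings) for one service principal's role assignments."""
    target = rg_scope(subscription_id, resource_group)
    can_deploy, warnings = False, []
    for ra in assignments:
        role, scope = ra["roleDefinitionName"], ra["scope"]
        if role.lower() not in DEPLOY_ROLES or not covers(scope, target):
            continue
        can_deploy = True
        if scope.rstrip("/").lower() != target:
            warnings.append(f"{role} at {scope} is broader than the resource group")
        if role.lower() == "owner":
            warnings.append(f"{role} at {scope} also allows changing access")
    return can_deploy, warnings

# Constructed sample data: placeholder subscription ID, resource group name
# taken from the pipeline variables in the answer above.
SUB = "00000000-0000-0000-0000-000000000000"
SAMPLE = json.loads("""[
  {"roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/newResourceGroupManuelCreated2"},
  {"roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/other-rg"}
]""")

if __name__ == "__main__":
    ok, notes = preflight(SAMPLE, SUB, "newResourceGroupManuelCreated2")
    print("can deploy:", ok)
    for note in notes:
        print("review:", note)
```

An empty warning list with `can_deploy` true means the grant is scoped to exactly the resource group the pipeline deploys into.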

