While Bicep files themselves do not directly execute PowerShell, you can leverage this PowerShell module in your deployment process to generate secure passwords and pass them as parameters to your Bicep templates. Here’s how you can achieve this:

1. Import the PowerShell module

Ensure that you download the MSc365.Idp.Toolbox module and it is imported into your PowerShell session:

# Import the latest version from a specified path
$name = 'MSc365.Idp.Toolbox'
$params = @{
    Name            = ('.\src\{0}' -f $name)
    Force           = $true
}
Import-Module @params -ErrorAction Stop

# Verify the module is loaded
Get-Module -Name 'MSc365.Idp.Toolbox'

2. Prepare a Bicep file with a Secure parameter

Create (or update) a Bicep file to accept a secure password parameter.

This example demonstrates secure parameter handling in Bicep. For simplicity this template outputs the adminPassword, which should never be done in production environments.

// ---------- //
// PARAMETERS //
// ---------- //

@description('Required. This value should be passed.')
@secure()
param adminPassword string

// ------- //
// OUTPUTS //
// ------- //

#disable-next-line outputs-should-not-contain-secrets // Only for test purpose
output adminPassword string = adminPassword

3. Generate a Secure Password and Deploy the Bicep File

Create a PowerShell deployment script named Deploy-WithSecurePassword.ps1 that uses the MSc365.Idp.Toolbox module to generate a secure password and then deploys the Bicep template.

# Generate a default password as secure string
$secureString = New-PasswordAsSecureString

# Define deployment parameters
$params = @{
    Name          = 'dep-vmwinsecpwd-tst-123456'
    Location      = 'westeurope'
    TemplateFile  = 'main.bicep'
    adminPassword = $secureString
}

# Deploy the Bicep file with Azure PowerShell
$deployment = New-AzDeployment @params -Verbose

# Optional. Check your deployment output
$deployment.outputs.adminPassword

4. Execute the PowerShell Deployment Script

Run the PowerShell script to deploy your Bicep file while leveraging the secure password generation from the MSc365.Idp.Toolbox module.

.\Deploy-WithSecurePassword.ps1

Conclusion

This approach combines the declarative power of Bicep with the secure password generation capabilities of the MSc365.Idp.Toolbox PowerShell module, ensuring your Azure deployments follow security best practices with integrated secret management from the start.

This week I started to join a 5-week live course to sharpen my skills in platform engineering. It’s provided by Platform Engineering University and focuses on building Internal Developer Platforms (IDPs) using proven frameworks and tools. This isn’t a passive video course. It’s hands-on, with live sessions, homework, and real-world tasks. The goal is to learn how to design and build platforms that developers actually want to use.

Figure 1: Internal Developer Platform (IDP) example

This course covers

• Intro to platform engineering
• How to build an Internal Developer Platform
• Platform tooling 101
• The art of building golden paths
• Designing golden paths for developers
• Finding the right abstraction(s)
• Infrastructure platform engineering
• How to build your Minimum Viable Platform (MVP)
• How to sell your MVP to key stakeholders

There’s also a certification at the end, which helps show you understand the full scope of platform engineering, not just bits and pieces.

I am looking forward to applying what I learn to my work and future contracts. This course should help me design systems that scale and stay engineer and developer-friendly.

Figure 1: Mobile UX

Meeting customer requirements

The primary requirements for this project were clear:

• No extra license costs
• Data interaction without extra costs
• Low-code app logic
• Multi-device usability
• No IT department involvement

Introducing the Campaign Forecasts App

The result was the Campaign Forecasts App v1.0.0, a Power App designed specifically to meet these requirements while providing an intuitive user experience.

Key features

• Cost-efficiency
  By leveraging existing Microsoft E5 licenses, we ensured that there were no additional costs involved in using this app.

• Seamless data interaction
  We utilized standard connectors available within Microsoft Power Platform to interact with SharePoint data storage efficiently without needing premium connectors.

• User-friendly low-code logic
  One of our main goals was to empower business users to take over maintenance and further development effortlessly.

  • Simple drag-and-drop interfaces
  • Easy-to-understand logic
  • Governance and coding guidelines
     

• Responsive design
  Understanding that modern professionals need to access tools on the go, we ensured the app is fully responsive and works seamlessly across different display sizes, including mobile phones.

• Independence from IT Department
  The app was designed with simplicity in mind, allowing business users to manage and maintain it without needing IT department involvement. This was achieved through:

  • Comprehensive user guides and documentation
  • Hands-on training to adopt the app
  • Intuitive interface design
  • Built-in support features

User experience highlights

The Campaign Forecasts App offers a clean and intuitive interface. Users can easily navigate through various sections such as campaign lists, detailed campaign information, and editing interfaces. The app’s design ensures that all essential functions are accessible with minimal clicks, enhancing productivity and user satisfaction.

Conclusion

Delivering the Campaign Forecasts App was a rewarding experience. By focusing on cost-efficiency, seamless data interaction, user-friendly low-code logic, responsive design, and independence from IT department involvement, we created a solution that not only meets but exceeds customer expectations. This project is a testament to the power of Microsoft Power Apps in transforming business processes and empowering users.

Top Skills

• Low-code formulas
• Solution architecture
• Application Lifecycle Management
• Knowledge sharing

Top Keywords

• Power Fx
• Power Apps
• Power Automate
• Power Platform

Resources

• Power Apps Environment
• Power Automate Environment
• Canvas apps documentation
• Get your developer environment (preview)
• Power Fx formula reference
• Code readability

Introduction

In the world of Azure infrastructure as code, Bicep has emerged as a powerful language for defining and deploying resources. One of the key advantages of Bicep is its ability to create reusable modules, which can significantly streamline your deployment processes. In this article, we will explore user-defined functions that you can incorporate into your custom Bicep modules to enhance their functionality and maintainability.

User-defined functions in Bicep allow you to encapsulate logic that can be reused across multiple modules. This not only reduces redundancy but also ensures consistency in your deployments. Here we explore some custom functions that you might find useful:

Resource Abbreviation functions

The custom resource abbreviation functions in this article are designed to map abbreviations (e.g.: rg, vm, vmss) to resource and resource provider namespaces. This is particularly useful for maintaining clarity and consistency in your resource naming conventions.

Examples

Let’s take a look at an example of user-defined functions that you could include in your Bicep modules:

The user-defined function itself. (For clarity, only the getManagementAndGovernanceAbbr function is shown.)

// Management and Governance
@export()
@description('Returns the abbreviation recommendation for Azure management and 
              governance resources.')
@metadata({
  example: 'getManagementAndGovernanceAbbr("Resources/resourceGroups")'
  input: 'The provider name space without the `Microsoft` part due to template size 
          limitations e.g.: Resources/resourceGroups'
})
func getManagementAndGovernanceAbbr(providerNameSpace string) string =>
  {
    'AlertsManagement/actionRules': 'apr'
    'Automation/automationAccounts': 'aa'
    'Authorization/policyDefinitions': '<descriptive>'
    'Blueprint/blueprints': 'bp'
    'Blueprint/blueprints/artifacts': 'bpa'
    'Insights/actionGroups': 'ag'
    'Insights/components': 'appi'
    'Insights/dataCollectionEndpoints': 'dce'
    'Insights/dataCollectionRules': 'dcr'
    'Management/managementGroups': 'mg'
    'OperationalInsights/querypacks': 'pack'
    'OperationalInsights/workspaces': 'log'
    'Purview/accounts': 'pview'
    'Resources/resourceGroups': 'rg'
    'Resources/resourceGroups/subscriptions': 'sub'
    'Resources/templateSpecs': 'ts'
  }[providerNameSpace]

Usage example in a .bicep file.

metadata name = 'Import all user-defined functions'
metadata description = '''
This example imports all available user-defined functions of the given module.
Note: In your module you would import only the functions you need.
'''
metadata owner = 'platform-engineers'

// -------------- //
// TEST EXECUTION //
// -------------- //

import {
  getAIAndMachineLearningAbbr
  getAnalyticsAndIoTAbbr
  getComputeAndWebAbbr
  getContainerAbbr
  getDatabaseAbbr
  getDeveloperToolsAbbr
  getDevOpsAbbr
  getIntegrationAbbr
  getManagementAndGovernanceAbbr
  getMigrationAbbr
  getNetworkAbbr
  getSecurityAbbr
  getStorageAbbr
  getVirtualDesktopInfraAbbr
} from '../../../main.bicep'

// Common parameters
param ResourceName string = '${ResourceGroupsAbbr}-example-dev-weu'
output ResourceNameOutput string = ResourceName

// Management and governance
param ResourceGroupsAbbr string = getManagementAndGovernanceAbbr('Resources/resourceGroups')
output ResourceGroupsAbbrOutput string = ResourceGroupsAbbr

Usage example in a .bicepparam file.

metadata description = '''
This example imports only the functions you need.
Note: In your module you would import only the functions you need.
'''

using none

import {
  getManagementAndGovernanceAbbr
} from '../../../main.bicep'

param ResourceName string = '${ResourceGroupsAbbr}-example-dev-weu'

// Management and governance
param ResourceGroupsAbbr = getManagementAndGovernanceAbbr('Resources/resourceGroups')

Usage example in a .JSON parameter file.

{
  "$schema": "https://schema.management.azure.com/schemas/
              2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "ResourceName": {
      "value": "rg-example-dev-weu"
    },
    "ResourceGroupsAbbr": {
      "value": "rg"
    }
  }
}

Conclusion

By incorporating user-defined functions into your custom Bicep modules, you can enhance the readability, maintainability, and consistency of your Azure deployments. Whether you’re mapping resource abbreviations or defining reusable logic, these functions will help you achieve a more streamlined and efficient infrastructure as code experience.

Resources

• Azure Abbreviations
• Parameter in Bicep
• Imports in Bicep

Note: Use Connect-AzAccount to login to Azure before running this script.

To validate if Diagnostic Settings was correctly enabled for any specific management group, the following snippet (REST API GET call) can be used.

<#
.SYNOPSIS
    Get the diagnostic settings for a management group.

.DESCRIPTION
    Gets the active management group diagnostic settings for the specified resource.

.PARAMETER ManagementGroupId
    Mandatory. The management group id.

.PARAMETER DiagnosticSettingName
    Mandatory. The diagnostic setting name.

.NOTES
    Use Connect-AzAccount to login to Azure before running this script.

.EXAMPLE
    .\Get-ManagementGroupDiagnosticSettings.ps1 `
        -ManagementGroupId 'mg-msc-intermediate-sbx' `
        -DiagnosticSettingName 'tolaws'
#>
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)]
    [string] $ManagementGroupId,

    [Parameter(Mandatory = $true)]
    [string] $DiagnosticSettingName
)

begin {
    Write-Debug ('{0} entered' -f $MyInvocation.MyCommand)

    $token = (Get-AzAccessToken).Token
    $accessToken = 'Bearer {0}' -f $token
}

process {
    try {

        $uriFormat = 'https://management.azure.com/providers/microsoft.management/' +
            'managementGroups/{0}/providers/microsoft.insights/' +
            'diagnosticSettings/{1}?api-version=2020-01-01-preview'

        $uri = ($uriFormat -f
            [uri]::EscapeDataString($ManagementGroupId),
            [uri]::EscapeDataString($DiagnosticSettingName))

        $methodInput = @{
            Method  = 'GET'
            Uri     = $uri
            Headers = @{
                'Accept'        = 'application/json'
                'Authorization' = $accessToken
            }
        }

        $response = Invoke-RestMethod @methodInput
        return $response

    } catch {
        if ($_.Exception.Response.StatusCode -eq 'NotFound') {
            Write-Error ($_.Exception.Message)
            return
        } else {
            throw $_
        }
    }
}

end {
    Write-Debug ('{0} exited' -f $MyInvocation.MyCommand)
}

Resources

• Get-AzAccessToken
• Invoke-RestMethod
• Management Group Diagnostic Settings - GET

Deliverables

• Support and Maintenance
  Ensuring the smooth operation and reliability of an existing business solution.

• Minor Application Enhancements and System Integrations
  Implementing small but impactful improvements and seamless integrations to enhance overall functionality.

• Redesign for Performance and UX
  Revamping current application to boost performance and provide an improved user experience.

• Modern Controls and Themes in Canvas Apps
  Introducing contemporary controls and themes to elevate the look and feel of the canvas app.

• Redesigned Power App and Power Automate Solution
  Overhauling existing solutions to leverage the full potential of Power Apps and Power Automate.

I am excited to embark on this journey and look forward to delivering exceptional results!

Redesign improved UX

Figure 1: Conceptual redesign for an improved user experience

Top Skills

• Power Apps
• Power Automate
• Power FX (Low-code)
• Custom Connectors
• Component Library
• Software Architecture

Top Keywords

• SQL (Azure SQL Database)
• Entra ID App Registration
• ALM (Application Lifecycle Management)

Looking forward to collaborating with the Microsoft Azure team for the next year to create meaningful Azure Multi-tenant SaaS solutions and secure deployments with accelerators for; Azure ISV Landing Zones and SaaS workloads like; Certificate Authority, Security Operations Center and Microsoft 365 Automation (DSC). I will also support the team to transform into an infrastructure as code organization using Bicep, PowerShell, and Azure DevOps CI/CD Pipelines.

Deliverables

• Infrastructure as Code for a Multi-tenant Azure platform and Landing Zone SaaS solutions
  Implementing Infrastructure as Code (IaC) to efficiently manage and provision a scalable, secure, and compliant multi-tenant Azure environment. This includes setting up Landing Zones tailored for SaaS solutions to ensure optimal performance and governance.

• Deployment acceleration using Bicep IaC, CI/CD Pipelines, and PowerShell
  Utilizing Bicep for IaC, along with Continuous Integration/Continuous Deployment (CI/CD) pipelines and PowerShell scripting, to streamline and expedite the deployment process. This approach reduces manual intervention, minimizes errors, and accelerates time-to-market.

• Team training and ongoing support to ensure success with DevOps practices
  Providing comprehensive training sessions and continuous support to teams, enabling them to adopt and excel in DevOps practices. This ensures that the team is well-equipped to handle the complexities of modern development and operations workflows.

• Self-serviced Azure DevOps automation for setting up new SaaS projects
  Developing automated, self-service solutions within Azure DevOps to facilitate the quick and efficient setup of new SaaS projects. This empowers teams to initiate projects independently, reducing dependency on centralized IT resources and speeding up project initiation.

Azure Landing zone architecture

Figure 1: Azure landing zone conceptual architecture

Top Skills

• Azure DevOps
• Azure Development
• IaC (Infrastructure as code)
• Application Lifecycle Management

Top Keywords

• ALZ (Azure Landing Zones)
• AVM (Azure Verified Modules)
• CAF (Microsoft Cloud Adoption Framework)
• WAF (Microsoft Azure Well-Architected Framework)

Deliverables

• Simplified Syntax
  Deliver a more concise and readable syntax with Bicep, replacing the often verbose and complex scripts in PowerShell.

• Modularity
  Provide modular templates through Bicep, making it easier to manage and reuse code across different projects.

• Better Integration
  Ensure better integration and support for Azure Resource Manager (ARM) templates by using Bicep, which is designed specifically for Azure.

• Error Handling
  Implement improved error handling and validation with Bicep, reducing the chances of deployment failures.

• Tooling Support
  Enhance the development experience with robust tooling support, including Visual Studio Code extensions that offer features like IntelliSense and syntax highlighting.

• Declarative Approach
  Adopt a declarative approach with Bicep, making it easier to understand and manage the desired state of the infrastructure without needing to write imperative scripts.

Team Adoption

• Training Sessions
  Conduct training sessions to familiarize engineers with Bicep syntax and best practices.

• Documentation
  Provide comprehensive documentation and examples to help engineers understand how to use Bicep effectively.

• Pilot Projects
  Start with pilot projects to allow engineers to gain hands-on experience with Bicep in a controlled environment.

• Mentorship
  Establish a mentorship program where experienced Bicep users can support and guide new adopters.

• Feedback Loop
  Create a feedback loop to gather input from engineers and continuously improve the adoption process.

• Incentives
  Offer incentives or recognition for engineers who successfully adopt and utilize Bicep in their projects.

Top Skills

• Azure CLI
• Azure DevOps
• PowerShell (Modules)
• IaC (Infrastructure as code)
• Application Lifecycle Management
• Knowledge sharing

Top Keywords

• CAF (Microsoft Cloud Adoption Framework)
• ARM (Azure Resource Manager)
• CARML (Common Azure Resource Module Library)

Meet customer requirements

The new plugin for endpoint application management should become more robust, resilient and self-serviced. The following areas were defined for improvements:

• Maintainability and manageability​
  Version 1.0 was hard to manage with up to 150+ pipelines, technical limitations, and it was hard to onboard new customers​ because of platform boundaries.

• Team collaboration on PowerShell code​
  There were large PowerShell scripts with a lot of embedded functions, no code testing, no code conventions​, which was really hard for team collaboration.

• Troubleshooting​
  There were too many processes, no insights available and no alert mechanism​, which made it hard to troubleshoot.

• Customer interactions
  An Azure DevOps pipeline approval step, for approving a deployment to production devices, was done by an internal Customer Landscape Owner (CLO)​, and was not accessible for external users.

• Ops adoption​
  All customer and application configurations were stored in 1 XML-file, which was hard to adopt by operations, mistakes were easily made or were not noticed.

Features

To provide Microsoft Intune as a service you need to manually:

• Create application packages
• Manage package versions for pilot and production
• Publish packages from pilot to production​
• Check for new application versions and recreate packages ​- Manage software inventory groups​
• Manage already installed software on end points for pilot and production

The EAM 1.0 plugin, automated all of these processes.

Delivery

The team delivered the following improvements:

• PowerShell Modules​
  I developed a new PowerShell Module template with embedded Pester tests and coding guidelines. All scrips were reviewed, optimized and migrated into reusable and distributable PowerShell modules​, ready to publish as Azure Artifacts.

  

  Build status badges on Azure DevOps

• Maintainable Azure DevOps Pipelines​
  We implemented CI/CD to build, test and deploy the PowerShell modules as Azure artifacts​. We also reduced the number of pipelines to only 1 pipeline for the entire process, and 1 pipeline per customer.

• Azure Automation​
  We configured Azure Runbooks and Azure DevOps repositories to use the latest PowerShell modules​, to run the automated download and package process.

  

  Release pipeline on Azure DevOps

• Microsoft Dataverse​
  We replaced the XML configuration file with a structured and managed database, and used with triggers to run Power Automate flows and integrate with Intune and DevOps APIs.

• Microsoft Power Platform​
  I developed an model-driven ‘Operator’ app, a customer accessible approval workflow with Power Automate, and deployed it as a solution to different staged environments (best practice Application Lifecycle Management).

  

  Model-driven app on Microsoft Power Platform

Tools and technologies

• Microsoft Intune
• Azure Runbooks, Logic Apps, Blob Storage, Key Vault, Web Applications, and Kubernetes Services
• Dataverse REST APIs, DevOps REST APIs, and Intune REST APIs
• Azure DevOps Boards, Repos, Pipelines, Artifacts, Wiki, and Custom Agents
• Microsoft Power Platform, Power Apps, Power Automate, Dataverse, ALM Solutions, Business Process Flows (BPF)
• Microsoft PowerShell

Third-party resources

• Evergreen
  Evergreen is a PowerShell module that retrieves the latest version numbers and download URLs for various software products directly from the vendor source.

PDF preview

The tool can be used on a Windows x64 machine as executable or as downloadable artifact in an Azure DevOps pipeline, which allows you to implement a CI/CD process to publish your documentation.

Pipeline preview

Features

Currently this utility supports:

• Conversion of all wiki (sub) pages based on .order file(s)
• Default wiki styles and formatting
• Pictures with remote and relative URLs
• Page bookmarks for easier PDF navigation
• Hyperlinks to other wiki pages
• Azure DevOps Markdown syntax
• Emojis
• Mermaid Diagrams
• Mathematical notation and characters
• Telemetry with Application Insights

It is self-contained; members can download the .exe file, set arguments, run, done!

Requirements

The utility is developed as a .NET 5.0 console application and requires the runtime to be installed. Currently it requires the x64 runtime.

Telemetry

The utility uses Application Insights for basic telemetry:

• The duration of the export and the count of wiki pages will be submitted.
• In case of an error, the exception is submitted.
• No wiki content is or will be submitted.

Tools and technologies

• Microsoft .NET 5.0
• Microsoft PowerShell
• Microsoft Graph API
• Azure DevOps (CI/CD, Build Pipelines, Source Control)

Third-party resources

This utility is a wrapper, originally created by Max Mecher (version 3.3.0), which uses open source libraries that do the actual work.

• CommandLineParser – 2.8.0
• DinkToPdf.Standard – 1.1.0
• Markdig – 0.26.0
• PuppeteerSharp – 5.0.0