SignalR with Managed Identity using bicep

signalr-role-assignment.bicep

param signalrName string
param principalId string
param role ('SignalR App Server' | 'SignalR REST API Owner')

var signalRAppServerRoleDefinitionId = '420fcaa2-552c-430f-98ca-3264be4806c7' // required for authentication / negotiation
var signalRRestApiOwnerRoleDefinitionId = 'fd53cd77-2268-407a-8f46-7e7863d0f521' // required to send messages over REST

var roleId = role == 'SignalR App Server' ? signalRAppServerRoleDefinitionId : signalRRestApiOwnerRoleDefinitionId

resource signalRService 'Microsoft.SignalRService/signalR@2023-02-01' existing = {
  name: signalrName
}

resource roleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
  scope: subscription()
  name: roleId
}

resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(resourceGroup().id, principalId, roleDefinition.id, signalrName)
  scope: signalRService
  properties: {
    roleDefinitionId: roleDefinition.id
    principalId: principalId
  }
}

signalr.bicep

param location string
param tags object

param signalRServiceName string
param signalRServiceSKU string
param allowedOrigins string[]

resource signalRService 'Microsoft.SignalRService/signalR@2023-02-01' = {
  name: signalRServiceName
  tags: union(tags, {
    Purpose: 'SignalR Service for frontend user notifications'
  })
  location: location
  properties: {
    features: [
      {
        flag: 'ServiceMode'
        value: 'Serverless'
      }
    ]
    cors: {
      allowedOrigins: allowedOrigins
    }
  }
  sku: {
    name: signalRServiceSKU
  }
}

output name string = signalRService.name
output connectionString string = 'Endpoint=https://${signalRService.properties.hostName};AuthType=azure.msi;Version=1.0;'