Bicep resource definition
The searchServices resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Search/searchServices resource, add the following Bicep to your template.
```bicep
resource symbolicname 'Microsoft.Search/searchServices@2026-03-01-preview' = {
  identity: {
    type: 'string'
    userAssignedIdentities: {
      {customized property}: {}
    }
  }
  location: 'string'
  name: 'string'
  properties: {
    authOptions: {
      aadOrApiKey: {
        aadAuthFailureMode: 'string'
      }
      apiKeyOnly: any(...)
    }
    computeType: 'string'
    dataExfiltrationProtections: [
      'string'
    ]
    disableLocalAuth: bool
    encryptionWithCmk: {
      enforcement: 'string'
      serviceLevelEncryptionKey: {
        accessCredentials: {
          applicationId: 'string'
          applicationSecret: 'string'
        }
        identity: {
          @odata.type: 'string'
          // For remaining properties, see DataIdentity objects
        }
        keyVaultKeyName: 'string'
        keyVaultKeyVersion: 'string'
        keyVaultUri: 'string'
      }
    }
    endpoint: 'string'
    hostingMode: 'string'
    knowledgeRetrieval: 'string'
    networkRuleSet: {
      bypass: 'string'
      ipRules: [
        {
          value: 'string'
        }
      ]
    }
    partitionCount: int
    publicNetworkAccess: 'string'
    replicaCount: int
    semanticSearch: 'string'
    upgradeAvailable: 'string'
  }
  sku: {
    name: 'string'
  }
  tags: {
    {customized property}: 'string'
  }
}
```
DataIdentity objects
Set the @odata.type property to specify the type of object.
For #Microsoft.Azure.Search.DataNoneIdentity, use:
```bicep
{
  @odata.type: '#Microsoft.Azure.Search.DataNoneIdentity'
}
```
For #Microsoft.Azure.Search.DataUserAssignedIdentity, use:
```bicep
{
  @odata.type: '#Microsoft.Azure.Search.DataUserAssignedIdentity'
  federatedIdentityClientId: 'string'
  userAssignedIdentity: 'string'
}
```
Property Values
Microsoft.Search/searchServices
| Name | Description | Value |
|---|---|---|
| identity | The identity of the resource. | Identity |
| location | The geo-location where the resource lives | string (required) |
| name | The resource name | string Constraints: Pattern = ^(?=.{2,60}$)[a-z0-9][a-z0-9]+(-[a-z0-9]+)*$ (required) |
| properties | Properties of the search service. | SearchServiceProperties |
| sku | The SKU of the search service, which determines price tier and capacity limits. This property is required when creating a new search service. | Sku |
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
AzureActiveDirectoryApplicationCredentials
| Name | Description | Value |
|---|---|---|
| applicationId | The application (client) ID of an App Registration in the tenant. | string |
| applicationSecret | An AAD client secret that was generated for the App Registration used to authenticate with Azure Key Vault. | string Constraints: Sensitive value. Pass in as a secure parameter. |
DataIdentity
| Name | Description | Value |
|---|---|---|
| @odata.type | Set to '#Microsoft.Azure.Search.DataNoneIdentity' for type DataNoneIdentity. Set to '#Microsoft.Azure.Search.DataUserAssignedIdentity' for type DataUserAssignedIdentity. | '#Microsoft.Azure.Search.DataNoneIdentity' '#Microsoft.Azure.Search.DataUserAssignedIdentity' (required) |
DataNoneIdentity
| Name | Description | Value |
|---|---|---|
| @odata.type | A URI fragment specifying the type of identity. | '#Microsoft.Azure.Search.DataNoneIdentity' (required) |
DataPlaneAadOrApiKeyAuthOption
| Name | Description | Value |
|---|---|---|
| aadAuthFailureMode | Describes what response the data plane API of a search service would send for requests that failed authentication. | 'http401WithBearerChallenge' 'http403' |
DataPlaneAuthOptions
| Name | Description | Value |
|---|---|---|
| aadOrApiKey | Indicates that either the API key or an access token from a Microsoft Entra ID tenant can be used for authentication. | DataPlaneAadOrApiKeyAuthOption |
| apiKeyOnly | Indicates that only the API key can be used for authentication. | any |
DataUserAssignedIdentity
| Name | Description | Value |
|---|---|---|
| @odata.type | A URI fragment specifying the type of identity. | '#Microsoft.Azure.Search.DataUserAssignedIdentity' (required) |
| federatedIdentityClientId | Optional for Multi-tenant User-Assigned Managed Identity CMK Support: The client id (as a UUID) of the multi-tenant App Registration that has been configured to federate with the userAssignedIdentity. | string |
| userAssignedIdentity | The fully qualified Azure resource Id of a user assigned managed identity typically in the form "/subscriptions/12345678-1234-1234-1234-1234567890ab/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myId" that should have been assigned to the search service. | string (required) |
EncryptionWithCmk
| Name | Description | Value |
|---|---|---|
| enforcement | Describes how a search service should enforce compliance if it finds objects that aren't encrypted with the customer-managed key. | 'Disabled' 'Enabled' 'Unspecified' |
| serviceLevelEncryptionKey | Describes the customer-managed key configuration for encrypting the search service. | SearchResourceEncryptionKey |
Identity
| Name | Description | Value |
|---|---|---|
| type | The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an identity created by the system and a set of user assigned identities. The type 'None' will remove all identities from the service. | 'None' 'SystemAssigned' 'SystemAssigned, UserAssigned' 'UserAssigned' (required) |
| userAssignedIdentities | The list of user identities associated with the resource. The user identity dictionary key references will be ARM resource IDs in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | IdentityUserAssignedIdentities |
IdentityUserAssignedIdentities
| Name | Description | Value |
|---|---|---|
IpRule
| Name | Description | Value |
|---|---|---|
| value | Value corresponding to a single IPv4 address (e.g., 123.1.2.3) or an IP range in CIDR format (e.g., 123.1.2.3/24) to be allowed. | string |
NetworkRuleSet
| Name | Description | Value |
|---|---|---|
| bypass | Possible origins of inbound traffic that can bypass the rules defined in the 'ipRules' section. | 'AzurePortal' 'AzureServices' 'None' |
| ipRules | A list of IP restriction rules that define the inbound networks allowed to access the search service endpoint. All other public IP networks are blocked by the firewall. These restriction rules are applied only when the 'publicNetworkAccess' of the search service is 'enabled'; otherwise, traffic over the public interface is not allowed even with public IP rules, and private endpoint connections are the exclusive access method. | IpRule[] |
SearchResourceEncryptionKey
| Name | Description | Value |
|---|---|---|
| accessCredentials | Optional Azure Active Directory credentials used for accessing your Azure Key Vault. Not required if using managed identity instead. | AzureActiveDirectoryApplicationCredentials |
| identity | An explicit managed identity to use for this encryption key. If not specified and the access credentials property is null, the system-assigned managed identity is used. On update to the resource, if the explicit identity is unspecified, it remains unchanged. If "none" is specified, the value of this property is cleared. | DataIdentity |
| keyVaultKeyName | The name of your Azure Key Vault key to be used to encrypt your data at rest. | string |
| keyVaultKeyVersion | The version of your Azure Key Vault key to be used to encrypt your data at rest. | string |
| keyVaultUri | The URI of your Azure Key Vault, also referred to as DNS name, that contains the key to be used to encrypt your data at rest. An example URI might be https://my-keyvault-name.vault.azure.net. | string |
SearchServiceProperties
| Name | Description | Value |
|---|---|---|
| authOptions | Defines the options for how the data plane API of a search service authenticates requests. This cannot be set if 'disableLocalAuth' is set to true. | DataPlaneAuthOptions |
| computeType | Configure this property to support the search service using either the Default Compute or Azure Confidential Compute. | 'Confidential' 'Default' |
| dataExfiltrationProtections | A list of data exfiltration scenarios that are explicitly disallowed for the search service. Currently, the only supported value is 'All' to disable all possible data export scenarios with more fine grained controls planned for the future. | String array containing any of: 'BlockAll' |
| disableLocalAuth | When set to true, calls to the search service will not be permitted to utilize API keys for authentication. This cannot be set to true if 'dataPlaneAuthOptions' are defined. | bool |
| encryptionWithCmk | Specifies any policy regarding encryption of resources (such as indexes) using customer-managed keys within a search service. | EncryptionWithCmk |
| endpoint | The endpoint of the Azure AI Search service. | string |
| hostingMode | Applicable only for the standard3 SKU. You can set this property to enable up to 3 high density partitions that allow up to 1000 indexes, which is much higher than the maximum indexes allowed for any other SKU. For the standard3 SKU, the value is either 'Default' or 'HighDensity'. For all other SKUs, this value must be 'Default'. | 'Default' 'HighDensity' |
| knowledgeRetrieval | Specifies the billing plan for agentic retrieval on the Azure AI Search service. This configuration is only available for certain pricing tiers in certain regions. | 'free' 'standard' |
| networkRuleSet | Network specific rules that determine how the Azure AI Search service may be reached. | NetworkRuleSet |
| partitionCount | The number of partitions in the dedicated search service; if specified, it can be 1, 2, 3, 4, 6, or 12. Values greater than 1 are only valid for standard SKUs. For 'standard3' services with hostingMode set to 'highDensity', the allowed values are between 1 and 3. | int Constraints: Min value = 1 Max value = 12 |
| publicNetworkAccess | This value can be set to 'Enabled' to avoid breaking changes on existing customer resources and templates. If set to 'Disabled', traffic over public interface is not allowed, and private endpoint connections would be the exclusive access method. | 'Disabled' 'Enabled' 'SecuredByPerimeter' |
| replicaCount | The number of replicas in the dedicated search service. If specified, it must be a value between 1 and 12 inclusive for standard SKUs or between 1 and 3 inclusive for basic SKU. | int Constraints: Min value = 1 Max value = 12 |
| semanticSearch | Specifies the availability and billing plan for semantic search on the Azure AI Search service. This configuration is only available for certain pricing tiers in certain regions. | 'disabled' 'free' 'standard' |
| upgradeAvailable | Indicates if the search service has an upgrade available. | 'available' 'notAvailable' |
Sku
| Name | Description | Value |
|---|---|---|
| name | The SKU of the search service. Valid values include: 'free': Shared service. 'basic': Dedicated service with up to 3 replicas. 'standard': Dedicated service with up to 12 partitions and 12 replicas. 'standard2': Similar to standard, but with more capacity per search unit. 'standard3': The largest Standard offering with up to 12 partitions and 12 replicas (or up to 3 partitions with more indexes if you also set the hostingMode property to 'highDensity'). 'storage_optimized_l1': Supports 1TB per partition, up to 12 partitions. 'storage_optimized_l2': Supports 2TB per partition, up to 12 partitions. 'serverless': Serverless tier with auto-scaling capabilities. | 'basic' 'free' 'serverless' 'standard' 'standard2' 'standard3' 'storage_optimized_l1' 'storage_optimized_l2' |
TrackedResourceTags
| Name | Description | Value |
|---|---|---|
UserAssignedIdentity
| Name | Description | Value |
|---|---|---|
Usage Examples
Bicep Samples
A basic example of deploying Search Service.
```bicep
param resourceName string = 'acctest0001'
param location string = 'westeurope'

resource searchService 'Microsoft.Search/searchServices@2022-09-01' = {
  name: resourceName
  location: location
  properties: {
    authOptions: {
      apiKeyOnly: {}
    }
    disableLocalAuth: false
    encryptionWithCmk: {
      enforcement: 'Disabled'
    }
    hostingMode: 'default'
    networkRuleSet: {
      ipRules: []
    }
    partitionCount: 1
    publicNetworkAccess: 'Enabled'
    replicaCount: 1
  }
  sku: {
    name: 'standard'
  }
  tags: {
    environment: 'staging'
  }
}
```
Azure Verified Modules
The following Azure Verified Modules can be used to deploy this resource type.
| Module | Description |
|---|---|
| Search Service | AVM Resource Module for Search Service |
Azure Quickstart Samples
The following Azure Quickstart templates contain Bicep samples for deploying this resource type.
| Bicep File | Description |
|---|---|
| Azure AI Foundry Network Restricted | This set of templates demonstrates how to set up Azure AI Foundry with private link and egress disabled, using Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource. |
| Azure Cognitive Search service | This template creates an Azure Cognitive Search service |
| Network Secured Agent with User Managed Identity | This set of templates demonstrates how to set up Azure AI Agent Service with virtual network isolation using User Managed Identity authentication for the AI Service/AOAI connection and private network links to connect the agent to your secure data. |
| Standard Agent Setup | This set of templates demonstrates how to set up Azure AI Agent Service with the standard setup, meaning with managed identity authentication for project/hub connections and public internet access enabled. Agents use customer-owned, single-tenant search and storage resources. With this setup, you have full control and visibility over these resources, but you will incur costs based on your usage. |
ARM template resource definition
The searchServices resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Search/searchServices resource, add the following JSON to your template.
```json
{
  "type": "Microsoft.Search/searchServices",
  "apiVersion": "2026-03-01-preview",
  "name": "string",
  "identity": {
    "type": "string",
    "userAssignedIdentities": {
      "{customized property}": {
      }
    }
  },
  "location": "string",
  "properties": {
    "authOptions": {
      "aadOrApiKey": {
        "aadAuthFailureMode": "string"
      },
      "apiKeyOnly": {}
    },
    "computeType": "string",
    "dataExfiltrationProtections": [ "string" ],
    "disableLocalAuth": "bool",
    "encryptionWithCmk": {
      "enforcement": "string",
      "serviceLevelEncryptionKey": {
        "accessCredentials": {
          "applicationId": "string",
          "applicationSecret": "string"
        },
        "identity": {
          "@odata.type": "string"
          // For remaining properties, see DataIdentity objects
        },
        "keyVaultKeyName": "string",
        "keyVaultKeyVersion": "string",
        "keyVaultUri": "string"
      }
    },
    "endpoint": "string",
    "hostingMode": "string",
    "knowledgeRetrieval": "string",
    "networkRuleSet": {
      "bypass": "string",
      "ipRules": [
        {
          "value": "string"
        }
      ]
    },
    "partitionCount": "int",
    "publicNetworkAccess": "string",
    "replicaCount": "int",
    "semanticSearch": "string",
    "upgradeAvailable": "string"
  },
  "sku": {
    "name": "string"
  },
  "tags": {
    "{customized property}": "string"
  }
}
```
DataIdentity objects
Set the @odata.type property to specify the type of object.
For #Microsoft.Azure.Search.DataNoneIdentity, use:
```json
{
  "@odata.type": "#Microsoft.Azure.Search.DataNoneIdentity"
}
```
For #Microsoft.Azure.Search.DataUserAssignedIdentity, use:
```json
{
  "@odata.type": "#Microsoft.Azure.Search.DataUserAssignedIdentity",
  "federatedIdentityClientId": "string",
  "userAssignedIdentity": "string"
}
```
Property Values
Microsoft.Search/searchServices
| Name | Description | Value |
|---|---|---|
| apiVersion | The api version | '2026-03-01-preview' |
| identity | The identity of the resource. | Identity |
| location | The geo-location where the resource lives | string (required) |
| name | The resource name | string Constraints: Pattern = ^(?=.{2,60}$)[a-z0-9][a-z0-9]+(-[a-z0-9]+)*$ (required) |
| properties | Properties of the search service. | SearchServiceProperties |
| sku | The SKU of the search service, which determines price tier and capacity limits. This property is required when creating a new search service. | Sku |
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
| type | The resource type | 'Microsoft.Search/searchServices' |
AzureActiveDirectoryApplicationCredentials
| Name | Description | Value |
|---|---|---|
| applicationId | The application (client) ID of an App Registration in the tenant. | string |
| applicationSecret | An AAD client secret that was generated for the App Registration used to authenticate with Azure Key Vault. | string Constraints: Sensitive value. Pass in as a secure parameter. |
DataIdentity
| Name | Description | Value |
|---|---|---|
| @odata.type | Set to '#Microsoft.Azure.Search.DataNoneIdentity' for type DataNoneIdentity. Set to '#Microsoft.Azure.Search.DataUserAssignedIdentity' for type DataUserAssignedIdentity. | '#Microsoft.Azure.Search.DataNoneIdentity' '#Microsoft.Azure.Search.DataUserAssignedIdentity' (required) |
DataNoneIdentity
| Name | Description | Value |
|---|---|---|
| @odata.type | A URI fragment specifying the type of identity. | '#Microsoft.Azure.Search.DataNoneIdentity' (required) |
DataPlaneAadOrApiKeyAuthOption
| Name | Description | Value |
|---|---|---|
| aadAuthFailureMode | Describes what response the data plane API of a search service would send for requests that failed authentication. | 'http401WithBearerChallenge' 'http403' |
DataPlaneAuthOptions
| Name | Description | Value |
|---|---|---|
| aadOrApiKey | Indicates that either the API key or an access token from a Microsoft Entra ID tenant can be used for authentication. | DataPlaneAadOrApiKeyAuthOption |
| apiKeyOnly | Indicates that only the API key can be used for authentication. | any |
DataUserAssignedIdentity
| Name | Description | Value |
|---|---|---|
| @odata.type | A URI fragment specifying the type of identity. | '#Microsoft.Azure.Search.DataUserAssignedIdentity' (required) |
| federatedIdentityClientId | Optional for Multi-tenant User-Assigned Managed Identity CMK Support: The client id (as a UUID) of the multi-tenant App Registration that has been configured to federate with the userAssignedIdentity. | string |
| userAssignedIdentity | The fully qualified Azure resource Id of a user assigned managed identity typically in the form "/subscriptions/12345678-1234-1234-1234-1234567890ab/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myId" that should have been assigned to the search service. | string (required) |
EncryptionWithCmk
| Name | Description | Value |
|---|---|---|
| enforcement | Describes how a search service should enforce compliance if it finds objects that aren't encrypted with the customer-managed key. | 'Disabled' 'Enabled' 'Unspecified' |
| serviceLevelEncryptionKey | Describes the customer-managed key configuration for encrypting the search service. | SearchResourceEncryptionKey |
Identity
| Name | Description | Value |
|---|---|---|
| type | The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an identity created by the system and a set of user assigned identities. The type 'None' will remove all identities from the service. | 'None' 'SystemAssigned' 'SystemAssigned, UserAssigned' 'UserAssigned' (required) |
| userAssignedIdentities | The list of user identities associated with the resource. The user identity dictionary key references will be ARM resource IDs in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | IdentityUserAssignedIdentities |
IdentityUserAssignedIdentities
| Name | Description | Value |
|---|---|---|
IpRule
| Name | Description | Value |
|---|---|---|
| value | Value corresponding to a single IPv4 address (e.g., 123.1.2.3) or an IP range in CIDR format (e.g., 123.1.2.3/24) to be allowed. | string |
NetworkRuleSet
| Name | Description | Value |
|---|---|---|
| bypass | Possible origins of inbound traffic that can bypass the rules defined in the 'ipRules' section. | 'AzurePortal' 'AzureServices' 'None' |
| ipRules | A list of IP restriction rules that define the inbound networks allowed to access the search service endpoint. All other public IP networks are blocked by the firewall. These restriction rules are applied only when the 'publicNetworkAccess' of the search service is 'enabled'; otherwise, traffic over the public interface is not allowed even with public IP rules, and private endpoint connections are the exclusive access method. | IpRule[] |
SearchResourceEncryptionKey
| Name | Description | Value |
|---|---|---|
| accessCredentials | Optional Azure Active Directory credentials used for accessing your Azure Key Vault. Not required if using managed identity instead. | AzureActiveDirectoryApplicationCredentials |
| identity | An explicit managed identity to use for this encryption key. If not specified and the access credentials property is null, the system-assigned managed identity is used. On update to the resource, if the explicit identity is unspecified, it remains unchanged. If "none" is specified, the value of this property is cleared. | DataIdentity |
| keyVaultKeyName | The name of your Azure Key Vault key to be used to encrypt your data at rest. | string |
| keyVaultKeyVersion | The version of your Azure Key Vault key to be used to encrypt your data at rest. | string |
| keyVaultUri | The URI of your Azure Key Vault, also referred to as DNS name, that contains the key to be used to encrypt your data at rest. An example URI might be https://my-keyvault-name.vault.azure.net. | string |
SearchServiceProperties
| Name | Description | Value |
|---|---|---|
| authOptions | Defines the options for how the data plane API of a search service authenticates requests. This cannot be set if 'disableLocalAuth' is set to true. | DataPlaneAuthOptions |
| computeType | Configure this property to support the search service using either the Default Compute or Azure Confidential Compute. | 'Confidential' 'Default' |
| dataExfiltrationProtections | A list of data exfiltration scenarios that are explicitly disallowed for the search service. Currently, the only supported value is 'All' to disable all possible data export scenarios with more fine grained controls planned for the future. | String array containing any of: 'BlockAll' |
| disableLocalAuth | When set to true, calls to the search service will not be permitted to utilize API keys for authentication. This cannot be set to true if 'dataPlaneAuthOptions' are defined. | bool |
| encryptionWithCmk | Specifies any policy regarding encryption of resources (such as indexes) using customer-managed keys within a search service. | EncryptionWithCmk |
| endpoint | The endpoint of the Azure AI Search service. | string |
| hostingMode | Applicable only for the standard3 SKU. You can set this property to enable up to 3 high density partitions that allow up to 1000 indexes, which is much higher than the maximum indexes allowed for any other SKU. For the standard3 SKU, the value is either 'Default' or 'HighDensity'. For all other SKUs, this value must be 'Default'. | 'Default' 'HighDensity' |
| knowledgeRetrieval | Specifies the billing plan for agentic retrieval on the Azure AI Search service. This configuration is only available for certain pricing tiers in certain regions. | 'free' 'standard' |
| networkRuleSet | Network specific rules that determine how the Azure AI Search service may be reached. | NetworkRuleSet |
| partitionCount | The number of partitions in the dedicated search service; if specified, it can be 1, 2, 3, 4, 6, or 12. Values greater than 1 are only valid for standard SKUs. For 'standard3' services with hostingMode set to 'highDensity', the allowed values are between 1 and 3. | int Constraints: Min value = 1 Max value = 12 |
| publicNetworkAccess | This value can be set to 'Enabled' to avoid breaking changes on existing customer resources and templates. If set to 'Disabled', traffic over public interface is not allowed, and private endpoint connections would be the exclusive access method. | 'Disabled' 'Enabled' 'SecuredByPerimeter' |
| replicaCount | The number of replicas in the dedicated search service. If specified, it must be a value between 1 and 12 inclusive for standard SKUs or between 1 and 3 inclusive for basic SKU. | int Constraints: Min value = 1 Max value = 12 |
| semanticSearch | Specifies the availability and billing plan for semantic search on the Azure AI Search service. This configuration is only available for certain pricing tiers in certain regions. | 'disabled' 'free' 'standard' |
| upgradeAvailable | Indicates if the search service has an upgrade available. | 'available' 'notAvailable' |
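An added example, not part of the original reference or Microsoft's code: a Python check that applies the constraints stated in the tables above (authOptions versus disableLocalAuth, ipRules versus publicNetworkAccess, applicationSecret as a secure parameter) to one ARM template resource. The sample resources are constructed; the rule IDs, treating a missing publicNetworkAccess as 'Enabled', and flagging a /0 rule are assumptions of this example.

```python
import ipaddress
import re

# Matches an ARM expression that is exactly one parameter reference.
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def check_search_service(resource, parameters=None):
    """Return (rule_id, message) findings for one searchServices resource."""
    parameters = parameters or {}
    props = resource.get("properties") or {}
    findings = []

    # authOptions "cannot be set if 'disableLocalAuth' is set to true".
    local_auth_disabled = props.get("disableLocalAuth") is True
    if local_auth_disabled and "authOptions" in props:
        findings.append(("auth-conflict", "authOptions set while disableLocalAuth is true"))
    if not local_auth_disabled:
        findings.append(("api-keys-allowed", "disableLocalAuth is not true: API keys accepted"))
        if "apiKeyOnly" in (props.get("authOptions") or {}):
            findings.append(("api-key-only", "only the API key can be used for authentication"))

    # ipRules are applied only when publicNetworkAccess is 'Enabled'.
    # Assumption of this example: a missing publicNetworkAccess counts as 'Enabled'.
    access = str(props.get("publicNetworkAccess", "Enabled")).lower()
    rules = (props.get("networkRuleSet") or {}).get("ipRules") or []
    if access == "enabled" and not rules:
        findings.append(("public-no-ip-rules", "public access enabled and ipRules is empty"))
    if access != "enabled" and rules:
        findings.append(("ip-rules-ignored", "ipRules need publicNetworkAccess 'Enabled'"))
    for rule in rules:
        value = str(rule.get("value", ""))
        if value.startswith("["):
            continue  # ARM expression: not evaluated by this example
        try:
            # strict=False accepts the table's own form 123.1.2.3/24 (host bits set).
            network = ipaddress.IPv4Network(value, strict=False)
        except ValueError:
            findings.append(("ip-rule-invalid", f"{value!r} is not an IPv4 address or CIDR"))
            continue
        if network.prefixlen == 0:
            findings.append(("ip-rule-any", f"{value!r} allows every IPv4 address"))

    # applicationSecret: "Sensitive value. Pass in as a secure parameter."
    key = (props.get("encryptionWithCmk") or {}).get("serviceLevelEncryptionKey") or {}
    secret = (key.get("accessCredentials") or {}).get("applicationSecret")
    if isinstance(secret, str):
        ref = PARAM_REF.match(secret)
        if ref is None and not secret.startswith("["):
            findings.append(("secret-literal", "applicationSecret is a literal in the template"))
        elif ref is not None:
            declared = str((parameters.get(ref.group(1)) or {}).get("type", ""))
            if declared.lower() != "securestring":
                findings.append(("secret-param-not-secure",
                                 f"parameter {ref.group(1)!r} is not a securestring"))
    return findings


def rule_ids(resource, parameters=None):
    """Sorted rule IDs only, convenient for CI gates and tests."""
    return sorted(rule_id for rule_id, _ in check_search_service(resource, parameters))


# Constructed sample: the security-relevant properties of the page's basic Bicep sample.
BASIC_SAMPLE = {
    "type": "Microsoft.Search/searchServices",
    "name": "acctest0001",
    "properties": {
        "authOptions": {"apiKeyOnly": {}},
        "disableLocalAuth": False,
        "networkRuleSet": {"ipRules": []},
        "publicNetworkAccess": "Enabled",
    },
}

# Constructed sample: settings that contradict each other or the tables above.
MISCONFIGURED = {
    "type": "Microsoft.Search/searchServices",
    "name": "constructed-bad",
    "properties": {
        "authOptions": {"aadOrApiKey": {"aadAuthFailureMode": "http403"}},
        "disableLocalAuth": True,
        "publicNetworkAccess": "Disabled",
        "networkRuleSet": {"ipRules": [
            {"value": "123.1.2.3/24"}, {"value": "0.0.0.0/0"}, {"value": "not-an-ip"}]},
        "encryptionWithCmk": {"serviceLevelEncryptionKey": {"accessCredentials": {
            "applicationId": "00000000-0000-0000-0000-000000000000",
            "applicationSecret": "constructed-placeholder-secret"}}},
    },
}

# Constructed sample: token-only authentication, private endpoints only.
HARDENED = {
    "type": "Microsoft.Search/searchServices",
    "name": "constructed-good",
    "properties": {"disableLocalAuth": True, "publicNetworkAccess": "Disabled"},
}

if __name__ == "__main__":
    for label, res in (("basic", BASIC_SAMPLE), ("bad", MISCONFIGURED), ("hardened", HARDENED)):
        print(label, rule_ids(res))
```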
Sku
| Name | Description | Value |
|---|---|---|
| name | The SKU of the search service. Valid values include: 'free': Shared service. 'basic': Dedicated service with up to 3 replicas. 'standard': Dedicated service with up to 12 partitions and 12 replicas. 'standard2': Similar to standard, but with more capacity per search unit. 'standard3': The largest Standard offering with up to 12 partitions and 12 replicas (or up to 3 partitions with more indexes if you also set the hostingMode property to 'highDensity'). 'storage_optimized_l1': Supports 1TB per partition, up to 12 partitions. 'storage_optimized_l2': Supports 2TB per partition, up to 12 partitions. 'serverless': Serverless tier with auto-scaling capabilities. | 'basic' 'free' 'serverless' 'standard' 'standard2' 'standard3' 'storage_optimized_l1' 'storage_optimized_l2' |
TrackedResourceTags
| Name | Description | Value |
|---|---|---|
UserAssignedIdentity
| Name | Description | Value |
|---|---|---|
Usage Examples
Azure Quickstart Templates
The following Azure Quickstart templates deploy this resource type.
| Template | Description |
|---|---|
| Azure AI Foundry Network Restricted | This set of templates demonstrates how to set up Azure AI Foundry with private link and egress disabled, using Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource. |
| Azure Cognitive Search service | This template creates an Azure Cognitive Search service |
| Azure Cognitive Search service with private endpoint | This template creates an Azure Cognitive Search service with a private endpoint. |
| Network Secured Agent with User Managed Identity | This set of templates demonstrates how to set up Azure AI Agent Service with virtual network isolation using User Managed Identity authentication for the AI Service/AOAI connection and private network links to connect the agent to your secure data. |
| Standard Agent Setup | This set of templates demonstrates how to set up Azure AI Agent Service with the standard setup, meaning with managed identity authentication for project/hub connections and public internet access enabled. Agents use customer-owned, single-tenant search and storage resources. With this setup, you have full control and visibility over these resources, but you will incur costs based on your usage. |
| Web App with a SQL Database, Azure Cosmos DB, Azure Search | This template provisions a Web App, a SQL Database, Azure Cosmos DB, Azure Search and Application Insights. |
Terraform (AzAPI provider) resource definition
The searchServices resource type can be deployed with operations that target:
- Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Search/searchServices resource, add the following Terraform to your template.
```terraform
resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Search/searchServices@2026-03-01-preview"
  name = "string"
  parent_id = "string"
  identity {
    type = "string"
    identity_ids = [
      "string"
    ]
  }
  location = "string"
  tags = {
    {customized property} = "string"
  }
  body = {
    properties = {
      authOptions = {
        aadOrApiKey = {
          aadAuthFailureMode = "string"
        }
        apiKeyOnly = ?
      }
      computeType = "string"
      dataExfiltrationProtections = [
        "string"
      ]
      disableLocalAuth = bool
      encryptionWithCmk = {
        enforcement = "string"
        serviceLevelEncryptionKey = {
          accessCredentials = {
            applicationId = "string"
            applicationSecret = "string"
          }
          identity = {
            @odata.type = "string"
            // For remaining properties, see DataIdentity objects
          }
          keyVaultKeyName = "string"
          keyVaultKeyVersion = "string"
          keyVaultUri = "string"
        }
      }
      endpoint = "string"
      hostingMode = "string"
      knowledgeRetrieval = "string"
      networkRuleSet = {
        bypass = "string"
        ipRules = [
          {
            value = "string"
          }
        ]
      }
      partitionCount = int
      publicNetworkAccess = "string"
      replicaCount = int
      semanticSearch = "string"
      upgradeAvailable = "string"
    }
    sku = {
      name = "string"
    }
  }
}
```
DataIdentity objects
Set the @odata.type property to specify the type of object.
For #Microsoft.Azure.Search.DataNoneIdentity, use:
```terraform
{
  @odata.type = "#Microsoft.Azure.Search.DataNoneIdentity"
}
```
For #Microsoft.Azure.Search.DataUserAssignedIdentity, use:
```terraform
{
  @odata.type = "#Microsoft.Azure.Search.DataUserAssignedIdentity"
  federatedIdentityClientId = "string"
  userAssignedIdentity = "string"
}
```
Property Values
Microsoft.Search/searchServices
| Name | Description | Value |
|---|---|---|
| identity | The identity of the resource. | Identity |
| location | The geo-location where the resource lives | string (required) |
| name | The resource name | string Constraints: Pattern = ^(?=.{2,60}$)[a-z0-9][a-z0-9]+(-[a-z0-9]+)*$ (required) |
| properties | Properties of the search service. | SearchServiceProperties |
| sku | The SKU of the search service, which determines price tier and capacity limits. This property is required when creating a new search service. | Sku |
| tags | Resource tags | Dictionary of tag names and values. |
| type | The resource type | "Microsoft.Search/searchServices@2026-03-01-preview" |
AzureActiveDirectoryApplicationCredentials
| Name | Description | Value |
|---|---|---|
| applicationId | The application (client) ID of an App Registration in the tenant. | string |
| applicationSecret | An AAD client secret that was generated for the App Registration used to authenticate with Azure Key Vault. | string Constraints: Sensitive value. Pass in as a secure parameter. |
DataIdentity
| Name | Description | Value |
|---|---|---|
| @odata.type | Set to '#Microsoft.Azure.Search.DataNoneIdentity' for type DataNoneIdentity. Set to '#Microsoft.Azure.Search.DataUserAssignedIdentity' for type DataUserAssignedIdentity. | '#Microsoft.Azure.Search.DataNoneIdentity' '#Microsoft.Azure.Search.DataUserAssignedIdentity' (required) |
DataNoneIdentity
| Name | Description | Value |
|---|---|---|
| @odata.type | A URI fragment specifying the type of identity. | '#Microsoft.Azure.Search.DataNoneIdentity' (required) |
DataPlaneAadOrApiKeyAuthOption
| Name | Description | Value |
|---|---|---|
| aadAuthFailureMode | Describes what response the data plane API of a search service would send for requests that failed authentication. | 'http401WithBearerChallenge' 'http403' |
DataPlaneAuthOptions
| Name | Description | Value |
|---|---|---|
| aadOrApiKey | Indicates that either the API key or an access token from a Microsoft Entra ID tenant can be used for authentication. | DataPlaneAadOrApiKeyAuthOption |
| apiKeyOnly | Indicates that only the API key can be used for authentication. | any |
DataUserAssignedIdentity
| Name | Description | Value |
|---|---|---|
| @odata.type | A URI fragment specifying the type of identity. | '#Microsoft.Azure.Search.DataUserAssignedIdentity' (required) |
| federatedIdentityClientId | Optional for Multi-tenant User-Assigned Managed Identity CMK Support: The client id (as a UUID) of the multi-tenant App Registration that has been configured to federate with the userAssignedIdentity. | string |
| userAssignedIdentity | The fully qualified Azure resource Id of a user assigned managed identity typically in the form "/subscriptions/12345678-1234-1234-1234-1234567890ab/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myId" that should have been assigned to the search service. | string (required) |
EncryptionWithCmk
| Name | Description | Value |
|---|---|---|
| enforcement | Describes how a search service should enforce compliance if it finds objects that aren't encrypted with the customer-managed key. | 'Disabled' 'Enabled' 'Unspecified' |
| serviceLevelEncryptionKey | Describes the customer-managed key configuration for encrypting the search service. | SearchResourceEncryptionKey |
Identity
| Name | Description | Value |
|---|---|---|
| type | The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an identity created by the system and a set of user assigned identities. The type 'None' will remove all identities from the service. | 'None' 'SystemAssigned' 'SystemAssigned, UserAssigned' 'UserAssigned' (required) |
| userAssignedIdentities | The list of user identities associated with the resource. The user identity dictionary key references will be ARM resource IDs in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | IdentityUserAssignedIdentities |
IdentityUserAssignedIdentities
| Name | Description | Value |
|---|---|---|
IpRule
| Name | Description | Value |
|---|---|---|
| value | Value corresponding to a single IPv4 address (e.g., 123.1.2.3) or an IP range in CIDR format (e.g., 123.1.2.3/24) to be allowed. | string |
NetworkRuleSet
| Name | Description | Value |
|---|---|---|
| bypass | Possible origins of inbound traffic that can bypass the rules defined in the 'ipRules' section. | 'AzurePortal' 'AzureServices' 'None' |
| ipRules | A list of IP restriction rules that define the inbound networks allowed to access the search service endpoint. All other public IP networks are blocked by the firewall. These restriction rules are applied only when the 'publicNetworkAccess' of the search service is 'enabled'; otherwise, traffic over the public interface is not allowed even with public IP rules, and private endpoint connections are the exclusive access method. | IpRule[] |
SearchResourceEncryptionKey
| Name | Description | Value |
|---|---|---|
| accessCredentials | Optional Azure Active Directory credentials used for accessing your Azure Key Vault. Not required if using managed identity instead. | AzureActiveDirectoryApplicationCredentials |
| identity | An explicit managed identity to use for this encryption key. If not specified and the access credentials property is null, the system-assigned managed identity is used. On update to the resource, if the explicit identity is unspecified, it remains unchanged. If "none" is specified, the value of this property is cleared. | DataIdentity |
| keyVaultKeyName | The name of your Azure Key Vault key to be used to encrypt your data at rest. | string |
| keyVaultKeyVersion | The version of your Azure Key Vault key to be used to encrypt your data at rest. | string |
| keyVaultUri | The URI of your Azure Key Vault, also referred to as DNS name, that contains the key to be used to encrypt your data at rest. An example URI might be https://my-keyvault-name.vault.azure.net. | string |
SearchServiceProperties
| Name | Description | Value |
|---|---|---|
| authOptions | Defines the options for how the data plane API of a search service authenticates requests. This cannot be set if 'disableLocalAuth' is set to true. | DataPlaneAuthOptions |
| computeType | Configure this property to support the search service using either the Default Compute or Azure Confidential Compute. | 'Confidential' 'Default' |
| dataExfiltrationProtections | A list of data exfiltration scenarios that are explicitly disallowed for the search service. Currently, the only supported value is 'All' to disable all possible data export scenarios, with more fine-grained controls planned for the future. | String array containing any of: 'BlockAll' |
| disableLocalAuth | When set to true, calls to the search service will not be permitted to utilize API keys for authentication. This cannot be set to true if 'dataPlaneAuthOptions' are defined. | bool |
| encryptionWithCmk | Specifies any policy regarding encryption of resources (such as indexes) using customer-managed keys within a search service. | EncryptionWithCmk |
| endpoint | The endpoint of the Azure AI Search service. | string |
| hostingMode | Applicable only for the standard3 SKU. You can set this property to enable up to 3 high density partitions that allow up to 1000 indexes, which is much higher than the maximum indexes allowed for any other SKU. For the standard3 SKU, the value is either 'Default' or 'HighDensity'. For all other SKUs, this value must be 'Default'. | 'Default' 'HighDensity' |
| knowledgeRetrieval | Specifies the billing plan for agentic retrieval on the Azure AI Search service. This configuration is only available for certain pricing tiers in certain regions. | 'free' 'standard' |
| networkRuleSet | Network specific rules that determine how the Azure AI Search service may be reached. | NetworkRuleSet |
| partitionCount | The number of partitions in the dedicated search service; if specified, it can be 1, 2, 3, 4, 6, or 12. Values greater than 1 are only valid for standard SKUs. For 'standard3' services with hostingMode set to 'highDensity', the allowed values are between 1 and 3. | int Constraints: Min value = 1 Max value = 12 |
| publicNetworkAccess | This value can be set to 'Enabled' to avoid breaking changes on existing customer resources and templates. If set to 'Disabled', traffic over public interface is not allowed, and private endpoint connections would be the exclusive access method. | 'Disabled' 'Enabled' 'SecuredByPerimeter' |
| replicaCount | The number of replicas in the dedicated search service. If specified, it must be a value between 1 and 12 inclusive for standard SKUs or between 1 and 3 inclusive for basic SKU. | int Constraints: Min value = 1 Max value = 12 |
| semanticSearch | Specifies the availability and billing plan for semantic search on the Azure AI Search service. This configuration is only available for certain pricing tiers in certain regions. | 'disabled' 'free' 'standard' |
| upgradeAvailable | Indicates if the search service has an upgrade available. | 'available' 'notAvailable' |
Sku
| Name | Description | Value |
|---|---|---|
| name | The SKU of the search service. Valid values include: 'free': Shared service. 'basic': Dedicated service with up to 3 replicas. 'standard': Dedicated service with up to 12 partitions and 12 replicas. 'standard2': Similar to standard, but with more capacity per search unit. 'standard3': The largest Standard offering with up to 12 partitions and 12 replicas (or up to 3 partitions with more indexes if you also set the hostingMode property to 'highDensity'). 'storage_optimized_l1': Supports 1TB per partition, up to 12 partitions. 'storage_optimized_l2': Supports 2TB per partition, up to 12 partitions. 'serverless': Serverless tier with auto-scaling capabilities. | 'basic' 'free' 'serverless' 'standard' 'standard2' 'standard3' 'storage_optimized_l1' 'storage_optimized_l2' |
TrackedResourceTags
| Name | Description | Value |
|---|---|---|
UserAssignedIdentity
| Name | Description | Value |
|---|---|---|
Usage Examples
Terraform Samples
A basic example of deploying Search Service.
terraform {
  required_providers {
    azapi = {
      source = "Azure/azapi"
    }
  }
}

provider "azapi" {
  skip_provider_registration = false
}

variable "resource_name" {
  type    = string
  default = "acctest0001"
}

variable "location" {
  type    = string
  default = "westeurope"
}

resource "azapi_resource" "resourceGroup" {
  type     = "Microsoft.Resources/resourceGroups@2020-06-01"
  name     = var.resource_name
  location = var.location
}

resource "azapi_resource" "searchService" {
  type      = "Microsoft.Search/searchServices@2022-09-01"
  parent_id = azapi_resource.resourceGroup.id
  name      = var.resource_name
  location  = var.location
  body = {
    properties = {
      authOptions = {
        apiKeyOnly = {}
      }
      disableLocalAuth = false
      encryptionWithCmk = {
        enforcement = "Disabled"
      }
      hostingMode = "default"
      networkRuleSet = {
        ipRules = []
      }
      partitionCount      = 1
      publicNetworkAccess = "Enabled"
      replicaCount        = 1
    }
    sku = {
      name = "standard"
    }
    tags = {
      environment = "staging"
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
}
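For contrast with the basic sample above, which allows API-key-only authentication, unrestricted public access and no CMK enforcement, the following is an added example (not part of the original page or of Microsoft's samples) of a locked-down configuration in Bicep that uses only properties and values from the tables on this page. The parameter names are hypothetical, and the user-assigned identity is assumed to exist already and to be authorized to use the Key Vault key.

```bicep
// Added example. All parameter names are hypothetical placeholders.
param location string = resourceGroup().location
param searchServiceName string
param userAssignedIdentityId string // full ARM resource ID of an existing identity
param keyVaultUri string            // e.g. https://my-keyvault-name.vault.azure.net
param keyVaultKeyName string
param keyVaultKeyVersion string
param allowedCidr string            // single IPv4 address or CIDR range to allow

resource search 'Microsoft.Search/searchServices@2026-03-01-preview' = {
  name: searchServiceName
  location: location
  sku: {
    name: 'standard'
  }
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${userAssignedIdentityId}': {}
    }
  }
  properties: {
    // Reject API keys on the data plane. authOptions is left out on purpose:
    // it cannot be set when disableLocalAuth is true.
    disableLocalAuth: true
    // ipRules are applied only while public access is 'Enabled'. Setting
    // 'Disabled' instead makes private endpoints the only access path.
    publicNetworkAccess: 'Enabled'
    networkRuleSet: {
      bypass: 'None'
      ipRules: [
        { value: allowedCidr }
      ]
    }
    encryptionWithCmk: {
      enforcement: 'Enabled'
      serviceLevelEncryptionKey: {
        keyVaultUri: keyVaultUri
        keyVaultKeyName: keyVaultKeyName
        keyVaultKeyVersion: keyVaultKeyVersion
        // Managed identity instead of accessCredentials, so no
        // applicationSecret is stored in the template or its parameters.
        identity: {
          '@odata.type': '#Microsoft.Azure.Search.DataUserAssignedIdentity'
          userAssignedIdentity: userAssignedIdentityId
        }
      }
    }
    partitionCount: 1
    replicaCount: 1
  }
}
```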
Azure Verified Modules
The following Azure Verified Modules can be used to deploy this resource type.
| Module | Description |
|---|---|
| Search Service | AVM Resource Module for Search Service |