Bicep resource definition
The workspaces/fhirservices resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
To create a Microsoft.HealthcareApis/workspaces/fhirservices resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.HealthcareApis/workspaces/fhirservices@2025-04-01-preview' = {
parent: resourceSymbolicName
etag: 'string'
identity: {
type: 'string'
userAssignedIdentities: {
{customized property}: {}
}
}
kind: 'string'
location: 'string'
name: 'string'
properties: {
acrConfiguration: {
loginServers: [
'string'
]
ociArtifacts: [
{
digest: 'string'
imageName: 'string'
loginServer: 'string'
}
]
}
authenticationConfiguration: {
audience: 'string'
authority: 'string'
smartIdentityProviders: [
{
applications: [
{
allowedDataActions: [
'string'
]
audience: 'string'
clientId: 'string'
}
]
authority: 'string'
}
]
smartProxyEnabled: bool
}
corsConfiguration: {
allowCredentials: bool
headers: [
'string'
]
maxAge: int
methods: [
'string'
]
origins: [
'string'
]
}
encryption: {
customerManagedKeyEncryption: {
keyEncryptionKeyUrl: 'string'
}
}
exportConfiguration: {
storageAccountName: 'string'
}
implementationGuidesConfiguration: {
usCoreMissingData: bool
}
importConfiguration: {
enabled: bool
initialImportMode: bool
integrationDataStore: 'string'
}
publicNetworkAccess: 'string'
resourceVersionPolicyConfiguration: {
default: 'string'
resourceTypeOverrides: {
{customized property}: 'string'
}
}
}
tags: {
{customized property}: 'string'
}
}
Property Values
Microsoft.HealthcareApis/workspaces/fhirservices
| Name |
Description |
Value |
| etag |
An etag associated with the resource, used for optimistic concurrency when editing it. |
string |
| identity |
Setting indicating whether the service has a managed identity associated with it. |
ServiceManagedIdentity |
| kind |
The kind of the service. |
'fhir-R4'
'fhir-Stu3' |
| location |
The geo-location where the resource lives |
string |
| name |
The resource name |
string
Constraints:
Min length = 3
Max length = 24 (required) |
| parent |
In Bicep, you can specify the parent resource for a child resource. You only need to add this property when the child resource is declared outside of the parent resource.
For more information, see Child resource outside parent resource. |
Symbolic name for resource of type: workspaces |
| properties |
Fhir Service configuration. |
FhirServiceProperties |
| tags |
Resource tags |
Dictionary of tag names and values. See Tags in templates |
Encryption
EncryptionCustomerManagedKeyEncryption
| Name |
Description |
Value |
| keyEncryptionKeyUrl |
The URL of the key to use for encryption |
string |
FhirServiceAcrConfiguration
| Name |
Description |
Value |
| loginServers |
The list of the Azure container registry login servers. |
string[] |
| ociArtifacts |
The list of Open Container Initiative (OCI) artifacts. |
ServiceOciArtifactEntry[] |
FhirServiceAuthenticationConfiguration
| Name |
Description |
Value |
| audience |
The audience url for the service |
string |
| authority |
The authority url for the service |
string |
| smartIdentityProviders |
The array of identity provider configurations for SMART on FHIR authentication. |
SmartIdentityProviderConfiguration[] |
| smartProxyEnabled |
If the SMART on FHIR proxy is enabled |
bool |
FhirServiceCorsConfiguration
| Name |
Description |
Value |
| allowCredentials |
If credentials are allowed via CORS. |
bool |
| headers |
The headers to be allowed via CORS. |
string[] |
| maxAge |
The max age to be allowed via CORS. |
int
Constraints:
Max value = 99999 |
| methods |
The methods to be allowed via CORS. |
string[] |
| origins |
The origins to be allowed via CORS. |
string[] |
FhirServiceExportConfiguration
| Name |
Description |
Value |
| storageAccountName |
The name of the default export storage account. |
string |
FhirServiceImportConfiguration
| Name |
Description |
Value |
| enabled |
If the import operation is enabled. |
bool |
| initialImportMode |
If the FHIR service is in InitialImportMode. |
bool |
| integrationDataStore |
The name of the default integration storage account. |
string |
FhirServiceProperties
ImplementationGuidesConfiguration
| Name |
Description |
Value |
| usCoreMissingData |
If US Core Missing Data requirement is enabled. |
bool |
ResourceVersionPolicyConfiguration
ResourceVersionPolicyConfigurationResourceTypeOverrides
ServiceManagedIdentity
| Name |
Description |
Value |
| type |
Type of identity being specified, currently SystemAssigned and None are allowed. |
'None'
'SystemAssigned'
'SystemAssigned,UserAssigned'
'UserAssigned' (required) |
| userAssignedIdentities |
The set of user assigned identities associated with the resource. The userAssignedIdentities dictionary keys will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}. The dictionary values can be empty objects ({}) in requests. |
ServiceManagedIdentityUserAssignedIdentities |
ServiceManagedIdentityUserAssignedIdentities
ServiceOciArtifactEntry
| Name |
Description |
Value |
| digest |
The artifact digest. |
string |
| imageName |
The artifact name. |
string |
| loginServer |
The Azure Container Registry login server. |
string |
SmartIdentityProviderApplication
| Name |
Description |
Value |
| allowedDataActions |
The actions that are permitted to be performed on FHIR resources for the application. |
String array containing any of:
'Read' |
| audience |
The audience that will be used to validate bearer tokens against the given authority. |
string |
| clientId |
The application client id defined in the identity provider. This value will be used to validate bearer tokens against the given authority. |
string |
SmartIdentityProviderConfiguration
| Name |
Description |
Value |
| applications |
The array of identity provider applications for SMART on FHIR authentication. |
SmartIdentityProviderApplication[] |
| authority |
The identity provider token authority also known as the token issuing authority. |
string |
UserAssignedIdentity
Usage Examples
Bicep Samples
A basic example of deploying Healthcare FHIR (Fast Healthcare Interoperability Resources) Service.
param resourceName string = 'acctest0001'
param location string = 'westeurope'
resource workspace 'Microsoft.HealthcareApis/workspaces@2022-12-01' = {
name: resourceName
location: location
}
resource fhirService 'Microsoft.HealthcareApis/workspaces/fhirServices@2022-12-01' = {
parent: workspace
name: resourceName
location: location
kind: 'fhir-R4'
properties: {
acrConfiguration: {}
authenticationConfiguration: {
audience: 'https://acctestfhir.fhir.azurehealthcareapis.com'
authority: 'https://login.microsoftonline.com/deployer().tenantId'
smartProxyEnabled: false
}
corsConfiguration: {
allowCredentials: false
headers: []
methods: []
origins: []
}
}
}
resource fhirService2 'Microsoft.HealthcareApis/workspaces/fhirServices@2022-12-01' = {
parent: workspace
name: resourceName
location: location
kind: 'fhir-R4'
properties: {
acrConfiguration: {}
authenticationConfiguration: {
audience: fhirService.properties.authenticationConfiguration.audience
authority: fhirService.properties.authenticationConfiguration.authority
smartProxyEnabled: false
}
corsConfiguration: {
allowCredentials: false
headers: []
methods: []
origins: []
}
}
}
Azure Quickstart Samples
The following Azure Quickstart templates contain Bicep samples for deploying this resource type.
| Bicep File |
Description |
| Configure FHIR service to enable $import |
This template provisions FHIR service to enable $import for initial data loading |
| Deploy the MedTech service |
The MedTech service is one of the Azure Health Data Services designed to ingest device data from multiple devices, transform the device data into FHIR Observations, which are then persisted in the Azure Health Data Services FHIR service. |
| Deploy the MedTech service including an Azure IoT Hub |
The MedTech service is one of the Azure Health Data Services designed to ingest device data from multiple devices, transform the device data into FHIR Observations, which are then persisted in the Azure Health Data Services FHIR service. |
ARM template resource definition
The workspaces/fhirservices resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
To create a Microsoft.HealthcareApis/workspaces/fhirservices resource, add the following JSON to your template.
{
"type": "Microsoft.HealthcareApis/workspaces/fhirservices",
"apiVersion": "2025-04-01-preview",
"name": "string",
"etag": "string",
"identity": {
"type": "string",
"userAssignedIdentities": {
"{customized property}": {
}
}
},
"kind": "string",
"location": "string",
"properties": {
"acrConfiguration": {
"loginServers": [ "string" ],
"ociArtifacts": [
{
"digest": "string",
"imageName": "string",
"loginServer": "string"
}
]
},
"authenticationConfiguration": {
"audience": "string",
"authority": "string",
"smartIdentityProviders": [
{
"applications": [
{
"allowedDataActions": [ "string" ],
"audience": "string",
"clientId": "string"
}
],
"authority": "string"
}
],
"smartProxyEnabled": "bool"
},
"corsConfiguration": {
"allowCredentials": "bool",
"headers": [ "string" ],
"maxAge": "int",
"methods": [ "string" ],
"origins": [ "string" ]
},
"encryption": {
"customerManagedKeyEncryption": {
"keyEncryptionKeyUrl": "string"
}
},
"exportConfiguration": {
"storageAccountName": "string"
},
"implementationGuidesConfiguration": {
"usCoreMissingData": "bool"
},
"importConfiguration": {
"enabled": "bool",
"initialImportMode": "bool",
"integrationDataStore": "string"
},
"publicNetworkAccess": "string",
"resourceVersionPolicyConfiguration": {
"default": "string",
"resourceTypeOverrides": {
"{customized property}": "string"
}
}
},
"tags": {
"{customized property}": "string"
}
}
Property Values
Microsoft.HealthcareApis/workspaces/fhirservices
| Name |
Description |
Value |
| apiVersion |
The api version |
'2025-04-01-preview' |
| etag |
An etag associated with the resource, used for optimistic concurrency when editing it. |
string |
| identity |
Setting indicating whether the service has a managed identity associated with it. |
ServiceManagedIdentity |
| kind |
The kind of the service. |
'fhir-R4'
'fhir-Stu3' |
| location |
The geo-location where the resource lives |
string |
| name |
The resource name |
string
Constraints:
Min length = 3
Max length = 24 (required) |
| properties |
Fhir Service configuration. |
FhirServiceProperties |
| tags |
Resource tags |
Dictionary of tag names and values. See Tags in templates |
| type |
The resource type |
'Microsoft.HealthcareApis/workspaces/fhirservices' |
Encryption
EncryptionCustomerManagedKeyEncryption
| Name |
Description |
Value |
| keyEncryptionKeyUrl |
The URL of the key to use for encryption |
string |
FhirServiceAcrConfiguration
| Name |
Description |
Value |
| loginServers |
The list of the Azure container registry login servers. |
string[] |
| ociArtifacts |
The list of Open Container Initiative (OCI) artifacts. |
ServiceOciArtifactEntry[] |
FhirServiceAuthenticationConfiguration
| Name |
Description |
Value |
| audience |
The audience url for the service |
string |
| authority |
The authority url for the service |
string |
| smartIdentityProviders |
The array of identity provider configurations for SMART on FHIR authentication. |
SmartIdentityProviderConfiguration[] |
| smartProxyEnabled |
If the SMART on FHIR proxy is enabled |
bool |
FhirServiceCorsConfiguration
| Name |
Description |
Value |
| allowCredentials |
If credentials are allowed via CORS. |
bool |
| headers |
The headers to be allowed via CORS. |
string[] |
| maxAge |
The max age to be allowed via CORS. |
int
Constraints:
Max value = 99999 |
| methods |
The methods to be allowed via CORS. |
string[] |
| origins |
The origins to be allowed via CORS. |
string[] |
FhirServiceExportConfiguration
| Name |
Description |
Value |
| storageAccountName |
The name of the default export storage account. |
string |
FhirServiceImportConfiguration
| Name |
Description |
Value |
| enabled |
If the import operation is enabled. |
bool |
| initialImportMode |
If the FHIR service is in InitialImportMode. |
bool |
| integrationDataStore |
The name of the default integration storage account. |
string |
FhirServiceProperties
ImplementationGuidesConfiguration
| Name |
Description |
Value |
| usCoreMissingData |
If US Core Missing Data requirement is enabled. |
bool |
ResourceVersionPolicyConfiguration
ResourceVersionPolicyConfigurationResourceTypeOverrides
ServiceManagedIdentity
| Name |
Description |
Value |
| type |
Type of identity being specified, currently SystemAssigned and None are allowed. |
'None'
'SystemAssigned'
'SystemAssigned,UserAssigned'
'UserAssigned' (required) |
| userAssignedIdentities |
The set of user assigned identities associated with the resource. The userAssignedIdentities dictionary keys will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}. The dictionary values can be empty objects ({}) in requests. |
ServiceManagedIdentityUserAssignedIdentities |
ServiceManagedIdentityUserAssignedIdentities
ServiceOciArtifactEntry
| Name |
Description |
Value |
| digest |
The artifact digest. |
string |
| imageName |
The artifact name. |
string |
| loginServer |
The Azure Container Registry login server. |
string |
SmartIdentityProviderApplication
| Name |
Description |
Value |
| allowedDataActions |
The actions that are permitted to be performed on FHIR resources for the application. |
String array containing any of:
'Read' |
| audience |
The audience that will be used to validate bearer tokens against the given authority. |
string |
| clientId |
The application client id defined in the identity provider. This value will be used to validate bearer tokens against the given authority. |
string |
SmartIdentityProviderConfiguration
| Name |
Description |
Value |
| applications |
The array of identity provider applications for SMART on FHIR authentication. |
SmartIdentityProviderApplication[] |
| authority |
The identity provider token authority also known as the token issuing authority. |
string |
UserAssignedIdentity
Usage Examples
Azure Quickstart Templates
The following Azure Quickstart templates deploy this resource type.
| Template |
Description |
Configure FHIR service to enable $import
 |
This template provisions FHIR service to enable $import for initial data loading |
Deploy the MedTech service
|
The MedTech service is one of the Azure Health Data Services designed to ingest device data from multiple devices, transform the device data into FHIR Observations, which are then persisted in the Azure Health Data Services FHIR service. |
Deploy the MedTech service including an Azure IoT Hub
|
The MedTech service is one of the Azure Health Data Services designed to ingest device data from multiple devices, transform the device data into FHIR Observations, which are then persisted in the Azure Health Data Services FHIR service. |
The workspaces/fhirservices resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
To create a Microsoft.HealthcareApis/workspaces/fhirservices resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
type = "Microsoft.HealthcareApis/workspaces/fhirservices@2025-04-01-preview"
name = "string"
parent_id = "string"
identity {
type = "string"
identity_ids = [
"string"
]
}
location = "string"
tags = {
{customized property} = "string"
}
body = {
etag = "string"
kind = "string"
properties = {
acrConfiguration = {
loginServers = [
"string"
]
ociArtifacts = [
{
digest = "string"
imageName = "string"
loginServer = "string"
}
]
}
authenticationConfiguration = {
audience = "string"
authority = "string"
smartIdentityProviders = [
{
applications = [
{
allowedDataActions = [
"string"
]
audience = "string"
clientId = "string"
}
]
authority = "string"
}
]
smartProxyEnabled = bool
}
corsConfiguration = {
allowCredentials = bool
headers = [
"string"
]
maxAge = int
methods = [
"string"
]
origins = [
"string"
]
}
encryption = {
customerManagedKeyEncryption = {
keyEncryptionKeyUrl = "string"
}
}
exportConfiguration = {
storageAccountName = "string"
}
implementationGuidesConfiguration = {
usCoreMissingData = bool
}
importConfiguration = {
enabled = bool
initialImportMode = bool
integrationDataStore = "string"
}
publicNetworkAccess = "string"
resourceVersionPolicyConfiguration = {
default = "string"
resourceTypeOverrides = {
{customized property} = "string"
}
}
}
}
}
Property Values
Microsoft.HealthcareApis/workspaces/fhirservices
| Name |
Description |
Value |
| etag |
An etag associated with the resource, used for optimistic concurrency when editing it. |
string |
| identity |
Setting indicating whether the service has a managed identity associated with it. |
ServiceManagedIdentity |
| kind |
The kind of the service. |
'fhir-R4'
'fhir-Stu3' |
| location |
The geo-location where the resource lives |
string |
| name |
The resource name |
string
Constraints:
Min length = 3
Max length = 24 (required) |
| parent_id |
The ID of the resource that is the parent for this resource. |
ID for resource of type: workspaces |
| properties |
Fhir Service configuration. |
FhirServiceProperties |
| tags |
Resource tags |
Dictionary of tag names and values. |
| type |
The resource type |
"Microsoft.HealthcareApis/workspaces/fhirservices@2025-04-01-preview" |
Encryption
EncryptionCustomerManagedKeyEncryption
| Name |
Description |
Value |
| keyEncryptionKeyUrl |
The URL of the key to use for encryption |
string |
FhirServiceAcrConfiguration
| Name |
Description |
Value |
| loginServers |
The list of the Azure container registry login servers. |
string[] |
| ociArtifacts |
The list of Open Container Initiative (OCI) artifacts. |
ServiceOciArtifactEntry[] |
FhirServiceAuthenticationConfiguration
| Name |
Description |
Value |
| audience |
The audience url for the service |
string |
| authority |
The authority url for the service |
string |
| smartIdentityProviders |
The array of identity provider configurations for SMART on FHIR authentication. |
SmartIdentityProviderConfiguration[] |
| smartProxyEnabled |
If the SMART on FHIR proxy is enabled |
bool |
FhirServiceCorsConfiguration
| Name |
Description |
Value |
| allowCredentials |
If credentials are allowed via CORS. |
bool |
| headers |
The headers to be allowed via CORS. |
string[] |
| maxAge |
The max age to be allowed via CORS. |
int
Constraints:
Max value = 99999 |
| methods |
The methods to be allowed via CORS. |
string[] |
| origins |
The origins to be allowed via CORS. |
string[] |
FhirServiceExportConfiguration
| Name |
Description |
Value |
| storageAccountName |
The name of the default export storage account. |
string |
FhirServiceImportConfiguration
| Name |
Description |
Value |
| enabled |
If the import operation is enabled. |
bool |
| initialImportMode |
If the FHIR service is in InitialImportMode. |
bool |
| integrationDataStore |
The name of the default integration storage account. |
string |
FhirServiceProperties
ImplementationGuidesConfiguration
| Name |
Description |
Value |
| usCoreMissingData |
If US Core Missing Data requirement is enabled. |
bool |
ResourceVersionPolicyConfiguration
ResourceVersionPolicyConfigurationResourceTypeOverrides
ServiceManagedIdentity
| Name |
Description |
Value |
| type |
Type of identity being specified, currently SystemAssigned and None are allowed. |
'None'
'SystemAssigned'
'SystemAssigned,UserAssigned'
'UserAssigned' (required) |
| userAssignedIdentities |
The set of user assigned identities associated with the resource. The userAssignedIdentities dictionary keys will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}. The dictionary values can be empty objects ({}) in requests. |
ServiceManagedIdentityUserAssignedIdentities |
ServiceManagedIdentityUserAssignedIdentities
ServiceOciArtifactEntry
| Name |
Description |
Value |
| digest |
The artifact digest. |
string |
| imageName |
The artifact name. |
string |
| loginServer |
The Azure Container Registry login server. |
string |
SmartIdentityProviderApplication
| Name |
Description |
Value |
| allowedDataActions |
The actions that are permitted to be performed on FHIR resources for the application. |
String array containing any of:
'Read' |
| audience |
The audience that will be used to validate bearer tokens against the given authority. |
string |
| clientId |
The application client id defined in the identity provider. This value will be used to validate bearer tokens against the given authority. |
string |
SmartIdentityProviderConfiguration
| Name |
Description |
Value |
| applications |
The array of identity provider applications for SMART on FHIR authentication. |
SmartIdentityProviderApplication[] |
| authority |
The identity provider token authority also known as the token issuing authority. |
string |
UserAssignedIdentity
Usage Examples
A basic example of deploying Healthcare FHIR (Fast Healthcare Interoperability Resources) Service.
terraform {
required_providers {
azapi = {
source = "Azure/azapi"
}
azurerm = {
source = "hashicorp/azurerm"
}
}
}
provider "azurerm" {
features {
}
}
provider "azapi" {
skip_provider_registration = false
}
variable "resource_name" {
type = string
default = "acctest0001"
}
variable "location" {
type = string
default = "westeurope"
}
data "azurerm_client_config" "current" {
}
resource "azapi_resource" "resourceGroup" {
type = "Microsoft.Resources/resourceGroups@2020-06-01"
name = var.resource_name
location = var.location
}
resource "azapi_resource" "workspace" {
type = "Microsoft.HealthcareApis/workspaces@2022-12-01"
parent_id = azapi_resource.resourceGroup.id
name = var.resource_name
location = var.location
schema_validation_enabled = false
response_export_values = ["*"]
}
resource "azapi_resource" "fhirService" {
type = "Microsoft.HealthcareApis/workspaces/fhirServices@2022-12-01"
parent_id = azapi_resource.workspace.id
name = var.resource_name
location = var.location
body = {
kind = "fhir-R4"
properties = {
acrConfiguration = {
}
authenticationConfiguration = {
audience = "https://acctestfhir.fhir.azurehealthcareapis.com"
authority = "https://login.microsoftonline.com/${data.azurerm_client_config.current.tenant_id}"
smartProxyEnabled = false
}
corsConfiguration = {
allowCredentials = false
headers = [
]
methods = [
]
origins = [
]
}
}
}
schema_validation_enabled = false
response_export_values = ["*"]
}
resource "azapi_resource" "fhirService2" {
type = "Microsoft.HealthcareApis/workspaces/fhirServices@2022-12-01"
parent_id = azapi_resource.workspace.id
name = var.resource_name
location = var.location
body = {
kind = "fhir-R4"
properties = {
acrConfiguration = {
}
authenticationConfiguration = {
audience = azapi_resource.fhirService.output.properties.authenticationConfiguration.audience
authority = azapi_resource.fhirService.output.properties.authenticationConfiguration.authority
smartProxyEnabled = false
}
corsConfiguration = {
allowCredentials = false
headers = [
]
methods = [
]
origins = [
]
}
}
}
schema_validation_enabled = false
response_export_values = ["*"]
}