How to create a new Azure Service Connection in Azure DevOps
This is the 4th post in the category Azure DevOps Fundamentals of the blog post series on working with Azure DevOps. In this post I will demonstrate how to create an Azure Service Connection in an Azure DevOps Project.
Since it is much more fun to do research and play with technology in collaboration with others, Wesley Camargo will be covering some of the topics on his blog, while other topics are covered by me here. Naturally, all related posts will be referenced between the two blogs.
What is an Azure Service Connection
An Azure Service Connection, officially called an ‘Azure Resource Manager Service Connection’, allows Pipelines in Azure DevOps to connect to Azure for the purpose of executing Azure Resource Manager related tasks, for example to deploy infrastructure using the Infrastructure as Code method. There are 4 authentication methods available to choose from when creating an Azure Service Connection. Each method allows Pipelines in Azure DevOps to connect to Azure using its own authentication approach.
- Service principal (automatic)
- Service principal (manual)
- Managed identity
- Publishing Profile
Since the Service principal (automatic) method is marked as recommended in Azure DevOps, I will cover this method, as it fits best in the Azure DevOps Fundamentals category.
When used, this method creates an Azure Service Connection that is composed of two parts. One part resides in Azure DevOps and the other one resides in Azure Active Directory.
The first part contains all the necessary configuration to be able to use the service connection as part of Pipelines in Azure DevOps. The second part is actually an App registration (see it as a traditional service account). This app registration is created in the background during the Azure Service Connection creation process. The next chapters depict and explain both the first and the second part.
How to create a new Azure Service Connection in Azure DevOps
Before jumping in, let's get the prerequisites clear.
- In the Azure DevOps Project you need to be signed in as the owner of the Azure Pipelines Organization
- In Azure you need to be signed in as the owner of an Azure Subscription (the one you want the service connection to connect to)
- If multiple accounts are used for the previous two points, make sure you sign in with both accounts in the same browser instance
- In Azure Active Directory the user in question must have the Directory Read role assigned
- In Azure Active Directory the user in question must have at least one of the following roles; which role is needed depends on the type of user and the ‘Users can register applications’ setting.
- Application Administrator
- Application Developer
- Cloud Application Administrator
1. Make sure you are on the landing page of the Azure DevOps project in question. Click in the top left bottom corner on
2. In the left hand navigation menu click on
3. Now click on the ‘Create service connection’ button in the middle of the screen.
4. On the ‘New service connection’ page select the ‘Azure Resource Manager’ option, then scroll all the way down and click
5. Make sure the ‘Service principal (automatic)’ option is selected and click next.
6. Leave the scope set to
7. In the ‘Subscription’ dropdown select the desired subscription.
8. Leave the ‘Resource group’ dropdown empty to set the Service Connection permission scope at whole subscription level, or if a lesser scope is desired select an appropriate resource group.
9. Give the service connection a logical name and provide a proper description.
10. Uncheck the checkbox ‘Grant access permission to all pipelines’; if left checked, the service connection will be usable by all pipelines, which can be a security risk.
11. Ensure that the results from steps 6 to 10 look similar to the following image and click the
12. The Azure Service Connection is now created and is visible on the main screen.
The two parts of an Azure Service Connection
With the service connection present, let's have a look at the earlier mentioned ‘two parts’ that make up an Azure Service Connection.
First part - Azure DevOps Configuration
- Repeat steps 1 and 2 from the previous steps and navigate to
- Click on the service connection that was created during the previous steps; you should see a screen similar to the one shown below.
- In the top right corner click on
- The ‘first part’ mentioned in the previous chapter, which resides in Azure DevOps, is now shown. As mentioned, it contains the configuration settings.
‘Verify’ button. This button is used to verify that the credentials used to connect this Service Connection to Azure are still valid. Keep this button in the back of your mind, as it has an additional function which I will explain further on in this post.
- Close the ‘Edit service connection’ view to exit the first part of the Azure Service Connection.
Second part - Azure Active Directory App Registration
- Click on the ‘Manage Service Principal’ link under the Service connection details.
- This links directly to the App registration that is the ‘second part’ of an Azure Service Connection. The result is shown in the following image.
- What is shown here is the actual identity that is granted permissions to the Subscription; as you can see in the following image, this identity has Contributor permissions to the Azure Subscription in question. In case you are wondering how to quickly check permissions: from the Azure Service Connection screen use the ‘Manage service connection roles’ link located above the ‘Manage Service Principal’ link.
- Notice its dreadfully awful name. This name is composed of the name of the Azure DevOps Organization, followed by the Azure DevOps Project and finally the guid of the subscription. The problem with this combination is that it is reused. So when you create multiple Azure Service Connections to the same subscription, they will all have the same name and will be impossible to keep apart. So I strongly recommend renaming the App registration by navigating to the ‘Branding & properties’ option, changing the ‘Name’ field to something more unique, for example the name of the service connection, and saving the changes.
- Now navigate to the ‘Certificates & secrets’ option. You should find the client secret that has been created to authenticate the Azure Service Connection. By default this secret is valid for 2 years. Now remember the ‘Verify’ button from the previous chapter? This is the moment to use it. In case this secret is already expired or is close to expiring, simply navigate to the settings where the ‘Verify’ button is located and click it to refresh the service connection secret for another two years.
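The two housekeeping checks described above (App registrations that share one auto-generated name, and client secrets that are expired or about to expire) can also be run over an export of the App registrations. The following is an added example, not part of the original post; it assumes records shaped like the Microsoft Graph application objects that `az ad app list` prints (`displayName`, `appId`, `passwordCredentials[].endDateTime`), and the sample records and the 30-day warning window are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like Microsoft Graph application objects (the JSON
# that `az ad app list` prints); every name, id and date below is made up.
SAMPLE_APPS = [
    {"displayName": "contoso-webshop-00000000-0000-0000-0000-000000000000",
     "appId": "11111111-1111-1111-1111-111111111111",
     "passwordCredentials": [{"keyId": "a1", "endDateTime": "2024-03-01T10:00:00Z"}]},
    {"displayName": "contoso-webshop-00000000-0000-0000-0000-000000000000",
     "appId": "22222222-2222-2222-2222-222222222222",
     "passwordCredentials": [{"keyId": "b1", "endDateTime": "2025-11-15T08:30:00.1234567Z"}]},
    {"displayName": "sc-webshop-prod",
     "appId": "33333333-3333-3333-3333-333333333333",
     "passwordCredentials": [{"keyId": "c1", "endDateTime": "2024-01-10T00:00:00Z"}]},
]


def parse_graph_time(value):
    """Parse a Graph UTC timestamp; fractional seconds are dropped."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def duplicate_names(apps):
    """Map each display name used by more than one registration to its appIds."""
    by_name = defaultdict(list)
    for app in apps:
        by_name[app["displayName"]].append(app["appId"])
    return {name: ids for name, ids in by_name.items() if len(ids) > 1}


def secrets_needing_rotation(apps, now, warn_days=30):
    """Return (appId, keyId, status) for secrets expired or expiring soon."""
    findings = []
    for app in apps:
        for cred in app.get("passwordCredentials") or []:
            end = parse_graph_time(cred["endDateTime"])
            if end <= now:
                findings.append((app["appId"], cred["keyId"], "expired"))
            elif end - now <= timedelta(days=warn_days):
                findings.append((app["appId"], cred["keyId"], "expiring"))
    return findings


if __name__ == "__main__":
    now = datetime(2024, 2, 10, tzinfo=timezone.utc)  # fixed so the output is stable
    print(duplicate_names(SAMPLE_APPS))
    print(secrets_needing_rotation(SAMPLE_APPS, now))
```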
And there you have it, How to create a new Azure Service Connection in Azure DevOps. If you are interested in the reference material used to make this post, please visit the following links.
- Connect to Microsoft Azure
- Manage service connections
- Change application connection & security policies for your organization
- Azure AD built-in roles
As always, a big thanks for reading this post. If you liked it, don’t be shy and have a look at my other posts.