Connecting Azure DevOps with Azure
An article on using an Azure service connection

Introduction
I recently had to set up a new Azure service connection in Azure DevOps and I couldn’t use the default authentication method because I wasn’t the owner of the Azure subscription. I had to, therefore, use the service principal route to get everything connected. I’ve recreated the scenario and have highlighted the steps in this article.
Creating a new service connection
Let’s start by creating a new service connection in Azure DevOps. Head to the service connections page using the URL https://dev.azure.com/<Organisation>/<Project>/_settings/adminservices. Replace <Organisation> and <Project> with the appropriate values.
Select Azure Resource Manager from the options listed and then select Service principal (manual). You should see something like this.

Now, let’s start by filling out this form. It’s a lengthy one, so I’ve split it into three sections to make it easier to understand.
Section #1: Subscription
Assuming the default Environment and Scope Level are what you’re after, in most cases you only need to set the Subscription ID and Subscription Name.

To get these values, head to portal.azure.com and search for Subscriptions. Click the subscription that you want to connect Azure DevOps to. You should see the Subscription ID and Subscription Name in the Overview panel, as highlighted below.

Section #2: Authentication
Next, we need to fill out the service principal information. Think of this as entering the credentials of a virtual entity that exists in your Azure portal and has access to the Azure resources, so that Azure DevOps can have the same access as well.

Service Principal ID and Tenant ID
To get the credentials of this virtual entity, we first need to create one. To do so, go to portal.azure.com and search for Active Directory. From the left blade, select App registrations. Then click New registration to open another blade.

Give this app a meaningful name so that you know what it’s used for. By default, you would select the single tenant option from the Supported account types section. Click Register.

Now, from the Overview section, copy the Application (client) ID and paste it into the Service Principal ID input box. Copy the Directory (tenant) ID and paste it into the Tenant ID input box.

Service principal key
Now we need to generate this entity’s password, or, to be more precise, its client secret. While still in the app you’ve just created, click on Certificates & secrets from the left blade. Add a New client secret. Give it a meaningful description and expiry and then click Add. Copy the value (hint: you won’t be able to see this value again) and paste it into the Service principal key input.

Verification
Okay, let’s test if Azure DevOps can make the connection to Azure and has all the right levels of permission it requires. Click the Verify button to test this out.

If you’ve followed everything so far, you will see an error message similar to the one below. Hmm, we added all the details correctly, so what went wrong?
Failed to query service connection API: 'https://management.azure.com/subscriptions/*****?api-version=2016-06-01'. Status Code: 'Forbidden', Response from server: '{"error":{"code":"AuthorizationFailed","message":"The client '*****' with object id '*****' does not have authorization to perform action 'Microsoft.Resources/subscriptions/read' over scope '/subscriptions/*****' or the scope is invalid. If access was recently granted, please refresh your credentials."}}'
If you read the entire message, it tells you that it tried to query the subscription but failed to perform even a read operation. This tells me that the app/entity doesn’t actually have access to the Azure subscription.
Fair enough.
To resolve this, let’s head back to the subscription and click on Access control (IAM). Click on Add and then select Add role assignment. We’ll assign the entity a Contributor role. Search for the entity, i.e., the app you registered earlier, and then hit the Save button.

After it has successfully added the app as a contributor to the subscription, go back to the New Azure service connection blade in Azure DevOps and test the verification again. This time, it should succeed.
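The portal steps from Section #2 and the role assignment above can also be scripted with the Azure CLI. The bash script below is an added example and is not part of the article; it assumes `az` is installed and that `az login` has been run by someone allowed to create app registrations and role assignments on the subscription, and the app name and subscription ID are placeholders you supply. It also includes a small helper that reads a pasted AuthorizationFailed response like the one above and names the missing action and scope, so you can tell from the verification error alone which permission is missing.

```shell
#!/usr/bin/env bash
# Added example (not from the article): script the "Section #2" portal
# steps and the IAM fix with the Azure CLI. Assumes `az` is installed and
# `az login` has already been run. App name and subscription id are
# placeholders supplied by the caller.
set -euo pipefail

# Build the ARM scope string for a subscription id; this is the
# "scope '/subscriptions/...'" the error message refers to.
subscription_scope() {
    printf '/subscriptions/%s\n' "$1"
}

# Given the body of a Forbidden verification response, print the missing
# RBAC action and the scope it was needed on. Pure text processing, so it
# runs on a pasted error without any Azure access.
explain_authz_error() {
    local body="$1" action scope
    action=$(printf '%s' "$body" | sed -n "s/.*perform action '\([^']*\)'.*/\1/p")
    scope=$(printf '%s' "$body" | sed -n "s/.*over scope '\([^']*\)'.*/\1/p")
    [ -n "$action" ] || { echo "no AuthorizationFailed action found" >&2; return 1; }
    printf 'missing action %s on scope %s -> assign a role granting it to the service principal\n' \
        "$action" "$scope"
}

# Register the app, create its service principal, issue a client secret and
# assign Contributor on the subscription, then print the three values the
# service-connection form asks for.
create_devops_service_principal() {
    local subscription_id="$1" app_name="$2" app_id tenant_id secret
    app_id=$(az ad app create --display-name "$app_name" --query appId -o tsv)
    az ad sp create --id "$app_id" >/dev/null
    tenant_id=$(az account show --query tenantId -o tsv)
    # Like the portal's client secret, the password is only returned once.
    secret=$(az ad app credential reset --id "$app_id" --years 1 --query password -o tsv)
    az role assignment create --assignee "$app_id" --role Contributor \
        --scope "$(subscription_scope "$subscription_id")" >/dev/null
    printf 'Service Principal ID: %s\nTenant ID: %s\nService principal key: %s\n' \
        "$app_id" "$tenant_id" "$secret"
}

# Usage: ./create-sp.sh <subscription-id> [app-name]; only runs when az is present.
if [ -n "${1:-}" ] && command -v az >/dev/null 2>&1; then
    create_devops_service_principal "$1" "${2:-devops-service-connection}"
fi
```

The step-by-step commands mirror the article’s sections; `az ad sp create-for-rbac --name <app-name> --role Contributor --scopes /subscriptions/<id>` does the same in one call. The role assignment may take a minute to propagate before Verify succeeds, which is what the “If access was recently granted, please refresh your credentials” part of the error hints at. Contributor on the whole subscription is what the article uses; if the pipeline only ever deploys into one resource group, the same `--scope` argument can point at that resource group instead, which limits what a leaked client secret can reach.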

Section #3: General details
Give this connection a meaningful name. This name will appear in the list of Azure subscriptions in your release pipeline, so you want to ensure that your release pipeline contributors know exactly what this service connection is for.

After you’ve entered all the details, hit the Verify and save button.
Consuming this service connection
In the release pipeline, your contributors will see the newly created connection in the list of Azure subscriptions. Clicking that will give them access to the subscription you’ve created this connection for.

Summary
Alright, time for a quick recap —
- We started off with a quick introduction to what this article contained. We then dived into creating a new service connection using Azure Resource Manager using the service principal approach.
- We had to enter quite a few details, so we split that into three sections to make it easier to understand.
- Section #1 was about the subscription. We looked at where to get the subscription ID and subscription name.
- Section #2 was about authentication. Here, we registered a new app and then added the app’s client ID and secret into the form. We also added the tenant ID. We also tried to verify the connection and encountered an error.
- To resolve the error, we added the app as a contributor to the Azure subscription. Re-verification of the connection was successful.
- Lastly, section #3 was about general details. We entered a meaningful name for this connection since this name will appear in the release pipeline. To save the connection, we clicked on the Verify and save button.
- From a consumption point of view, we saw that the newly created service connection shows up in the list of Azure subscriptions. Your release contributors can use it to deploy applications into that particular subscription.
That’s it!
Thanks for reading. Give it a clap 👏 (tip: you can clap up to 50 times!) and share it with your network 🙏