How to Create a Service connection from Azure DevOps to your Azure account

Many a times, we want to deploy our built application to Azure. Such deployment can be done using a service connection from Azure DevOps to Azure.

We may have an Azure account and also an Azure DevOps account created at different times. If both the accounts are created using the same Microsoft account (with same email address) then the authentication and authorization is seamless. In this article, I am going to show you how we can create a service connection to Azure from Azure DevOps even if you have used different Microsoft accounts to create Azure and Azure DevOps accounts.

I am putting a scenario in front of you.

I have an Azure DevOps account named SubodhS66, created using my email address subodhs66[at]hotmail.com. I do not have an Azure account against this account.

My Azure account and subscription named SS-VSTS is against the email address subodhsohoni[at]hotmail.com. I have a Web App Service (PaaS) resource created under this account. The name of that app service is DemoWebApp. It uses the Azure Resource Manager model. The code for this app service is in a git repository in a Team Project named “SSGS EMS” on my Azure DevOps account.



I have created a build pipeline to build a WebDeploy package of the application. I want to deploy that to the DemoWebApp that is mentioned earlier.

We start by creating a new service connection from Azure DevOps to Azure. To do so, open the Project Settings of the team project. In the project settings now, select the setting of Service Connection under the Pipelines section of the settings.

image

Click the “New Service Connection” button to create a new service connection. From the dropdown that appears, select the option of Azure Resource Manager.

image

The default form for creation of new service connection to Azure to access resource that uses ARM, is as follows:

image

It does not populate the Subscription name since the account used are different. Now we need to use the “full version of service connection dialog” for which a link is shown in the default dialog.


imageWe will start by providing a name for the connection e.g. AzureConn. Environment is AzureCloud and set the Scope level to Subscription so that we can access any resource in the subscription that we are going to configure.

Now let us open the Azure portal using the URL https://portal.azure.com. In the portal, we will open the page of Subscriptions and select the subscription where the app service, where we want to do the deployment, exists.

Note the immediately obvious two details that are required are  Subscription ID and Subscription Name.

image


Let us now open the page of Azure Active Directory and select properties page of that. We will get the Directory ID. Note it as this is to be entered as Tenant ID in the service connection dialog box.

Let us now create a new service principle that will become the identity of Azure DevOps. We do that by opening the page of App Registrations under Azure Active Directory.

image
















Let us create a new app registration entry. Click the “New Registration” button. Provide an appropriate name to the app registration entry and click the “Register” button.

Once the app registration is complete, note the “Application (client) ID”. We will enter it as “Service Principle Client ID” in the service connection dialog box.



We now only need “Service Principle Key” in the service connection dialog box. For that click the “Certificates and Secrets” tab on the page of created app registration entry. On that page click the button of “New client secret”. Provide a name and expiration policy for that secret. Click the Add button. Copy the created Client Secret. We will enter it as “Service Principle Key”.

Fully filled dialog box for service connection creation will look like this:



We still have one last task to be done before we can verify that the connection works and save it.

We need to allow the service principle that we created to access the Azure resources under our subscription. To do so, open the page of Subscriptions and then select the subscription that we want to use. Click the button of “Access Control (IAM)”. We will create a new “Role Assignment”. To do so, click the button to “Add” role assignment.

image

Select the role of “Owner” and type the name of registered app (service principle) that we had created in the earlier steps.

Now we can verify the connection details and once verified, click “OK” button to save the connection. This connection can be used by all users of my Azure DevOps account to connect and deploy to the Azure account without knowing the credentials of Azure.


Will you give this article a +1 ? Thanks in advance


About The Author

Subodh Sohoni
Subodh is consultant and corporate trainer for the subjects of Azure DevOps. He has overall 32 years of experience in aircraft production, sales, marketing, software development, training and consulting. He is Microsoft Most Valuable Professional (MVP) – Azure DevOps since 2009, is Microsoft Certified Trainer (MCT) since 2003. He also is Microsoft Certified Azure DevOps Engineer Expert. He has conducted more than 350 corporate trainings and consulting assignments. He has executed trainings and consulting assignments on behalf of Microsoft at various customers and open workshops. Follow him on twitter @subodhsohoni.

No comments: