Create azure resource manager service connection for azure devops

Introduction:

In my previous post, I explained how to create a service principal using the Azure CLI. In this post I will explain how to create an Azure Resource Manager service connection for Azure DevOps. Basically, a service connection allows Azure DevOps to communicate with external systems such as GitHub, SonarCloud, Bitbucket, Azure etc.

In order to deploy an Azure cloud-based solution, you need an Azure Resource Manager service connection to connect to Microsoft Azure. This service connection is used in Azure DevOps Release Pipelines to deploy an application artifact (called a pipeline artifact) to a target Azure service (Web App, Functions App, SQL Database etc.) or to provision a new Azure resource (Virtual Machine, Web App, Storage Account, AKS etc.).

Prerequisites:

1. Azure Account with Service Principal
2. Azure DevOps Account

Get Started:

Before starting to create the Azure Resource Manager service connection for Azure DevOps, open the service principal details you copied at the time of creation.

1. Navigate to https://dev.azure.com/{Your organization name}
2. Select the project where you want to create the service connection
3. Select Project Settings
4. In the Pipelines section, find Service connections and click on it


5. Click on the New service connection button


6. Select Azure Resource Manager from the available options and click on the Next button


7. Select the option Service principal (manual) and click on the Next button


8. Now select the correct options as shown in the snapshot below, then copy the values from Notepad and paste them into the text boxes


9. Click on the Verify button to make sure the connection succeeds
10. If it succeeds, enter the name of the service connection and a description (optional). For now, leave the "Grant access permission to all pipelines" option enabled and click Verify and save.


11. The new service connection will appear in your project's service connection list.

In this post, I explained how to create an Azure Resource Manager service connection. Here we allowed all pipelines to use this service connection. It is not recommended to allow all pipelines to use a service connection, for security reasons (other teams can use it, and ultimately you would be charged for it 🙂).
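The same service connection can be created without the portal, through the Azure DevOps REST API. The script below is an added example, not from the original post: it builds the request body with the same fields the "Service principal (manual)" form asks for, and then, instead of granting access to all pipelines, authorises only named pipeline definitions through the pipelinepermissions API. Organization, project, GUIDs, the pipeline id 42 and the environment variable names are placeholders, and the API versions (7.1-preview.4 and 7.1-preview.1) are assumptions to check against your organization.

```python
import base64, json, os, urllib.request

def build_arm_connection(name, project_id, project_name, subscription_id,
                         subscription_name, tenant_id, sp_app_id, sp_secret):
    """Request body for an AzureRM endpoint; same fields as the 'Service principal (manual)' form."""
    return {
        "name": name, "type": "AzureRM", "url": "https://management.azure.com/",
        "data": {"subscriptionId": subscription_id, "subscriptionName": subscription_name,
                 "environment": "AzureCloud", "scopeLevel": "Subscription",
                 "creationMode": "Manual"},
        "authorization": {
            "scheme": "ServicePrincipal",
            "parameters": {"tenantid": tenant_id, "serviceprincipalid": sp_app_id,
                           "authenticationType": "spnKey", "serviceprincipalkey": sp_secret},
        },
        "isShared": False, "isReady": True,
        # Visible only in this project; sharing with other projects is a separate decision.
        "serviceEndpointProjectReferences": [
            {"projectReference": {"id": project_id, "name": project_name}, "name": name}],
    }

def build_pipeline_permissions(endpoint_id, pipeline_ids):
    """Body for the pipelinepermissions API: 'all pipelines' stays unauthorised,
    only the listed pipeline definition ids may use the endpoint."""
    return {
        "allPipelines": {"authorized": False},
        "pipelines": [{"id": pid, "authorized": True} for pid in pipeline_ids],
        "resource": {"type": "endpoint", "id": endpoint_id},
    }

def send(url, body, pat, method="POST"):
    """POST/PATCH a JSON body to Azure DevOps using a PAT (Basic auth, empty user name)."""
    token = base64.b64encode(f":{pat}".encode()).decode()
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method=method,
                                 headers={"Content-Type": "application/json",
                                          "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":  # placeholders: fill in from the service principal details you saved
    org, project, pat = "my-org", "my-project", os.environ["AZDO_PAT"]
    base = f"https://dev.azure.com/{org}"
    conn = send(f"{base}/_apis/serviceendpoint/endpoints?api-version=7.1-preview.4",
                build_arm_connection("arm-prod", "<project-guid>", project, "<subscription-guid>",
                                     "Production", "<tenant-guid>", "<app-id>", os.environ["SP_SECRET"]), pat)
    send(f"{base}/{project}/_apis/pipelines/pipelinepermissions/endpoint/{conn['id']}?api-version=7.1-preview.1",
         build_pipeline_permissions(conn["id"], [42]), pat, method="PATCH")
```

The secret and the PAT are read from environment variables so they never land in a script or in source control.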

Additional Tip to apply Service Connection Security:

If your team is very small or you are working in a smaller organization (without many processes), then I would advise you to follow the steps below (without going too deep into Azure DevOps built-in security groups, roles and permissions) to permit this service connection only to specific developers from other team(s).

Please note that, by default, your project team has access to use a service connection created by the team's administrator.

1. Select the service connection that you want to permit only to limited developers


2. Click on the three dots at the right corner of the selected service connection


3. Click on the +Add button to allow other team member(s) or team(s) to use the service connection. Make sure the added member(s) have only the "User" role, so they can use the service connection but not administer it.

In the snapshot above, by default the project team has access to use the service connection (please don't allow the team role to be Administrator, except for project administrators). I have added another team's developer as a User of this service connection, and the project administrator has Administrator access to the service connection. It also has Endpoint Administrator (an Azure DevOps built-in role with administrator access).

Finally,
In my next articles about Azure DevOps security I will explain Azure DevOps role-based access control (RBAC). The series of posts will cover security related to Pipelines, Repositories, Service connections etc.
