Thursday, 9 May 2019

Azure DevOps Service Connection for an Azure Subscription in Another Azure AD

Adding Azure Subscription to Azure DevOps  as service connection is really simple when you have the same account you are using for Azure DevOps associated with your Azure Subscription. However, this may not be the case always and you may want to deploy to resources in a Azure Subscription which is not related to your Azure DevOps organization. Let’s see how to create a service connection in such situation to utilize it in a deployment pipeline.

1. The solution for allowing access is to create a service principle and allow it to contribute to required resources in the foreign Azure Subscription. Use foreign Azure Subscription (could be your clients Azure Subscription) credentials log onto the Azure Portal and open up the cloud shell or use az login in PowerShell in a machine where Azure CLI is enabled.
2. List the Azure subscriptions in the account using below command and take a note of the required subscription id and the name of the subscription.
az account list
3. To test the connectivity lets create a resource group in Azure.
az group create -n 'azdo-cnect-blog-rg' -l centralus --subscription "subscriptionid"
4. To create the service principle in Azure scoped to the resource group you can use below command.
az ad sp create-for-rbac -n "MyApp" --role contributor --scopes /subscriptions/{SubID}/resourceGroups/{ResourceGroup1} /subscriptions/{SubID}/resourceGroups/{ResourceGroup2}

az ad sp create-for-rbac -n "AzDO-chamindac-free-testP" --role contributor --scopes /subscriptions/subscriptionid/resourceGroups/azdo-cnect-blog-rg

Save the output from service principal creation as these information are required for making the service connection from Azure DevOps.
5. If you inspect the resource group role assignment you would be able to see the contributor permission assigned for the service principal.
6. Let’s create the service connection by selecting Azure Resource Manager Service Connection. <image 4>
7. Click on use the full version of the service connection dialog link. <i5>
8. Provide a connection name of you preference. The subscription id and name of the foreign (client) Azure subscription should be added to relevant fields. Service Principal Client Id is the appId of the output shown to you when you create the service principle with Azure CLI. Password shown is the value that should be entered to Service principal key. Tenant id shown is the Tenant ID. (check numbered mapping in images). Verify the service connection and it should be connected. As we have created the service principal allowing contribution on a single resource group the deployments are possible only to that resource group. You can create service principal with different scope such as multiple resource groups or subscription level scope.<img6>
9. Let’s test the connection created by trying to create an Azure Web app via release management of Azure DevOps using the service connection. For that create a release definition and add an Azure Resource Group Deployment task. Select the service connection as Azure Subscription and you would be able to select the resource group which has contributor permissions for the service principal. Select action as Create or update resource group. Location parameter would be ignored as the resource group is already existing. <img 7>
9. In the template section of the task provide Azure Resource Manger (ARM) quick start sample link for web app available in You can find the information on this ARM template in here. As specified in the documentation we have to provide webAppName, sku (store keeping unit or pricing tier), and location for the web app.<i8>
10. Setup variables and values for three parameters mentioned above in the release dfintion. <i9>
11. Create a release and you will see it is getting completed successfully. <10>
12. The new web app would be created in the resource group.
13. If you test the web app the created web app is ready and you can add further steps in release management to deploy your application to Azure web app.
This post has taken you through steps required to create a service principal in Azure to create a service connection from Azure DevOps to do deployments to Azure resources in a client/foreign/another Azure subscription which is not connected to the user of the Azure DevOps organization.

No comments:

Popular Posts