Connecting to Azure Devops with a Service Principal

I see a lot of blogs and examples on the internet that show you how to connect to environments using a username and password. This is all well and good for testing, but I believe it is bad for real world scenarios: the automation becomes tied to one person's account, and it inherits every permission that person has.

I’m a contractor, and my time at the job is defined. After I leave the contract and move on to the next one, the company should disable my account. What happens next? Everything I have built using a username/password stops working. Yes, I could argue it ensures I get a call back, but most contracts I’ve been involved in have a clause that any bugs found will be fixed for free up to 3-6 months after the job is done. Also, I like to leave a place with them thinking “That guy is awesome, let’s get him back for the next project!”.

This post is going to show you how to set up a Service Principal for your Azure DevOps CI/CD. At the end, I will give a very basic deployment that creates a Resource Group in Azure. Please note, this example shows how to set things up when your Azure DevOps organization is not part of the same directory as the tenant that holds your Azure resources. When it is part of the same tenant.

First, we need to start in Azure and create a Service Principal. The Service Principal will need the Contributor role on the Subscription, or on the Resource Group that your DevOps project is going to manage. Prefer the Resource Group scope where you can: a pipeline credential with Contributor on the whole subscription can change anything in it, and a leaked pipeline secret is a common way for that to happen.

Create Service Principal

  • Open Azure Portal
  • Navigate to Azure Active Directory
  • Click App registration
  • Click New Registration
    • Name: Devops-<Company>-<ProjectName> (E.g, Devops-CFCode-OperationsDemo)
    • Supported account types: Accounts in this organizational directory only (Single Tenant)
    • Redirect URI: (Leave blank)
    • Click Register
  • Make a note of Application (client) ID and your Directory (tenant) ID.

Create a Secret for the Service Principal

  • In the App Registration for the above app, click Certificates & secrets.
  • Under Client secrets, click New client secret
    • Description: DEVOPS
    • Expires: the post originally chose Never. Prefer a finite lifetime (the portal no longer offers Never and caps secrets at 24 months) and record the expiry date so the secret is rotated before the pipeline stops working.
    • Click Add
  • Make a note of the secret value immediately. It is shown only once and cannot be read back later; if you lose it, create a new secret and delete the old one.

Assign Service Principal permission to Subscription

  • Open Azure Portal
  • Navigate to Subscriptions and select your subscription
  • Click Access control (IAM)
  • Click Add -> Add role assignment
    • Role: Contributor
    • Assign access to: Azure AD user, group, or service principal
    • Select: <Name of service principal> (service principals are not listed until you type the name into the search box)
    • Click Save
  • From the Overview blade, grab the Subscription ID and Subscription Name.

You can also grant the app registration API permissions, such as Microsoft Graph, and then call the Graph API directly from PowerShell within the pipeline using this same service principal. Grant only the permissions the pipeline actually needs; application permissions on Graph are not scoped by RBAC and apply to the whole directory. Now that the Azure side is set up, we can head over to Azure DevOps.
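The same setup as a script, so it can be reviewed in a pull request and repeated per environment instead of clicked through. This is an added example, not code from the original post. It uses the Az PowerShell module (Az 7 or later, whose Azure AD cmdlets are backed by Microsoft Graph), assumes Connect-AzAccount has already been run against the tenant and subscription that hold the resources, and targets a hypothetical resource group named Demo-rg so that Contributor lands on that group rather than on the whole subscription. The six-month secret lifetime is also a choice made here, not something the post specifies.

```powershell
#Requires -Modules Az.Accounts, Az.Resources
# Added example: the portal steps above done with the Az module.
# Assumes Connect-AzAccount has been run and the context points at the resource subscription.

$displayName          = 'Devops-CFCode-OperationsDemo'   # naming convention from the post
$resourceGroup        = 'Demo-rg'                        # hypothetical target scope
$secretLifetimeMonths = 6                                # finite lifetime; put the date in your rotation calendar

$ctx            = Get-AzContext
$subscriptionId = $ctx.Subscription.Id
$scope          = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"

# 1. App registration restricted to this tenant ('Accounts in this organizational directory only').
$app = New-AzADApplication -DisplayName $displayName -SignInAudience 'AzureADMyOrg'

# 2. The service principal is the object that actually receives the role assignment.
$sp = New-AzADServicePrincipal -ApplicationId $app.AppId

# 3. Client secret with an expiry. SecretText is only present in this response and
#    cannot be retrieved afterwards, so it goes straight into the service connection.
$endDate = (Get-Date).AddMonths($secretLifetimeMonths)
$cred    = New-AzADAppCredential -ApplicationId $app.AppId -EndDate $endDate

# 4. Contributor on the resource group only. A freshly created principal can take a few
#    seconds to become visible to Azure Resource Manager, so retry the assignment.
$assigned = $false
for ($attempt = 0; $attempt -lt 6 -and -not $assigned; $attempt++) {
    try {
        New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Contributor' -Scope $scope -ErrorAction Stop | Out-Null
        $assigned = $true
    }
    catch {
        Start-Sleep -Seconds 10
    }
}
if (-not $assigned) { throw "Role assignment on $scope failed after $attempt attempts." }

# 5. Exactly the values the 'Service principal (manual)' service connection form asks for.
[pscustomobject]@{
    'Subscription Id'       = $subscriptionId
    'Subscription Name'     = $ctx.Subscription.Name
    'Service Principal Id'  = $app.AppId
    'Tenant ID'             = $ctx.Tenant.Id
    'Secret expires'        = $endDate.ToString('u')
    'Service Principal Key' = $cred.SecretText   # a password: do not log it or commit it
}
```

Copy the printed values into the service connection form described in the next section, then clear the console; the secret is not stored anywhere else. Because the role is assigned at resource group scope, the Verify step in Azure DevOps still succeeds (it only needs to authenticate and read the subscription), but a task that tries to create resources outside Demo-rg will fail with an authorization error, which is the intended behaviour.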

Create Service Connection in Devops

  • Go into your project.
  • At the bottom left of your screen click Project Settings
  • Within Project settings, underneath Pipelines click Service connections*. If you have a star next to the Service connections word, it means that you are viewing the preview version. I’m going to show the following screens using a preview version.
  • Click Create service connection
  • Select Azure Resource Manager, click Next
  • Select Service principal (manual), click Next
  • On the New Azure service connection blade, (replace values with your values you grabbed earlier)
    • Environment: Azure Cloud
    • Scope Level: Subscription
    • Subscription Id: <SubscriptionID>
    • Subscription Name: <Subscription Name>
    • Service Principal Id: <Application (client) ID>
    • Credential: Service principal key
    • Service Principal Key: <Secret>
    • Tenant ID: <Directory (tenant) ID>
    • Details (This section is your choice)
      • Service connection name: <Name of Tenant>-<SubscriptionName>
      • Description:
    • Security: Grant access permission to all pipelines. Tick this for the demo; it lets every pipeline in the project use the connection without an authorization prompt. For a production connection leave it unticked and authorize individual pipelines when they first request the connection, so that a pipeline definition added in an arbitrary branch cannot silently pick up the credential.
  • Click Verify. Verification Succeeded should appear if the details are correct and the service principal holds the role assignment from the previous section.
  • Click Verify and save

The Service Principal is now connected.

Proving the Service Principal connection works

Within your Azure DevOps project, click Pipelines and select Releases. We are going to create a Resource Group within our subscription using nothing but the service connection.

  • Add an Azure CLI task.
    • Task version: 2*
    • Azure Resource Manager connection: pick the service connection you created in the previous section.
    • Script Type: PowerShell
    • Script Location: Inline script
    • Inline script: az group create --name "Demo-rg" --location uksouth
  • Click Save and create a release. After the release has run successfully, an empty resource group named Demo-rg should exist in the subscription, created by the service principal rather than by any user account.
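The same proof as a YAML pipeline instead of a classic release, as an added example that is not part of the original post. The service connection name Contoso-Production is hypothetical (the post's convention is <Name of Tenant>-<SubscriptionName>); the resource group name and location follow the post. The extra az account show line is there to confirm in the log that the task is running as the app registration and not as a user.

```yaml
# Added example: azure-pipelines.yml equivalent of the release task above.
# 'Contoso-Production' is a hypothetical service connection name.
trigger:
  - main

pool:
  vmImage: ubuntu-latest

steps:
  - task: AzureCLI@2
    displayName: Prove the service principal can create a resource group
    inputs:
      azureSubscription: Contoso-Production   # the service connection name, not the Azure subscription name
      scriptType: pscore                      # PowerShell Core runs on both Linux and Windows agents
      scriptLocation: inlineScript
      inlineScript: |
        # user.type should read 'servicePrincipal' and user.name should be the Application (client) ID
        az account show --query '{subscription:name, identity:user.name, type:user.type}' -o table
        az group create --name Demo-rg --location uksouth -o table
```

If you left Grant access permission to all pipelines unticked, the first run pauses until someone with permission on the service connection authorizes this pipeline; that prompt is the control doing its job, not an error.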