Manually set an Azure Resource Manager workload identity service connection

When you troubleshoot an Azure Resource Manager workload identity service connection, you might need to manually configure the connection instead of using the automated tool that's available in Azure DevOps.

We recommend that you try the automated approach before you begin a manual configuration.

There are two options for authentication: use a managed identity or use a service principal. The advantage of the managed identity option is that you can use it if you don't have permissions to create service principals or if you're using a different Microsoft Entra tenant than your Azure DevOps user.

Set a workload identity service connection to use managed identity authentication

You might need to manually create a managed identity that uses federated credentials, and then grant the required permissions. You can also use the REST API for this process.

Create a managed identity

  1. Sign in to the Azure portal.

  2. In the search box, enter Managed Identities.

  3. Select Create.

  4. In the Create User Assigned Managed Identity pane, enter or select values for the following items:

    • Subscription: Select the subscription in which to create the user-assigned managed identity.
    • Resource group: Select a resource group to create the user-assigned managed identity in, or select Create new to create a new resource group.
    • Region: Select a region to deploy the user-assigned managed identity, for example, East US.
    • Name: Enter the name for your user-assigned managed identity, for example, UADEVOPS.
  5. Copy the Subscription ID and Client ID values for your managed identity to use later.

  6. Go to Settings > Properties.

  7. Copy the Tenant Id value to use later.

  8. Go to Settings > Federated credentials.

  9. Select Add credentials.

  10. Select the Other issuer scenario.

  11. Enter values for Issuer and Subject identifier. You will replace these values later when you create a service connection.

    • Issuer: Enter https://vstoken.dev.azure.com/<unique-identifier>. The unique-identifier is the GUID of your Azure DevOps organization.
    • Subject identifier: Specify sc://<Azure DevOps organization>/<project name>/<service connection name>. The service connection doesn't need to be already created.
  12. Select Save.

  13. Keep this window open. Later in the process, you return to the window and update your managed identity federated credentials.

Grant permissions to the managed identity

  1. In the Azure portal, go to the Azure resource that you want to grant permissions for (for example, a resource group).

  2. Select Access control (IAM).

    Screenshot that shows selecting Access control in the resource menu.

  3. Select Add role assignment. Assign the required role to your managed identity (for example, Contributor).

  4. Select Review and assign.

Create a service connection for managed identity authentication

  1. In Azure DevOps, open your project and go to Project settings > Pipelines > Service connections.

  2. Select New service connection.

  3. Select Azure Resource Manager, and then select Next.

  4. Select Workload Identity federation (manual), and then select Next.

    Screenshot that shows selecting the Workload Identity service connection.

  5. For Service connection name, enter the service connection name that you used in the Subject identifier when you created your federated credentials.

  6. For Subscription ID and Subscription Name, enter the values for the subscription in your Azure portal account.

    Screenshot that shows federated subscription credentials.

  7. In the authentication section:

    1. For Service Principal Id, enter the value of Client Id from your managed identity.

    2. For Tenant ID, enter the value of Tenant Id from your managed identity.

      Screenshot that shows Azure portal managed identity values.

  8. In Azure DevOps, copy the generated values for Issuer and Subject identifier.

    Screenshot that shows DevOps credentials for federated authentication.

  9. In the Azure portal, return to your managed identity federated credentials.

  10. Paste the values for Issuer and Subject identifier that you copied from your Azure DevOps project into your federated credentials in the Azure portal.

    Screenshot that shows a comparison of federated credentials in Azure DevOps and the Azure portal.

  11. In the Azure portal, select Update to save the updated credentials.

  12. In Azure DevOps, select Verify and save.

Set a workload identity service connection to use service principal authentication

You might need to manually create a service principal that has federated credentials, and then grant the required permissions. You can also use the REST API for this process.
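Both the managed identity procedure above and the app registration procedure that follows come down to one thing: the federated credential in Azure must carry exactly the Issuer and Subject identifier that Azure DevOps generates for the service connection, plus the token-exchange audience. The following Python script is an added example, not Microsoft's code or anything from this page. It builds the request bodies you would send if you used the REST API instead of the portal (the ARM body for a user-assigned managed identity, the Microsoft Graph body for an app registration), and it checks a credential read back from Azure against the values the service connection expects, reporting the mismatches that most often make Verify and save fail. The organization GUID, organization name, project and connection names are constructed sample values; the request body shapes are assumptions based on the public ARM and Graph APIs, not taken from this page.

```python
"""Build and check federated credentials for an Azure DevOps workload identity service connection.

Added example; the API body shapes below are assumptions about the public ARM and
Microsoft Graph federatedIdentityCredentials endpoints, not content from the page.
"""
import re

# Audience that Entra ID uses for federated credentials and that the Azure DevOps
# token exchange expects; a manually created credential must carry it.
EXPECTED_AUDIENCE = "api://AzureADTokenExchange"

# Subject identifier format from the procedure: sc://<org>/<project>/<service connection name>
SUBJECT_RE = re.compile(r"^sc://[^/]+/[^/]+/[^/]+$")


def issuer_for_org(org_guid: str) -> str:
    """Issuer URL for an Azure DevOps organization, as described in the procedure."""
    return f"https://vstoken.dev.azure.com/{org_guid}"


def subject_for_connection(org_name: str, project: str, connection_name: str) -> str:
    """Subject identifier for a service connection, as described in the procedure."""
    return f"sc://{org_name}/{project}/{connection_name}"


def arm_federated_credential_body(issuer: str, subject: str) -> dict:
    """Body for PUT .../Microsoft.ManagedIdentity/userAssignedIdentities/{name}/
    federatedIdentityCredentials/{credentialName} (user-assigned managed identity).
    Assumption: ARM wraps the fields in a 'properties' object."""
    return {"properties": {"issuer": issuer, "subject": subject,
                           "audiences": [EXPECTED_AUDIENCE]}}


def graph_federated_credential_body(name: str, issuer: str, subject: str) -> dict:
    """Body for POST /applications/{objectId}/federatedIdentityCredentials (app registration).
    Assumption: Graph takes name, issuer, subject and audiences at the top level."""
    return {"name": name, "issuer": issuer, "subject": subject,
            "audiences": [EXPECTED_AUDIENCE]}


def check_credential(credential: dict, expected_issuer: str, expected_subject: str) -> list:
    """Compare a credential read back from Azure with the Issuer and Subject identifier
    that Azure DevOps generated. Returns a list of findings; empty means it should verify."""
    findings = []
    issuer = credential.get("issuer", "")
    subject = credential.get("subject", "")
    audiences = credential.get("audiences", [])

    if issuer != expected_issuer:
        hint = ""
        if issuer.rstrip("/") == expected_issuer.rstrip("/"):
            hint = " (only a trailing slash differs)"
        elif issuer.strip() == expected_issuer:
            hint = " (surrounding whitespace)"
        findings.append(f"issuer mismatch: got {issuer!r}, expected {expected_issuer!r}{hint}")

    if subject != expected_subject:
        hint = ""
        if subject.lower() == expected_subject.lower():
            hint = " (differs only in letter case; the values must match exactly)"
        elif not SUBJECT_RE.match(subject):
            hint = " (not in sc://<org>/<project>/<connection> form)"
        findings.append(f"subject mismatch: got {subject!r}, expected {expected_subject!r}{hint}")

    if EXPECTED_AUDIENCE not in audiences:
        findings.append(f"audience {EXPECTED_AUDIENCE!r} missing: got {audiences!r}")

    return findings


if __name__ == "__main__":
    # Constructed sample values; replace with the GUID and names of your own organization.
    org_guid = "00000000-0000-0000-0000-000000000000"
    issuer = issuer_for_org(org_guid)
    subject = subject_for_connection("contoso", "payments", "prod-arm")

    print(arm_federated_credential_body(issuer, subject))
    print(graph_federated_credential_body("azure-devops-prod-arm", issuer, subject))

    # A credential as it might be read back after a hand-typed entry: wrong case and extra slash.
    typed = {"issuer": issuer + "/", "subject": subject.replace("prod-arm", "Prod-Arm"),
             "audiences": [EXPECTED_AUDIENCE]}
    for finding in check_credential(typed, issuer, subject):
        print("-", finding)
```

Run the script once after you paste the generated Issuer and Subject identifier into the portal: read the credential back with the REST API or the CLI, feed it to `check_credential`, and an empty result means the only remaining step is Verify and save in Azure DevOps.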

Create an app registration and federated credentials

  1. In the Azure portal, go to app registrations.

  2. Select New registration.

    Screenshot that shows a new app registration.

  3. For Name, enter a name for your app registration, and then select Who can use this application or access this API.

  4. Copy the values for Application (client) ID and Directory (tenant) ID from your app registration to use later.

    Screenshot that shows the app registration client ID and tenant ID.

  5. Go to Manage > Certificates & secrets.

  6. Select Federated credentials.

    Screenshot that shows the federated credentials tab.

  7. Select Add credentials.

  8. Select the Other issuer scenario.

    Screenshot that shows selecting a federated credentials scenario.

  9. Enter values for Issuer and Subject identifier. You will replace these values later when you create a service connection.

    • Issuer: Enter https://vstoken.dev.azure.com/<unique-identifier>. The unique-identifier is the GUID of your Azure DevOps organization.
    • Subject identifier: Specify sc://<Azure DevOps organization>/<project name>/<service connection name>. Your service connection doesn't need to already be created.
  10. Select Save.

  11. Keep this window open. Later in the process, you return to the window and update your app registration federated credentials.

Grant permissions to the app registration

  1. In the Azure portal, go to the Azure resource that you want to grant permissions for (for example, a resource group).

  2. Select Access control (IAM).

    Screenshot that shows selecting Access control in the resource menu.

  3. Select Add role assignment. Assign the required role to the app registration (for example, Contributor).

  4. Select Review and assign.

Create a service connection for service principal authentication

  1. In Azure DevOps, open your project and go to Project settings > Pipelines > Service connections.

  2. Select New service connection.

  3. Select Azure Resource Manager, and then select Next.

  4. Select Workload Identity federation (manual), and then select Next.

    Screenshot that shows selecting the workload identity service connection.

  5. For Service connection name, enter the service connection name that you used in the Subject identifier of your federated credentials.

  6. For Subscription ID and Subscription Name, enter the values for the subscription in your Azure portal account.

    Screenshot that shows federated subscription credentials.

  7. In the authentication section:

    1. For Service Principal Id, enter the value of Application (client) ID from your app registration.

    2. For Tenant Id, enter the value of Directory (tenant) ID from your app registration.

  8. Copy the generated values for Issuer and Subject identifier.

    Screenshot that shows DevOps credentials for federated authentication.

  9. In the Azure portal, return to your app registration federated credentials.

  10. Paste the values for Issuer and Subject identifier that you copied from your Azure DevOps project into your federated credentials in the Azure portal.

    Screenshot comparison of federated credentials in Azure DevOps and the Azure portal.

  11. In the Azure portal, select Update to save the updated credentials.

  12. In Azure DevOps, select Verify and save.