DevOps service connection using existing service principal

William Bell 16 Reputation points
2022-05-05T15:28:29.39+00:00

Hi,

I am involved in teaching students to use Azure. As mentioned in another question of mine, the Azure student subscriptions are associated with the university's production Active Directory. Therefore, they cannot automatically create their own service principal for their own student subscription, since they do not have access rights to do this. They cannot manually create their own service principal either. Therefore, the Azure student accounts cannot be used with DevOps at our university. (I could write a script to generate service principals, but I do not have the Owner role for the production tenancy.)

To allow students to create resources and use DevOps, we have other commercial subscriptions for teaching purposes. To retain some control of billing, the students have been given limited rights within specific resource groups. This implies that they cannot automatically create their own service principal from DevOps, since they do not have the "Owner" role within the subscription. Giving them the "Owner" role would not be a good idea, since they may create very expensive resources. When we generate accounts for them, a service principal is generated too. This service principal can be used to allow DevOps to access their resources, in a similar manner as discussed in the video https://www.youtube.com/watch?v=zQp_NCsYYwc. However, it is not possible to use service principals with DevOps unless the YAML editor is directly used. Currently:

  • One can create a service connection in DevOps using an existing service principal.
  • When using the Python Web Service GUI option to generate a build pipeline, the service principal is ignored and the build configuration fails due to a lack of an Owner role.
  • The only solution appears to be to create the pipeline directly using YAML, rather than use the GUI options.

Is there something that I am missing? Would it be possible for the GUI pipeline configuration options to allow authentication using an existing service connection?

Thanks and best regards,

Will
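
The YAML route described in the question, as an added example that is not part of the original post: a pipeline that builds a Python web app and deploys it through a service connection created manually from an existing service principal. The connection name, the app name, the Linux App Service target and the principal's resource-group-scoped role are assumptions.

```yaml
# Added example; values in angle brackets are placeholders, not from the post.
trigger:
  - main

variables:
  # Service connection created by hand (Azure Resource Manager, existing
  # service principal) under Project settings > Service connections.
  azureServiceConnection: '<existing-sp-service-connection>'
  webAppName: '<student-web-app-name>'

pool:
  vmImage: 'ubuntu-latest'

stages:
  - stage: Build
    jobs:
      - job: BuildJob
        steps:
          - task: UsePythonVersion@0
            inputs:
              versionSpec: '3.x'
          - script: |
              python -m pip install --upgrade pip
              pip install -r requirements.txt
            displayName: 'Install dependencies'
          - task: ArchiveFiles@2
            inputs:
              rootFolderOrFile: '$(System.DefaultWorkingDirectory)'
              includeRootFolder: false
              archiveType: 'zip'
              archiveFile: '$(Build.ArtifactStagingDirectory)/app.zip'
              replaceExistingArchive: true
          - publish: '$(Build.ArtifactStagingDirectory)/app.zip'
            artifact: drop
  - stage: Deploy
    dependsOn: Build
    jobs:
      - job: DeployJob
        steps:
          - download: current
            artifact: drop
          # Runs as the existing service principal. Assumption: its role is
          # scoped to the student's resource group, not subscription Owner.
          - task: AzureWebApp@1
            inputs:
              azureSubscription: '$(azureServiceConnection)'
              appType: 'webAppLinux'
              appName: '$(webAppName)'
              package: '$(Pipeline.Workspace)/drop/app.zip'
```

On its first run the pipeline has to be authorized to use the service connection.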

1 answer

  1. Monalla-MSFT 12,846 Reputation points
    2022-05-05T16:54:24.933+00:00

    @William Bell - Welcome to Microsoft Q&A and thanks for reaching out.

    DevOps is not currently supported here on Microsoft QnA.
    The Community Members and Engineers are actively answering questions in dedicated forums here. Please post your question in that forum:
    https://developercommunity.visualstudio.com/spaces/21/index.html
    https://azure.microsoft.com/en-in/support/devops/

    Hope this helps, and please feel free to reach out if you have any further questions.

    ------------------------------------------------------------------

    If the above response was helpful, please feel free to "Accept as Answer" and "Upvote" the same so it can be beneficial to the community.