

Azure DevOps : Integrate with an Azure Subscription or Management Group


Introduction

Before you deploy resources within an Azure subscription using an Azure DevOps release pipeline, you must establish a service connection between the Azure subscription and Azure DevOps. You also need to authorize Azure DevOps to deploy resources within that subscription or Management Group.

In this article, we will see how to establish that connection and authorize Azure DevOps.


Access Requirement

To perform the steps below, you need the following access:

• Owner access to the Azure subscription. If you want to establish a connection with a Management Group, you need the appropriate access on that Management Group instead.

• Appropriate access in the Azure Active Directory tenant to create an app registration and configure a client secret.

Note: The Azure subscription and the Azure DevOps organization must trust the same Azure AD tenant.


The Approach

  1. A Client ID and Client Secret will be created.
  2. The Client ID will be given the Contributor role in the Azure subscription, so that it has enough privilege to deploy resources within that subscription.
  3. Next, we will configure Azure DevOps to use this Client ID and Client Secret, so that Azure DevOps can authenticate against Azure AD.
  4. Once authentication succeeds, Azure DevOps will list all subscriptions in that Azure AD tenant where this Client ID has appropriate access.
  5. Once the Client ID (Service Principal) is authorized to deploy resources in the listed Azure subscription(s), the integration is complete.

Section 1: Create New Application

  1. Log in to the Azure Portal.
  2. Go to Azure Active Directory and navigate to the App registrations section.
  3. Click + New Registration to create the application and its Application ID (Client ID).

Once you open the new application, you will see the following details:

  • Application (client) ID
  • Directory (tenant) ID
  • Object ID


Section 2: Create Client Secret

Go to Certificates & Secrets > New Client Secret.

Copy the new client secret value somewhere safe. It is shown only once; you will not be able to retrieve it after you leave this blade.


Section 3: Assign Contributor Role to the Application

  • Go to your subscription > Access Control (IAM) > Role.
  • Open Contributor role.
  • Add the DevOps application ID to the Contributor role. (To perform this step, your account needs the Owner role.)


Section 4: Configure DevOps Settings

  1. Log in to Azure DevOps, go to Releases and create a new release pipeline.
  2. Start with an Empty job.
  3. Go to the Agent job and add the Azure resource group deployment task.
  4. In the Azure Deployment agent job, click Manage.
  5. In the new window, click + New service connection and select Azure Resource Manager.

A new window will open. Click “use the full version of the service connection dialog”.

Select “Service Principal Authentication”.

Fill in the required values:

Scope: In this case, we will select Subscription as the scope.

Note: You can also select Management Group if you want to establish a connection with an Azure Management Group. The advantage of selecting Management Group over Subscription is that it is a one-time effort: once done, you do not need to repeat these steps for each subscription under that Management Group. However, you need sufficient privilege on the Management Group to do so.

Service principal client ID: the Application ID we registered in Azure AD.

Service principal key: the client secret we created for this application.

Tenant ID: the Azure AD tenant ID.

Finally, click on Verify connection.

If all entries are correct, the verification should be successful.

Once the verification is successful, return to previous screen. The subscription name should now be listed in the drop down menu.

However, Azure DevOps still needs authorization to deploy resources within this subscription. For this, click the Authorize button. It may again ask for the login credentials for the subscription.

Once done, the Authorize button should be gone, and you should see a message stating “Scoped to subscription <subscription name>”. This means you can now deploy resources within this subscription using a DevOps pipeline.

In this way, you can integrate multiple Azure subscriptions with Azure DevOps. 

If there are multiple subscriptions linked with an Azure Management Group, you can also link Azure DevOps with that Management Group. That way, you do not need to repeat these steps for each subscription within that Management Group.
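The four sections above carried out with the Azure CLI instead of the portal, as an added example that is not part of the original article. It assumes the Azure CLI with the azure-devops extension is installed and logged in, and that ORG_URL, PROJECT, SUBSCRIPTION_ID and APP_NAME are supplied by the caller (placeholders, not values from the article); the service connection it creates is subscription-scoped, while scope_for also produces the Management Group scope for the role assignment.

```shell
#!/bin/sh
# Added example, not code from the original article: performs Sections 1-4 with
# the Azure CLI and its azure-devops extension instead of the portal.
# Placeholders (assumptions): ORG_URL, PROJECT, SUBSCRIPTION_ID, APP_NAME.
set -eu

# RBAC scope for the Section 4 "Scope" choice: a subscription or a management
# group. Anything else is rejected so a typo cannot widen the grant.
scope_for() {
  case "$1" in
    subscription)    printf '/subscriptions/%s' "$2" ;;
    managementgroup) printf '/providers/Microsoft.Management/managementGroups/%s' "$2" ;;
    *) echo "unknown scope kind: $1" >&2; return 1 ;;
  esac
}

# Sections 1-3 in one call: app registration, service principal, client secret,
# and Contributor at the given scope (needs Owner on that scope, as the article
# notes). Output is one tab-separated line: appId <TAB> password <TAB> tenant.
create_principal() {
  az ad sp create-for-rbac --name "$1" --role Contributor --scopes "$2" \
    --query '[appId,password,tenant]' -o tsv
}

# Section 4: the Azure Resource Manager service connection. The extension reads
# the secret from AZURE_DEVOPS_EXT_AZURE_RM_SERVICE_PRINCIPAL_KEY, so it never
# sits on a command line or in shell history.
create_connection() {
  AZURE_DEVOPS_EXT_AZURE_RM_SERVICE_PRINCIPAL_KEY="$3" \
  az devops service-endpoint azurerm create \
    --name "$1" --azure-rm-service-principal-id "$2" \
    --azure-rm-tenant-id "$4" --azure-rm-subscription-id "$5" \
    --azure-rm-subscription-name "$6" \
    --organization "$ORG_URL" --project "$PROJECT" --query id -o tsv
}

main() {
  scope="$(scope_for subscription "$SUBSCRIPTION_ID")"
  # The secret stays inside this pipeline; it is read once and never echoed.
  create_principal "$APP_NAME" "$scope" | {
    read -r app_id secret tenant
    sub_name="$(az account show --subscription "$SUBSCRIPTION_ID" --query name -o tsv)"
    create_connection "$APP_NAME-arm" "$app_id" "$secret" "$tenant" "$SUBSCRIPTION_ID" "$sub_name"
  }
}

# Only talks to Azure when explicitly asked, so the helpers can be sourced and tested.
if [ "${APPLY:-0}" = 1 ]; then main; fi
```

Run it as `APPLY=1 ORG_URL=... PROJECT=... SUBSCRIPTION_ID=... APP_NAME=... sh script.sh`; it prints only the new service connection id.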

