Connect to Azure with an Azure Resource Manager service connection

Azure DevOps Server 2019

Note

We are rolling out the new Azure service connection creation experience. Receiving it in your organization depends on various factors, and you may still see the older user experience.

An Azure Resource Manager service connection allows you to connect to Azure resources like Azure Key Vault from your pipeline. This connection lets you use a pipeline to deploy to Azure resources, such as an Azure App Service app, without needing to authenticate each time.

1. In the Azure DevOps project, go to Project settings > Service connections.

   For more information, see Open project settings.

2. Select New service connection, then select Azure Resource Manager.

   

3. On the Add an Azure Resource Manager service connection dialog, fill in the fields as follows:

   

   1. Enter the Connection name.

   2. Select the Environment. If you select Azure Stack, enter the environment URL, which is something like https://management.local.azurestack.external.

   3. Select the Scope level, **Subscription, or Management Group. Management groups are containers that help you manage access, policy, and compliance across multiple subscriptions.

      • For the Subscription scope, enter the following parameters:

        Parameter	Description
        Subscription Id	Required. Enter the Azure subscription ID.
        Subscription Name	Required. Enter the Azure subscription name.

      • For the Management Group scope, enter the following parameters:

        Parameter	Description
        Management Group Id	Required. Enter the Azure management group ID.
        Management Group Name	Required. Enter the Azure management group name.

   4. Enter the Service principal Id.

   5. Select the credential type:

      • Service principal key: Enter the Service principal key (password).
      • Certificate: Enter the contents of the .perm file including both the certificate and private key sections.

   6. Enter the Tenant Id.

   7. Select Verify connection to validate the service connection.

   8. Optionally, select Allow all pipelines to use this connection. If you don't select this option, you must manually grant access to each pipeline that uses this service connection.

   9. Select Save to create the service connection.

After the new service connection is created:

• If you use the service connection in the UI, select the connection name that you assigned in the Azure subscription setting of your pipeline.
• If you use the service connection in a YAML file, copy the connection name and paste it into your code as the value for azureSubscription.

If necessary, modify the service principal to expose the appropriate permissions.

For more information about authenticating by using a service principal, see Use role-based access control to manage access to your Azure subscription resources or the blog post Automate an Azure resource group deployment by using a service principal in Visual Studio.

For more information, see Troubleshoot Azure Resource Manager service connections.

Help and support

• Explore troubleshooting tips.
• Get advice on Stack Overflow.
• Post your questions, search for answers, or suggest a feature in the Azure DevOps Developer Community.
• Get support for Azure DevOps.