Creating and managing service connections in Azure DevOps is a crucial step in integrating your projects with external services. This allows you to access and utilize their features, such as APIs, databases, and more, directly from your projects.
To create a service connection, you can use the Azure DevOps portal or the Azure DevOps CLI. The portal provides an intuitive interface for setting up connections, while the CLI offers a more programmatic approach.
A service connection can be created for various services, including Azure Key Vault, Azure Storage, and Azure SQL Database. Each connection type has its own configuration requirements and settings.
Service connections can be used across multiple projects, making it easy to reuse and share them.
Why Do We Need an Azure DevOps Service Connection?
When you want to deploy from Azure DevOps, but also from another CI/CD platform, you'll need a connection to your Azure tenant.
This connection is called a service connection in Azure DevOps, and it's not smart to use your own credentials for this setup.
You should use machine credentials instead, which is what a service connection provides.
Azure DevOps has many possible connection types, including Azure, which is the one you'll normally use for any deployments to Azure.
The Azure Classic option is mainly for backward compatibility, and you'll usually use Azure Resource Manager for any deployments to Azure.
Setting Up Service Connection
To set up a service connection in Azure DevOps, you have three options: automated, manual, or managed identity. The automated method is the quickest, but it doesn't give you control over the service principal name. You can use the manual method to create and manage the service principal, but you'll need to handle the authentication credentials yourself.
To create a service connection using the automated method, sign into your Azure DevOps organization and select the project where the service connection should live. Then, select Project settings, under Pipelines, and choose Service connections. If this is your first service connection, choose Create service connection; otherwise, select New service connection.
There are two automated methods: service principal (automatic) and workload identity federation (automatic). To use the service principal method, select Azure Resource Manager and click Next. On the Authentication method page, select Service principal (automatic) and click Next. You'll need to select the service principal's scope level and enter a Service connection name and optional description.
Alternatively, you can use the workload identity federation method. To do this, select Workload Identity federation (automatic) and click Next. You'll need to select the Scope level, Subscription, and optional Resource group, and enter a Service connection name and security option for pipeline access.
Here's a summary of the automated methods:
- Service principal (automatic): select Azure Resource Manager, then Service principal (automatic); choose the service principal's scope level and enter a Service connection name and optional description.
- Workload identity federation (automatic): select Workload Identity federation (automatic); choose the Scope level, Subscription and optional Resource group, then enter a Service connection name and the security option for pipeline access.
The manual method requires a service principal that already exists in your Entra ID tenant, which you create yourself. You'll need to set the service principal name to your naming standard, manage the authentication mechanism, and assign the service principal permissions on the management group, subscription, or resource group it will deploy to.
To create a service connection with a service principal using the manual method, sign into your Azure DevOps organization and select the project where the service connection should live. Then, select Project settings, under Pipelines, and choose Service connections. If this is your first service connection, choose Create service connection; otherwise, select New service connection. In the New service connection flyout, select Azure Resource Manager and click Next.
On the Authentication method page, select Service principal (manual) and click Next. You'll need to specify the Application (client) ID and Directory (tenant) ID of the service principal, as well as the secret value and expiration date. You'll also need to assign the service principal permissions to the resource scope where your deployments will occur.
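The same manual service-principal connection can be created from the Azure DevOps CLI instead of the portal flyout. The script below is an added example, not code from the article or from Microsoft; it wraps the Azure DevOps CLI extension command `az devops service-endpoint azurerm create`, which takes the Application (client) ID, Directory (tenant) ID and subscription as flags and reads the secret value from the environment variable `AZURE_DEVOPS_EXT_AZURE_RM_SERVICE_PRINCIPAL_KEY`, so the secret never lands in shell history or a process listing. All IDs, names and URLs in it are placeholders, and `dry_run=True` only assembles the command without calling `az`.

```python
"""Create an Azure Resource Manager service connection from the CLI.

Added example (not from the article). Wraps the Azure DevOps CLI extension
command `az devops service-endpoint azurerm create`. The secret is passed via
the environment variable AZURE_DEVOPS_EXT_AZURE_RM_SERVICE_PRINCIPAL_KEY,
never as a command-line argument. All identifiers below are placeholders.
"""
import os
import re
import subprocess

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def is_guid(value):
    """True when value looks like the GUIDs Entra ID uses for tenant/app ids."""
    return bool(GUID_RE.match(value or ""))


def build_create_command(name, org_url, project, subscription_id,
                         subscription_name, tenant_id, client_id):
    """Return the argv for az devops service-endpoint azurerm create.

    The secret is deliberately NOT part of argv; see build_env().
    """
    for label, value in (("subscription_id", subscription_id),
                         ("tenant_id", tenant_id),
                         ("client_id", client_id)):
        if not is_guid(value):
            raise ValueError(f"{label} is not a GUID: {value!r}")
    return [
        "az", "devops", "service-endpoint", "azurerm", "create",
        "--name", name,
        "--organization", org_url,
        "--project", project,
        "--azure-rm-subscription-id", subscription_id,
        "--azure-rm-subscription-name", subscription_name,
        "--azure-rm-tenant-id", tenant_id,
        "--azure-rm-service-principal-id", client_id,
    ]


def build_env(secret, base_env=None):
    """Environment for the call: the secret goes in the variable az expects."""
    if not secret:
        raise ValueError("service principal secret must not be empty")
    env = dict(base_env if base_env is not None else os.environ)
    env["AZURE_DEVOPS_EXT_AZURE_RM_SERVICE_PRINCIPAL_KEY"] = secret
    return env


def create_service_connection(secret, dry_run=True, **kwargs):
    """Build the command and, unless dry_run, execute it. Returns the argv used."""
    argv = build_create_command(**kwargs)
    env = build_env(secret)
    if not dry_run:
        subprocess.run(argv, env=env, check=True)
    return argv


if __name__ == "__main__":
    # Placeholder values; the real secret should come from the environment.
    argv = create_service_connection(
        secret=os.environ.get("SP_SECRET", "placeholder-secret"),
        dry_run=True,
        name="sc-prod-rg-manual",
        org_url="https://dev.azure.com/example-org",
        project="example-project",
        subscription_id="00000000-0000-0000-0000-000000000000",
        subscription_name="Example Subscription",
        tenant_id="11111111-1111-1111-1111-111111111111",
        client_id="22222222-2222-2222-2222-222222222222",
    )
    print(" ".join(argv))
```

Run it with `dry_run=False` only after `az login` and `az devops configure` have been done in the shell that holds the secret; the GUID check catches the most common copy-paste mistake (swapping the tenant and client IDs for a non-GUID display name) before anything is sent to Azure DevOps.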
The biggest takeaway from the manual method is that you're responsible for managing and renewing the authentication credentials, such as creating a new secret key or certificate. You'll then need to modify the service connection with this new information.
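Because renewal is your job with the manual method, it helps to check secret expiry on a schedule rather than discover it when a pipeline fails to authenticate. The script below is an added example, not code from the article or from Microsoft; it assumes you have run `az ad app credential list --id <application-client-id>` for each service principal and saved the JSON, and it classifies each secret as expired, expiring within a warning window, or fine. The embedded JSON is constructed to mimic that command's output (`keyId`, `displayName`, `startDateTime`, `endDateTime`); every ID and date in it is made up.

```python
"""Audit the secrets behind manually managed service connections.

Added example (not from the article). Input is the JSON array that
`az ad app credential list --id <application-client-id>` prints; the sample
below is constructed and all IDs/dates are placeholders.
"""
import json
from datetime import datetime, timedelta

# Constructed sample resembling `az ad app credential list` output.
SAMPLE_CREDENTIALS_JSON = json.dumps([
    {
        "displayName": "ado-svc-conn-prod",
        "endDateTime": "2024-02-15T00:00:00Z",
        "keyId": "00000000-0000-0000-0000-000000000001",
        "startDateTime": "2023-02-15T00:00:00Z",
    },
    {
        "displayName": "ado-svc-conn-prod-rotated",
        "endDateTime": "2025-06-01T00:00:00Z",
        "keyId": "00000000-0000-0000-0000-000000000002",
        "startDateTime": "2024-01-15T00:00:00Z",
    },
])


def parse_az_datetime(value):
    """Parse the ISO-8601 timestamps az emits (trailing 'Z' or an offset)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify_credentials(credentials_json, as_of, warn_days=30):
    """Map keyId -> 'expired' | 'expiring' | 'ok', judged at time as_of.

    as_of is an ISO-8601 string such as "2024-01-20T00:00:00Z". 'expiring'
    means the secret ends within warn_days, i.e. a new secret must be created
    and the service connection updated before then.
    """
    now = parse_az_datetime(as_of)
    threshold = now + timedelta(days=warn_days)
    result = {}
    for cred in json.loads(credentials_json):
        end = parse_az_datetime(cred["endDateTime"])
        if end <= now:
            status = "expired"
        elif end <= threshold:
            status = "expiring"
        else:
            status = "ok"
        result[cred["keyId"]] = status
    return result


def credentials_needing_action(credentials_json, as_of, warn_days=30):
    """(keyId, displayName, status) for every secret that is not 'ok'."""
    statuses = classify_credentials(credentials_json, as_of, warn_days)
    return [
        (c["keyId"], c["displayName"], statuses[c["keyId"]])
        for c in json.loads(credentials_json)
        if statuses[c["keyId"]] != "ok"
    ]


if __name__ == "__main__":
    # Fixed clock so the constructed sample gives a repeatable report.
    for key_id, name, status in credentials_needing_action(
            SAMPLE_CREDENTIALS_JSON, "2024-01-20T00:00:00Z"):
        print(f"{status:9s} {name} ({key_id})")
```

In practice you would feed it the live output for each service principal behind a manual connection and pass the current time as `as_of`; anything reported as expiring is the cue to create a new secret and update the service connection, and anything reported as expired is a connection that is already broken.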
In the next section, we'll explore the benefits and drawbacks of using each method, as well as some best practices for setting up service connections in Azure DevOps.
App Registration
To create an Azure DevOps service connection, you'll need to register an app in the Azure portal. This requires your Azure account to have the ability to create app registrations.
The app registration process involves creating a new registration, entering a name for the app, and selecting the type of access it will have. You'll also need to copy the values for the Application (client) ID and Directory (tenant) ID, which you'll use later to create the service connection.
Here are the steps to register an app in the Azure portal:
- In the Azure portal, search for app registrations.
- Select New registration.
- For Name, enter a name for your app registration, and then select Who can use this application or access this API.
- Select Register.
- When your new app registration loads, copy the values for Application (client) ID and Directory (tenant) ID to use later.
Automated Method
The automated method of creating a service principal is a convenient way to set up a service connection in Azure DevOps. This method eliminates the need to manually create the service principal, configure the secret credential, and assign permissions to a subscription or resource group.
To use the automated method, sign into your Azure DevOps organization and select the project where the service connection should live. Then, select the Project settings icon in the lower left and choose Service connections. If this is your first service connection, choose Create service connection; otherwise, select New service connection.
The automated method creates a service principal in your Entra ID tenant with an auto-generated name based on the Azure DevOps organization name, the project name, and a unique identifier. You can view this service principal by selecting the service connection name on the Service connections page and then selecting the link for Manage Service Principal.
Azure DevOps also configures a secret credential in the generated service principal and manages and renews it automatically, so you do not have to renew the secret yourself before it expires.
Here are the benefits of using the automated method:
- Azure DevOps creates the service principal, eliminating the need for manual creation.
- Azure DevOps configures the secret credential, reducing the need for manual administration.
- Azure DevOps assigns the service principal Contributor rights to the scope selected during creation.
However, the automated method has some drawbacks. The service principal's auto-generated name may not meet your naming standards, and you may want fewer permissions than the Contributor role; the role assignment can be changed manually after the service connection is created.
App Registration Prerequisites
To create a service connection, your Azure account needs permission to create app registrations in the Entra ID tenant. Without it you cannot set up the credentials the service connection authenticates with.
In the Azure portal, search for app registrations and create a new one.
To create an app registration, follow these steps:
1. Search for app registrations in the Azure portal.
2. Select New registration.
3. Enter a name for your app registration and select Who can use this application or access this API.
4. Select Register.
5. Copy the values for Application (client) ID and Directory (tenant) ID to use later.
Frequently Asked Questions
What is the difference between service connection and service principal?
Service Principal and Service Connection serve different purposes: Service Principal provides identity for applications to access Azure resources, while Service Connection enables Azure DevOps pipelines to interact with external services. Understanding the distinction between these two concepts is crucial for secure and efficient Azure resource management.
What is a service connection in Azure?
A service connection in Azure is an authenticated link between Azure Pipelines and external services, enabling tasks to be executed in a job. This connection allows access to services like Azure subscriptions for tasks such as website deployment.