I have attempted to connect a service principle through azure devops using powershell scripts to deploy apis and manage updates on Azure APIM (Consumption SKU) and I get authorization failures. I have checked the service principle and the permissions associated with the resource group for the apim and everything appears to be correct. I am able to do this using the Developer SKU of the Azure APIM without issue but I am wondering if this is a limitation of the Consumption SKU
Use powershell to connect service principle is related to Azure AD authentication. But you can refer to this tutorial, it shows us APIM in Consumption SKU doesn't support Azure AD integration.
Found the issue was a malformed resource group name in the url posted. Resolved that and the Azure DevOps integration worked as expected.
Related
Stuff in Azure are secured with Service Accounts. In order for me to see stuff I need to download the Service Account certificate and then log in via the Azure CLI using the extracted certificate and the Service Account Application Id. So now I can see everything the Service Account can see, great. But it is a pain in the neck and slow. So my question: Can I use the same certificate and credentials to log into the Azure Portal website so I can browse around using the web browser instead?
Using a Service Principal for interactive logins to the Azure Portal is not possible - which is by design. In order to be able to see the same resources as the Service Principal through the Azure Portal, you would require a user account that holds the Azure RBAC Reader role against those resources that are in scope of the Service Principal role assignments.
As you mentioned performance being an issue with using the Service Principal login, you could try Azure Resource Graph queries. These are supported by Azure CLI, Azure PowerShell as well as all the major Azure SDK's. Obviously, this won't bring you the visual experience like the Azure Portal but might resolve the performance piece maybe.
However, requesting/creating a user account that has the corresponding RBAC roles assigned would be the only way to allow you to see the resources through the Azure Portal.
I want to use the "ARM template deployment" task in Azure pipelines, and for this, I need to set up a service connection of type "Azure Resource Manager connection". So I head over to the Service connections pane. And it turns out that in order to configure this service connection, one of the authentication methods is using a service principal.
So I'v tried learning a little bit about service principals, and what I've understood so far is as such:
App registration is the process of registering applications which I want to delegate identity and access management to Azure AD for. A service principal is a concrete instantiation of the Application object that I create in my Azure AD tenant.
I didn't yet get my head around all these concepts well enough, but what I don't even start to understand is what does all that have to do with an authentication method for a Azure Resource Manager service connection in Azure DevOps??
Can someone please clear up the fog for me?
Azure Devops is not integrated with Azure portal by any means. Also, Azure Devops is not a trusted service even by Microsoft itself.
The Service Connection will help you to establish a connection between Azure portal and Azure Devops. Here, the service principal acts like a user account to establish the connection.
First of all, for using the task "ARM template deployment" in Azure DevOps pipeline, this task is used to deploy Azure Resource Manager templates at resource group deployment scope, subscription deployment scope and management group deployment scopes. The task is also used to create or update a resource group in Azure.
And you should select your Azure Resource and specified subscription which are the prerequisites of the task usage, then for connecting to a subscription which is associated with an Azure Active Directory tenant when building pipeline, it is needed to create a Service connection to help work between pipeline and connect to Azure Subscription. For more info, you can refer to doc:
Azure DevOps Connection Services. And you should also login authenticate via service principle instead of user, it is just like Azure log in.
Besides, you can also manage your Azure subscriptions at scale with management groups via this doc: Organize subscriptions into management groups and assign roles to users for Microsoft Defender for Cloud | Microsoft Learn .
Team,
I am using the CSP subscription. I need to create a cloud service within the azure portal. But it gave me an red line saying that the "subscription not allowed to register Microsoft.classiccompute".
Is this because its using the CSP subscription ? Is there any workaround ?
I tried to find the "provider to register" to my subscription but cannot be found in the list to register it.
How do we possibly include the provider to my subscription or is it that CSP subscription is not allowed to register?
Do I have to use a Non CSP subscription.? Please help
Azure CSP supports only the Azure Resource Manager model, the cloud service Microsoft.classiccompute is classic deployment model, you need to use another subscription, refer to this link.
For example, because Azure CSP supports only the Azure Resource Manager model, non-Azure Resource Manager services are not available in the program.
I have created a native application in an Azure AD in Azure General region. The application has been granted appropriate permissions (Sign in on user's behalf, execute Service Management API requests etc.). Using this application, I am able to connect to any Azure Subscription in Azure General region using this application.
However when I try to connect to an Azure Subscription in Azure China, after successful login, I am getting the following error:
AADSTS70001: Application with identifier '01234567-890a-bcde-ffff-fcc63fc150ea' was not
found in the directory 'xxx.yyy.onmschina.cn'.
So my questions are:
Is it possible to connect to an Azure Subscription in Azure China (or for that matter to any Azure Subscription in Azure Sovereign Cloud like Germany etc.) using an application created in Azure General region?
Or do I need to create a separate application for each Azure Sovereign region in an Azure AD in that region?
If I indeed need to create a separate application (i.e. answer is yes to above question), is it possible to create an Azure AD tenant in these Sovereign regions without having an Azure Subscription there?
I believe the answer to the last question is yes considering Azure AD and Azure Subscription are two different things, yet I would very much like to get a confirmation on the same.
No,
it is NOT possible to connect Azure "General" with any sovereign clouds - these are Azure US Government, Azure China, Azure Germany. All these clouds are completely separate deployments with their own Azure AD. You cannot use B2B inter clouds, you cannot use your multi-tenant applications across clouds.
For that case you have to have a subscription in every cloud you would like to support and separate application registration, and separate instructions for your users. Check for example how Azure CLI is handling this. You are always only connected to one cloud with cloud's specific account.
In Azure Germany you can create an Azure AD tenant - just create a free trial subscription and you will also get a tenant. For China and US Gov will be hard - they both have very strict requirements who can create subscriptions there.
How can I add an Azure Mobile Service to an Azure Resource Manager template? I cannot find any online templates nor guidance to do this. I cannot migrate to Azure App Service just yet, and MS claims that Azure Mobile Services remain fully supported.
Mobile Services are only supported in the Service Management API (ASM), not in Resource Manager.