This is a follow up to this question (Is it possible to use DevOps to deploy to an Azure App Service if I don't have access to Azure Active Directory?) where I can't create a service connection if I don't have access to Azure AD for my tenant.
The standard Service Connection creates a service principal which can't be done if there is no access to Azure AD. So I'm trying to see if I can create an Azure Classic Service Connection instead.
I seem to be able to create the service connection and I've verified and saved it okay.
However, it doesn't appear in the dropdown list in the Deploy Azure App Services task.
Am I doing something wrong? I'm trying this on a free trial tenant where I do definitely have access to Azure AD. I can't find any documentation to say Service Connections can't be Azure Classic.
If this is a restrictions for Pipelines, is it possible to deploy to an App Service in Azure without Azure AD access?
No, the Azure App Service Deploy task doesn't support classic service connections.
From the docs:
The task does not work with the Azure Classic service connection, and it will not list these connections in the settings of the task.
Related
Stuff in Azure are secured with Service Accounts. In order for me to see stuff I need to download the Service Account certificate and then log in via the Azure CLI using the extracted certificate and the Service Account Application Id. So now I can see everything the Service Account can see, great. But it is a pain in the neck and slow. So my question: Can I use the same certificate and credentials to log into the Azure Portal website so I can browse around using the web browser instead?
Using a Service Principal for interactive logins to the Azure Portal is not possible - which is by design. In order to be able to see the same resources as the Service Principal through the Azure Portal, you would require a user account that holds the Azure RBAC Reader role against those resources that are in scope of the Service Principal role assignments.
As you mentioned performance being an issue with using the Service Principal login, you could try Azure Resource Graph queries. These are supported by Azure CLI, Azure PowerShell as well as all the major Azure SDK's. Obviously, this won't bring you the visual experience like the Azure Portal but might resolve the performance piece maybe.
However, requesting/creating a user account that has the corresponding RBAC roles assigned would be the only way to allow you to see the resources through the Azure Portal.
I want to use the "ARM template deployment" task in Azure pipelines, and for this, I need to set up a service connection of type "Azure Resource Manager connection". So I head over to the Service connections pane. And it turns out that in order to configure this service connection, one of the authentication methods is using a service principal.
So I'v tried learning a little bit about service principals, and what I've understood so far is as such:
App registration is the process of registering applications which I want to delegate identity and access management to Azure AD for. A service principal is a concrete instantiation of the Application object that I create in my Azure AD tenant.
I didn't yet get my head around all these concepts well enough, but what I don't even start to understand is what does all that have to do with an authentication method for a Azure Resource Manager service connection in Azure DevOps??
Can someone please clear up the fog for me?
Azure Devops is not integrated with Azure portal by any means. Also, Azure Devops is not a trusted service even by Microsoft itself.
The Service Connection will help you to establish a connection between Azure portal and Azure Devops. Here, the service principal acts like a user account to establish the connection.
First of all, for using the task "ARM template deployment" in Azure DevOps pipeline, this task is used to deploy Azure Resource Manager templates at resource group deployment scope, subscription deployment scope and management group deployment scopes. The task is also used to create or update a resource group in Azure.
And you should select your Azure Resource and specified subscription which are the prerequisites of the task usage, then for connecting to a subscription which is associated with an Azure Active Directory tenant when building pipeline, it is needed to create a Service connection to help work between pipeline and connect to Azure Subscription. For more info, you can refer to doc:
Azure DevOps Connection Services. And you should also login authenticate via service principle instead of user, it is just like Azure log in.
Besides, you can also manage your Azure subscriptions at scale with management groups via this doc: Organize subscriptions into management groups and assign roles to users for Microsoft Defender for Cloud | Microsoft Learn .
I have created a release pipeline for an azure function that I developed. But to publish the artifact to the azure resource, is there a way I can deploy it through PAT (like how we publish VSS extensions to the marketplace). Because the subscription belongs to another person but I want to be able to deploy. If not PAT is there an alternate way to deploy when I don't have the subscription? Thanks
Don't know if it makes sense because I am new to this :)
You can use Service Connection to Azure Resource Manager with Service Principal in "Manual mode".
Manual subscription pipeline. In this mode, you must specify the
service principal you want to use to connect to Azure. The service
principal specifies the resources and the access levels that will be
available over the connection. Use this approach when you need to
connect to an Azure account using different credentials from those you
are currently logged on with in Azure Pipelines or TFS. This is also a
useful way to maximize security and limit access.
First ask an owner of the subscription to create a Service Principal (app registration) with access to subscription, then it will be just a matter of creating service connection in DevOps (project settings -> pipelines -> service connections) with proper service principal id, key, subscription id, name etc.
You can find really good tutorial for that here
In my organization, we have setup of master branch of asp.net core app targeting to azure app service and other braches targeting to slots of same azure app service.
We have a requirement block any user in azure portal or any azure devops YAML pipeline's service connection to swap a slot of any azure app service.
Is there an azure policy which can enforce this rule.
If not then can we create service connection that can only either target azure app service or a slot in that app service
Azure Policy is not user aware, so you can not block. This should be possible using RBAC.
I want to deploy a web app using CI/CD from VSTS to multiple (customer) Azure accounts. So not multiple subscriptions within the same Azure account, but multiple different Azure accounts owned by customers.
The app is a managed app from the Azure Marketplace so I have full access to the resource group in which the app resides.
Is there an easy way to do this using service connections and the web deploy task or should I be using Powershell to do this and script it myself?
Please create multiple Service Connections in your VSTS which used to connect to these Azure account first.
Then please create a Release pipeline with multiple environments. Then add Deploy task for every environment and choose different Azure Service Connections in different environment. Then you could deploy one app to different Azure environment through one release pipeline.
It turns out that with a Managed App, for every customer deployment a resource group is created that I own and therefore shows up in my Azure account.
So from VSTS I can just use Service Connections to those resource groups, no need to connect to these other Azure accounts.