How to associate Azure deployments to the users? - azure

I am working on deploying resources in to Azure using ARM Templates. I am one of five in my team. After deploying any resource into Azure portal, we need to know which user has deployed specific resource deployment into Azure including time. Because the deployment process has done randomly into Azure by the users.
How to find the details of specific user after deployment?

No way can associate the Azure deployments to the users smoothly. Seems you want to check the deployment logs.
In VSTS you can create a notification subscription for the deployments, thus you will receive the notifications once a deployment is triggered and you can check the deploy logs...
Another workaround is checking the Activity Logs in Azure. Please see View activity logs to audit actions on resources for details. You can also try the REST API:Activity Logs - List
You can also view the operations for a deployment through the Azure portal. Please seeView deployment operations with Azure Resource Manager for details.

Related

Azure Devops: securing deployments to on-premise servers at webapp level

It's clear that you can set which roles can deploy to a certain on-premise server thanks to the security settings in Deployment Groups and Agent pools. But, any way of restrict access at webapp level?
The only ways I found are:
Creating a specific account, giving it deploying permissions in target server's IIS in required webapps only and provide this credentials to developers on charge of creating the pipelines for deploying those webapps (they will put them as custom environment vars or similar in pipelines)
Same than 1 but using the created account as a service account for an agent. Access to this agent will be restricted to developers on charge of creating the pipelines for deploying those webapps.
Both cases require to create new accounts and to give permissions on server's IIS. No way of doing this from Azure DevOps on the same way that access to whole servers can be restricted?
Regards.
It's clear that you can set which roles can deploy to a certain
on-premise server thanks to the security settings in Deployment Groups
and Agent pools. But, any way of restrict access at webapp level?
Sorry but as I know Azure Devops Service doesn't support such out-of-box feature.
We can manage the access in Organization level(Organization settings), Project Level(Project settings), Feature Level(Security of Pipelines/Deployment Groups feature...) and even the 'instance Level' (Set security for one specific pipeline/deployment group/one specific git repo).
But the 'instance level' is the lowest level, we can only manage the access in specific pipeline or specific deployment group but not one webapp which will be deployed by pipeline/deploymentGroup.
The webapp is not an option hosted by Azure Devops Service, it's just something to be deployed by pipelines(hosted by Azure Devops Service). So Azure Devops Service avtually have no knowledge about the webapp(it also won't have UI that represents one webapp), that's why we can manage the access in pipeline but not webapp in that pipeline...
Update 1
Once you have only one deployment group for the specific target server, you can determine who can access the deployment group here:
The person who is assigned with reader permission can't use the deployment group to do the deploy.
Ok, following the suggestion from #Lance and after some research, this is what I´m planning to do:
Creating a custom service connection where following fields can be set: IIS Server where the WebApp is, Webapp name, User (with permissions to deployment) and Password.
Together with the Custom Service connection I will provide a custom task where developer team can select the service connection against they want to do the deployment (obviously, server admins will only configure service connections to webapps which this team is allowed to deploy).
Agent will run with a low-privileged account (no way of affecting any app) and the custom task will use internally the creds provided on service connection to perform the deploying.
I think that approach is the best workaround to the initial problem and can be extensible to fix the granularity problem in other kinds of resources (like DB´s, Shared Folders, ...) just simply adding another specific custom service connection (to specify the resource and the deployment credentials) and a linked Custom task which allows deployments only against that resource.
The only drawback is the fact that, if you want to set a deployment approval, you have to do it at resource level (for every webapp, for every DB, ...) and that means that approvers will have to approve resource by resource when deploying also (instead of a single approval for the whole application deployment as, in my understanding, should be)
What do you think guys? Any remark before start coding this?
Regards.

Azure Analysis service deployment using Azure DevOps

I am working on Azure Analysis service directly from portal.azure.com. Instead i want AAS be save as some file in git repo and deployed is managed through Azure DevOps. Not sure if this possible? How to proceed further on this
Currently, Azure Analysis Service don’t support implementing using Azure Devops.
I would request you to provide the feedback here:
https://feedback.azure.com/forums/556165-azure-analysis-services
All of the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure.
You could have a script task make a REST call to Azure from Azure DevOps, building the URL and payload from code, say passing in parameters, or by utilising a variable group.

Azure Portal - ResourceGroup linked to App Service doesnt work

I am new here and in MS Azure as well so sorry in advance for any misunderstanding.
I have a question related to the Azure Portal and Resource Group.
I have successfully built an image, created a container where the image has been pushed and no I have ResourceGroup That I can see available on the Azure Portal.
I also successfully start App Service and I can see the attribut ResourceGroup on the AppService heading right to my correctly build on the Azure Portal.
And here is the issue...
On the AppService, there is provided URL, where your cloud app is running and I cant see anything on the URL, just bluescreen which telling me to deploy the code. BUT, the resourceGroup with the code has been linked to the App Service.
I am so confused by Azure Portal Gui... and maybe I missed some tutorial or hint on the net. Does anybody has any experiences with Azure Cloud and uploading Web App ?
I am using Trial-Account.
BR
Michal.
The "Resource Group" in Azure is a way to organize related resources together. An "App Service Plan", a "Web App", etc are individual Resources. You organize multiple individual resources into Resource Groups by placing resources that are create and/or managed together in the same Resource Group. This is generally done to organize all the resources for a particular workload to be in the same Resource Group.
To publish your application code, you need to publish the code to the App Service Web App. Resource Groups don't host code, they are just for organization. You will deploy your application code and host it within the App Service Web App.
Please refer to the documentation for further explanation on how to deploy your code to App Service, manage it, and host it there:
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-get-started-dotnet

Can I connect VSTS to multiple Azure Accounts using Service Connections?

I want to deploy a web app using CI/CD from VSTS to multiple (customer) Azure accounts. So not multiple subscriptions within the same Azure account, but multiple different Azure accounts owned by customers.
The app is a managed app from the Azure Marketplace so I have full access to the resource group in which the app resides.
Is there an easy way to do this using service connections and the web deploy task or should I be using Powershell to do this and script it myself?
Please create multiple Service Connections in your VSTS which used to connect to these Azure account first.
Then please create a Release pipeline with multiple environments. Then add Deploy task for every environment and choose different Azure Service Connections in different environment. Then you could deploy one app to different Azure environment through one release pipeline.
It turns out that with a Managed App, for every customer deployment a resource group is created that I own and therefore shows up in my Azure account.
So from VSTS I can just use Service Connections to those resource groups, no need to connect to these other Azure accounts.

In azure, is there any way to know who and when an app was published?

We have an azure web app that we deploy with a publish profile and webdeploy. What I'd like to know is if there is any log about this deployment activity ? I read the logs but I can't find any trace of my deployments.
Note : we're not using git automated deployment
In the Azure Management Portal (manage.windowsazure.com), select Management Services and then the Operation Logs tab.
Or, in the Azure Preview Portal (portal.azure.com), select Browse All and then Audit Logs.

Resources