Azure Resource Manager service connection special cases

Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019

While the recommended option for Azure Resource Manager service connections is to use workload identity federation with an app registration or managed identity, there are times when you might need to use an agent-assigned managed identity or a publish profile instead. In this article, you'll learn how to create an Azure Resource Manager service connection that uses an app registration with a secret, one that connects to a self-hosted agent on an Azure virtual machine, and a service connection that uses a publish profile to connect to an Azure App Service app.

You can also use Azure Resource Manager to connect to Azure Government Cloud and Azure Stack.

Create an app registration with a secret (automatic)

With this selection, Azure DevOps automatically queries for the subscription, management group, or Machine Learning workspace that you want to connect to and creates a secret for authentication.

Warning

Using a secret requires manual rotation and management and is not recommended. Workload identity federation is the preferred credential type.

You can use this approach if all the following items are true for your scenario:

  • You're signed in as the owner of the Azure Pipelines organization and the Azure subscription.
  • You don't need to further limit permissions for Azure resources that users access through the service connection.
  • You're not connecting to the Azure Stack or the Azure US Government environments.
  • You're not connecting from Azure DevOps Server 2019 or earlier versions of Team Foundation Server.
  1. In the Azure DevOps project, go to Project settings > Service connections.

    For more information, see Open project settings.

  2. Select New service connection, then select Azure Resource Manager and Next.

    Screenshot that shows choosing Azure Resource Manager selection.

  3. Select App registration (automatic) with the credential Secret.

    Screenshot of Workload Identity federation app registration (automatic) authentication method selection.

  4. Select a Scope level. Select Subscription, Management Group, or Machine Learning Workspace. Management groups are containers that help you manage access, policy, and compliance across multiple subscriptions. A Machine Learning Workspace is place to create machine learning artifacts.

    • For the Subscription scope, enter the following parameters:

      Parameter Description
      Subscription Required. Select the Azure subscription.
      Resource group Required. Select the Azure resource group.
    • For the Management Group scope, select the Azure management group.

    • For the Machine Learning Workspace scope, enter the following parameters:

      Parameter Description
      Subscription Required. Select the Azure subscription.
      Resource Group Required. Select the resource group containing the workspace.
      Machine Learning Workspace Required. Select the Azure Machine Learning workspace.
  5. Enter a Service connection name.

  6. Optionally, enter a description for the service connection.

  7. Select Grant access permission to all pipelines to allow all pipelines to use this service connection. If you don't select this option, you must manually grant access to each pipeline that uses this service connection.

  8. Select Save.

Create an Azure Resource Manager service connection to a VM that uses a managed identity

Note

To use a managed identity to authenticate, you must use a self-hosted agent on an Azure virtual machine (VM).

You can configure self-hosted agents on Azure VMs to use an Azure managed identity in Microsoft Entra ID. In this scenario, you use the agent-assigned managed identity to grant the agents access to any Azure resource that supports Microsoft Entra ID, such as an instance of Azure Key Vault.

  1. In the Azure DevOps project, go to Project settings > Service connections.

    For more information, see Open project settings.

  2. Select New service connection, then select Azure Resource Manager.

    Screenshot that shows choosing a service connection type.

  3. Select Managed identity (agent assigned) for the identity type.

  4. For Environment, select the environment name (Azure Cloud, Azure Stack, or Government cloud options).

  5. Select the Scope level. Select Subscription, Management Group, or Machine Learning Workspace. Management groups are containers that help you manage access, policy, and compliance across multiple subscriptions. A Machine Learning Workspace is place to create machine learning artifacts.

    • For the Subscription scope, enter the following parameters:

      Parameter Description
      Subscription Id Required. Enter the Azure subscription ID.
      Subscription Name Required. Enter the Azure subscription name.
    • For the Management Group scope, enter the following parameters:

      Parameter Description
      Management Group Id Required. Enter the Azure management group ID.
      Management Group Name Required. Enter the Azure management group name.
    • For the Machine Learning Workspace scope, enter the following parameters:

      Parameter Description
      Subscription Id Required. Enter the Azure subscription ID.
      Subscription Name Required. Enter the Azure subscription name.
      Resource Group Required. Select the resource group containing the workspace.
      ML Workspace Name Required. Enter the name of the existing Azure Machine Learning workspace.
      ML Workspace Location Required. Enter the location of the existing Azure Machine Learning workspace.
  6. Enter the Tenant Id.

  7. Enter the Service connection name.

  8. Optionally, enter a description for the service connection.

  9. Select Grant access permission to all pipelines to allow all pipelines to use this service connection. If you don't select this option, you must manually grant access to each pipeline that uses this service connection.

  10. Select Save.

  11. After the new service connection is created:

    • If you use the service connection in the UI, select the connection name that you assigned in the Azure subscription setting of your pipeline.
    • If you use the service connection in a YAML file, copy the connection name into your code as the value for azureSubscription.
  12. Ensure that the VM (agent) has the appropriate permissions.

    For example, if your code needs to call Azure Resource Manager, assign the VM the appropriate role by using role-based access control (RBAC) in Microsoft Entra ID.

    For more information, see How can I use managed identities for Azure resources? and Use role-based access control to manage access to your Azure subscription resources.

For more information about the process, see Troubleshoot Azure Resource Manager service connections.

Create an Azure Resource Manager service connection using a publish profile

You can create a service connection by using a publish profile. You can use a publish profile to create a service connection to an Azure App Service.

  1. In the Azure DevOps project, go to Project settings > Service connections.

    For more information, see Open project settings.

  2. Select New service connection, then select Azure Resource Manager and Next.

    Screenshot of Azure Resource Manager selection.

  3. Select Publish profile for the identity type.

  4. Enter the following parameters:

    Parameter Description
    Subscription Required. Select an existing Azure subscription. If no Azure subscriptions or instances appear, see Troubleshoot Azure Resource Manager service connections.
    WebApp Required. Enter the name of the Azure App Service app.
    Service connection Name Required. The name that you use to refer to this service connection in task properties. Not the name of your Azure subscription.
    Description Optional. The description of the service connection.
  5. Select Grant access permission to all pipelines to allow all pipelines to use this service connection. If you don't select this option, you must manually grant access to each pipeline that uses this service connection.

  6. Select Save.

After the new service connection is created:

  • If you use the service connection in the UI, select the connection name that you assigned in the Azure subscription setting of your pipeline.
  • If you use the service connection in a YAML file, copy the connection name and paste it into your code as the value for azureSubscription.

Connect to an Azure Government Cloud

For information about connecting to an Azure Government Cloud, see Connect from Azure Pipelines (Azure Government Cloud).

Connect to Azure Stack

For information about connecting to Azure Stack, see these articles:

For more information, see Troubleshoot Azure Resource Manager service connections.

Help and support