Scenario: Setup a CI/CD of deploying Azure Resource Group App via Visual Studio Online Build/Release Management.
Azure Resource Group deployment in VSO Build/Release relies on ARM (Azure Resource Manager) APIs. ARM supports Resource Groups, Deployment templates and RBAC (Role Based Access Control).
Using Azure Resource Manager, you can grant access to a service principal and authenticate it, so it can perform the permitted management actions on resources that exist in the subscription or as a tenant.
You can find Azure deployment templates from Azure Gallery or GitHub quickstart-templates
This topic shows you how to setup an Azure service end-point in VSO using Service Principal
1: Create an Azure Active Directory application
a. Login to your Azure account through the classic portal.
b. Select Active Directory from the left pane.
c. Select the directory that you want to use for creating the new application.
d. To add a new application in your directory, click on Applications and click on Add
e. Choose “Add an application that my organization is developing”.
Though we intend to automate Azure Resource Group deployment from VSO, we will have to create a Web App and use its service principal to authenticate with Azure Resource Manager.
g. Enter a recognizable URL as we will need it later for role assignment.
h. Congratulations, you now have an AAD Application. Click on the CONFIGURE tab:
2: Create your service principal password
a. From CONFIGURE tab, find Client ID and copy it. This will be your Service Principal user name
b. From the “keys” section, from the drop-down select 1 or 2 year duration
After you hit save at the bottom, it will display your key, which is basically your Service Principal account password. Copy and store the key value. You won’t be able to retrieve it later.
c. Retrieve Tenant ID for your Azure account. Click “View End-Points” on the bottom panel.
Copy any of the URLs displayed in the pop-up dialog, The GUID in there is your tenant ID, which you’ll need later
Now we have Service Principal account username, password and tenant id.
Client ID: a63e0985-XXXX-XXXX-XXXX-XXXXXXXXXXXX
Tenant ID: 72921e51-521b-439d-8412-XXXXXXXXXXXX
3: Assign roles to your Service Principal
You have now created a service principal in the directory, but the service does not have any permissions or scope assigned. You will need to explicitly grant the service principal permissions to perform operations at some scope.
Log in as your Microsoft identity in order to grant roles to your Service Principal identity
<code class="cplusplus"> PS C:>Switch-AzureMode -Name AzureResourceManager<br /> PS C:>Add-AzureAccount # This will pop up a login dialog<br /> </code>
Assign roles to your Service Principal. For now, giving it access to the whole subscription. You can limit the access by providing the scope parameter.
You can use either App ID Uri or Client ID as the value for the -ServicePrincipalName parameter.
<code class="js"> PS C:>New-AzureRoleAssignment -ServicePrincipalName <a href="http://RNWebAppforVSO">http://RNWebAppforVSO</a> -RoleDefinitionName Contributor</code>
If you run Get-AzureRoleAssignment, you should see the assignment.
4: Setup Azure Service End-Point in VSO
a. From your Visual Studio Account, navigate to your Team Project and click on gear icon
b. Click Services tab and click on ‘New Service Endpoint’ in the left pane.
c. From the drop-down, select ‘Azure’ option. Select Service Principal radio choice and enter the details
We are now able to add the Service Principal account.
d. From Build/Release hub, now you add “Resource Group Deployment Task” and use the subscription.
- Create new Azure Service Principal using Azure Portal
- Role-based access control in the Microsoft Azure portal