Adding a new Azure Service Principal connection to Azure DevOps

Andrey Stukalin
3 min read · Aug 20, 2019


Let’s say I want to add a new Azure connection to my Azure DevOps account. The service principal behind it must have the bare minimum set of permissions DevOps needs to function, ideally scoped only to the resources it actually works with.

One can do this using Role-based access control (RBAC), which is available through the Access control (IAM) panel in the Azure portal. Alright, the steps are the following.

1. Add a new application registration.

Enter a name here; the rest can be left as it is.

2. Go to the newly created registration and add a new client secret. Write down the secret the portal generates for you; we’ll use it later.

3. Go back to the registration’s overview page and write down the client ID and the tenant ID.

4. You’ll need the subscription ID and name to complete the service connection registration. Find your subscription in Azure (you may use the search field).

5. Now it’s time to give the service principal some permissions; otherwise you’ll get an error at the registration step. For instance, if you want to deploy to a web app or a slot, it makes sense to go directly to that app or slot and configure the permissions there, so the principal gets no access beyond it.

6. Now go to the Azure DevOps portal and register the service connection there.

Click the "use the full version of the service connection dialog" link and fill in the fields of the dialog with the data you already have.

Click the Verify link to check that everything is correct. The connection should now be available in the build steps editor, and it should have access only to those resources you explicitly granted it permission to.
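The same six steps can be scripted with the Azure CLI, which makes the least-privilege scope explicit and reviewable. The script below is an added example and is not code from the original post; it assumes `az login` has been done, that the azure-devops extension is installed (az extension add --name azure-devops), and that every name, ID and URL in it is a placeholder. The choice of the built-in "Website Contributor" role, the `deploy_scope` and `scope_is_resource_level` helpers, and the `DRY_RUN` wrapper are all this example's own; the post itself does not name a role.

```shell
#!/bin/sh
# Added example, not code from the original post: the six portal steps done with
# the Azure CLI, with the role assignment scoped to one web app or one slot.
# Assumptions: `az login` has been done, the azure-devops extension is installed,
# and every value below is a placeholder. DRY_RUN=1 (the default) only prints the
# az commands to stderr; set DRY_RUN=0 to apply them.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
RESOURCE_GROUP="${RESOURCE_GROUP:-my-rg}"
WEBAPP="${WEBAPP:-my-webapp}"
SLOT="${SLOT:-staging}"                 # set to "" to scope to the whole app
ROLE="${ROLE:-Website Contributor}"     # built-in role, narrower than Contributor
DEVOPS_ORG="${DEVOPS_ORG:-https://dev.azure.com/my-org}"
DEVOPS_PROJECT="${DEVOPS_PROJECT:-my-project}"
SP_NAME="${SP_NAME:-devops-deploy-$WEBAPP}"

# ARM resource ID of a web app, or of one of its slots: the scope for step 5.
deploy_scope() {
  scope="/subscriptions/$1/resourceGroups/$2/providers/Microsoft.Web/sites/$3"
  if [ -n "${4:-}" ]; then
    scope="$scope/slots/$4"
  fi
  printf '%s\n' "$scope"
}

# Least-privilege guard: a deployment principal belongs on a single resource,
# never on a whole resource group or subscription.
scope_is_resource_level() {
  case "$1" in
    */providers/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Run az, or (when dry-running) print the command line to stderr and return a
# placeholder value, so the whole flow can be reviewed before it touches a tenant.
az_cmd() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    { printf 'az'; printf ' %s' "$@"; printf '\n'; } >&2
    printf 'DRY_RUN_VALUE\n'
  else
    az "$@"
  fi
}

main() {
  scope="$(deploy_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$WEBAPP" "$SLOT")"
  if ! scope_is_resource_level "$scope"; then
    echo "refusing broad scope: $scope" >&2
    return 1
  fi

  # Step 1: app registration; only the display name is needed.
  app_id="$(az_cmd ad app create --display-name "$SP_NAME" --query appId -o tsv)"

  # Step 2: client secret. It is shown once; keep it in a variable, not in a
  # file or a shell history line. Without --append this replaces older secrets.
  secret="$(az_cmd ad app credential reset --id "$app_id" --query password -o tsv)"

  # Steps 3 and 4: tenant ID and the subscription's display name.
  tenant_id="$(az_cmd account show --subscription "$SUBSCRIPTION_ID" --query tenantId -o tsv)"
  sub_name="$(az_cmd account show --subscription "$SUBSCRIPTION_ID" --query name -o tsv)"

  # Step 5: a service principal for the app, then one role assignment whose
  # scope is the single app or slot; nothing else in the subscription is visible.
  az_cmd ad sp create --id "$app_id" >/dev/null
  az_cmd role assignment create --assignee "$app_id" --role "$ROLE" --scope "$scope" >/dev/null

  # Step 6: the Azure DevOps service connection. The extension reads the secret
  # from this environment variable, so it never appears in a process argument list.
  AZURE_DEVOPS_EXT_AZURE_RM_SERVICE_PRINCIPAL_KEY="$secret"
  export AZURE_DEVOPS_EXT_AZURE_RM_SERVICE_PRINCIPAL_KEY
  az_cmd devops service-endpoint azurerm create \
    --name "$SP_NAME" \
    --azure-rm-service-principal-id "$app_id" \
    --azure-rm-subscription-id "$SUBSCRIPTION_ID" \
    --azure-rm-subscription-name "$sub_name" \
    --azure-rm-tenant-id "$tenant_id" \
    --org "$DEVOPS_ORG" --project "$DEVOPS_PROJECT" >/dev/null
  unset AZURE_DEVOPS_EXT_AZURE_RM_SERVICE_PRINCIPAL_KEY
  echo "service connection '$SP_NAME' registered with scope $scope"
}

main
```

Run it once with the default DRY_RUN=1 to read the exact role assignment it would create, then with DRY_RUN=0 to apply. The guard in `main` is the point of the exercise: if someone later shortens the scope to the resource group or the subscription, the script refuses to run, which is the same property the post checks by hand in the Verify step.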
