Tuesday, May 22, 2018

Creating an Azure Service Principal for Visual Studio

When you need to deploy from VSTS (VisualStudio.com) either via a build or via the release pipeline, you need a service principal that allows VSTS to access your Azure subscription. When the Azure subscription is connected directly to your VSTS account, you can use the simple version of the “New Service Endpoint” dialog. But, if the VSTS or Azure subscriptions are disconnected, then you need to use the full version of the “New Service Endpoint” dialog. This post goes into how you can manually do that:

What you need on the Azure side:

  1. Azure Active Directory instance. If you don't have one, create it. The free tier will do.
    1. After you create the AAD instance, open the AAD resource and select “Properties”. Copy the value for “Directory Id”.
  2. Make sure “Microsoft Visual Studio Team Services” is registered as an Enterprise Application:
    1. Go to Azure Active Directory >> Enterprise Application.
    2. If “Microsoft Visual Studio Team Services” does not appear in the list of “All Applications”, click on “New Application”, then search for “Microsoft Visual Studio Team Services” and add it. This adds “Microsoft Visual Studio Team Services (Microsoft Visual Studio Online)” to the list of APIs you can authorize your SP to access (used below in step 3.8).
  3. The Service Principal is created by creating an “App Registration”.
    1. Click on “App Registrations” and then “New Application Registration”.
    2. Enter a name for the App Registration. You need to remember this name.
    3. Leave type as “web app/API”
    4. Enter a sign-on URL (it just needs to start with http:// or https://. It doesn't matter otherwise and can be any fake URL).
    5. Open the newly created “App Registration”
    6. Copy the “Application ID” value.
    7. Click on settings.
    8. Click on Required permissions and then, “Add”
      1. Select “Microsoft Visual Studio Team Services (Microsoft Visual Studio Online)”.
      2. The permission should be “Have full access to Visual Studio Team Services REST APIs”.
    9. Click Save.
    10. Click on Key
      1. Enter anything for “Key Description”
      2. Duration can be “Never Expires”
      3. When you save, you will see a string value in the “Value” box. Copy and save this value (this is the client secret).
  4. Provide the service principal you created in step 3 access to your subscription.
    1. Go to your subscription in Azure portal.
    2. Choose Access Control
    3. Click Add and you can provide the SP direct access as a contributor to your subscription. Alternatively:
    4. You can provide access just to a specific Resource Group, which you can do by opening the RG and then updating the Access Control by providing access to the SP to that RG.
      1. Note: in a production or locked-down environment, I would give the Service Principal access either to a resource group or to the resource directly. Providing access directly to the subscription may allow anybody to deploy and create resources directly in production, which may or may not be ideal for your use-case.
    5. Also, go to the “Overview” section of your Azure Subscription and copy the “Subscription Id” and “Subscription Name”.
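The same result can be produced from the Azure CLI instead of the portal. The script below is an added example, not part of the original post: it creates the app registration and service principal in one call, assigns Contributor at resource-group scope (the locked-down option from the note above, or subscription scope if no resource group is given), gives the key a one-year lifetime instead of “Never Expires”, and collects the five values the VSTS endpoint dialog asks for. It assumes the `az` CLI is installed and `az login` has already been run; `SP_NAME` and `RG_NAME` are placeholders you supply. The only calls it makes are `az account show`, `az ad sp create-for-rbac` and `az role assignment list`.

```shell
#!/bin/sh
# Added example (not from the original post): Azure CLI equivalent of the portal steps.
# Assumes: az CLI installed and logged in; SP_NAME / RG_NAME are caller-supplied placeholders.
set -eu

# Build the ARM scope string: a resource group if one is given, else the whole subscription.
build_scope() {
  sub_id="$1"
  rg="${2:-}"
  if [ -n "$rg" ]; then
    printf '/subscriptions/%s/resourceGroups/%s' "$sub_id" "$rg"
  else
    printf '/subscriptions/%s' "$sub_id"
  fi
}

# Sanity check that a value looks like an Azure GUID (Directory Id, Subscription Id, Application ID).
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Create the service principal and print the values needed by the "New Service Endpoint" dialog.
create_vsts_sp() {
  sp_name="$1"
  rg="${2:-}"

  # Subscription Id / Name (step 4.5) and Tenant Id (step 1.1) come from the current login context.
  sub_id=$(az account show --query id -o tsv)
  sub_name=$(az account show --query name -o tsv)
  tenant_id=$(az account show --query tenantId -o tsv)
  is_guid "$sub_id" || { echo "unexpected subscription id: $sub_id" >&2; return 1; }
  is_guid "$tenant_id" || { echo "unexpected tenant id: $tenant_id" >&2; return 1; }

  scope=$(build_scope "$sub_id" "$rg")

  # App registration + SP + Contributor role assignment at the chosen scope (steps 3 and 4).
  # --years 1 gives the key an expiry rather than the portal's "Never Expires" option.
  sp_out=$(az ad sp create-for-rbac --name "$sp_name" --role Contributor \
             --scopes "$scope" --years 1 --query '[appId,password]' -o tsv)
  app_id=$(printf '%s' "$sp_out" | cut -f1)      # Application ID (step 3.6)
  secret=$(printf '%s' "$sp_out" | cut -f2)      # client secret (step 3.10.3)

  # Verify the role assignment landed on the intended scope and nothing wider.
  echo "Role assignments for $app_id at $scope:"
  az role assignment list --assignee "$app_id" --scope "$scope" \
     --query '[].{role:roleDefinitionName,scope:scope}' -o table

  echo "Subscription Id:             $sub_id"
  echo "Subscription Name:           $sub_name"
  echo "Service Principal Client Id: $app_id"
  echo "Tenant Id:                   $tenant_id"
  # The secret is shown once; paste it into the dialog, do not write it to disk.
  echo "Service Principal Key:       $secret"
}

# Usage: sh create_vsts_sp.sh --run SP_NAME [RG_NAME]
# Without --run the script only defines the functions above.
if [ "${1:-}" = "--run" ]; then
  create_vsts_sp "${2:?service principal name required}" "${3:-}"
fi
```

Running it with a resource group name limits the SP to that group; omitting the group reproduces the portal's "Contributor on the subscription" path. The `az role assignment list` call at the end is the check worth keeping: it shows exactly which scope the new identity can touch before you hand its key to VSTS.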


In Visual Studio:

  1. Open your VSTS project.
  2. Click on the gear icon at the top and choose “Services”
  3. Click “New Service Endpoint” and then “Azure Resource Manager”
  4. At the bottom choose “use the full version of the endpoint dialog”. You should see this dialog:
    [Image: the full version of the “New Service Endpoint” dialog]
    1. Subscription Id: from 4.5
    2. Subscription Name: from 4.5
    3. Service Principal Client Id: from 3.6
    4. Service Principal Key: from 3.10.3
    5. Tenant Id: from 1.1

Now click on “Verify Connection” and it should come back with a value of “verified”.
