How to create an Azure Service Connection between Azure and Azure DevOps
The Azure Service Connection between Azure and Azure DevOps plays a crucial role in enabling secure, automated, and scalable deployments to Azure from your Azure DevOps pipelines.
Requirements:
- An Azure subscription, you can get started with Azure for free
- An Azure DevOps organization with access to parallel jobs
If your organization doesn’t have access to parallel jobs, you can request parallel jobs for free for public or private projects using this form. Your request takes 2–3 business days.
Why is an Azure Service Connection important?
With an Azure Service Connection, Azure DevOps can run CI/CD (Continuous Integration/Continuous Deployment) pipelines that deploy to Azure without manual intervention. It lets tasks such as the following run without a human in the loop:
- Deploying infrastructure using Terraform or Azure Resource Manager (ARM) templates.
- Running Azure CLI or PowerShell scripts that modify Azure resources.
- Pushing Docker containers to Azure Container Registry (ACR).
All of these actions execute automatically and securely, with no user input required during the process.
Use Cases of an Azure Service Connection in Azure DevOps
- CI/CD Pipelines
- Infrastructure as Code
- Automated Resource Management
- Secure Deployment
Security Benefits of Using a Service Connection
- No Hardcoded Credentials
- Scoped Permissions
- Automated Secret Management
If you’re using Azure DevOps to automate your processes, the service connection is a critical component that ensures your automation is secure, scalable, and compliant.
Let’s start:
Note: Step 1 is very important in this article. You can skip it ONLY if you already have an active Azure DevOps account, an organization set up, and a project created in Azure DevOps.
Step 1: Create an account, organization, project in Azure DevOps.
Initial setup
If you prefer Microsoft official documentation:
If you prefer a video instead of the official documentation
Creating the service principal in Azure
Step 2: Let’s open Cloud Shell
There, copy and paste the following two commands using Ctrl + Shift + V:
subscriptionId=$(az account show --query id --output tsv)
az ad sp create-for-rbac --name sp-devops-iac --role owner --scopes /subscriptions/$subscriptionId
Security tip: Be cautious with the “Owner” role — it’s very powerful. If you only need to deploy resources, consider using “Contributor” instead.
az ad sp create-for-rbac --name sp-devops-iac --role contributor --scopes /subscriptions/$subscriptionId
Save this output; you will need it later. The password field is the service principal's secret: treat it as a credential, never commit it to a repository, and rotate it if it is ever exposed.
{
"appId": "3ac23de2-8a50-423e-b474-45c678d76a95",
"displayName": "sp-devops-iac",
"password": "ah~8Q~Hef~oo.ajmjQEgcmH7JdXAJyLupyXJJaFl",
"tenant": "187fd9f1-b91a-44a9-b312-219a6647cd95"
}
Step 3: Understanding the commands (rather than just copying and pasting them)
Let's go through them one by one:
Command 1: Get Azure Subscription ID
subscriptionId=$(az account show --query id --output tsv)
What it does:
- This command retrieves the current Azure subscription ID you’re logged into via the Azure CLI and stores it in a shell variable called subscriptionId.
Detailed breakdown:
- az account show: Displays details of the currently active subscription/account.
- --query id: Filters the output to only show the id field (which is the subscription ID).
- --output tsv: Outputs the result as Tab-Separated Values, which strips quotes and formatting—good for shell scripting.
Result: Your $subscriptionId variable now holds something like:
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Command 2: Create a Service Principal with RBAC Role Assignment
az ad sp create-for-rbac --name sp-devops-iac --role owner --scopes /subscriptions/$subscriptionId
- az ad sp create-for-rbac: The main command to create a service principal and assign it a role (Role-Based Access Control).
- --name sp-devops-iac: Names the service principal (you can change this to anything unique).
- --role owner: Assigns the "Owner" role, which gives full access to all resources, including the ability to delegate access.
- --scopes /subscriptions/$subscriptionId: Restricts the permissions to the scope of the subscription identified by $subscriptionId.
Output Example:
When this runs successfully, you’ll get an output like:
{
"appId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"displayName": "sp-devops-iac",
"password": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"tenant": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}
These values are used to authenticate from automation tools like Terraform, GitHub Actions, or Azure DevOps.
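The two commands above grant a role over the whole subscription. The following script, added here as an example and not part of the original article, narrows that: it builds a resource-group scope, refuses the Owner role, stores the secret in Key Vault instead of a file, and lists the role assignment it actually created. It assumes the Azure CLI and jq are installed and you are already logged in (as in Cloud Shell); sp-devops-iac, rg-iac and kv-iac-secrets are placeholder names.

```shell
#!/bin/sh
# Added example (not from the article). Assumes the Azure CLI and jq are
# installed and you are logged in, as in Cloud Shell. sp-devops-iac, rg-iac
# and kv-iac-secrets are placeholder names.
set -eu

# Return 0 when the argument is formatted like an Azure GUID.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Build the RBAC scope: one resource group when given, otherwise the whole
# subscription (which is what the article's command grants).
build_scope() {
  sub="$1"; rg="${2:-}"
  is_guid "$sub" || { echo "invalid subscription id: $sub" >&2; return 1; }
  if [ -n "$rg" ]; then
    printf '/subscriptions/%s/resourceGroups/%s' "$sub" "$rg"
  else
    printf '/subscriptions/%s' "$sub"
  fi
}

# Map the pipeline's purpose to the least-privileged built-in role.
# Owner is deliberately not offered: it can also delegate access.
role_for() {
  case "$1" in
    validate) echo Reader ;;
    deploy)   echo Contributor ;;
    *) echo "unknown purpose: $1 (use validate or deploy)" >&2; return 1 ;;
  esac
}

# Create the service principal, put its secret in Key Vault (read from stdin
# so it never appears on a command line), and list the roles it received.
create_scoped_sp() {
  name="$1"; purpose="$2"; scope="$3"; vault="$4"
  role=$(role_for "$purpose")
  out=$(az ad sp create-for-rbac --name "$name" --role "$role" --scopes "$scope" --output json)
  app_id=$(printf '%s' "$out" | jq -r .appId)
  printf '%s' "$out" | jq -r .password |
    az keyvault secret set --vault-name "$vault" --name "$name-secret" --file /dev/stdin --output none
  az role assignment list --assignee "$app_id" --scope "$scope" \
    --query "[].roleDefinitionName" --output tsv
}
# The Azure calls only run with --run, so the helpers above can be tested offline.
if [ "${1:-}" = "--run" ]; then
  subscription_id=$(az account show --query id --output tsv)
  create_scoped_sp sp-devops-iac deploy "$(build_scope "$subscription_id" rg-iac)" kv-iac-secrets
fi
```

Run it as `sh create-sp.sh --run`; the last line of output should be exactly one role name (Contributor), which is the assignment the service connection will inherit.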
Creating the Azure service connection in Azure DevOps
Step 4: Search your subscription
Get your subscription name and subscription ID:
SubscriptionName: Azure subscription 1
SubscriptionID: 2574216e-2497-8e62-3fcc-496e4fecdd42 (fake example)
Step 5: Let’s configure your Azure DevOps project, where you need to add the Azure service connection
Step 5.1: In Azure DevOps, open your project and go to Pipelines > Project settings
Step 5.2: Search and select "Service Connections"
Step 5.3: Click on “New service connection”
Step 5.4: Select Azure Resource Manager
Step 5.5: Setup the following configuration:
Identity type: App registration or Managed identity (manual)
Credential: Secret
Environment: Azure Cloud
Scope level: Subscription
Subscription Id: get it from the json variable “SubscriptionId” of the step 4
Subscription name: get it from the json variable “SubscriptionName” of the step 4
Application (client) ID: get it from the json variable “appId” of the step 2
Directory (tenant) ID: get it from the json variable “tenant” of the step 2
Credential: Service principal key
Client secret: get it from the json variable “password” of the step 2
Click on the Verify button: it should show “Verification succeeded”.
Service connection name: it must be descriptive; for this case it will be:
azuredevops-iac-asc
This means:
Azure DevOps — Infrastructure As Code — Azure Service Connection
Security: Check “Grant access permission to all pipelines”
Click on Verify and save
The resulting Azure service connection is: azuredevops-iac-asc
The following step is OPTIONAL; it is intended for testing purposes only.
Step 6: Let’s test the Service Connection that was created earlier in Azure DevOps.
You can skip Step 6.1 if you already have a repository imported, because we only need to test the Azure service connection.
Step 6.1: Import a GitHub repository into Azure Repos
Click on Repos
Click on Import button
Step 6.2: Creating a pipeline for test
Step 6.3: Select an empty job
Step 6.4: Let’s configure the Pipeline
Name: Pipeline for test
Agent pool: Azure Pipelines
Agent Specification: ubuntu latest
Step 6.5: Let’s configure the Agent job 1
Agent pool: Azure Pipelines
Agent Specification: ubuntu latest
Step 6.6: Let’s add a task to the agent job 1
Display name: Azure CLI => Testing Azure Service Connection
Azure Resource Manager connection: azuredevops-iac-asc
Script Type: PowerShell Core (because the agent is Ubuntu)
Script Location: Inline script
Inline Script: az group list --query "[].name" --output table
- What it does: Lists the names of all resource groups in your subscription.
- Why it’s secure: The --query "[].name" only returns the names of the resource groups and nothing sensitive (like IDs or subscription details).
If this works, the service principal has at least the read permissions needed to interact with your Azure resources. If the service connection isn’t working properly, you’ll see an error indicating an authentication failure or a permissions problem.
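The same Step 6 test expressed as a YAML pipeline instead of the classic editor, added here as an example and not taken from the article. It assumes the file is committed as azure-pipelines.yml in the imported repository and that the service connection is named azuredevops-iac-asc as in Step 5.

```yaml
# Added example, not part of the original article: Step 6 as a YAML pipeline.
trigger: none          # run it manually; a smoke test should not fire on every push

pool:
  vmImage: ubuntu-latest

steps:
  - task: AzureCLI@2
    displayName: 'Azure CLI => Testing Azure Service Connection'
    inputs:
      azureSubscription: azuredevops-iac-asc   # the service connection from Step 5
      scriptType: pscore                       # PowerShell Core on the Ubuntu agent
      scriptLocation: inlineScript
      inlineScript: |
        # Show which identity the connection logged in as, then list only
        # resource-group names; no secrets or subscription details reach the log.
        az account show --query "{subscription:name, identity:user.name}" --output table
        az group list --query "[].name" --output table
```

If the first command prints the appId of sp-devops-iac as the identity and the second prints a table of resource-group names, the connection is working with the role you assigned.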
Save comment: Testing my new azure service connection
Everything is working as expected ✅✅.
Please, let me know your feedback because I can grow with it, thank you very much.
My apologies for any inadvertent errors in my English; I’m learning to speak my second language.
Comment from Azure DevOps Engineer with Zensar Technologies (3 months ago): Thanks for sharing.
Comment from MBA & Senior Project Architect ⚙️ | Co-founder • 5+ years in Fintech & Energy operations | Former Pro Football Coach ⚽️ (5 months ago): Great to see what you share, Javier.