Azure DevOps, pipelines, releases, Service Principals and Azure... a nice mix that can be tricky to configure, and it is not always clear what is required to make it work properly.
Context
Releases on Azure can cover tasks like:
- create the target platform (IaC)
- configure permissions and security (RBAC)
- deploy the application packages
These tasks require an Azure DevOps Service Connection. One way to create one is with a Service Principal.
If you create your Service Principal in a regular way (Azure Portal, az ad sp create, etc.), you will probably need to check the settings in the next section.
Because these settings are quite common, the Azure CLI team has created a command that helps with all of this:
az ad sp create-for-rbac
Settings to check
For your Service Principal to have the right configuration to work with RBAC configurations, you need to check the settings below:
- At AAD level
  Check that the Service Principal has an AAD MS Graph API permission (read all), in application mode
- At Azure Subscription level
  In the IAM settings, check that the Service Principal has a User Access Administrator role assignment
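The two checks above can be scripted against the JSON printed by `az role assignment list --assignee <appId> --all` and `az ad app permission list --id <appId>`. The following is an added example, not code from the original post: the function names are hypothetical, the sample data is constructed, and "AAD MS Graph" is assumed to mean either the Microsoft Graph or the legacy Azure AD Graph API.

```python
import json

# Well-known resource appIds. Assumption: the page's "AAD MS Graph" may mean
# either of these APIs, so both are accepted.
GRAPH_APP_IDS = {
    "00000003-0000-0000-c000-000000000000",  # Microsoft Graph
    "00000002-0000-0000-c000-000000000000",  # Azure AD Graph (legacy)
}

def has_uaa_on_subscription(assignments, subscription_id):
    """True only if User Access Administrator is assigned at subscription scope."""
    wanted = f"/subscriptions/{subscription_id}".lower()
    return any(
        a.get("roleDefinitionName") == "User Access Administrator"
        and a.get("scope", "").rstrip("/").lower() == wanted
        for a in assignments
    )

def graph_application_permissions(required_access):
    """Ids of application-mode (type 'Role') permissions requested on a Graph API."""
    return [
        access["id"]
        for entry in required_access
        if entry.get("resourceAppId") in GRAPH_APP_IDS
        for access in entry.get("resourceAccess", [])
        if access.get("type") == "Role"  # 'Scope' means delegated mode
    ]

def check(assignments_json, permissions_json, subscription_id):
    # Takes the raw JSON text of the two az commands named in the lead-in.
    return {
        "uaa_at_subscription": has_uaa_on_subscription(json.loads(assignments_json), subscription_id),
        "graph_app_permission_ids": graph_application_permissions(json.loads(permissions_json)),
    }

# Constructed sample: the role sits on a resource group only, and Graph is delegated only.
SUB = "11111111-1111-1111-1111-111111111111"
SAMPLE_ASSIGNMENTS = json.dumps([
    {"roleDefinitionName": "Contributor", "scope": f"/subscriptions/{SUB}"},
    {"roleDefinitionName": "User Access Administrator",
     "scope": f"/subscriptions/{SUB}/resourceGroups/rg-demo"},
])
SAMPLE_PERMISSIONS = json.dumps([
    {"resourceAppId": "00000003-0000-0000-c000-000000000000",
     "resourceAccess": [{"id": "aaaaaaaa-0000-0000-0000-000000000001", "type": "Scope"}]},
])

if __name__ == "__main__":
    print(check(SAMPLE_ASSIGNMENTS, SAMPLE_PERMISSIONS, SUB))
```

The returned permission ids still have to be compared with the "read all" permission you intended, and a listed permission only takes effect once consent has been granted.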
That’s all :).