Azure Resource Manager Service Connections in Azure DevOps

Introduction #

An Azure Resource Manager service connection lets an Azure DevOps pipeline connect to Azure resources without manually signing in every time the pipeline runs. It is commonly used when a pipeline needs to deploy or manage Azure resources such as App Service, Key Vault, resource groups, management groups, or Azure Machine Learning workspaces.

For new service connections, workload identity federation is the preferred authentication method. It avoids long-lived secrets, reduces secret rotation work, and lowers the risk of leaked credentials.

The recommended options are:

  • App registration with workload identity federation using automatic setup.
  • Existing user-assigned managed identity with a workload identity federation credential.
  • Manual app registration or managed identity setup with workload identity federation, or a secret only when needed.

The automatic app registration option is the simplest recommended path when you have enough Azure permissions. Azure DevOps can query the Azure scope, create the app registration, and configure the federated credential for the service connection.

The managed identity option is useful when an organization does not allow you to create app registrations. In that case, you can connect Azure DevOps to an existing user-assigned managed identity and let Azure DevOps create the workload identity federation credential for it.

Manual setup is available, but it takes more work and is best used only when the automatic options are not suitable.

Automatic App Registration Flow #

Use the automatic app registration approach when:

  • You have the Owner role on the Azure subscription.
  • You are not connecting to Azure Stack or Azure US Government.
  • Any Marketplace extension tasks used by the pipeline support workload identity federation.

The basic process is:

  1. Go to Azure DevOps Project settings.
  2. Open Service connections.
  3. Create a new Azure Resource Manager service connection.
  4. Select App registration automatic.
  5. Choose Workload identity federation as the credential.
  6. Pick the scope level: Subscription, Management Group, or Machine Learning Workspace.
  7. Enter the required scope details.
  8. Name the service connection.
  9. Save it.

For subscription scope, you choose the subscription and can optionally limit the service connection to a resource group. For management group scope, you choose the management group. For Machine Learning Workspace scope, you choose the subscription, resource group, and workspace.

The app registration created by Azure DevOps is an identity in Microsoft Entra ID, not a resource that lives inside a resource group. The service connection can be scoped to a subscription, resource group, management group, or workspace. It can also be granted access to another Azure scope later if the app registration has the required Azure RBAC permissions there.

For example, Azure DevOps can create the app registration while setting up access for Subscription A. If that app registration is later granted the right role on Subscription B, the same identity can be used to access resources in Subscription B.

Managed Identity Flow #

Use the managed identity option when you already have a user-assigned managed identity and want Azure DevOps to create the federated credential for it.

The setup has three parts:

  1. Select the subscription, resource group, and managed identity that already exists.
  2. Choose the Azure scope the managed identity should access.
  3. Enter the service connection details, such as name, description, and optional service management reference.

The user-assigned managed identity itself must live in an Azure subscription and resource group. However, the service connection does not have to target only that same subscription. The managed identity can access another subscription, resource group, management group, or workspace if it has the required Azure RBAC permissions on that target scope.

For example, a managed identity can exist in Subscription A and be granted access to Subscription B. Azure DevOps can then use the service connection to deploy to Subscription B through that managed identity.

For the Azure scope, you can choose Subscription, Management Group, or Machine Learning Workspace. You can also limit the service connection to a specific resource group when using subscription scope.
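Both the automatic app registration flow and the managed identity flow end with a federated credential on the identity whose issuer and subject name exactly one Azure DevOps organization and service connection. The following check is an added example, not code from this page or from Azure DevOps: it audits such credentials against a constructed sample list, assumes the record shape returned by `az identity federated-credential list` (`name`, `issuer`, `subject`, `audiences`), and uses the documented Azure DevOps issuer (`https://vstoken.dev.azure.com/<organization id>`), subject (`sc://<organization>/<project>/<service connection>`) and audience values.

```python
"""Audit workload identity federation credentials on an identity used by an
Azure DevOps service connection (added example, not from the original page)."""
import json

# Documented Azure DevOps workload identity federation values.
ADO_ISSUER_PREFIX = "https://vstoken.dev.azure.com/"
ADO_AUDIENCE = "api://AzureADTokenExchange"

# Constructed sample (assumption: same field names as the az CLI output).
# The second entry is a stale credential trusting a different issuer.
SAMPLE_CREDENTIALS = json.loads("""[
  {"name": "ado-prod",
   "issuer": "https://vstoken.dev.azure.com/11111111-2222-3333-4444-555555555555",
   "subject": "sc://contoso/payments/prod-deploy",
   "audiences": ["api://AzureADTokenExchange"]},
  {"name": "stale",
   "issuer": "https://token.actions.githubusercontent.com",
   "subject": "repo:contoso/payments:ref:refs/heads/main",
   "audiences": ["api://AzureADTokenExchange"]}
]""")


def expected_subject(org: str, project: str, connection: str) -> str:
    """Subject Azure DevOps presents for a given service connection."""
    return f"sc://{org}/{project}/{connection}"


def check_credential(cred: dict, org_id: str, org: str, project: str,
                     connection: str) -> list:
    """Return findings; an empty list means the credential is bound to this connection only."""
    findings = []
    if cred.get("issuer") != ADO_ISSUER_PREFIX + org_id:
        findings.append(f"issuer {cred.get('issuer')!r} is not this Azure DevOps organization")
    if cred.get("subject") != expected_subject(org, project, connection):
        findings.append(f"subject {cred.get('subject')!r} does not match the service connection")
    if cred.get("audiences") != [ADO_AUDIENCE]:
        findings.append(f"audiences {cred.get('audiences')!r} should be exactly [{ADO_AUDIENCE!r}]")
    return findings


def audit(creds: list, org_id: str, org: str, project: str, connection: str) -> dict:
    """Map each credential name to its findings so unexpected trust relationships stand out."""
    return {c["name"]: check_credential(c, org_id, org, project, connection) for c in creds}


if __name__ == "__main__":
    report = audit(SAMPLE_CREDENTIALS, "11111111-2222-3333-4444-555555555555",
                   "contoso", "payments", "prod-deploy")
    for name, findings in report.items():
        print(name, "OK" if not findings else findings)
```

Any credential that reports findings trusts an issuer or subject other than the intended service connection and should be reviewed before the identity is granted Azure RBAC on a new scope.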

Pipeline Access #

Azure DevOps lets you grant all pipelines access to the service connection, but that option should be used carefully. A better practice is to authorize only the pipelines that need the connection.

For managed identity service connections, the same security choice exists: either allow all pipelines to use the connection or manually authorize each pipeline.

Key Takeaway #

For new Azure Resource Manager service connections, start with workload identity federation. Use automatic app registration when you have permission to create it. Use an existing user-assigned managed identity when app registration creation is restricted. Keep secret-based and older options for compatibility or edge cases only.