To deploy resources on Azure using VSTS as part of a CI/CD process, VSTS first needs to establish a connection with Azure and have the permissions required to manage resources. If you use VSTS to manage Azure resources, you therefore need to create an Azure service endpoint first. In this blog post, we'll learn how to do that.
If you are doing this in your personal subscription, you will probably already have the required permissions on Azure AD. In that case, you can skip directly to the section Create Azure endpoint in VSTS and use the short version of the dialog only; VSTS will automatically query Azure and create the required configuration for you. If you are working in a medium or large organization, you'll need to go the long way, which gives you more granular access and control.
Create an Application in Azure AD
First, we need to create (aka register) an application in Azure Active Directory. This also creates a service principal, which can be used to connect to Azure remotely. The registration process involves giving Azure AD details about your application, such as the URL where it's located, the URL to send replies to after a user is authenticated, the URI that identifies the app, and so on.
Needless to say, you require global admin permissions on Azure AD to do the above step. If you don't have them, as is often the case in medium and large organizations, you can ask your AD team to do this step for you.
To create an application, sign in to the Azure RM portal with your credentials. In the left-hand navigation pane, click the Azure Active Directory service, click App registrations, and click New application registration:

When the Create page appears, enter your application's registration information:
Name: Enter a meaningful application name.
Application type: Select "Native" for client applications that are installed locally on a device. Select "Web app / API" for client applications and resource/API applications that are installed on a secure server. The same application can also expose both a client and a resource/API.
Sign-On URL: For "Web app / API" applications, provide the base URL of your app. Users use this URL to sign in to a web client application.
Redirect URI: For "Native" applications, provide the URI used by Azure AD to return token responses. Enter a value specific to your application.
Below is one example:

Once you have entered the above information, select Create.
Configure a client key for the Azure AD app
In order for a web/confidential client application, VSTS in our case, to participate in an authorization grant flow that requires authentication (and obtain an access token), it must establish secure credentials. The default authentication method supported by the Azure portal is Client ID + secret key. Once the application is created, select your application and then select Keys:

In the new pane, enter the key name and the duration for which you need it to be valid, and then save it.

Note that there is no option to enter a value for the associated secret. It is generated automatically by the portal when you save, and it is shown only once: Azure will not save this information for you, so you need to copy it and record it for later use.
Assign permissions to the Azure AD app
To access resources in your subscription, you must assign the application to a role. For our case, we'll use the Contributor role, as we need it to be able to create and manage resources. You can set the scope at the level of the subscription, resource group, or resource; permissions are inherited by lower levels of scope.
Let's say we want to assign it Contributor access at subscription level. Then we need to go to the left pane -> search for Subscriptions -> select the subscription in question -> select Access control (IAM) -> select Add and then assign the role to it.
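The Azure-side steps above (register the app, create the client key, assign Contributor) scripted with the AzureRM PowerShell module, as an added example that is not code from the original post. It assumes AzureRM 5.x or later (where -Password takes a SecureString) and uses placeholder values for the subscription and application names.

```powershell
# Added example, not from the original post: the Azure-side steps scripted with the
# AzureRM PowerShell module. Placeholder values are marked; the Az module offers the
# same cmdlets with an "Az" prefix.
Login-AzureRmAccount | Out-Null                          # interactive sign-in

$subscriptionName = "<your subscription name>"           # placeholder: replace
$appName          = "vsts-deploy-spn"                    # assumed display name
$scopeRg          = $null                                # set to a resource group name to narrow the scope

$sub = Get-AzureRmSubscription -SubscriptionName $subscriptionName
Select-AzureRmSubscription -SubscriptionId $sub.Id | Out-Null

# 1. Client key: generate it locally from a CSPRNG instead of reading it off the portal.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$secret       = [Convert]::ToBase64String($bytes)
$secureSecret = ConvertTo-SecureString $secret -AsPlainText -Force

# 2. Register the "Web app / API" application with that key; EndDate is the key's validity,
#    the same duration the portal's Keys pane asks for.
$app = New-AzureRmADApplication -DisplayName $appName `
        -HomePage "https://$appName" -IdentifierUris "https://$appName" `
        -Password $secureSecret -EndDate (Get-Date).AddYears(1)
$sp  = New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId

# 3. Assign Contributor at subscription scope, or at a resource group if $scopeRg is set.
#    Permissions are inherited downward, so the narrowest scope that still lets the
#    pipeline deploy is the least-privilege choice.
$scope = if ($scopeRg) { (Get-AzureRmResourceGroup -Name $scopeRg).ResourceId } else { "/subscriptions/$($sub.Id)" }
$deadline = (Get-Date).AddMinutes(2)
do {                                                    # a new SPN takes a moment to replicate
    try {
        New-AzureRmRoleAssignment -RoleDefinitionName Contributor `
            -ServicePrincipalName $app.ApplicationId -Scope $scope -ErrorAction Stop | Out-Null
        $assigned = $true
    } catch { Start-Sleep -Seconds 15 }
} until ($assigned -or (Get-Date) -gt $deadline)
if (-not $assigned) { throw "Role assignment did not succeed within 2 minutes" }

# 4. The values the full version of the VSTS endpoint dialog asks for. Paste the key into
#    VSTS right away; it cannot be retrieved from Azure AD later.
[pscustomobject]@{
    SubscriptionId      = $sub.Id
    SubscriptionName    = $sub.Name
    ServicePrincipalId  = $app.ApplicationId        # "Service Principal Client ID"
    ServicePrincipalKey = $secret                   # "Service Principal Key"
    TenantId            = $sub.TenantId
} | Format-List
```

Run it from an account that holds the Azure AD rights described above; the script stops with an error at step 2 otherwise, before any role is assigned.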
Create Azure endpoint in VSTS
Open your VSTS account. Select your project and then go to project settings. Select Services from the list shown:

From the left pane, select New Service Endpoint and then select Azure Resource Manager:

This will open a new dialog. Select the full version of the dialog:

Now we can provide the details of the Azure AD app created earlier, verify the connection and then click OK:

In this blog post, we learned the detailed steps to create an Azure RM service endpoint for VSTS.
Hi,
We are facing an issue during app registration itself.
We are getting the error below:
errorCode:Authorization_RequestDenied,
errorDetail:Insufficient privileges to complete the operation.
Could you please help us identify where the issue could be?
Thanks,
Abhijit
Hi Abhijit, it looks like you do not have a sufficient level of access on Azure AD to create a new app. You need to ask your Azure AD admins to register the app and share the key and secrets with you.
Thank you Mohit.
I will check with the IT team and will give it a try.
Thanks for the quick response.