Connecting Azure DevOps to Another Azure Subscription


I just wanted to use this blog post to document a frequently asked question concerning Azure DevOps:
What do I need to do to let my Release pipeline deploy to a tenant/subscription to which my Azure DevOps account has no access?

To put it in Microsoft terms:
You have an Azure DevOps account called John.Smith@contoso.com in the Contoso organization, but you want to deploy resources to the Azure subscription for tailspintoys.com.
Your Contoso account does not have direct access to the tailspintoys.com subscription, but you can have tasks done on the subscription by another Global Administrator if required. What do you do?

The answer here is:
You need to have the Global Administrator of the tailspintoys.com subscription create a Service Principal account and give it the correct role and access on the desired resource location; then you manually create a Service Connection in your Contoso Azure DevOps environment that uses that Service Principal.

Well, that’s all fine and dandy, but what are the exact steps required here?
This is what this post will try to show you :smiley:

In the Azure portal, as the Global Administrator of the tailspintoys.com tenant:

  1. Open the Azure portal in your favourite browser
  2. Open the Azure Active Directory Blade
  3. Open the App Registration Blade
    Open the App Registration blade
  4. Create a new App Registration, dedicated for your Project’s connection.
    • Enter a descriptive name for the account
    • Select the option Accounts in this Organization Only
      Create a new App Registration
  5. Open the newly created Registered App and go to Certificates & Secrets
    Go to Certificates & Secrets
  6. Create a new Secret for the Registered App
    DO NOTE!! Directly copy the Secret value, as this is the only time you’ll be able to see it.
    Once you leave or refresh the page, the value will no longer be displayed, and a new secret will have to be created in case you didn’t note it down or forgot it.
    Create a new Secret
  7. In the Azure Portal, navigate to the location in which the newly created Registered App needs permissions to operate.
    Possible options are either a Resource Group or a Subscription.
  8. Open the Access Control (IAM) Blade on either the Resource Group or Subscription you want to provide access to
    Open the Access Control (IAM) blade
  9. Click Add -> Role Assignment to add the Registered App and give it the appropriate permissions role (of course using the principle of least privilege)
    Search the Registered App and add the desired Role
Then, in Azure DevOps (the Contoso organization):

  1. Open your Azure DevOps project in your favourite browser
  2. Open Project Settings
    Open Project Settings
  3. Select Service Connections under the Pipelines segment
    Service Connections
  4. Click New Service Connection
    Click New Service Connection
  5. Select Azure Resource Manager and click Next
    Select Azure Resource Manager
  6. Select Service Principal (manual) and click Next
    Select Service Principal (manual)
  7. Enter the required information
    • Subscription ID - You can get this from the Azure Portal -> Subscriptions blade
    • Subscription Name - Enter a name to recognize the Subscription by
    • Service Principal ID - Client ID of the newly created Registered App (you can find this under the Registered App’s Overview blade as Application (client) ID)
    • Service Principal Key - The Secret you created for your Registered App
    • Tenant ID - The Tenant ID of the Registered App (you can find this under the Registered App’s Overview blade as Directory (tenant) ID)
      Enter the required information
  8. Use the Verify button to confirm that the details have been entered and configured correctly
    Verify
  9. Enter the Details
    • Service Connection Name - The Service Connection Name you want to use in Azure DevOps, so you know which connection you’re using
    • Description - Enter the description of the newly created Service Connection. It is suggested to add the scope and permissions granted to the Registered App
      Enter the Details
  10. Click Verify and Save
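As an added example (not from the original post), here is in plain Python what the Verify button in step 8 effectively checks for a Service Principal (manual) connection: a client-credentials token request built from the Tenant ID, Service Principal ID and Service Principal Key fields, followed by a read of the subscription that comes back as AuthorizationFailed when the role assignment from the portal steps is missing or scoped to the wrong place. All IDs and the secret are placeholders, and the `send` hook is only there so the flow can be exercised without network access.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

LOGIN = "https://login.microsoftonline.com"
ARM = "https://management.azure.com"


def arm_scope(subscription_id, resource_group=None):
    """Scope of the role assignment (portal steps 7-9): whole subscription,
    or a single resource group when least privilege allows it."""
    scope = f"/subscriptions/{subscription_id}"
    if resource_group:
        scope += f"/resourceGroups/{resource_group}"
    return scope


def token_request(tenant_id, client_id, client_secret):
    """Client-credentials grant using the Tenant ID, Service Principal ID and
    Service Principal Key entered in the 'Service Principal (manual)' form."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{ARM}/.default",
    }).encode()
    url = f"{LOGIN}/{tenant_id}/oauth2/v2.0/token"
    return urllib.request.Request(url, data=body, method="POST")


def _http(req):
    """Default transport: return the JSON body even for an HTTP 4xx reply."""
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)


def verify_connection(subscription_id, tenant_id, client_id, secret, send=_http):
    """Acquire a token, then read the subscription as the SP would. Returns
    (ok, detail); a missing role assignment yields (False, 'AuthorizationFailed')."""
    token = send(token_request(tenant_id, client_id, secret))
    if "access_token" not in token:
        return False, token.get("error_description", "token request failed")
    req = urllib.request.Request(
        f"{ARM}{arm_scope(subscription_id)}?api-version=2020-01-01",
        headers={"Authorization": f"Bearer {token['access_token']}"})
    sub = send(req)
    if "error" in sub:
        return False, sub["error"].get("code", "unknown")
    return True, sub.get("displayName", subscription_id)
```

Calling `verify_connection("<subscription-id>", "<tenant-id>", "<client-id>", "<secret>")` with real values performs the same two requests against Azure; a `False` result with `AuthorizationFailed` means the secret is fine but the role assignment does not cover the subscription.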

And that should be all that’s required!
Head on over to your Azure DevOps Release pipeline, select the Stage you want to set your deployment on and be sure to Refresh the Azure Resource Manager Connection field.
Once that’s done, select your newly created Service Connection and away you go! :thumbsup:

Refresh and select new Service Connection