Create an Azure service connection

Azure Pipelines | TFS 2018 | TFS 2017

Note

Build and release pipelines are called definitions in TFS 2018 and in older versions. Service connections are called service endpoints in TFS 2018 and in older versions.

This topic explains how to create an Azure Resource Manager service connection for connecting to Microsoft Azure resources. It starts by showing the simple case where you select the subscription, and optionally the Azure Resource Group, to which you want to connect. Use this approach:

  • If you are connecting from Azure Pipelines, and not from TFS.
  • If you are the owner of both the Azure and the Azure DevOps subscriptions you are connecting from, and both accept the credentials with which you are currently signed in to Azure Pipelines.
  • If you do not need to further limit the permissions for Azure resources accessed through the service connection.
  • If you are not connecting to Azure Stack or an Azure Government Cloud.

If you have problems using this simple approach (such as no subscriptions being shown in the drop-down list), or if you want to further limit users' permissions, you can do so by using a service principal as shown here.

Create an Azure Resource Manager service connection

  1. In Azure DevOps, open the Service connections page from the project settings page. In TFS, open the Services page from the "settings" icon in the top menu bar.

  2. Choose + New service connection and select Azure Resource Manager.

  3. Fill in the following parameters for the service connection.

    Parameter | Description
    Connection Name | Required. The name you will use to refer to this service connection in task properties. This is not the name of your Azure subscription.
    Scope level | Select Subscription or Management Group. Management groups are containers that help you manage access, policy, and compliance across multiple subscriptions.
    Subscription | If you selected Subscription for the scope, select an existing Azure subscription. If you don't see any Azure subscriptions or instances, see Troubleshoot Azure Resource Manager service connections.
    Management Group | If you selected Management Group for the scope, select an existing Azure management group. See Create management groups.
    Resource Group | Leave empty to allow users to access all resources defined within the subscription, or select a resource group to which you want to restrict the users' access (users will be able to access only the resources defined within that group).
  4. After the new service connection is created:

    • If you are using it in the UI, select the connection name you assigned in the Azure subscription setting of your pipeline.
    • If you are using it in YAML, copy the connection name into your code as the azureSubscription value.

See also: Troubleshoot Azure Resource Manager service connection.

Create an Azure Resource Manager service connection with an existing service principal

  1. If you want to use a pre-defined set of access permissions, and you don't already have a suitable service principal defined, follow one of these tutorials to create a new service principal:

  2. In Azure DevOps, open the Service connections page from the project settings page. In TFS, open the Services page from the "settings" icon in the top menu bar.

  3. Choose + New service connection and select Azure Resource Manager.

  4. Switch from the simplified version of the dialog to the full version using the link in the dialog.

  5. Enter a user-friendly Connection name to use when referring to this service connection.

  6. Select the Environment name (such as Azure Cloud, Azure Stack, or an Azure Government Cloud).

  7. If you do not select Azure Cloud, enter the Environment URL. For Azure Stack, this will be something like https://management.local.azurestack.external

  8. Select the Scope level you require:

  9. Download and run this PowerShell script in an Azure PowerShell window. When prompted, enter your subscription name, password, role (optional), and the type of cloud such as Azure Cloud (the default), Azure Stack, or an Azure Government Cloud.

  10. Copy these fields from the output of the PowerShell script into the Azure subscription dialog textboxes:

    • Subscription ID
    • Subscription Name
    • Service Principal ID
    • Service Principal Key
    • Tenant ID

  11. Choose Verify connection to ensure the information you entered is valid, then choose OK.

  12. After the new service connection is created:

    • If you are using it in the UI, select the connection name you assigned in the Azure subscription setting of your pipeline.
    • If you are using it in YAML, copy the connection name into your code as the azureSubscription value.
  13. If required, modify the service principal to expose the appropriate permissions. For more details, see Use Role-Based Access Control to manage access to your Azure subscription resources. This blog post also contains more information about using service principal authentication.
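
One way to check the result of step 13, added here as an example and not part of the original page or of the script it links to: the function compares a service principal's role assignments against the resource group the connection is meant to be limited to. The function name Test-ServiceConnectionScope, the sample assignments, the resource names and the all-zero subscription ID are hypothetical; the sample objects are constructed to mimic the RoleDefinitionName and Scope properties returned by Get-AzRoleAssignment.

```powershell
# Constructed sample shaped like Get-AzRoleAssignment output. In a live session use:
#   $assignments = Get-AzRoleAssignment -ServicePrincipalName '<Service Principal ID>'
$sub = '/subscriptions/00000000-0000-0000-0000-000000000000'   # placeholder ID
$assignments = @(
    [pscustomobject]@{ RoleDefinitionName = 'Contributor'; Scope = "$sub/resourceGroups/rg-web" }
    [pscustomobject]@{ RoleDefinitionName = 'Reader';      Scope = "$sub/resourceGroups/rg-web/providers/Microsoft.Web/sites/app1" }
    [pscustomobject]@{ RoleDefinitionName = 'Contributor'; Scope = $sub }
    [pscustomobject]@{ RoleDefinitionName = 'Owner';       Scope = "$sub/resourceGroups/rg-web" }
    [pscustomobject]@{ RoleDefinitionName = 'Reader';      Scope = '/providers/Microsoft.Management/managementGroups/mg-corp' }
)

# Hypothetical helper: reports every assignment that reaches beyond the intended
# scope or carries a role that can itself grant access to other principals.
function Test-ServiceConnectionScope {
    param(
        [Parameter(Mandatory)] [object[]] $Assignments,
        [Parameter(Mandatory)] [string]   $AllowedScope
    )
    $allowed  = $AllowedScope.TrimEnd('/')
    $canGrant = 'Owner', 'User Access Administrator'
    foreach ($a in $Assignments) {
        $scope = ([string]$a.Scope).TrimEnd('/')
        # Classify the assignment by the shape of its ARM scope string.
        $level = switch -Regex ($scope) {
            '^$' { 'Root'; break }
            '^/providers/Microsoft\.Management/managementGroups/[^/]+$' { 'ManagementGroup'; break }
            '^/subscriptions/[^/]+$' { 'Subscription'; break }
            '^/subscriptions/[^/]+/resourceGroups/[^/]+$' { 'ResourceGroup'; break }
            default { 'Resource' }
        }
        # In scope means the allowed resource group itself or anything beneath it.
        $inside = ($scope -eq $allowed) -or
                  $scope.StartsWith("$allowed/", [System.StringComparison]::OrdinalIgnoreCase)
        $findings = @()
        if (-not $inside) { $findings += 'OutsideAllowedScope' }
        if ($a.RoleDefinitionName -in $canGrant) { $findings += 'CanGrantAccess' }
        if ($findings) {
            [pscustomobject]@{
                Role  = $a.RoleDefinitionName; Level   = $level
                Scope = $a.Scope;              Finding = $findings -join ','
            }
        }
    }
}

Test-ServiceConnectionScope -Assignments $assignments -AllowedScope "$sub/resourceGroups/rg-web" |
    Format-Table -AutoSize
```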

See also: Troubleshoot Azure Resource Manager service connections.

Connect to an Azure Government Cloud

For information about connecting to an Azure Government Cloud, see:

Connect to Azure Stack

For information about connecting to Azure Stack, see:

Help and support