Connecting to Azure Subscriptions from VSTS for release management

When it comes to deploy and realease management in VSTS we need to connect to our subscription.

This is done via Service Endpoints created inside VSTS, there are two ways of authentication to Azure subscriptions, with User Account or AAD Application, typically scenarios for AAD Applications is when the subscription is not in your tenant or when you don’t have access to the subscription with the appropiate role or so.

1 User Account: The subscription is accessible with your user account

When you use the same user account when logging in to VSTS and your Azure Subscription the Azure Subscription is auto discovered and can be picked under the headline “Available Azure Subscriptions”

  • Pick the Subscription
  • Press the Authorize button to make VSTS create the required authorization
    1. If you have the required access you can now start deploying to this subscription

2 AAD Application: The subscription is not accessible with your user account

If the VSTS user dosen’t have access to the subscription it will not be listed in the Subscription list under “Available Azure Subscriptions” and we will need to add it manually.

  • Press the Manage button
    1. A new tab is opened and you will come to the Service tab
  • Press the  “New Service Endpoint”
  • A new dialog is opened and you can now create  a Connection to an existing accessible subscription, just as before but we want to create it based on Service Principal so press the “here” link
  • The dialog is transformed and now we can add the full information from an AAD application. Connection name:_ enter a name for the Connection i.e “Customer A  TEST”Subscription ID: the guid for the subscription_Subscription Name:_ A friendly understandable name of the subscription; we often use the same as Connection name i.e. “Customer A TEST”Service Principal Client ID: this is the AAD Application Client ID_Service Principal Key:this is the AAD Application KeyTenant ID: the guid for the tenant Sample from an AAD Application in Azure, this is how you find the values: TenantID: is the** Directorty ID** and found on the Properties section of the Azure AD Directory. Service Principal Client ID: _This is the **Application ID **of the AAD Application._Service Principal Key: Is the Key on the Azure AD Application and is found under keys, generate a new key (only visible 1 time after save)
    1. Verify the Connection. Tip: if the verification failes make sure that the AAD Application has atleast “Contributor” rights at atleast one resource Group (not just only the subscription)
    2. Press Ok

This service endpoint can now be found in the subscription list.

I prefer using AAD Applicaiton Connection stetup on Production Environments, just to make sure there are no “personal account” Connections that can mess things up.


Posted in: •Integration  •Uncategorized  | Tagged: