Error when trying to create service connection in azure devops - azure-devops

My requirement is to use Azure Devops services to create services connection, so I created an azure AD application in azure portal
In azure Devops project setting I created a new service connection but when I click on verify it throws me the error:
Failed to query service connection API "https://managemant.azure.com/sub/xxx?api-version=2016-06-01.status code:'status code:{"error",:{code""Authorization failed message" 'the client" with object id "does not have authorization to perform action 'microsoft.resource/sub/read,over scope'/sub/*** or scope is invalid.if access was recently granted.please refresh your credentials}}
The document I am referring to is https://learn.microsoft.com/en-us/azure/devops/pipelines/library/connect-to-azure?view=azure-devops#use-spn
Would appreciate any assistance on this
TIA

I tried to reproduce the same in my environment and got the same error as below:
To resolve the error, assign reader role/permission to the Azure AD Application on the subscription level like below:
Go to Azure Portal -> Subscriptions -> Select your Subscription -> Access control (IAM) -> Add role assignment
Verification is successful after assigning the role like below:
You can also assign contributor role based on your requirement.

According to the error message, you can try go to portal and find your subscription, click on Access Control (IAM) and then click on Add role assignment use the object id. And then try to create a new service connection to check if it works.

The Service Principal or Managed Identity currently you are using from Azure Devops does not have permission to create another service principal. You have to assign specific permissions for create a service principal on your Azure AD tenant. You may try providing "Application Developer" role to the ID which you are using to authenticate from Az Devops.
Please refer this MS link for reference:
Permsissions

Related

Create a release pipeline in Azure DevOps which uploads a file to LCS, with a non admin user that doesn't have MFA

I'm trying to create a release pipeline in DevOps, that releases packages to LCS. The normal Dynamics 365 FO way of working. The issue is, I don't have an admin account without MFA that can be used to do this. Which roles or general setup, should I set on the AAD user, to be able to create the release? Currently I'm getting the AADSTS7000218 error.
I created a user that doesn't have MFA and I expect to add certain roles to be able to use this user for creating releases in DevOps.
In Azure DevOps, to create release pipeline you need "Edit release pipeline" permission set to Allow. And you need to be at least a Basic user.
And as per the document, AADSTS7000218 means The request body must contain the following parameter: 'client_assertion' or 'client_secret'. When authenticating to Azure AD to get an access token, the client application is not providing its “password” (in the form of either a client secret or a client assertion) as expected by Azure AD’s token endpoint.
You could try navigating to Azure Active Directory->App Registration and find Authentication in your application. And set "Allow public client flows" to "Yes" in Azure portal.
Here's another ticket has the similar issue, hope it can help.

Azure Release Pipeline does not have enough permissions to deploy Bicep/ARM template

When I try to deploy my Bicep template through a DevOps release pipeline I get the following error:
Deployment failed with multiple errors: 'Authorization failed for
template resource '1525ed81-ad25-486e-99a3-124abd455499' of type
'Microsoft.Authorization/roleDefinitions'. The client
'378da07a-d663-4d11-93d0-9c383eadcf45' with object id
'378da07a-d663-4d11-93d0-9c383eadcf45' does not have permission to
perform action 'Microsoft.Authorization/roleDefinitions/write' at
scope
'/subscriptions/8449f684-37c6-482b-8b1a-576b999c77ef/resourceGroups/rgabpddt/providers/Microsoft.Authorization/roleDefinitions/1525ed81-ad25-486e-99a3-124abd455499'.:Authorization
failed for template resource '31c1daec-7d4a-4255-8528-169fc45fc14d' of
type 'Microsoft.Authorization/roleAssignments'.
I understand through this post that I have to grant "something" the Owner or User Access Administrator role.
But I don't understand what user has the ObjectId 378da07a-d663-4d11-93d0-9c383eadcf45.
I tried to look it up with the following az CLI command, but it says that it cannot find a resource with that Id:
az ad user show --id 378da07a-d663-4d11-93d0-9c383eadcf45
The response it returns:
Resource '378da07a-d663-4d11-93d0-9c383eadcf45' does not exist or one of its queried reference-property objects are not present.
I'm a but clueless here. What do I exactly have to grant permission?
When you use service connection in DevOps pipeline, for example Azure Resource Manager service connection, it will create a service principal(app registry) on Azure portal-> Active Directory. You can find the service principal by clicking the link on service connection:
When you deploy with service connection, please make sure you have give correct permission for this service principal on target resource, like mentioned Microsoft.Authorization/roleDefinitions/write. Suggest to give contributor role on the resource. Otherwise it will reports the error in your pipeline log.
When you add the role, you will find the object id, it's different with service principal application ID or object id.
It's azure role not Azure AD role. You can find the difference in the doc.

Do Azure DevOps Service Connection need elevated permissions?

I'm using Azure DevOps services to create service connection but getting errors.
I am trying to follow the steps outlined here
These are the steps I followed:
Add a new AAD app registration with secret.
In DevOps, from project settings create a new service connection.
Connection type: ARM
Authentication method: Serviceprincipal (manual)
Env: Azure Cloud
Scope: Subscription
Subscription Id: xxx
Subscription name: xxx
service principal id: xxx
service principal key: xxx
Tenant Id: xxx
When I click Verify, I get this error:
Failed to query service connection API:
'https://management.azure.com/subscriptions/xxx?api-version=2016-06-01'.
Status Code: 'Forbidden', Response from server:
'{"error":{"code":"AuthorizationFailed","message":"The client 'abc'
with object id 'abc' does not have authorization to perform action
'Microsoft.Resources/subscriptions/read' over scope
'/subscriptions/xxx' or the scope is invalid. If access was recently
granted, please refresh your credentials."}}'
So,
Does this mean, my app registration need to have read permission on this xxx subscription?
Can't I scope it to resource group level? If yes, how can I do that as I don't see that option in portal?
Thanks!
I tried to reproduce the same in my environment and got the same error as below:
Does this mean, my app registration needs to have read permission on this xxx subscription? Can't I scope it to resource group level?
Yes, your app registration needs to have read permission on that subscription level. You cannot scope it to resource group level as the query https://management.azure.com/subscriptions/xxx?api-version=2016-06-01 is related to subscriptions.
Read permission will be included in roles like reader, contributor and owner. For least privilege, I assigned reader role to the app like below:
Go to Azure Portal -> Subscriptions -> Your Subscription -> Access Control(IAM) -> Add role assignment -> Select Role
After assigning that role, verification is successful like below:
When you create ARM service principle (Manual) type Service Connection, you need to manually add role assignment for this service principle inside your Azure Subscription in Azure Portal.
In common, you will need to give this service principle “Contribute” role to perform the action.
Find the Overview Page of this app registration in AAD.
In your Azure Subscription page, click IAM -> Add -> Add role assignment
Select the name of this app and assign it a "Contribute" role of this Azure Subscription.

Azure DevOps Release Pipeline Managed Identity App Service Error On Deployment

I am just new to Azure Cloud and Devops, so forgive me if I may forget some critical info here.
So during creation of tasks for the release and selecting subscriptions, I get an error when trying to authorize the subscription (which I suspect is because of insufficient permissions associated to my account), so I go to advanced options to select the managed identity authentication.
After which no error shows now. So I set all remaining items and assign Deploy Azure App Service task. However during the running of the agent I get an error during Deploy Azure App Service step.
Error: Failed to get resource ID for resource type 'Microsoft.Web/Sites' and resource name 'sample-vue'. Error: Could not fetch access token for Managed Service Principal. Please configure Managed Service Identity (MSI) for virtual machine 'https://aka.ms/azure-msi-docs'. Status code: 400, status message: Bad Request
I have already set my azure app service to have a system assigned managed identity, but still this error occurs. I can't find any answer, online, with regards to the error above so hoping that someone could help explain to me the problem and how to possibly fix it. My hunch now is that I may have some insufficient permissions, but I don't know what it may be.
Please try the following items:
Remove and re-add the service connection in DevOps.
Check the rights of the account on Azure subscription. Please verify if the account has at least contributor access on Azure subscriptions. Check https://learn.microsoft.com/en-us/azure/billing/billing-add-change-azure-subscription-administrator

Azure Resource Manager Service Connection not connecting

We currently have one DevOps repository, with a functional CI/CD pipeline. We have another website hosted on a different instance (and different region) on Azure. We are trying to use our existing repo to deploy to the other Azure instance, but it is giving is the following message:
Failed to query service connection API: 'https://management.azure.com/subscriptions/c50b0601-a951-446c-b637-afa8d6bb1a1d?api-version=2016-06-01'. Status Code: 'Forbidden', Response from server: '{"error":{"code":"AuthorizationFailed","message":"The client '2317de35-b2c2-4e32-a922-e0d076a429f5' with object id '2317de35-b2c2-4e32-a922-e0d076a429f5' does not have authorization to perform action 'Microsoft.Resources/subscriptions/read' over scope '/subscriptions/c50b0601-a951-446c-b637-afa8d6bb1a1d'."}}'
I have tried all of the recommended trouble-shooting, making sure that the user is in a Global Administrator role and what-not, but still not luck. The secondary Azure subscription that we are hoping to push our builds to is a trial account. I'm not sure if it being a trial account matters.
I came across the same error. It turns out that, as the error message states, the service principal didn't have Read permission over the subscription. So the solution was to go to Azure Portal, select the subscription, select IAM and assign the role Reader to my service principal. Full explanation on here:
https://clydedz.medium.com/connecting-azure-devops-with-azure-46a908e3048f
I have the same problem. There are one repository and two instances of the application on the Azure portal. For the first instance, the subscription Pay-As-You-Go is used, and there were no problems for it when creating the service connection and CI/CD settings. For the second instance, a free subscription is used and when trying to create a new service connection (Azure Resource Manager) I get the same error.
I tried to do it with the permissions of Owner and Contributor
UPD: I was helped by the re-creation of the application in the azure portal
https://learn.microsoft.com/en-ca/azure/active-directory/develop/howto-create-service-principal-portal
Another option would be to save without verification if the Service Principle will not require permissions at the Subscription level. Like for example providing access to a Keyvault.
Check if the service connection for the second instance is correctly added in project settings: