I am trying to establish a Service Connection from Azure DevOps to my Azure B2C tenant and am running into issues. I'm starting to think it's not even possible.
I have multiple Service Connections to the primary Azure Subscription/Tenant, but specifically wanted a connection to my B2C Tenant, so that I can manage B2C resources using Terraform and the Pipeline Agent within Azure DevOps.
Does anyone know if this is even possible? Or a method of getting this setup? No documentation online has been helpful
Related
i am implementing CI/CD pipeline that needs to register an AAD Application with permissions to read/write into Site collections, this would mean that the pipeline itself need to have permission to 'Sites.FullControl.All'. I want to understand from the security perspective, if this is desirable, i.e., a pipeline having FullControl access to a SharePoint tenant. What are the recommended practices w.r.t. this, will the application registration in such scenarios be manually done by Ops team?
According to your description, it seems that you want to use the service connection in the Azure CI/CD pipeline.
We can create a service connection with Service principal (automatic) or Service principal (manual).
Use the following parameters to define and secure a connection to a Microsoft Azure subscription using Service Principal Authentication (SPA) or an Azure managed Service Identity.
Automated subscription detection. In this mode, Azure Pipelines
queries Azure for all of the subscriptions and instances to which you
have access. They use the credentials you're currently signed in with
in Azure Pipelines (including Microsoft accounts and School or Work
accounts).
If you don't see the subscription you want to use, sign out of Azure Pipelines and sign in again using the appropriate account credentials.
Manual subscription pipeline. In this mode, you must specify the
service principal you want to use to connect to Azure. The service
principal specifies the resources and the access levels that are
available over the connection.
For more information, you could refer to Azure Resource Manager service connection.
I am looking for a way to create a service account to access the Azure Devops REST API.
The goal would be that this service account would be able to list all the projects.
For now the only solution I found was to create a new user, add it to an overall admin group and create a PAT for it.
Does anyone found another way of doing so ?
Thanks in advance
PS: we have a Azure Devops Service solution
Based on your description and concern, please note that the service account in Azure DevOps Service is automatically created for you when you create an organization in Azure DevOps Services. It is used when clients communicate with the hosted service and can be viewed through the web portal administration page.
And it is not supported to manually create service Account in Azure DevOps Service.
For more information, you could refer to the doc: Service account requirements - Azure DevOps | Microsoft Docs & Service accounts and dependencies - Azure DevOps Server | Microsoft Docs .
After reading this documentation https://learn.microsoft.com/en-us/azure/devops/organizations/security/about-permissions?view=azure-devops-2020&tabs=preview-page#active-directory-and-azure-active-directory-security-groups it seems that Azure DevOps Server on premises can be used only with Active Directory but not with Azure Active Directory. Is it correct? Is there a way to use Azure DevOps Server with Azure Active Directory?
You are right, as on-premises Azure DevOps Server, is built on a SQL
Server back end which can work with on-prem AD .
Azure ad authentication for on prem directly is not feasible as it is
cloud based and involves azure based sql .
Note: On-premise SQL Server only supports Windows Authentication and
SQL Server Authentication. Windows authentication depends on Kerberos
(or NTLM), which needs an Active Directory domain to authenticate the
user in. Azure Active Directory does not handle Kerberos tokens.
But we can opt to migrate devops server to azure devops services to
work with AAD .Migration is when one wants to completely move to
cloud and it involves complex process as database/hardware is
involved.
If one wants to continue on premise server to use existing on-premises
identities with Azure DevOps, you can integrate directories with
Azure AD by using Azure AD Connect which connects an organization’s
on-prem Active Directory instance and cloud-based azure active
directory.It involves On prem users to be mapped to AAD tenant.
Please refer this Document.
Other References:
PTA
Migrate - Azure DevOps | Microsoft Docs
I know that it is possible to connect to Azure DevOps Services using Microsoft Office365 (O365) public cloud.
But is it possible for US Gov customers to connect to Azure DevOps Service using their O365 Government Community Cloud (GCC) account?
Is it even supported or in the roadmap for future?
Azure DevOps Service is a hosted version of Azure DevOps Server (TFS).
Currently it is not possible to connect Azure DevOps Service using O365 GCC account.
But if you have O365, then you can use it to connect to Azure DevOps Service. Meaning you should be able to create an Azure DevOps Service Organization to manage your projects and add other user from your company who are also using your O365 account.
Azure DevOps Service requires a Azure Commercial or Public Cloud Tenant subscription using either Enterprise Agreement (EA) if you are a company or Pay-As-You-Go Azure Subscription on Azure Public Cloud.
It is currently hosted on Azure Commercial Cloud and at the moment there is no road-map to also make it available in other Azure Clouds like US Government cloud. However one can still use O365 account to connect to Azure DevOps Services.
Is there a way to deploy SQL Database project to Azure SQL Managed Database from Azure DevOps ? Are there ports to open on Azure Network Security Group ?
Thank you
Bertrand
No, not using Azure DevOps hosted agent. That is because a managed instance does not have a public ip address an DevOps can not find your server. If you want to use DevOps you must host your own agent on a separate VM and open up all the internal/external routing you need.
the 'Azure SQL Database Deployment' task in the release pipeline should work for you. With a service connection (Service Principal in Azure) with the correct permissions on the subscription or resource group you can write to the resources, no need to open specific ports in NSGs
This is now possible on MI and Azure DevOps.
Not sure what the NSG settings are if you have restricted access via a NSG.