After reading this documentation https://learn.microsoft.com/en-us/azure/devops/organizations/security/about-permissions?view=azure-devops-2020&tabs=preview-page#active-directory-and-azure-active-directory-security-groups it seems that Azure DevOps Server on premises can be used only with Active Directory but not with Azure Active Directory. Is it correct? Is there a way to use Azure DevOps Server with Azure Active Directory?
You are right, as on-premises Azure DevOps Server, is built on a SQL
Server back end which can work with on-prem AD .
Azure ad authentication for on prem directly is not feasible as it is
cloud based and involves azure based sql .
Note: On-premise SQL Server only supports Windows Authentication and
SQL Server Authentication. Windows authentication depends on Kerberos
(or NTLM), which needs an Active Directory domain to authenticate the
user in. Azure Active Directory does not handle Kerberos tokens.
But we can opt to migrate devops server to azure devops services to
work with AAD .Migration is when one wants to completely move to
cloud and it involves complex process as database/hardware is
involved.
If one wants to continue on premise server to use existing on-premises
identities with Azure DevOps, you can integrate directories with
Azure AD by using Azure AD Connect which connects an organization’s
on-prem Active Directory instance and cloud-based azure active
directory.It involves On prem users to be mapped to AAD tenant.
Please refer this Document.
Other References:
PTA
Migrate - Azure DevOps | Microsoft Docs
Related
I've got an active directory and azure devops server 2020 on windows server . How can I connect the two? My server is not connected to the Internet.
Active Directory works with Domain Services. See Active Directory Domain Services Overview for details.
What you need is to join the Windows server which installs Azure DevOps Server to Domain. Please refer to Join a Computer to a Domain for details.
After that it will automatically sync with the corporate domain.
However, Azure DevOps use a background synchronization job, scheduled every hour, to look for changes in Active Directory (or the local machine workgroup if the server is not domain joined). So changes you make to local or Active Directory groups do not get reflected in Azure DevOps immediately. Instead, Azure DevOps will synchronize those groups regularly (by default every hour).
That's all required. After this, you could directly add domain users or groups to groups in Azure DevOps server.
Sorry for the noob question - I'm a developer and don't know much about Windows administration. I'm upgrading from TFS 2017 to Azure Devops Server (onPrem). This will be on a new set of boxes though so it's not an in-plaee upgrade. Right now I'm doing proof-of-concept testing on a machine not on our domain so obviously I can't add users from the domain. My question is once I install Azure Devops Server on a machine on the domain will it automatically sync with the corporate domain? I've read that that happens once an hour - I'm just wondering if there's anything I need to install/setup to make that happen.
What you need is to join the Windows server which installs Azure DevOps Server to Active Directory.
After that it will automatically sync with the corporate domain.
However, Azure DevOps use a background synchronization job, scheduled every hour, to look for changes in Active Directory (or the local machine workgroup if the server is not domain joined). So changes you make to local or Active Directory groups do not get reflected in Azure DevOps immediately. Instead, Azure DevOps will synchronize those groups regularly (by default every hour).
That's all required. After this, you could directly add domain users or groups to groups in Azure DevOps server.
You can also try to force Azure DevOps Server to sync with Active Directory by following instructions mentioned in this article: How to synchronize TFS users with AD (Active Directory)?, it's still available for current Azure DevOps Server versions.
I am trying to establish a Service Connection from Azure DevOps to my Azure B2C tenant and am running into issues. I'm starting to think it's not even possible.
I have multiple Service Connections to the primary Azure Subscription/Tenant, but specifically wanted a connection to my B2C Tenant, so that I can manage B2C resources using Terraform and the Pipeline Agent within Azure DevOps.
Does anyone know if this is even possible? Or a method of getting this setup? No documentation online has been helpful
I know that it is possible to connect to Azure DevOps Services using Microsoft Office365 (O365) public cloud.
But is it possible for US Gov customers to connect to Azure DevOps Service using their O365 Government Community Cloud (GCC) account?
Is it even supported or in the roadmap for future?
Azure DevOps Service is a hosted version of Azure DevOps Server (TFS).
Currently it is not possible to connect Azure DevOps Service using O365 GCC account.
But if you have O365, then you can use it to connect to Azure DevOps Service. Meaning you should be able to create an Azure DevOps Service Organization to manage your projects and add other user from your company who are also using your O365 account.
Azure DevOps Service requires a Azure Commercial or Public Cloud Tenant subscription using either Enterprise Agreement (EA) if you are a company or Pay-As-You-Go Azure Subscription on Azure Public Cloud.
It is currently hosted on Azure Commercial Cloud and at the moment there is no road-map to also make it available in other Azure Clouds like US Government cloud. However one can still use O365 account to connect to Azure DevOps Services.
Is there a way to deploy SQL Database project to Azure SQL Managed Database from Azure DevOps ? Are there ports to open on Azure Network Security Group ?
Thank you
Bertrand
No, not using Azure DevOps hosted agent. That is because a managed instance does not have a public ip address an DevOps can not find your server. If you want to use DevOps you must host your own agent on a separate VM and open up all the internal/external routing you need.
the 'Azure SQL Database Deployment' task in the release pipeline should work for you. With a service connection (Service Principal in Azure) with the correct permissions on the subscription or resource group you can write to the resources, no need to open specific ports in NSGs
This is now possible on MI and Azure DevOps.
Not sure what the NSG settings are if you have restricted access via a NSG.