Connect Visual Studio Team Services to Azure Using a Service Principal Name
In today’s Ask the Admin, I will show you how to connect Visual Studio Team Services (VSTS) to Azure using a Service Principal Name (SPN) so that you can deploy code directly to Azure from VSTS.
VSTS allows sysadmins and developers to build apps on code in a VSTS project directly in Azure. VSTS uses an Azure Resource Manager (ARM) service endpoint to connect to Azure. If you use the same account to log into VSTS and Azure, give the connection a name to set up a new endpoint. Then, select the Azure subscription from the dropdown menu.
I recently came across a problem. If the Microsoft account used to log into VSTS is different from the one used for your Azure tenant, you will not be able to add an ARM service endpoint to VSTS. You have to perform extra configuration. The solution to the problem is to create an SPN in the Azure Active Directory (Azure AD) associated with the Azure tenant. This is where the app will be deployed.
Add an ARM Service Endpoint in Visual Studio Team Services
Let’s look at how to add an ARM service endpoint in VSTS without an SPN.
- Log into your VSTS site using the URL provided at sign up. It should look something like this: myproject.visualstudio.com.
- On the VSTS homepage under Projects, click the project where you want to add a service endpoint.
- At the top of the project page, click the gear settings icon.
- In the list of options across the top of the page, click Services.
- In the column on the far left, select Endpoints and click New Service Endpoint.
- Select Azure Resource Manager from the list of options in the menu.
- In the Add Azure Resource Manager Service Endpoint dialogue, type a name for the connection.
- Click the Subscription dropdown menu and select the Azure subscription you want to connect to from the list.
- Click OK.
What if the Azure subscription you want to connect to is not associated with the account you use to log into VSTS? The dropdown menu will be empty. In this case, you will need to create an Azure AD SPN.
Create an Azure Active Directory Service Principal Name
Microsoft has a script (SPNCreation.ps1) on GitHub for creating Azure AD SPNs. To run it, you will need Microsoft Azure PowerShell installed on your PC. I recommend using the Web Platform Installer 5.0 to install the necessary components.
- Right-click the ps1 script you just downloaded and select Edit from the menu.
- The script will open in Windows PowerShell ISE.
- In the code window, press CTRL+A to select the entire script.
- Press F8 to run the selected code.
- When prompted, enter your Azure subscription name.
- You will be asked to enter a password. When you come to add a new ARM service endpoint, you will need to enter this password in VSTS.
- Enter your Azure tenant credentials in the Sign into your account dialogue. Click Sign in.
The script will now run. When it is done, you will see information about the new SPN. You will need to enter the following in VSTS:
- Connection Name
- Subscription ID
- Subscription Name
- Service Principal ID
- Service Principal Key
- Tenant ID
If you want to get a list of the configured SPNs for your Azure AD, type Get-AzureRmADServicePrincipal into the output pane at the bottom of the ISE. Press ENTER.
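For readers who prefer to see what the script does rather than run it blind, here is an added PowerShell example that performs the same steps with the AzureRm cmdlets. It is not Microsoft's SPNCreation.ps1 and not code from this article. It differs from the script in two ways worth noting: it generates a random key instead of prompting for a password, and it grants the Contributor role only on the resource group the build deploys to rather than on the whole subscription, which is the least privilege a VSTS deployment usually needs. It assumes AzureRm 4.x or later (where Get-AzureRmContext exposes .Subscription.Id, .Subscription.Name and .Tenant.Id) and that the resource group already exists; the display name, identifier URI and resource group name are placeholders.

```powershell
# Added example, not the page's SPNCreation.ps1. Creates an Azure AD application and
# service principal, scopes Contributor to one resource group, verifies the assignment,
# and prints the six values the VSTS ARM service endpoint dialogue asks for.
# Assumes AzureRm 4.x or later and an existing resource group (placeholders below).
param(
    [Parameter(Mandatory = $true)] [string] $SubscriptionName,
    [Parameter(Mandatory = $true)] [string] $ResourceGroupName,   # assumption: the RG the build deploys to
    [string] $DisplayName = 'vsts-deploy-spn'                      # placeholder display name
)

# 1. Sign in interactively (as the article's script does) and select the subscription
Login-AzureRmAccount | Out-Null
Set-AzureRmContext -SubscriptionName $SubscriptionName | Out-Null
$ctx = Get-AzureRmContext

# 2. Generate a 256-bit random key instead of asking the operator to invent a password.
#    It is displayed once at the end; paste it into VSTS and store it nowhere else.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$plainKey  = [Convert]::ToBase64String($bytes)
$secureKey = ConvertTo-SecureString $plainKey -AsPlainText -Force

# 3. Create the application and its service principal
$identifierUri = "http://$DisplayName"   # placeholder; must be unique within the tenant
$app = New-AzureRmADApplication -DisplayName $DisplayName -HomePage $identifierUri `
                                -IdentifierUris $identifierUri -Password $secureKey
$sp  = New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId

# 4. Least privilege: Contributor on the deployment resource group only, not the subscription.
#    The new principal can take a few seconds to replicate, so the assignment is retried.
$scope    = "/subscriptions/$($ctx.Subscription.Id)/resourceGroups/$ResourceGroupName"
$assigned = $false
for ($i = 0; $i -lt 6 -and -not $assigned; $i++) {
    try {
        New-AzureRmRoleAssignment -RoleDefinitionName Contributor `
                                  -ServicePrincipalName $app.ApplicationId `
                                  -Scope $scope -ErrorAction Stop | Out-Null
        $assigned = $true
    } catch {
        Start-Sleep -Seconds 10
    }
}
if (-not $assigned) { throw "Role assignment failed for $($app.ApplicationId) at $scope" }

# 5. Verify the principal holds exactly the role we expect at exactly that scope
$check = Get-AzureRmRoleAssignment -ServicePrincipalName $app.ApplicationId |
         Where-Object { $_.Scope -eq $scope -and $_.RoleDefinitionName -eq 'Contributor' }
if (-not $check) { throw 'Verification failed: expected Contributor assignment not found' }

# 6. Print the fields in the order the VSTS endpoint dialogue lists them
[pscustomobject]@{
    'Connection Name'       = $DisplayName
    'Subscription ID'       = $ctx.Subscription.Id
    'Subscription Name'     = $ctx.Subscription.Name
    'Service Principal ID'  = $app.ApplicationId
    'Service Principal Key' = $plainKey
    'Tenant ID'             = $ctx.Tenant.Id
} | Format-List
```

Run it as `.\New-VstsSpn.ps1 -SubscriptionName 'My Subscription' -ResourceGroupName 'rg-web-prod'` (file name and arguments are placeholders). The Service Principal Key is the value the article calls the password; VSTS stores it in the endpoint, so there is no need to keep a copy elsewhere, and `Get-AzureRmRoleAssignment -ServicePrincipalName <id>` can be rerun at any time to confirm the principal has not quietly gained broader rights.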
Add an ARM Service Endpoint in Visual Studio Team Services Using a Service Principal Name
Now that the SPN has been created in Azure, you need to add the information output by the script in VSTS. Follow the instructions for adding an ARM service endpoint. This will get you to the Add Azure Resource Manager Service Endpoint dialogue.
- At the bottom of the Add Azure Resource Manager Service Endpoint dialogue, you will see: If your subscription is not listed above, or your account is not backed by Azure Active Directory, or to specify an existing Service Principal, click here. Click the link to continue.
- Enter the information provided by the script and the password that you provided into the dialogue.
- Once you have entered the information, scroll down and click Verify connection.
- You should see that the connection is verified.
- Click OK to complete the process.
The new service endpoint will appear in the list on the left. You will now be able to build the project in VSTS and the Azure AD SPN will appear in the list of available Azure Subscriptions.
In this article, I showed you how to add an ARM service endpoint in VSTS and how to create an Azure AD SPN.