
To connect your Azure services to Azure DevOps, you'll need to create an Azure Service Connection. This connection allows you to link your Azure services to your DevOps project, enabling you to manage and monitor them from a single platform.
An Azure Service Connection is essentially a bridge between your Azure services and Azure DevOps. By creating a connection, you can access your Azure services directly from your DevOps project, streamlining your workflow and improving collaboration.
To create an Azure Service Connection, you'll need to provide the necessary details, such as the Azure subscription ID and the resource group name. This information is required to establish the connection between your Azure services and Azure DevOps.
Once you've created the connection, you can use it to link your Azure services to your DevOps project, allowing you to manage and monitor them from a single platform.
Check this out: Azure Openai Private Link
Prerequisites
To get started with Azure Service Connection, you'll need to have a few things in place. First, you'll need to have an Azure DevOps project and pipeline set up.
You'll also need to have the appropriate user roles assigned to create, view, use, or manage a service connection. This is important to ensure you have the necessary permissions to proceed.
To create an Azure Service Connection, you'll need to have an Azure account with an active subscription. If you don't have one, you can create an account for free.
You'll also need to have an application deployed to App Service in a region supported by Service Connector. If you don't have one yet, you can create and deploy an app to App Service.
Here are the specific prerequisites you'll need to meet:
- An Azure DevOps project and pipeline.
- The appropriate assigned user roles to create, view, use, or manage a service connection.
- An Azure account with an active subscription.
- An application deployed to App Service in a region supported by Service Connector.
Azure Service Connection Setup
To set up an Azure service connection, you'll need to choose an authentication method. You can connect to an Azure Container Registry using a Service Principal, Managed Identity, or Workload Identity federation.
There are three main ways to connect to an Azure Container Registry: using a Service Principal, Managed Identity, or Workload Identity federation. Each method has its own set of required parameters. For Service Principal, you'll need to enter the Subscription, Azure Container Registry, Connection name, and Description. For Managed Identity, you'll need to enter the Subscription ID, Subscription name, Tenant ID, Azure container registry login server, and Connection name. For Workload Identity federation, you'll need to enter the Subscription, Azure container registry, Connection name, and Description.
Take a look at this: What Is Service Principal in Azure
To create a service connection, you'll need to enter the required parameters for your chosen authentication method. The parameters will vary depending on the method you choose. Here are the required parameters for each method:
Container Registry
To set up an Azure Container Registry service connection, you can use one of three authentication methods: Service Principal, Managed Identity, or Workload Identity federation.
You'll need to enter the Azure subscription containing the container registry, the Azure Container Registry itself, and a connection name to refer to the service connection in task properties.
The connection name is required and will be used in YAML pipelines as the azureSubscription or equivalent subscription name value in the script.
You can also add a description of the service connection, which is optional, but it's a good idea to include it for future reference.
Selecting Grant access permission to all pipelines will allow all pipelines to use this connection, but if you don't select this option, you must explicitly authorize the service connection for each pipeline that uses it.
Check this out: Azure Managed Service Identity
Here are the required parameters for each authentication method:
Note that the parameters for Managed Identity include the GUID-like identifier for your Azure subscription, the name of your Microsoft Azure subscription, and the GUID-like identifier for your Microsoft Entra ID tenant.
You can copy these identifiers from the Azure portal.
See what others are reading: Microsoft Azure Services Appauthentication
Subscription Option
To set up an Azure service connection, you'll need to choose the right subscription option. This option is required for creating a service connection.
The Azure subscription option requires you to select the Azure subscription containing the cluster to be used for service connection creation. You'll also need to specify the cluster name, namespace, and connection name.
A ServiceAccount gets created in the chosen namespace along with a RoleBinding object, so that the created ServiceAccount can do actions only on the chosen namespace. This is the case for an Azure RBAC enabled cluster.
For an Azure RBAC disabled cluster, a ServiceAccount gets created in the chosen namespace, but the created ServiceAccount has cluster-wide privileges (across namespaces).
Here's a breakdown of the Azure subscription option parameters:
If you can't see subscriptions from other Azure tenants, check your Microsoft Entra permissions in those tenants.
Fabric
When creating a service connection to a Service Fabric cluster, you have three options for the authentication method.
Certificate based authentication is one of the options available.
Microsoft Entra credential is another option for authenticating your service connection.
Windows security using gMSA is also a valid choice for authenticating your service connection.
Setting up a service connection to a Service Fabric cluster requires careful consideration of the authentication method.
Each of the three options has its own unique benefits and use cases.
Certificate based authentication is often used in scenarios where high security is required.
Microsoft Entra credential is a good option when you need to integrate with other Azure services.
Windows security using gMSA is ideal for scenarios where you want to use the cluster's built-in security features.
You might like: Windows Azure Media Services
Existing User-Assigned Managed
To set up an Azure Service Connection using an existing user-assigned managed identity, you'll need to have one created beforehand. This type of identity is used for applications or services to authenticate within Azure without storing credentials.
You can use the automated method to create a service connection with a managed identity. This method creates a managed identity using a pre-formatted name and assigns contributor access to the managed identity to the subscription and optional resource group.
To create a service connection with a managed identity, sign into your Azure DevOps organization, select the Azure DevOps project where the service connection should live, and then select the Project settings icon in the lower left. In Project Settings, under Pipelines, select Service connections.
The automatic method performs many of the same tasks as the automatic service principal method. It creates a managed identity using a pre-formatted name and assigns contributor access to the managed identity to the subscription and optional resource group.
For more information about troubleshooting Azure Resource Manager service connections, see the article section "Create an Azure Resource Manager service connection for an existing user-assigned managed identity".
See what others are reading: Azure Devops Service Principal
Azure Service Connection Configuration
To create a service connection in Azure DevOps, you'll need to navigate to Project Settings in your project. From there, go to Service Connections under the Pipelines category and click New Service Connection.
You can connect to an Azure Container Registry using a Service Principal, Managed Identity, or Workload Identity federation. To define a connection using a Service Principal, you'll need to input the Service Principal ID, Service Principal Key, Tenant ID, Subscription ID, and Subscription Name.
Here are the parameters you'll need to define a connection to an Azure Container Registry using a Managed Service Identity:
Alternatively, you can use the automated method to create a service connection with a service principal or managed identity. This method will create a service principal or managed identity, assign contributor access to the subscription or resource group, and configure a secret credential for authentication.
Recommended read: Managed Azure Services
View
To view information about a service connection, you can select Project settings > Service connections, and then choose the connection you want to view. This will take you to the Overview tab where you can see the details of the connection, such as connection type, creator, and authentication type.
The Overview tab provides a summary of the connection, including its creator and authentication type. You can also find historical usage details on the Usage history tab.
To view the historical usage of a service connection, navigate to the Usage history tab. This tab shows details about how the connection has been used in the past.
The Approvals and checks tab is where you can manage approvals and checks that allow a pipeline stage to use the service connection. To add approvals and checks, select the + symbol or Add new.
You can also view service connections in App Service by selecting the Service Connector page. This page displays existing App Service connections, which you can expand to see the environment variables required by your application code.
To expand the list of App Service connections, select the > button. This will reveal the environment variables required by your application code. You can also select Hidden value to view the hidden value.
In App Service, you can validate your connection by selecting Validate. This will check your connection and provide details about the validation in the panel on the right. If you want to learn more about the connection validation details, select Learn more.
See what others are reading: Add Azure
Configuring

Configuring your Azure Service Connection involves several steps, but don't worry, it's easier than you think. To create a service connection, you'll need to select the type of connection you want to create, such as Azure Resource Manager, Azure Container Registry, or Other Git servers.
To edit an existing service connection, you can select the service connection page and click on the "Edit" button. You can also edit service connection properties by selecting the "Security" or "Delete" option from the More options menu.
One of the key parameters you'll need to enter when creating an Azure Container Registry connection is the Subscription ID, which is a required field. You'll also need to enter the Azure Container Registry login server and the Tenant ID, which is also a required field.
When using the automated method to create a service connection, Azure DevOps will automatically create a service principal and configure a secret credential in the generated service principal. This reduces manual administration and ensures that the secret is automatically renewed before it expires.
Suggestion: Azure Web App Container
To configure a service connection using workload identity federation, you can use an existing service principal or create a managed identity. If you don't have an existing service principal, you can use a managed identity instead. A managed identity provides an identity for applications or services to authenticate within Azure without storing credentials.
Here are the steps to create an Azure Resource Manager service connection using workload identity federation:
- Sign into your Azure DevOps organization at https://dev.azure.com.
- Select the Azure DevOps project where the service connection should live.
- In the project, select the Project settings icon in the lower left.
- In Project Settings, under Pipelines, select Service connections.
- If this is your first service connection, choose Create service connection; otherwise, select New service connection.
- In the New service connection flyout, select Azure Resource Manager, then click Next.
- On the Authentication method page, select Workload Identity federation (automatic). Click Next.
- Select the Scope level, Subscription, and optional Resource group. Enter a Service connection name and security option for pipeline access. Click Save.
By following these steps, you can configure your Azure Service Connection using workload identity federation, which allows you to authenticate with Azure resources without using secrets.
For your interest: How to Connect to Azure Cosmos Db Using Connection String
Package Management
Package management is a crucial aspect of Azure service connections. To connect to a NuGet server, you'll need to define a connection with specific parameters, including authentication method, feed URL, and connection name.
You can choose from three authentication methods: ApiKey, External Azure Pipelines, or Basic authentication. Each method requires different parameters, such as an authentication key, personal access token, or username and password.
Here's a breakdown of the required parameters for each authentication method:
By configuring your NuGet connection correctly, you'll be able to manage packages efficiently and securely.
Use a

To use a service connection in your Azure DevOps pipelines, you can follow these steps. For YAML pipelines, use the connection name in your code as the azureSubscription or other connection name value. This is a straightforward process that requires minimal setup.
To create a service connection, you'll need to select the Azure Resource Manager option and choose the authentication method. Select Workload Identity federation (automatic) for a seamless experience. This method creates a managed identity using a pre-formatted name and assigns contributor access to the managed identity.
In Classic pipelines, select the connection name in the Azure subscription or other connection name setting in your pipeline task. This ensures that your pipeline has the necessary credentials to access your Azure resources.
If your subscription is defined in an Azure Government Cloud, ensure your application meets the relevant compliance requirements before you configure a service connection. This is an important step to avoid any potential issues or security risks.
To use a Git repository, you'll need to provide the repository URL and authentication details. You can choose to attempt accessing the repository from Azure Pipelines, which can improve performance but may not be suitable for all scenarios.
Consider reading: Azure Blob Storage Access
Common Types

Package management systems can be broadly categorized into two main types: source-based and binary-based.
Source-based systems, like Portage in Gentoo Linux, rely on source code to install and manage packages. They allow for more flexibility and customization, but can be slower and more resource-intensive.
Binary-based systems, such as apt in Debian and Ubuntu, provide pre-compiled packages that can be easily installed and managed. They are generally faster and more efficient, but may not offer the same level of customization as source-based systems.
Some package managers, like npm in Node.js, are specifically designed for managing dependencies in JavaScript projects. They allow developers to easily install and manage packages, but can also lead to "dependency hell" if not managed properly.
Other package managers, like pip in Python, are designed for managing packages in specific programming languages. They provide a convenient way to install and manage dependencies, but may not offer the same level of flexibility as source-based systems.
You might like: Azure Ad Connect Sync Service Not Running
Nuget
NuGet is a package management system that allows you to manage dependencies in your projects. You can define and secure a connection to a NuGet server by using the NuGet service connection feature.
To connect to a NuGet server, you need to specify the authentication method, which can be ApiKey, External Azure Pipelines, or Basic authentication. You'll also need to provide the Feed URL, which is the URL of the NuGet server.
Here are the required parameters for each authentication method:
If you're using YAML, use the name as the azureSubscription or the equivalent subscription name value in the script. You can also grant access permission to all pipelines to allow all pipelines to use this connection.
A different take: Azure Devops Use Service Connection in Powershell Task
Python Package Upload
To upload Python packages, you'll need to define and secure a connection to a Python repository. This involves selecting an authentication method, which can be either Username and Password or Authentication Token.
A different take: Python Access Azure Blob Storage

The authentication method is a required parameter, so you can't skip it. You'll also need to provide the URL of the Python feed, which is another required parameter.
The unique repository used for the twine upload is specified by the EndpointName, which must be a unique value without spaces or special characters. You can also use a Personal Access Token, but this is optional.
When setting up the connection, you'll need to provide a username and password if you're using the Username and Password authentication method. This is a required parameter.
You can give your connection a name, which will be used to refer to it in task properties. This is also a required parameter. You can optionally add a description to the connection, but this is not required.
If you want all pipelines to be able to use this connection, you can select the "Grant access permission to all pipelines" option under the Security section. This is an optional parameter.
A fresh viewpoint: Access Connector for Azure Databricks
Authentication and Authorization
Azure service connections require authentication and authorization to ensure secure access to Azure resources. You can use certificate-based authentication, which involves providing a client certificate and server certificate thumbprints.
To use certificate-based authentication, you'll need to provide the server certificate thumbprints, which can be done by separating multiple thumbprints with a comma. This value overrides the publish profile. You can also use the thumbprints to verify the identity of the cluster.
Alternatively, you can use workload identity federation, which allows Azure DevOps to automatically query for the subscription, management group, or Machine Learning workspace that you want to connect to and creates a workload identity federation for authentication. This is done by selecting App registration (automatic) with the credential Workload identity federation in the Azure DevOps project settings.
Here's a summary of the authentication options:
In some cases, you may need to grant access permission to all pipelines to allow them to use the service connection. This can be done by selecting Grant access permission to all pipelines in the service connection settings.
Certificate-Based Authentication
Certificate-based authentication is a secure way to connect to a cluster, and it's achieved by using a certificate to verify the identity of the cluster.
To set up certificate-based authentication, you'll need to specify the client connection endpoint for the cluster, which should be prefixed with "tcp://". This value overrides the publish profile.
You'll also need to select either "Thumbprint" or "Common Name" from the "Server Certificate Lookup" dropdown, depending on the connection type.
If you choose "Thumbprint", you'll need to enter the thumbprints of the cluster's certificates, separated by commas. This value overrides the publish profile.
The client certificate is required for certificate-based authentication, and you can obtain its Base64 encoding using a PowerShell script.
If you're using Microsoft Entra credential, you'll need to provide the username and password for authentication. The certificate password is optional but required if you're using a certificate-based authentication method.
You can choose to skip Windows security authentication by selecting the "Unsecured" option, but this requires specifying a cluster SPN if you're using this option.
It's essential to provide a name for the service connection, which will be used to refer to it in task properties.
Here's a summary of the required parameters for certificate-based authentication:
Remember to explicitly authorize the service connection for each pipeline that uses it, unless you grant access permission to all pipelines.
App Registration with Secret (Auto)
If you're creating an Azure Resource Manager service connection, you'll have to choose between two credential types: workload identity federation or a secret. Workload identity federation is the preferred credential type, but we'll focus on the secret method here.
To create an Azure Resource Manager app registration with a secret, you'll need to sign in as the owner of the Azure Pipelines organization and the Azure subscription. This is a requirement, not an option.
You don't need to further limit permissions for Azure resources that users access through the service connection. This is a good thing, as it simplifies the process.
Curious to learn more? Check out: Azure Service Manager

However, there are some limitations to keep in mind. You can't use this method if you're connecting to the Azure Stack or the Azure US Government environments. Also, if you're using Azure DevOps Server 2019 or earlier versions of Team Foundation Server, you'll need to use a different method.
To create the service connection, follow these steps:
- Go to Project settings > Service connections in your Azure DevOps project.
- Select New service connection, then select Azure Resource Manager and Next.
- Select App registration (automatic) with the credential Secret.
- Select a Scope level: Subscription, Management Group, or Machine Learning Workspace.
- Enter a Service connection name.
- Optionally, enter a description for the service connection.
- Select Grant access permission to all pipelines to allow all pipelines to use this service connection.
- Select Save.
Here are the requirements for creating an Azure Resource Manager app registration with a secret:
Using Federation
You can create a trusted relationship between Azure DevOps and Azure resources using workload identity federation. This method eliminates the need for secrets and certificates, which have expiration dates and require manual maintenance.
Workload identity federation uses OpenID Connect to authenticate with Azure resources. It's a more secure and efficient way to manage access to Azure resources.
Azure DevOps automatically queries for the subscription, management group, or Machine Learning workspace that you want to connect to and creates a workload identity federation for authentication.
You might like: Azure Devops Service Connection
To create a service connection using workload identity federation, you can select App registration (automatic) with the credential Workload identity federation in the Azure DevOps project.
You can also convert an existing Azure Resource Manager service connection to use workload identity federation for authentication instead of a secret.
Here are the steps to convert an existing Azure Resource Manager service connection:
1. Go to Project settings > Service connections in the Azure DevOps project.
2. Select the service connection that you want to convert to use workload identity.
3. Select Convert.
4. Confirm that you want to create a new service connection.
Note that you can only convert service connections originally created by Azure DevOps. If you created the service account manually, you cannot convert it, as Azure DevOps does not have permission to modify its credentials.
For more insights, see: Aws Iam Federation with Azure Ad
In-App Management
In-App Management is a key feature of Azure Service Connection, allowing you to manage your services directly from within your app.

With Azure Service Connection, you can create and manage service connections, which enable your app to interact with Azure services. This is done through the Azure portal, where you can easily create and configure service connections.
To manage your services in-app, you'll need to install the Azure Service Connection SDK, which provides a set of APIs and tools for integrating Azure services into your app.
Suggestion: How to Create Service Principal in Azure
Incoming Webhook
Creating an Incoming Webhook service connection is a straightforward process that requires a few key pieces of information. You'll need to provide a name for the WebHook, which will serve as a reference point for your pipelines.
The name of the WebHook is a required field, so make sure to choose something descriptive and easy to remember. If you're using YAML, you'll need to use this name as the azureSubscription value in your script.
You can also provide a secret to authenticate with the WebHook, if required by your specific use case. This can add an extra layer of security to your connection.
Broaden your view: Webhook Azure
If you're planning to use this connection in multiple pipelines, you may want to consider granting access permission to all pipelines. This will save you time and effort in the long run, as you won't need to explicitly authorize the service connection for each pipeline.
Here's a summary of the required parameters for creating an Incoming Webhook service connection:
The description of the service connection is optional, but can be helpful if you need to provide context or additional information about the connection.
App Registration (Automatic)
You can create an Azure Resource Manager service connection in Azure DevOps using the App Registration (Automatic) method. This method allows you to automatically create a workload identity federation or a secret for authentication.
To use App Registration (Automatic), you need to be signed in as the owner of the Azure Pipelines organization and the Azure subscription. You also need to ensure that you're not connecting to the Azure Stack or the Azure US Government environments.

There are two credential types to choose from: Workload identity federation and Secret. Workload identity federation is the preferred credential type as it doesn't require manual rotation and management.
Here are the steps to create an App Registration (Automatic) service connection:
- In the Azure DevOps project, go to Project settings > Service connections.
- Select New service connection, then select Azure Resource Manager and Next.
- Select App registration (automatic) with the credential Workload identity federation or Secret.
- Select a Scope level: Subscription, Management Group, or Machine Learning Workspace.
- Enter a Service connection name.
- Optionally, enter a description for the service connection.
- Select Grant access permission to all pipelines to allow all pipelines to use this service connection.
- Select Save.
Note that using a secret requires manual rotation and management, and is not recommended.
Revert a Secret-Dependent Resource
You can revert a converted automatic service connection with its secret for seven days.
If you manually create and convert your service connection, you can't revert the service connection by using the service connection conversion tool because Azure DevOps doesn't have permissions to modify its own credentials.
To revert a service connection, go to Pipelines > Service connections in your Azure DevOps project.
Select an existing service connection to revert, then select Revert conversion to the original scheme.
Select Revert again to confirm your choice.
If you use the service connection in the UI, select the connection name that you assigned in the Azure subscription setting of your pipeline.
If you use the service connection in a YAML file, copy the connection name and paste it into your code as the value for azureSubscription.
After seven days, manually create a new secret.
In-App Update

To create a new service connection in App Service, you need to select the Azure App Services resource you want to connect to a target resource.
You'll need to select Service Connector from the left table of contents and then click Create.
The target service type is selected by choosing the service type from the dropdown menu, such as Storage - Blob.
If you don't have a Microsoft Blob Storage, you can create one or use another service type.
The connection name is the name that identifies the connection between your App Service and target service.
You should use the connection name provided by Service Connector or choose your own connection name.
Here are the settings you'll need to enter:
System-assigned managed identity is the recommended authentication option to connect through an identity that's generated in Microsoft Entra ID and tied to the lifecycle of the service instance.
You should only use the most secure authentication flow available, and managed identities are a good option when other more secure flows aren't viable.
View in App

Viewing your service connections in App Service is straightforward. You can find them on the Service Connector page.
Once you've successfully created a connection, this page displays all your existing App Service connections. To expand the list and see the environment variables required by your application code, simply select the > button.
You can also view the hidden value by selecting Hidden value. Additionally, you can validate your connection by selecting Validate and check the connection validation details in the panel on the right by selecting Learn more.
If you want to view information about a specific service connection, you can do so by selecting it from the list.
What and How
A service connection provides connections to external services for your Azure DevOps pipelines to use.
You can limit the scope of Azure service connections to management groups, subscriptions, or resource groups.
Service connections securely store and manage the connection details needed to access the service.
Examples of external services include GitHub Enterprise Server or Jenkins.
You can restrict access to specific users, pipelines, or additional projects in your Azure DevOps organization.
Service principals and managed identities are used to create connections to your Azure tenant.
Azure DevOps pipelines use service connections to access external services securely.
Principal Management
You can create a service connection using an existing service principal. To do this, you'll need to follow the automated method, where Azure DevOps creates the service principal and assigns permissions. This method is available for Azure Resource Manager service connections.
You can also use the manual method, where you provide the service principal and secret for authentication. This method requires you to modify the service principal to expose the appropriate permissions, and you'll need to enter the service principal ID, credential, tenant ID, and verify the settings.
There are two options for authenticating with a service principal: automated and manual. The automated method creates a service principal and assigns permissions, while the manual method requires you to provide the service principal and secret for authentication.
Convert Resource to Federation

Converting an existing Azure Resource Manager service connection to use workload identity federation is a straightforward process. You can use the service connection conversion tool in Azure DevOps if your service connection meets certain requirements.
Azure DevOps originally created the service connection, and only one project uses the service connection. If you manually created your service connection, you can't convert it using the service connection conversion tool because Azure DevOps doesn't have permissions to modify its own credentials.
To convert a service connection, go to Project settings > Service connections in your Azure DevOps project. Select the service connection you want to convert, and then select Convert.
You'll be prompted to confirm the update, and the conversion might take a few minutes. If you want to revert the connection, you must do so within seven days.
If you have multiple service connections to convert, you can use a PowerShell script to update them all at once. This script requires two parameters: your Azure DevOps organization and project. It then retrieves the associated service connections and updates them to use workload identity federation.
The script requires PowerShell 7.3 or newer and Azure CLI to run. You can save the script to a .ps1 file and run it using PowerShell 7.
Curious to learn more? Check out: How to Upgrade Azure Ad Connect
Principal

A service principal is an identity in Entra ID used with applications, services, and automated processes. It's essentially a user account meant for non-human entities.
To use an existing service principal in your service connection, you need to sign into your Azure DevOps organization and select the Azure DevOps project where the service connection should live. In the project, select the Project settings icon in the lower left, and then under Pipelines, select Service connections.
You can create a service connection using a service principal, and there are two options: automated method, where Azure DevOps creates the service principal and assigns permissions, or manual method, where you provide the service principal and secret for authentication.
A service principal can authenticate using a secret, which you will use in this first example, or a certificate. If you selected Service Principal Key, enter the key (password). If you selected Certificate, enter the certificate.

Here are the parameters you need to enter in the Authentication section:
In the Details section, enter the following parameters:
To use a service connection in pipelines, for YAML pipelines, use the connection name in your code as the azureSubscription or other connection name value. For Classic pipelines, select the connection name in the Azure subscription or other connection name setting in your pipeline task.
Frequently Asked Questions
What is the difference between service principal and service connection in Azure?
In Azure, a Service Principal is a configured identity in Azure Active Directory, while a Service Connection is a configured authentication setup in Azure DevOps, enabling secure access to resources. Understanding the difference between these two concepts is crucial for seamless integration and secure access in Azure.
Featured Images: pexels.com

