How To Create A Service Principal For Service Connection
Background
Service Principal Identity (SPI) is the required and recommended approach for authenticating with platforms such as Azure Subscription resources, Cosmos, Blueshift, etc. SPI is supported in Azure Data Factory, Azure DevOps and so on. This page shows how to request a new SPI and configure it as a service connection in Azure DevOps.
Steps
Step 1 : Register an AAD application via DMS
Run this command in PROD DMS - DataCenter Management Services, replacing the placeholders:
New-TorusAzureADApplication -ApplicationName {your app name} -STID {Service Tree ID} -Team {Torus team} -SupportType {SingleTenant | MultiTenant}
For example:
New-TorusAzureADApplication -ApplicationName AurigaSentry -STID c377de9c-e737-4f3f-bd9b-f2024bb57e74 -Team msaidataplat -SupportType MultiTenant
Wait for approval from the approval team. Then acquire and note the Application Id (Client Id) from the approval response email.
Step 2 : Request the owner role on the application
Run this command in PROD DMS - DataCenter Management Services, replacing the placeholders:
Request-AzureApplicationOwnerRoleElevation -ApplicationId {App ID} -Reason {Elevation Reason}
Then wait for approval from the approval team. For example:
Request-AzureApplicationOwnerRoleElevation -ApplicationId b6cb0f1e-1101-4128-9256-762aa4f94377 -Reason "Update Sentry Release in new Subscription"
Step 3 : Add a client secret in the application
Open the Azure Portal and sign in with your Torus account (e.g. zhxin_debug@prdtrs01.prod.outlook.com). Note: you MUST sign in to the Azure Portal with your Debug account rather than a JIT or Admin account!
Navigate to App Registrations -> Owned applications. The application appears there once Step 2 has been approved.
Add a secret under Certificates & secrets. (It is recommended to store the secret value in an Azure Key Vault resource.)
Step 4 : Assign a role for the application
Request AdminAccess before assigning a role to the application in the Azure Portal. Run this command in PROD DMS - DataCenter Management Services, for example:
Request-AzureSubscriptionElevation -Role AdminAccess -SubscriptionId 8b8b2cf1-f7e3-4d86-8581-a15cd35463a4 -Reason "Check Role Assignment"
Add the application with the corresponding role in Access Control (IAM).
Step 5 : Create a service connection for Azure DevOps to connect to the Azure Subscription
Create a new service connection in the Azure DevOps portal:
Azure DevOps -> Project -> Project Settings -> Service Connections -> New Service Connection
Connection type: Azure Resource Manager
Authentication method: Service principal (manual)
Environment: Azure Cloud
Scope Level: Subscription
Service Principal Id: {The Application id}
Credential: Service principal key
Service principal key: {The client secret}
Appendix
Service Principal Identity Usage Summary
Name | Creator | ClientId/AppId | TenantId | ServiceTreeServiceId | Roles | Usage | 1CS Link
---|---|---|---|---|---|---|---
Valit | lishengq | b131124d-cba5-4427-9e6c-0075ccca1f9c | cdc5aeea-15c5-4db6-b079-fcadd2505dc2 | c377de9c-e737-4f3f-bd9b-f2024bb57e74 | Data Factory Contributor, Storage Account Contributor | Service connection for release pipeline: Valit Portal |
adf-deploy | pingzhongwei | 8055073e-3993-4ff8-be02-f0d2e40a517e | cdc5aeea-15c5-4db6-b079-fcadd2505dc2 | c377de9c-e737-4f3f-bd9b-f2024bb57e74 | Data Factory Contributor, Storage Account Contributor | Service connection for release pipeline: msai-datapipeline |
msai-datapipeline | yihl | 895f5c42-431c-4d9f-9c42-938232ee63c6 | cdc5aeea-15c5-4db6-b079-fcadd2505dc2 | c377de9c-e737-4f3f-bd9b-f2024bb57e74 | N/A | Authentication for access to Cosmos VC and ADL (cortana-c14, exchange-storage-prod-c14, office-engineering-c14, office-adhoc-c14) and Blueshift (substrateadlaneuprod). Used by Azure Data Factory, ExP Scorecard, etc. | Data Request 275571
MSAIDataPipeline | zhxin | b4da76b1-da6b-453b-85ab-e862fba33aeb | cdc5aeea-15c5-4db6-b079-fcadd2505dc2 | c377de9c-e737-4f3f-bd9b-f2024bb57e74 | N/A | Authentication for access to Cosmos VC and ADL (cortana-c14, exchange-storage-prod-c14, office-engineering-c14, office-adhoc-c14) and to the Kusto data sources (1ES, AzureSpend). Used in Azure Data Factory. | Data Request 270627
AurigaSentry | zhxin | b6cb0f1e-1101-4128-9256-762aa4f94377 | cdc5aeea-15c5-4db6-b079-fcadd2505dc2 | c377de9c-e737-4f3f-bd9b-f2024bb57e74 | AurigaSentry Resource Group Contributor, AurigaSentry Storage Blob Data Owner | AurigaSentry CI/CD service connection |
o365ccapp-ews-oivic-nam-prod | lishengq | 56f36246-4e3b-4702-9c32-9887d5066920 | cdc5aeea-15c5-4db6-b079-fcadd2505dc2 | c377de9c-e737-4f3f-bd9b-f2024bb57e74 | N/A | Production SPN for access to Cosmos and EUDB for Compliant Datasets Azure Data Factory | Data Request 345487
o365ccapp-ews-oivic-nam-ppe | lishengq | d8ad08bc-e685-427c-afb4-f5f3ff8f48f7 | cdc5aeea-15c5-4db6-b079-fcadd2505dc2 | c377de9c-e737-4f3f-bd9b-f2024bb57e74 | N/A | PPE SPN for access to Cosmos and EUDB for Compliant Datasets Azure Data Factory | Data Request 345487
Azure Blob Storage Role Assignment
If you want to use a Service Principal Identity for uploading files to Azure Blob Storage, you MUST assign the application the Storage Blob Data Owner role on the corresponding storage account in Azure. Otherwise the upload fails with an Unauthorized error.
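The role assignment from Step 4 and the Storage Blob Data Owner requirement above can also be done and verified from PowerShell instead of the Portal. This is an added example using the public Az cmdlets, not part of the original page or the DMS tooling; it assumes the Step 4 elevation has been approved and you are signed in with Connect-AzAccount, and it reuses the AurigaSentry application id, subscription id and storage account name from this page (the resource group name is a placeholder).

```powershell
# Added example: assign 'Storage Blob Data Owner' at storage-account scope and verify it.
# Assumes Connect-AzAccount has been run under the elevated (AdminAccess) account.
param(
    [string]$ApplicationId  = 'b6cb0f1e-1101-4128-9256-762aa4f94377', # AurigaSentry app (client) id
    [string]$SubscriptionId = '8b8b2cf1-f7e3-4d86-8581-a15cd35463a4', # subscription from Step 4
    [string]$ResourceGroup  = '<resource-group>',                     # placeholder: RG of the storage account
    [string]$StorageAccount = 'aurigasentry',                         # storage account from the pipeline snippet
    [string]$Role           = 'Storage Blob Data Owner'
)

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# Scope the assignment to the one storage account the pipeline writes to, not the
# whole subscription: that is the narrowest scope at which the upload still works.
$scope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
         "/providers/Microsoft.Storage/storageAccounts/$StorageAccount"

# Resolve the service principal object that backs the application (client) id.
$sp = Get-AzADServicePrincipal -ApplicationId $ApplicationId
if (-not $sp) { throw "No service principal found for application $ApplicationId" }

# Idempotent: Get-AzRoleAssignment also returns assignments inherited from parent
# scopes, so filter on the exact scope before deciding whether to create one.
$existing = Get-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $Role -Scope $scope |
            Where-Object { $_.Scope -eq $scope }
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $Role -Scope $scope | Out-Null
    Write-Host "Assigned '$Role' to $($sp.DisplayName) at $scope"
} else {
    Write-Host "'$Role' is already assigned to $($sp.DisplayName) at $scope"
}

# Review every role this principal holds in the subscription. Anything broader than the
# storage-account scope above (e.g. Contributor at subscription level) is worth questioning.
Get-AzRoleAssignment -ObjectId $sp.Id |
    Select-Object RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

If the pipeline upload still returns Unauthorized after this, check that the service connection's Service Principal Id matches $ApplicationId and that the assignment scope points at the same storage account as the task's storage input.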
Service Connection Reference in Azure Pipeline
You can use the service connection name as the value of the azureSubscription input in an Azure Pipelines task:
- task: AzureFileCopy@4
  condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/master'))
  displayName: 'Upload AvailabilityMonitorConfigs to AurigaSentry Azure Blob'
  inputs:
    SourcePath: '$(Build.ArtifactStagingDirectory)/MonitorConfigs/AvailabilityMonitorConfigs'
    azureSubscription: AurigaSentryDeploy
    Destination: AzureBlob
    storage: aurigasentry
    ContainerName: monitorconfigs
Service Connection Reference in Continuous Deployment Pipeline
You can select the available service connection name in the Azure Subscription property of a CI/CD task.