Creating an Azure Resource Manager Service Endpoint

Depending on the Azure tasks you use in your Visual Studio Team Services (VSTS) builds and releases, you will need different connections to Azure. In this post I will show you how to create an Azure Resource Manager Service Endpoint. To create an Azure Resource Manager Service Endpoint, you first need to create an Azure Service Principal.

While we move through the creation of the service principal, be sure to copy the Application Name, Client ID, Key, Tenant ID, Subscription name, and Subscription ID.

Create Service Principal

To create a Service Principal we must first register an application in the Azure Active Directory, which we will do now.  As of this writing this can only be done in the original Azure portal.  However, many of us are being forced into the new portal upon login.  If you are, simply click on Browse and select Active Directory and you will be redirected to the original Azure portal.
  1. Click on Applications of the selected Active directory
  2. Click the Add button at the bottom of the page
  3. Enter a name for your application and make sure Web Application and/or Web API is selected
  4. Enter two URLs based on your application name
    They do not have to be real. I used the same value for both.
  5. Once the application is created, click on Configure
  6. Make note of the Client ID because we will need it in a moment
  7. Select a key duration under the keys section and click Save at the bottom of the page
  8. Once the key is saved copy the value and place it with your Client ID
    This will be your only chance to collect this value.

Find Tenant ID

With the Active Directory selected on the Applications page, we can harvest the Tenant ID.

  1. Click View Endpoints at the bottom of the page
  2. Copy any of the URLs and paste it into an editor
  3. The GUID in the URL is your Tenant ID

Find Subscription Name and ID

You will also need the subscription name and ID to complete the service endpoint. We can get them while we are in the old portal.

  1. Click Settings in the left vertical menu
  2. Copy the Subscription and Subscription ID values

Grant access

Now that we have a service principal we need to give it access to create resources in your subscription.  Return to the new Azure Portal.
  1. Click Browse and select Subscriptions
  2. Select the subscription you are using
  3. Click the Access button 
  4. Click Add
  5. Select Contributor as the role
  6. Search and select the name of the application you just created
  7. Click OK to grant the service principal access to your subscription

There is a script that can do all of this for you here on GitHub.

Create Service Endpoint

With the Service Principal created, we can now create the Service Endpoint in VSTS.

  1. Log in to VSTS and select a project
  2. Click the manage project gear icon in the upper right hand corner of the page
  3. Select the Services tab
  4. Select Azure Resource Manager from the New Service Endpoint drop down
    Field                   Value
    Connection Name         {AnyValueYouLike}
    Subscription Id         Subscription Id
    Subscription Name       Subscription Name
    Service Principal Id    Client Id
    Service Principal Key   Key
    Tenant Id               Tenant Id
  5. Click OK
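
A pre-flight check for the values collected in the steps above, written as an added example and not part of the original post or the GitHub script it mentions. It pulls the Tenant ID out of a copied endpoint URL, maps the values onto the form fields, and builds the role-assignment scope; the sample GUIDs, the URL and the resource group name build-rg are constructed, and the resource-group scope goes beyond the subscription-wide grant the steps describe.

```python
import re
from urllib.parse import urlparse

GUID = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

# Constructed sample values, not real identifiers.
SAMPLE_URL = "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/oauth2/token"
SAMPLE_SUB = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_CLIENT = "99999999-8888-7777-6666-555555555555"

def tenant_id_from_endpoint(url):
    """Return the GUID path segment of a URL copied from View Endpoints."""
    for segment in urlparse(url).path.split("/"):
        if GUID.fullmatch(segment):
            return segment.lower()
    raise ValueError("no tenant GUID found in endpoint URL")

def role_scope(subscription_id, resource_group=None):
    """Scope for the Contributor assignment; a resource group narrows it."""
    if not GUID.fullmatch(subscription_id):
        raise ValueError("subscription ID is not a GUID")
    scope = "/subscriptions/" + subscription_id.lower()
    if resource_group:
        scope += "/resourceGroups/" + resource_group
    return scope

def endpoint_fields(name, sub_id, sub_name, client_id, key, endpoint_url):
    """Map the collected values onto the New Service Endpoint form fields."""
    ids = {"Subscription Id": sub_id.lower(),
           "Service Principal Id": client_id.lower(),
           "Tenant Id": tenant_id_from_endpoint(endpoint_url)}
    for field, value in ids.items():
        if not GUID.fullmatch(value):
            raise ValueError(field + " is not a GUID")
    if len(set(ids.values())) != len(ids):
        raise ValueError("two ID fields hold the same GUID; check the paste")
    if not key.strip():
        raise ValueError("Service Principal Key is empty")
    return {"Connection Name": name, "Subscription Name": sub_name,
            "Service Principal Key": key, **ids}

def redacted(fields):
    """Copy that is safe to log or share: the key is masked."""
    return {k: "****" if k == "Service Principal Key" else v
            for k, v in fields.items()}

if __name__ == "__main__":
    print(redacted(endpoint_fields("demo", SAMPLE_SUB, "Demo Sub",
                                   SAMPLE_CLIENT, "constructed-key", SAMPLE_URL)))
    print(role_scope(SAMPLE_SUB, "build-rg"))
```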

Comments (8)

  • Matt Burleigh

    12/9/2016 4:17:49 PM

    A bit different in the new portal but it was easy enough to sort out the changes and completely filled in the pieces I was missing.

    Thanks Donovan!

    • Donovan

      12/9/2016 4:26:52 PM

      So hard to keep up with Azure!

  • ruban

    4/5/2018 10:08:16 AM

    Can you help us to do the same in REST API with service principal authorization scheme?

  • David Bojsen

    9/4/2018 1:50:43 PM

    Hi Donovan
    Can this be done by just granting permissions on Resource Group level?
    We're implementing for a customer and they want to limit what we can do outside of designated resource groups.

    BR David

    • Donovan

      10/1/2018 12:33:43 PM

      You can scope a Service Principal to a single RG if you want. You just have to create the RG first. Then use the security blade from there.

  • Payam

    11/13/2018 8:17:10 PM

    Thank you! After 2 years your article is still very helpful.

  • Andre Odendaal

    3/26/2019 4:04:55 PM

    I've used your guide successfully in the past but something seems to have changed with App Registration in Azure Active Directory and I don't get the Service Key any more. Is there an update to this process?

    My problem is that my credentials on Azure DevOps are different to my credentials on Azure Cloud, so I need a Service Principal (I think) so I can connect the two.
