Azure Resource Manager - Service Principal (Manual)

I had some issues with automatically creating a service principal to set up Azure Resource Manager in Azure DevOps due to overly strict Azure AD policies, resulting in the following error: "Error encountered: Failed to create an app in Azure Active Directory. Error: Credential lifetime exceeds the max value allowed as per assigned policy." This is a rather unique error with no results found on Google. Since the steps to manually create a service principal are rather complex, I have decided to document them here.

1) Use the PowerShell console in the Azure Portal to run the following command:

PS /home/limbenjamin> az ad sp create-for-rbac --name ServicePrincipalName
{
  "appId": "00000000-0000-0000-0000-000000000000",
  "displayName": "ServicePrincipalName",
  "name": "http://ServicePrincipalName",
  "password": "00000000-1111-1111-1111-000000000000",
  "tenant": "00000000-2222-2222-2222-000000000000"
}

2) Go to Azure Portal -> Subscriptions -> Access Control (IAM) -> Add Role Assignment and add Contributor role for ServicePrincipalName.
3) Go to Azure DevOps -> Project Settings (at the bottom) -> Service Connections -> New Service Connection -> Azure Resource Manager -> Service Principal (Manual) and fill in the values from the command output in the earlier PowerShell console:

Service Principal Id: 00000000-0000-0000-0000-000000000000
Service Principal Key: 00000000-1111-1111-1111-000000000000
Tenant ID: 00000000-2222-2222-2222-000000000000

4) Set up a new pipeline in Azure DevOps. The new pipeline may not detect the manually created service principal and the build may fail. If that happens, visit the following URL to get the azureServiceConnectionId (the "id" of the service connection in the JSON response):

https://dev.azure.com/<<Org Name>>/<<Project Name>>/_apis/serviceendpoint/endpoints?api-version=5.0-preview.2
{"count":1,"value":[{"data":{"environment":"AzureCloud","scopeLevel":"Subscription","subscriptionId":"00000000-3333-3333-3333-000000000000","subscriptionName":"AzureSubsciptionName","creationMode":"Manual"},"id":"00000000-4444-4444-4444-000000000000","name":"ServiceConnectionName".....

5) Manually edit the azure-pipelines.yml file and set the variable to the new azureServiceConnectionId. Your builds should now work.

trigger:
- master

variables:
  # Azure Resource Manager connection created during pipeline creation
  azureServiceConnectionId: '00000000-4444-4444-4444-000000000000'
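To avoid hand-copying the id out of the raw JSON in step 4 and pasting it into the YAML in step 5, here is an added Python example (not part of the original post) that looks up a service connection by name in the endpoints API response and writes its id into the azureServiceConnectionId variable. The API response and pipeline text below are constructed samples; fetching the response from dev.azure.com is assumed to happen separately.

```python
import json
import re

# Constructed sample of the serviceendpoint/endpoints response from step 4 (not real data).
SAMPLE_RESPONSE = json.dumps({
    "count": 2,
    "value": [
        {"data": {"environment": "AzureCloud", "scopeLevel": "Subscription",
                  "subscriptionId": "00000000-3333-3333-3333-000000000000",
                  "creationMode": "Automatic"},
         "id": "00000000-5555-5555-5555-000000000000", "name": "AutoConnection"},
        {"data": {"environment": "AzureCloud", "scopeLevel": "Subscription",
                  "subscriptionId": "00000000-3333-3333-3333-000000000000",
                  "creationMode": "Manual"},
         "id": "00000000-4444-4444-4444-000000000000", "name": "ServiceConnectionName"},
    ],
})

# Constructed sample azure-pipelines.yml with a stale connection id.
SAMPLE_PIPELINE = "trigger:\n- master\n\nvariables:\n  azureServiceConnectionId: 'old-id'\n"

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def find_connection_id(response_json, name, creation_mode="Manual"):
    """Return the endpoint id whose name and creationMode match, or None if absent."""
    body = json.loads(response_json)
    for endpoint in body.get("value", []):
        if endpoint.get("name") != name:
            continue
        if creation_mode and endpoint.get("data", {}).get("creationMode") != creation_mode:
            continue
        return endpoint.get("id")
    return None


def set_connection_id(pipeline_yaml, connection_id):
    """Rewrite the azureServiceConnectionId variable; refuse non-GUID values so a
    service principal key or other secret is never written into the pipeline file."""
    if not GUID_RE.match(connection_id):
        raise ValueError("connection id must be a GUID")
    pattern = re.compile(r"^(\s*azureServiceConnectionId:\s*)'[^']*'", re.MULTILINE)
    new_yaml, count = pattern.subn(lambda m: m.group(1) + f"'{connection_id}'", pipeline_yaml)
    if count != 1:
        raise ValueError("expected exactly one azureServiceConnectionId variable")
    return new_yaml


if __name__ == "__main__":
    cid = find_connection_id(SAMPLE_RESPONSE, "ServiceConnectionName")
    print(set_connection_id(SAMPLE_PIPELINE, cid))
```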