Connecting Azure DevOps to Azure

If you are an Azure AD admin then you can easily connect Azure DevOps to Azure/ Azure AD. But if you are not, then you need to work with the Azure & Azure AD admins to hook these up. Here’s how.

Azure AD

On the Azure AD portal go to App Registrations. Click “New Registration” and give it a name. Leave everything else as is and click “Register”. Once it’s registered go to the “Certificates & secrets” section.

If you are on a Windows machine, open Windows PowerShell and type the following:

New-SelfSignedCertificate -Subject "CN=Azure Pipelines" -KeyExportPolicy Exportable -HashAlgorithm SHA256 -KeyLength 4096 -NotAfter (Get-Date).AddYears(10)

1	New-SelfSignedCertificate -Subject "CN=Azure Pipelines" -KeyExportPolicy Exportable -HashAlgorithm SHA256 -KeyLength 4096 -NotAfter (Get-Date).AddYears(10)

You can change the subject in the above command. And if you skip the -NotAfter parameter it will create one that’s valid for 2 years instead of 10 (or you could choose a different number like 5, for 5 years). After this open Certificate Manager (certlm.msc) and export the certificate and key. Give a password when prompted. This creates a single PFX file.

There might be some other easier way to convert this PFX to a PEM file (which is what we need), but for now here’s what I do.

# install the PSPKI module
Install-Module -Name PSPKI

# import it
Import-Module PSPKI

# convert the PFX file to PEM
Convert-PfxToPem -InputFile \path\to\pfxfile.pfx -OutputFile \path\to\pemfile.pem

# you will be prompted for the password

# install the PSPKI module

Install-Module -Name PSPKI

# import it

Import-Module PSPKI

# convert the PFX file to PEM

Convert-PfxToPem -InputFile \path\to\pfxfile.pfx -OutputFile \path\to\pemfile.pem

# you will be prompted for the password

If you on a Linux or macOS machine, open a terminal and type the following:

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout pipelines.key -out pipelines.cer -subj "/CN=Azure Pipelines.com"

1	openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout pipelines.key -out pipelines.cer -subj "/CN=Azure Pipelines.com"

This outputs a certificate and key. Yeah, easier here. But I had to Google those arcane OpenSSL switches. :)

Now upload this certificate in the “Certificates & secrets” section.

Take a note of the Client ID & Tenant Id of this app registration. We’ll need it in a later step.

Azure

Grant the App Registration we created above access to Azure. Say you want to do it on the Subscription level, go to it, then IAM, Add, and add the App Registration created above with Contributor access.

Take a note of the Subscription Id and Name.

Azure DevOps

Go to Azure DevOps > select the project > Project Settings > Service Connections. Click “New Service Connection” here and choose “Azure Resource Manager”. Under authentication method choose “Service principal (manual)”.

Fill in the Subscription Id and Name you noted in Azure. Fill in the Client ID from Azure AD for the Service Principal Id. For credential paste the contents of the certificate and key. Fill the Tenant Id from Azure AD.

Click Verify. Hopefully all good! Now give the Service Connection a name and save it.