Create an Azure Service Principal and a VSTS ARM Endpoint

27 Jul, 2016

25-8-2016: Updated because the UI to create a Service in VSTS changed.

There are several ways to access Azure from VSTS. For example, you can configure an Azure Classic Endpoint in VSTS and then set it up with credentials or with a certificate. The ARM way is to add an Azure Resource Manager Endpoint, which requires the settings of an Azure Service Principal. This blog post explains how to create both the Service Principal in Azure and the ARM Endpoint in VSTS.

Azure Service Principal

You can create an Azure Service Principal in several ways. Here you can read how to add an Azure Service Principal through the Classic Azure Portal. It’s also possible to add one through PowerShell. This PowerShell script can be used to create a Principal that has access to the whole subscription. I prefer to create a Service Principal that has access to a single ResourceGroup only. Here you can find the slightly changed script, which supports ResourceGroup access. When you run the script, the output will look like the following picture. Later on you will need the last five parts to create an ARM Endpoint in VSTS.
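As an added example (not the script this post links to, and written for the current Az PowerShell module rather than the 2016 cmdlets), the following creates a Service Principal whose only role assignment is on one resource group, checks that it holds nothing broader, and prints the subscription, tenant and principal values. The resource group name, display name and the Contributor role are assumptions.

```powershell
# Added example, not the script linked from this post.
# Assumes Az.Accounts and Az.Resources 5.x or later, and an existing Connect-AzAccount session.
$ErrorActionPreference = 'Stop'

$resourceGroupName = 'my-app-rg'           # placeholder: an existing resource group
$displayName       = 'vsts-my-app-deploy'  # placeholder: name for the new principal
$roleName          = 'Contributor'         # assumption: role the deployment needs

$context = Get-AzContext
if (-not $context) { throw 'No Azure context. Run Connect-AzAccount first.' }

# Resolve the resource group first; its ResourceId is the only scope that is granted.
$rg = Get-AzResourceGroup -Name $resourceGroupName

# Pass role and scope explicitly so nothing is assigned at subscription level.
$sp = New-AzADServicePrincipal -DisplayName $displayName -Role $roleName -Scope $rg.ResourceId

# Check: every role assignment of the new principal must sit at or below the resource group.
# Comparing against "<id>/*" avoids matching a sibling group such as 'my-app-rg2'.
$tooBroad = Get-AzRoleAssignment -ObjectId $sp.Id |
    Where-Object { $_.Scope -ne $rg.ResourceId -and $_.Scope -notlike "$($rg.ResourceId)/*" }
if ($tooBroad) {
    $tooBroad | Format-Table RoleDefinitionName, Scope
    throw "Service principal '$displayName' has access outside $resourceGroupName."
}

# Values for the endpoint form. The key is only available now; store it as a secret.
[pscustomobject]@{
    SubscriptionId      = $context.Subscription.Id
    SubscriptionName    = $context.Subscription.Name
    ServicePrincipalId  = $sp.AppId
    ServicePrincipalKey = $sp.PasswordCredentials.SecretText
    TenantId            = $context.Tenant.Id
} | Format-List
```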

VSTS ARM Endpoint

To open the window where you can create an Endpoint in VSTS, click the Team Settings “Gear” icon in the upper right of the screen, then click the Services tab. Note that an Endpoint in VSTS is project specific.
Alternatively, when you are configuring a task in VSTS that uses an Endpoint, you can click the Manage link, as in the following screenshot of the Azure WebApp Configuration task:
In both cases you should see the following screen. Click New Service Endpoint and select Azure Resource Manager in the menu.


The following popup screen will be shown. Because we don’t want a Service Principal in Azure that has access to the whole subscription, don’t click OK. Instead, click the “here” link.

Create endpoint 1

The following screen appears. Here you can fill in all the information that the PowerShell script outputs.

Create endpoint 2

The Connection Name is the only field where you can enter custom information. The other fields must match exactly.
There is no validation or connection check on the information that you fill in. When you use the Azure WebApp Configuration task, for example, and have selected an ARM Endpoint, the task lists all WebApps that the Service Principal has access to. When no WebApps appear (and there should be some), the entered information is probably wrong.

