
I'm trying to create a release pipeline in Azure DevOps. I created an App service resource in Azure and I want to deploy my web-app to this App service through my pipeline. For that I need to create an ARM service connection. Can you please help me with understanding the difference between the types of service connections? Thanks!

  1. What is the difference between Service Principal (automatic) and Service Principal (manual)?
  2. What is the difference between service principal, managed identity and publish profile?
SD4

1 Answer


What is the difference between Service Principal (automatic) and Service Principal (manual)?

Service Principal (automatic): It will create an AD App along with the service principal in Azure AD for you automatically and use it in the service connection.

Service Principal (manual): You need to create the AD App along with the service principal manually in Azure AD and configure it when you create the service connection.

What is the difference between service principal, managed identity and publish profile?

When you create an AD App (App Registration) in Azure AD, it will create a service principal for you automatically in your Azure AD.

The managed identity is essentially a service principal in your AAD that is managed by Azure; you can use it to access Azure resources in the subscription.

The publish profile is a file used to publish your web app or web job. It includes a username and password and uses basic auth to deploy your web app; if you use a service principal/managed identity, Azure AD auth is used instead.

Joy Wang
  • Hey thanks for your reply Joy! Also, why do we need to use service principal? What are the benefits with using service principal? – SD4 Aug 12 '20 at 09:22
  • @SD4 This question is too broad. You can understand it as an identity used to access resources in Azure (it also has other usages); for more details you need to learn about Azure AD, details here: https://learn.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object – Joy Wang Aug 12 '20 at 09:28
  • @SD4 You could also take a look at this [post](https://stackoverflow.com/questions/58846095) to help you understand. – Joy Wang Aug 12 '20 at 09:34
  • So I created a service principal and tried establishing the service connection using the credentials. But the verification failed and I got the error message below. Any idea as to why? _Failed to query service connection API: 'https://management.azure.com/subscriptions/468---'. Status Code: 'Forbidden', Response from server: '{"error":{"code":"AuthorizationFailed","message":"The client '440b---' with object id '440b4---' does not have authorization to perform action 'Microsoft.Resources/subscriptions/read' over scope '/subscriptions/468---' or the scope is invalid._ – SD4 Aug 12 '20 at 09:45
  • @SD4 You need to assign the client `440b--` an RBAC role in your subscription, e.g. `Contributor`; follow https://learn.microsoft.com/en-us/azure/role-based-access-control/quickstart-assign-role-user-portal – Joy Wang Aug 12 '20 at 09:47
  • I have a resource group under my subscription. Would I need to add it to resource group? – SD4 Aug 12 '20 at 10:20
  • @SD4 No, you just need to add it at subscription scope. – Joy Wang Aug 12 '20 at 10:30
  • Awesome! It worked now, created a service connection, deployment to web-app successful. But the app-service url isn't loading my web-app. Any clue? – SD4 Aug 12 '20 at 11:04
  • @SD4 I think it is really a different issue from the original topic of this post; you may need to accept this answer and ask it in a new post. Stack Overflow discourages asking several questions in the same post. – Joy Wang Aug 12 '20 at 11:11
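As an added illustration (this is not code from the question, the answer or Azure itself), the following Python model shows the RBAC rule behind the `AuthorizationFailed` error and the follow-up comments: a role assignment applies to its own scope and everything beneath it, so an assignment on a resource group cannot satisfy `Microsoft.Resources/subscriptions/read` at subscription scope, while an assignment at subscription scope covers both the verification read and the web app underneath. The role definitions are deliberately simplified (assumption: `Contributor` modelled as Actions `*`, `Reader` as `*/read`, NotActions omitted), and all ids and the sample error text are constructed placeholders, not values from the thread.

```python
"""Illustrative model of Azure RBAC scope inheritance (not the real authorization engine)."""
import fnmatch
import re
from dataclasses import dataclass
from typing import Iterable

# Simplified built-in role definitions (assumption: NotActions omitted for brevity).
ROLE_ACTIONS = {
    "Reader": ["*/read"],
    "Contributor": ["*"],
}

# Constructed placeholder identifiers (not the ids from the comments above).
SP_OBJECT_ID = "00000000-0000-0000-0000-00000000aaaa"
SUB_SCOPE = "/subscriptions/00000000-0000-0000-0000-00000000bbbb"
RG_SCOPE = SUB_SCOPE + "/resourceGroups/example-rg"
WEBAPP_SCOPE = RG_SCOPE + "/providers/Microsoft.Web/sites/example-app"

# Constructed AuthorizationFailed message in the shape the thread quotes.
SAMPLE_ERROR = (
    "The client '" + SP_OBJECT_ID + "' with object id '" + SP_OBJECT_ID
    + "' does not have authorization to perform action "
    "'Microsoft.Resources/subscriptions/read' over scope '" + SUB_SCOPE
    + "' or the scope is invalid."
)

ERROR_RE = re.compile(
    r"The client '(?P<client>[^']*)' with object id '(?P<object_id>[^']*)' "
    r"does not have authorization to perform action '(?P<action>[^']*)' "
    r"over scope '(?P<scope>[^']*)'"
)


@dataclass(frozen=True)
class RoleAssignment:
    principal_id: str
    role: str
    scope: str  # e.g. /subscriptions/<id> or /subscriptions/<id>/resourceGroups/<rg>


def parse_authorization_failed(message: str) -> dict:
    """Extract principal, action and scope from an AuthorizationFailed message."""
    match = ERROR_RE.search(message)
    if not match:
        raise ValueError("not an AuthorizationFailed message")
    return match.groupdict()


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """An assignment applies at its scope and at every child scope beneath it."""
    assigned = assignment_scope.rstrip("/").lower()
    target = target_scope.rstrip("/").lower()
    return target == assigned or target.startswith(assigned + "/")


def action_allowed(role: str, action: str) -> bool:
    """Azure action strings are matched case-insensitively with '*' wildcards."""
    return any(
        fnmatch.fnmatchcase(action.lower(), pattern.lower())
        for pattern in ROLE_ACTIONS[role]
    )


def is_authorized(assignments: Iterable[RoleAssignment], principal_id: str,
                  action: str, scope: str) -> bool:
    """True if any assignment for the principal grants the action at the scope."""
    return any(
        ra.principal_id == principal_id
        and scope_covers(ra.scope, scope)
        and action_allowed(ra.role, action)
        for ra in assignments
    )


def would_fix_error(assignments: Iterable[RoleAssignment], message: str) -> bool:
    """Check whether the given assignments would clear the quoted error."""
    err = parse_authorization_failed(message)
    return is_authorized(assignments, err["object_id"], err["action"], err["scope"])


if __name__ == "__main__":
    rg_only = [RoleAssignment(SP_OBJECT_ID, "Contributor", RG_SCOPE)]
    sub_wide = [RoleAssignment(SP_OBJECT_ID, "Contributor", SUB_SCOPE)]
    print("Contributor on resource group clears error:", would_fix_error(rg_only, SAMPLE_ERROR))
    print("Contributor on subscription clears error:  ", would_fix_error(sub_wide, SAMPLE_ERROR))
    print("Subscription assignment also covers web app write:",
          is_authorized(sub_wide, SP_OBJECT_ID, "Microsoft.Web/sites/write", WEBAPP_SCOPE))
```

The model also shows why `Reader` at subscription scope is enough for the service connection's verification read but not for deploying to the web app, which is the practical reason the answer points at `Contributor`; in a real tenant the least-privilege choice is the narrowest role and scope that still covers every action the pipeline performs.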