This article walks through deploying code to an Azure Web App from Azure DevOps using a recently added option for Azure Resource Manager service connections: authenticating as a User Assigned Managed Identity (UAMI) instead of a traditional service principal.
TOC
- UAMI Configuration
- App Configuration
- Azure DevOps Configuration
- Logs
UAMI Configuration
Create a User Assigned Managed Identity with no additional configuration.
Note its Object ID (principal ID): later steps refer to this identity by that value, and it is the value that shows up in the audit logs at the end of the article.
App Configuration
On the existing Azure Web App, add a Diagnostic Setting that captures the audit log category (Access Audit Logs, which land in the AppServiceAuditLogs table) and sends it to a Log Analytics workspace.
These logs are examined in the final section of this article.
Next, open Access Control (IAM) on the Web App and assign the previously created User Assigned Managed Identity the Website Contributor role, scoped to that Web App only; this is the permission the deployment task will rely on.
Azure DevOps Configuration
Go to Azure DevOps → Project Settings → Service Connections, and create a new ARM (Azure Resource Manager) connection.
While creating the connection:
- Choose the managed identity option and select the corresponding User Assigned Managed Identity
- Select the Resource Group scope and grant only the permissions the deployment needs; this assignment is separate from the Website Contributor role already granted on the Web App
During this process you are prompted to sign in again with your own account, because the role assignments and federation setup are made on your behalf.
That sign-in is what later appears in the deployment logs discussed below.
With the following deployment template in the pipeline, the run shows additional steps compared with traditional service principal–based authentication.
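The author's own template is not reproduced on the page, so the following is an added example, not the article's code, of a minimal Azure Pipelines definition that deploys a previously built package through a UAMI-backed Azure Resource Manager service connection. The service connection name `uami-webapp-connection`, the Web App name `my-webapp`, and the artifact name `drop` are assumptions.

```yaml
# Added example pipeline (not the article's template). Assumed names:
#   uami-webapp-connection  - ARM service connection whose identity is the UAMI
#   my-webapp               - target Azure Web App
#   drop                    - artifact produced by an earlier build pipeline
trigger:
  - main

pool:
  vmImage: ubuntu-latest

variables:
  serviceConnection: uami-webapp-connection   # assumed
  webAppName: my-webapp                       # assumed

steps:
  # Fetch the build output published by the build pipeline as artifact "drop".
  - download: current
    artifact: drop

  # Deploy as the managed identity. No client secret or certificate is stored in
  # Azure DevOps; the task obtains a token for the UAMI through the service
  # connection, and the Website Contributor role on the Web App authorizes the deploy.
  - task: AzureWebApp@1
    displayName: Deploy to Azure Web App via UAMI service connection
    inputs:
      azureSubscription: $(serviceConnection)
      appType: webApp
      appName: $(webAppName)
      package: $(Pipeline.Workspace)/drop/*.zip
```

Because the identity is a managed identity rather than a service principal with a secret, there is nothing in the service connection to rotate or leak; what limits blast radius is the role assignment, so keep it at Web App scope as configured above rather than at subscription level.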
Logs
A few minutes after deployment, related log records will appear.
In the AppServiceAuditLogs table, the deployment initiator is recorded as the Object ID of the UAMI, and the Source is listed as Azure (DevOps).
This shows that the identity was authorized under my user context when the service connection was created, while the deployment itself was initiated by Azure DevOps acting as the managed identity, with no user credential involved at deploy time.