Forum Discussion
How to recognize the correct Enterprise Application
Hello All,
I have a DevOps project with several ARM service connections with workload identity federation.
I can find them from the Azure portal by name, but the generated name is the same on all of them. The resourceID in the DevOps URL of the service connection does not correspond to the ObjectID or ApplicationID in the Azure portal.
So the question is, how am I supposed to differentiate which service connection corresponds to which Enterprise App?
B.R. Agility
2 Replies
- balasubramanim (Iron Contributor)
To differentiate between Azure DevOps service connections and their corresponding Enterprise Applications in Azure, try these steps:
1. List All Enterprise Applications
Use Azure CLI to list Enterprise Applications:
az ad sp list --filter "appDisplayName eq '<ApplicationName>'" --query "[].{Name:displayName, ObjectID:objectId, AppID:appId}" -o table
2. Get Details of a Service Connection in Azure DevOps
To get detailed information about a service connection:
Go to Project Settings > Service Connections in Azure DevOps.
Click the service connection and note the resource ID or Service Principal ID.
3. Match Service Connection with Enterprise Application
Use Azure CLI to find the Enterprise Application associated with the Service Principal ID:
az ad sp show --id <ServicePrincipalID>
This command provides details like ObjectID, AppID, and DisplayName.
4. Use Azure Portal
In Azure Active Directory:
Navigate to Enterprise Applications > All Applications.
Search by AppID or ObjectID obtained from Azure CLI to identify the correct application.
Key Identifiers:
AppID: Unique to the application registration.
ObjectID: Unique to the service principal (Enterprise Application).
Service Principal ID: Used by DevOps to authenticate with Azure.
By cross-referencing these IDs, you can accurately identify which Enterprise Application corresponds to each Azure DevOps service connection. Take this:
- Check the Application Object and Service Principal Object: Each registered application in Azure Active Directory (AAD) creates two objects. The Application Object is what you see under App Registrations, and the Service Principal Object is what you see under Enterprise Applications. Ensure you're looking at the correct Service Principal Object.
- Use the Application (Client) ID: The Application ID (also known as Client ID) is unique to each application and can help you differentiate between them. You can find this ID in the App Registration details.
- Review the ObjectID and ApplicationID: The ObjectID and ApplicationID should match the Service Principal Object in the Enterprise Applications blade. If they don't, there might be an issue with how the service connections were set up.
- Check the Permissions and Roles: Look at the permissions and roles assigned to each Service Principal Object. This can give you clues about which application it corresponds to based on the resources it can access.
- Use Azure CLI or PowerShell: You can use Azure CLI or PowerShell commands to list and inspect the details of your service connections and Enterprise Applications. This can help you gather more information and identify discrepancies.
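The cross-referencing described in the reply above, as an added example that is not part of the thread and is not Microsoft's code. It works offline on constructed JSON shaped like the output of three real commands: `az devops service-endpoint list --organization https://dev.azure.com/<org> --project <project> -o json`, `az ad sp list -o json`, and `az ad app federated-credential list --id <AppID> -o json`. The script assumes that the service endpoint's `authorization.parameters.serviceprincipalid` field carries the application (client) ID, that newer Azure CLI builds emit the service principal object ID as `id` (older builds used `objectId`), and that Azure DevOps presents the federated subject as `sc://<org>/<project>/<connection name>`. The identical `displayName` values in the sample mirror the symptom in the question: DevOps auto-generates the service principal name from the organization, project and subscription, so several connections in one project end up with the same name. The organization name, project name, GUIDs and issuer value are all constructed placeholders.

```python
"""Match Azure DevOps service connections to their Entra service principals.

Join key: the connection's `serviceprincipalid` (an application/client ID)
-> `appId` on the service principal. For workload identity federation (WIF)
connections the script also checks that the app's federated credentials
trust the subject DevOps will actually present for that connection, which
catches connections whose credential points at another org or project.
"""
import json
from typing import Any, Dict, List

# Constructed sample of `az devops service-endpoint list ... -o json`, trimmed
# to the fields read below. Two WIF connections and one classic secret-based one.
SERVICE_ENDPOINTS_JSON = """
[
  {"id": "0f1e2d3c-0000-4000-8000-000000000001", "name": "arm-prod",
   "authorization": {"scheme": "WorkloadIdentityFederation",
     "parameters": {"serviceprincipalid": "11111111-1111-4111-8111-111111111111",
                    "tenantid": "99999999-9999-4999-8999-999999999999"}}},
  {"id": "0f1e2d3c-0000-4000-8000-000000000002", "name": "arm-dev",
   "authorization": {"scheme": "WorkloadIdentityFederation",
     "parameters": {"serviceprincipalid": "22222222-2222-4222-8222-222222222222",
                    "tenantid": "99999999-9999-4999-8999-999999999999"}}},
  {"id": "0f1e2d3c-0000-4000-8000-000000000003", "name": "arm-legacy",
   "authorization": {"scheme": "ServicePrincipal",
     "parameters": {"serviceprincipalid": "33333333-3333-4333-8333-333333333333"}}}
]
"""

# Constructed sample of `az ad sp list -o json`. Both principals carry the same
# auto-generated display name, so name alone cannot tell them apart.
SERVICE_PRINCIPALS_JSON = """
[
  {"id": "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
   "appId": "11111111-1111-4111-8111-111111111111",
   "displayName": "contoso-Payments-5e6f7a8b-0000-4000-8000-000000000009"},
  {"id": "bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb",
   "appId": "22222222-2222-4222-8222-222222222222",
   "displayName": "contoso-Payments-5e6f7a8b-0000-4000-8000-000000000009"}
]
"""

# Constructed sample keyed by appId: what `az ad app federated-credential list`
# returns per app. The issuer GUID is a placeholder for the organization's GUID.
# The second app deliberately trusts a subject from a different project.
FEDERATED_CREDENTIALS_JSON = """
{
  "11111111-1111-4111-8111-111111111111": [
    {"name": "arm-prod", "issuer": "https://vstoken.dev.azure.com/00000000-0000-4000-8000-000000000000",
     "subject": "sc://contoso/Payments/arm-prod", "audiences": ["api://AzureADTokenExchange"]}],
  "22222222-2222-4222-8222-222222222222": [
    {"name": "arm-dev", "issuer": "https://vstoken.dev.azure.com/00000000-0000-4000-8000-000000000000",
     "subject": "sc://contoso/Sandbox/arm-dev", "audiences": ["api://AzureADTokenExchange"]}]
}
"""


def expected_subject(org: str, project: str, connection_name: str) -> str:
    """Subject claim Azure DevOps presents for a WIF service connection (assumed format)."""
    return f"sc://{org}/{project}/{connection_name}"


def object_id(sp: Dict[str, Any]) -> str:
    """Newer az CLI emits the object ID as `id`; older builds used `objectId`."""
    return sp.get("id") or sp.get("objectId") or ""


def audit(org: str, project: str, endpoints: List[Dict[str, Any]],
          sps: List[Dict[str, Any]], fed_creds: Dict[str, List[Dict[str, Any]]]) -> List[Dict[str, Any]]:
    """Return one row per service connection with the matched principal and a status."""
    by_app = {sp["appId"]: sp for sp in sps}
    report = []
    for ep in endpoints:
        auth = ep.get("authorization", {})
        app_id = auth.get("parameters", {}).get("serviceprincipalid")
        sp = by_app.get(app_id)
        row: Dict[str, Any] = {
            "connection": ep["name"], "connection_id": ep["id"], "scheme": auth.get("scheme"),
            "app_id": app_id, "sp_object_id": object_id(sp) if sp else None,
            "display_name": sp["displayName"] if sp else None,
        }
        if sp is None:
            row["status"] = "no-service-principal"       # orphaned connection: clean it up
        elif auth.get("scheme") != "WorkloadIdentityFederation":
            row["status"] = "matched-secret-based"       # matched, but still uses a client secret
        else:
            want = expected_subject(org, project, ep["name"])
            trusted = {c["subject"] for c in fed_creds.get(app_id, [])}
            row["status"] = "matched" if want in trusted else "subject-mismatch"
            row["expected_subject"], row["trusted_subjects"] = want, sorted(trusted)
        report.append(row)
    return report


def run_sample() -> List[Dict[str, Any]]:
    """Run the audit over the constructed samples for organization contoso, project Payments."""
    return audit("contoso", "Payments", json.loads(SERVICE_ENDPOINTS_JSON),
                 json.loads(SERVICE_PRINCIPALS_JSON), json.loads(FEDERATED_CREDENTIALS_JSON))


if __name__ == "__main__":
    for r in run_sample():
        print(f'{r["connection"]:<12} {r["status"]:<22} app={r["app_id"]} sp={r["sp_object_id"]}')
```

To use it against a live tenant, replace the three constants with the files written by the commands named in the lead-in (and pass your own organization and project names); `az ad sp show --id <AppID>` accepts the application ID directly, so the `app_id` column is enough to open the right Enterprise Application in the portal. A `subject-mismatch` row means the principal will not accept tokens for that connection as currently named, or trusts a subject from somewhere else, and a `no-service-principal` row is a connection whose principal no longer exists.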