Azure Dev Ops security architecture connecting to different tenancies/subscriptions

Hi,

Can someone help me understand the Azure DevOps security architecture for connecting to tenancies/subscriptions?

1 Reply

@santoshpandey11

If you need Azure DevOps to connect to the other subscription, you will need a Service Principal account. This can be created from inside Azure DevOps if you are a user with owner access on the subscription to create a Service Principal, or you can use an existing Service Principal account. https://docs.microsoft.com/en-us/powershell/azure/create-azure-service-principal-azureps?view=azps-2.7.0

Once you have that account you can create a service connection in Azure DevOps for your project. This account can be used in your pipelines. You will need to pick the subscription during the creation of tasks, so make sure you label the service connection so it's easy to find.

https://docs.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml

One point to look out for is the access levels the service principal account has. It will need read access to the subscription but only Contributor access to any resource groups if you want to lock it down.
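The reply above describes three steps: create the service principal, wire it into an Azure DevOps service connection, and keep its rights to Reader on the subscription plus Contributor on specific resource groups. The following Azure PowerShell script is an added example that is not from the thread or from Microsoft's documentation; it carries those steps through with the Az module and finishes with the check a reviewer would want, namely that the principal holds no role assignment beyond the intended scopes. The subscription ID, resource group names and display name are placeholders to be replaced; the cmdlets (`New-AzADServicePrincipal`, `New-AzRoleAssignment`, `Get-AzRoleAssignment`, `Remove-AzRoleAssignment`) are standard Az cmdlets, and the retry loop exists because a freshly created principal can take a few seconds to become visible to Azure RBAC.

```powershell
# Added example (not the thread's own code). Run as a subscription Owner after Connect-AzAccount.
# Creates a service principal for Azure DevOps pipelines and scopes it to:
#   Reader      on the whole subscription
#   Contributor only on the named resource groups
# Placeholder values, replace before use:
$SubscriptionId = '00000000-0000-0000-0000-000000000000'
$ResourceGroups = @('rg-app-dev', 'rg-app-test')
$SpDisplayName  = 'sp-azdo-app-pipelines'

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null
$subScope = "/subscriptions/$SubscriptionId"

# 1. Create the service principal. The cmdlet returns the generated credential; enter it once
#    into the Azure DevOps service connection and do not write it to disk or to pipeline logs.
$sp = New-AzADServicePrincipal -DisplayName $SpDisplayName

# Intended assignments, expressed as "scope => role" so they can be both applied and audited.
$intended = @{ $subScope = 'Reader' }
foreach ($rg in $ResourceGroups) {
    $intended["$subScope/resourceGroups/$rg"] = 'Contributor'
}

# 2. Apply the assignments. A new principal may not yet be replicated to RBAC, so retry
#    PrincipalNotFound-style failures a few times before giving up.
foreach ($scope in $intended.Keys) {
    $role = $intended[$scope]
    for ($attempt = 1; $attempt -le 6; $attempt++) {
        try {
            New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $role -Scope $scope -ErrorAction Stop | Out-Null
            Write-Host "Assigned $role at $scope"
            break
        }
        catch {
            if ($attempt -eq 6) { throw }
            Start-Sleep -Seconds 10
        }
    }
}

# 3. Verify: list everything the principal actually holds in this subscription and flag any
#    assignment that is not in the intended set (for example a default Contributor grant at
#    subscription scope that some older Az versions add on creation).
$actual = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $subScope
$unexpected = $actual | Where-Object {
    -not $intended.ContainsKey($_.Scope) -or $intended[$_.Scope] -ne $_.RoleDefinitionName
}

if ($unexpected) {
    Write-Warning "Service principal holds assignments outside the intended scopes:"
    $unexpected | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize
    # Remove them so the principal ends up with exactly the documented rights.
    foreach ($a in $unexpected) {
        Remove-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $a.RoleDefinitionName -Scope $a.Scope
        Write-Host "Removed $($a.RoleDefinitionName) at $($a.Scope)"
    }
}
else {
    Write-Host "Role assignments match the intended Reader/Contributor split."
}

# Use this value as the 'Service principal Id' when creating the Azure Resource Manager
# service connection in Azure DevOps; the secret from step 1 goes in 'Service principal key'.
Write-Host "Service principal application (client) id: $($sp.AppId)"
```

The check in step 3 is the part worth keeping even if the principal was created through the Azure DevOps portal rather than this script: the portal-created principal defaults to Contributor on the whole subscription, which is wider than the Reader-plus-resource-group model the reply recommends, and re-running the audit against an existing principal's object id shows exactly what would need to be trimmed.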