
Setting Up an ARM Service Connection for Azure DevOps with Workload Identity Federation: automatic implementation


Posted 01 January 2024
By Ramy RZEM 8 min read

Automatic implementation of Workload Identity Federation 🔐

Choosing this feature is recommended if you have the required permissions.

Prerequisites

Before you start, ensure you have the following:

  • An Azure subscription and Azure Entra ID permissions.
  • An Azure DevOps organization.
  • The Federation feature activated on the Azure DevOps organization.
  • The necessary permissions to create service connections in Azure DevOps.
  • Access to an Azure subscription with the required permissions to configure identity federation.

First of all, check in your Azure DevOps organisation that the Federation feature is activated, under user settings / preview features at the organisation level.

New service connection


First, go to Azure DevOps organisation / project / Service connections / Create service connection. Then select the recommended Workload Identity federation (automatic) option.

Fill in the needed information

  • Service Connection Name: The name of your service connection, following your naming convention. It could follow this kind of pattern: ProjetName-Environnement-TypeService-SC
  • Scope level: This depends on your needs; you can select Machine Learning Workspace or Management Group, or extend to subscription level if needed.
  • Description: It's optional, but setting a description is good for visibility: it describes what the service connection is about at a quick glance.

Finally, once the service connection is created, you can check what happened on the Azure Entra ID side: an app registration is created automatically, with a federation and the Contributor role on the previously selected scope.
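One way to turn that final check into a repeatable audit, as an added example that is not part of the original post. It assumes you have saved the JSON printed by `az ad app federated-credential list` and `az role assignment list` for the new app; the `audit` helper, the `sc://organisation/project/connection` subject format and every organisation, project and ID value below are assumptions or constructed placeholders.

```python
import json

# Constructed sample data, shaped like the JSON printed by
# `az ad app federated-credential list` and `az role assignment list`.
# Organisation, project, names and IDs are placeholders, not values from the post.
FEDERATED_CREDENTIALS = json.loads("""[
  {"name": "example-fic",
   "issuer": "https://vstoken.dev.azure.com/00000000-0000-0000-0000-000000000000",
   "subject": "sc://ExampleOrg/ExampleProject/ProjectName-Dev-ARM-SC",
   "audiences": ["api://AzureADTokenExchange"]}
]""")
ROLE_ASSIGNMENTS = json.loads("""[
  {"roleDefinitionName": "Contributor",
   "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"}
]""")

def audit(creds, roles, expected_subject, expected_scope,
          allowed_roles=("Contributor",)):
    """Return a list of findings; an empty list means the setup is as expected."""
    findings = []
    # The app should trust exactly one identity: this service connection.
    if expected_subject not in [c.get("subject") for c in creds]:
        findings.append(f"no federated credential for {expected_subject}")
    for c in creds:
        if c.get("subject") != expected_subject:
            findings.append(f"unexpected federated subject: {c.get('subject')}")
        if c.get("audiences") != ["api://AzureADTokenExchange"]:
            findings.append(f"unexpected audience on {c.get('name')}")
    # Role assignments should not be wider than the scope chosen in the wizard.
    want = expected_scope.rstrip("/").lower()
    for r in roles:
        scope = r["scope"].rstrip("/").lower()
        if r["roleDefinitionName"] not in allowed_roles:
            findings.append(
                f"unexpected role {r['roleDefinitionName']} at {r['scope']}")
        if scope == want:
            continue
        if want.startswith(scope + "/"):
            findings.append(f"role granted above intended scope: {r['scope']}")
        else:
            findings.append(f"role granted outside intended scope: {r['scope']}")
    return findings
```

An empty result means the app trusts only the expected service connection and holds only the allowed role at the intended scope; any finding is worth reviewing before pipelines start using the connection.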

Conclusion:

In conclusion, using automatic federation with Azure DevOps is strongly recommended, provided you have the necessary permissions. It simplifies workflows while ensuring the security and efficiency of projects. See the official Microsoft documentation.