Adding ADO service principal #6647
Conversation
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
github-actions
bot
added
content
Editorial changes
| @@ -62,22 +62,20 @@ An Entra ID admin needs to provide your new app access to Azure DevOps: | |||
|
|
|||
| ## Add another redirect URI | |||
|
|
|||
| A Microsoft Entra ID admin needs to add another redirect URI to your Entra ID application. This redirect URI will be used to authenticate the service user for headless actions in deployment environments. | |||
| A Microsoft Entra ID admin needs to add another redirect URI to your Entra ID application. This redirect URI will be used to authenticate the service principal for headless actions in deployment environments. | |||
There was a problem hiding this comment.
With service principal I don't think we need to add redirect uri to the entra app anymore. But if they are switching from service user to service principal with the same application credentials, they can just keep the redirect uri
|
|
||
| 1. Navigate to your Microsoft Entra ID application. | ||
|
|
||
| 2. Select the link next to **Redirect URIs** | ||
| 3. Click **Add URI** and add the URI, replacing `YOUR_ACCESS_URL` with the [appropriate Access URL](/docs/cloud/about-cloud/access-regions-ip-addresses) for your region and plan: | ||
| `https://YOUR_ACCESS_URL/complete/azure_active_directory_service_user` | ||
| `https://YOUR_ACCESS_URL/complete/azure_active_directory_service_principal` |
There was a problem hiding this comment.
Probably don't need this part either. But you could mention perhaps that if they are switching from service user to service principal they don't need to remove the redirect uris. Probably preferred to not remove them if they want to switch back to service user.
There was a problem hiding this comment.
Thanks for adding this! I'm not a 100% sure I follow the flow for adding a service principal but maybe you found another way to do it. I was under the impression you just need to create an entra application and add that to your ADO org settings as a user and give it the proper permissions under Azure DevOps Groups. I could be missing something though. We should also tell users migrating from service user -> service principal to use the same application. We don't delete the actual service user so if something goes wrong they can easily switch back. Let's maybe regroup in person and I can show you how I was doing the flow.
| @@ -89,7 +87,7 @@ An Azure admin will need one of the following permissions in both the Microsoft | |||
| - Azure Service Administrator | |||
| - Azure Co-administrator | |||
|
|
|||
| If your Azure DevOps account is connected to Entra ID, then you can proceed to [Connect a service user](#connect-a-service-user). However, if you're just getting set up, connect Azure DevOps to the Microsoft Entra ID app you just created: | |||
| If your Azure DevOps account is connected to Entra ID, then you can proceed to [Connect a service principal](#connect-a-service-principal). However, if you're just getting set up, connect Azure DevOps to the Microsoft Entra ID app you just created: | |||
|
|
|||
| 1. From your Azure DevOps account, select **Organization settings** in the bottom left. | |||
| 2. Navigate to Microsoft Entra ID. | |||
There was a problem hiding this comment.
This part is incorrect for service principal (unless these are for service user). For service principal, you go to org settings -> navigate to users -> add users -> search and add your application as a service principal in the search bar -> add projects for Add to projects and also for Azure DevOps Groups select Project Administrators (this is important for being able to create webhooks)
What are you changing in this pull request and why?
This PR adds the ADO service principal configuration instructions
Checklist
🚀 Deployment available! Here are the direct links to the updated files: