How to Connect Azure DevOps to Azure with a Service Connection (Step-by-Step App Registration Guide)

Wed, 20 May 2026 00:00:00 +0000

If you’re planning to deploy resources to Azure using Azure DevOps pipelines, the very first step is to set up secure connectivity between the two platforms. This is done by creating an Application Registration in Azure (Entra ID) on your Azure Tenant and using it in Azure DevOps as a Service Connection. Without this setup, Azure DevOps pipelines can’t deploy to your Azure subscription. This is the security handshake that makes CI/CD possible in Azure.

In this post, I’ll walk you through:

What an App Registration is and why we need it
How to create one in Azure
How to configure a Service Connection in Azure DevOps
How to test the connection with a pipeline

By the end, you’ll have a working setup that can authenticate Azure DevOps to your Azure subscription.

What is an App Registration?

Think of an App Registration as an identity for applications or services.

When a user logs in to Azure, they authenticate with their username and password.
When a service (like Azure DevOps) needs access to Azure, it uses an App Registration instead.

An App Registration provides:

A Client ID (like a username)
A Client Secret (like a password)
Or optionally, a certificate for authentication

This setup is much safer than using personal credentials in pipelines, and it allows fine-grained control using RBAC (Role Based Access Control) roles.

High-level flow

flowchart LR A["Azure DevOps Pipeline"] -- uses --> B["Azure DevOps Service Connection"] B -- authenticates with --> C["App Registration"] C -- access granted by RBAC --> D["Azure Subscription / Resources"] A@{ shape: rounded} B@{ shape: rounded} C@{ shape: rounded} D@{ shape: rounded} style A fill:#457DDF,color:#f7f7f7,stroke-width:0px,stroke-dasharray:0 style B fill:#457DDF,color:#f7f7f7,stroke-width:0px,stroke-dasharray:0 style C fill:#457DDF,color:#f7f7f7,stroke-width:0px,stroke-dasharray:0 style D fill:#457DDF,color:#f7f7f7,stroke-width:0px,stroke-dasharray:0

flowchart TB A["Azure DevOps Pipeline"] -- uses --> B["Azure DevOps Service Connection"] B -- authenticates with --> C["App Registration"] C -- access granted by RBAC --> D["Azure Subscription / Resources"] A@{ shape: rounded} B@{ shape: rounded} C@{ shape: rounded} D@{ shape: rounded} style A fill:#457DDF,color:#f7f7f7,stroke-width:0px,stroke-dasharray:0 style B fill:#457DDF,color:#f7f7f7,stroke-width:0px,stroke-dasharray:0 style C fill:#457DDF,color:#f7f7f7,stroke-width:0px,stroke-dasharray:0 style D fill:#457DDF,color:#f7f7f7,stroke-width:0px,stroke-dasharray:0

Step 1: Create an App Registration in Azure

Navigate to the Azure Portal -> Search for Microsoft Entra ID
Select App Registrations from the left menu
Click New Registration
- Name: azure-devops-service-principal
- Supported account types: Single tenant only (default)
- Redirect URI: leave blank
Click Register. You will now see:
- Application (client) ID
- Directory (tenant) ID
Under Certificates & Secrets -> Client Secrets -> New Client Secret
- Give a description: secret-azure-devops-service-principal
- Select an expiration and click Add
- Copy the secret value (you won’t see it again)
Assign permissions:
- Navigate to your subscription -> Access control (IAM) -> Add -> Add role assignment
- For simplicity choose Privileged Administrator Roles -> Contributor for broad deployments at the subscription level
- Click on Select Members and choose your App Registration
- Click on Review + Assign

Tip: Keep the App Registration’s permissions scoped only to what you need (e.g. resource group instead of full subscription) to follow least privilege best practices.

Step 2: Create a Service Connection in Azure DevOps

Go to your Azure DevOps Project -> Project Settings -> Service connections
Click New service connection -> Choose Azure Resource Manager
- Identity type: App registration or managed identity (manual)
- Credential: Secret
- Environment: Azure Cloud
- Scope Level: Subscription
- Subscription ID: Your Azure Subscription ID
- Subscription name: Your Azure Subscription Name
- Application (client) ID: Your App Registration (client) ID (listed on the app registration)
- Directory (tenant) ID: Your Directory (tenant) ID (listed on the app registration)
- Credential: Service principal key
- Client secret: Your client secret copied earlier
- Service Connection Name: azure-devops-service-connection
Verify and save

Now Azure DevOps can authenticate to Azure using this Service Connection.

Step 3: Test the Service Connection with a Pipeline

First we will ensure you have a Git repository initialized in your Azure DevOps project:

Go to your Azure DevOps Project -> Repos
- If you see an option to Initialize main branch -> Click Initialize
Go to your Azure DevOps Project -> Pipelines
- Click New Pipeline
- Choose Azure Repos Git for source code
- Select the repository where you want to store the pipeline yaml file
- Click on Starter Pipeline
- Use the following yaml code to create the pipeline:

trigger: none

pool:
 vmImage: 'ubuntu-latest'

steps:
- task: AzureCLI@2 # Azure CLI task to verify service connection by showing subscription info
 inputs:
 azureSubscription: 'azure-devops-service-connection'
 scriptType: 'bash'
 scriptLocation: 'inlineScript'
 inlineScript: |
 echo "Checking Azure login..."
 az account show

Click on Save and run
Click on Approve if prompted for any approvals to service connections

Once the pipeline run is successful, the AzureCLI task will print subscription details on the pipeline logs.

Wrap-Up

You’ve just:

Learned what an App Registration is
Created one in Azure with RBAC permissions
Configured a Service Connection in Azure DevOps
Validated it with a pipeline

This setup is the foundation of every Azure deployment using Azure DevOps. Remember to scope your App Registration’s permissions to the minimum needed to ensure a secure, production-ready setup.

In a subsequent post, we will use this connection to deploy a simple Bicep template into Azure.