Using a Service Principal to authenticate to Azure DevOps (in-app)
The following article will help you configure a service principal to use with your Azure DevOps instance. This article assumes you already have at least ONE Azure DevOps organisation added.
Before Microsoft supported Service Principals, Backrightup used a "service account" based model. Using Microsoft Service Principals over service accounts to connect to Azure services is now considered better practice because:
Security: Service principals use secure methods like certificate-based authentication and allow for least privilege access, reducing security risks.
Manageability: They can be managed programmatically, integrate with Azure RBAC for easy permission management, and offer better auditing and monitoring capabilities.
Compliance: Service principals support separation of duties and enforce organizational policies more effectively.
Scalability and Flexibility: Designed for applications and automation, they are scalable and can operate across multiple Azure tenants.
Improved Identity Management: Azure managed identities simplify and secure identity lifecycle management.
1. Log in to your Backrightup dashboard and navigate to your settings:
2. Navigate to the "Integration settings"
3. Click the "Use service principal" button
4. Navigate to Microsoft Entra ID and create a new service principal account (Microsoft Entra ID App)
The best way to create the service principal is to follow the Microsoft guide here.
Note: You do not need to add a "Redirect Uri"
Note: There is also NO requirement to add any roles to the application.
5. Setting up Authentication for your Service principal
Backrightup supports Option 3 - Using a secret
Browse to Identity > Applications > App registrations, then select your application.
Select Certificates & secrets.
Select Client secrets, and then select New client secret.
Provide a description of the secret, and a duration.
Select Add.
Make a note of the secret.
6. Add the Service Principal to Azure DevOps
Navigate to your "Organisation settings" in Azure DevOps (bottom left on home page of your DevOps instance) and then Users:
Add your Entra ID app in the users section. "Access Level" should be "Basic + Test plans".
Navigate to "Permissions" in the left-hand menu of the Organisation Settings. Navigate to the "Project Collection Administrators" group and add the service principal to this group:
7. Add the details to Backrightup
Add the secret, tenant id and client id to Backrightup.
The client id can be found on the App overview page (Application Id)
The tenant Id can be found by navigating to the home page of your Entra ID (Overview page)
Add these details to Backrightup:
8. Click "Use Service principal"
Once you click "Use Service principal", Backrightup will attempt to connect to your Azure DevOps instance and read data. Any errors will be reported in the UI.
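To check the secret, tenant id and client id from step 7 before entering them, this added example (not Backrightup's or Microsoft's code) builds the OAuth 2.0 client-credentials request for an Azure DevOps token and inspects the returned token's claims. The tenant and client values are constructed placeholders, the scope uses the well-known Azure DevOps resource ID, and the claim names (`aud`, `tid`, `appid`/`azp`, `exp`) are assumed from standard Entra ID access tokens.

```python
import base64, json, time, urllib.parse, urllib.request

# Well-known Entra ID application ID of the Azure DevOps resource.
AZDO_RESOURCE = "499b84ac-1321-427f-aa17-267ca6975798"

def token_request(tenant_id, client_id, client_secret):
    """Build the client-credentials request (URL, form body) for an Azure DevOps token."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": f"{AZDO_RESOURCE}/.default"}
    return url, urllib.parse.urlencode(form).encode()

def fetch_token(tenant_id, client_id, client_secret):
    """Network call: exchange the client secret for an access token."""
    url, body = token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)["access_token"]

def claims(jwt):
    """Decode the JWT payload for inspection only (signature is not verified)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_token(jwt, tenant_id, client_id, now=None):
    """Return a list of problems; an empty list means the token matches the inputs."""
    c, now, problems = claims(jwt), now or time.time(), []
    if AZDO_RESOURCE not in str(c.get("aud", "")):
        problems.append("audience is not Azure DevOps")
    if c.get("tid") != tenant_id:
        problems.append("tenant id mismatch")
    if client_id not in (c.get("appid"), c.get("azp")):  # v1 or v2 token claim
        problems.append("client id mismatch")
    if c.get("exp", 0) <= now:
        problems.append("token expired")
    return problems

def constructed_jwt(payload):
    """Build an unsigned sample token so the checks can be run offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(payload)}.sig"

if __name__ == "__main__":
    tenant = "11111111-1111-1111-1111-111111111111"  # constructed placeholder
    client = "22222222-2222-2222-2222-222222222222"  # constructed placeholder
    sample = constructed_jwt({"aud": AZDO_RESOURCE, "tid": tenant,
                              "appid": client, "exp": time.time() + 3600})
    print(check_token(sample, tenant, client) or "token matches the values entered")
```

With real values, pass the result of `fetch_token(...)` to `check_token(...)`; read the secret from an environment variable or a secrets store rather than hard-coding it.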
Updated on: 14/06/2024