1
votes

I've configured Azure DevOps with a Service Principal to access one specific resource group. I was expecting Azure DevOps would only be able to deploy to resources under this group, but that doesn't seem to be the case. I am able to connect agents from other resource groups and then deploy to them without any issue.

What's the point of configuring Service Principal in 'Azure DevOps' if the agent can bypass all permissions?

Configuration:
Azure Portal
1. Created AD in Azure Portal. Created App under AD with client secret.
2. Granted 'contributor' role to App created in Step-1 with resource group scope.
3. Created two resource groups - RG1 and RG2 with one VM in each.
4. Granted role assignment to App created in step-1 for RG1 only. RG2 has no role assignments.

Azure DevOps
5. Connected the Azure DevOps organization with the Portal using AD connect.
6. Created a service connection by going to Projects -> Service Principal (SP) -> Azure Resource Manager with the Service Principal credentials (see step 1 above).
7. Created new pipeline and deployment group. Copied the deployment group agent code and ran it on both VMs in RG1 and RG2.

Actual Result: Both VMs connected fine as targets under the deployment group. The pipeline was able to deploy successfully to both VMs. Even if no service connections exist, pipelines are able to deploy to the VMs.

Expected Result: Only VM under RG1 should connect based on RBAC. Pipeline should only be able to deploy to VM under RG1 and not RG2. Pipelines shouldn't be able to deploy if service connections are not defined.

Workaround: Maybe installing this extension ( https://github.com/maikvandergaag/msft-extensions/wiki/Azure-RBAC ) would help but I was trying to avoid it if possible.


1 Answers

1
votes

I believe your understanding of RBAC applies to the Azure resources and the VM resources. But you have already overridden the permission by installing the deployment agent on the VM.

In the IaaS scenario, you have already granted permission using the deployment agent.

In the PaaS scenario, RBAC will be adhered to because you will be using a service endpoint.
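The practical consequence of the question's steps 4 and 7 and of the answer's IaaS/PaaS distinction is that the service principal's role assignments bound only what the service connection can do through Azure Resource Manager; a deployment-group agent registers with the personal access token in the registration script and never consults those assignments. A defender who wants to know whether any registered target sits outside the service principal's RBAC scope can compare the targets' VM resource ids against the assignment scopes. The script below is an added example, not code from the question, the answer or Azure DevOps itself; the role-assignment records are constructed to mimic the `scope` and `roleDefinitionName` fields of `az role assignment list` output, and the subscription id, agent names and resource ids are made-up sample values.

```python
"""
Audit deployment-group targets against a service principal's RBAC scope.

Added example (not from the original post). The assignment records copy
the shape of `az role assignment list` output; only `scope` and
`roleDefinitionName` are used. All ids and names below are constructed.
"""
import json

# Constructed sample: assignments held by the app from step 1, which (as in
# step 4) has Contributor on RG1 only. The subscription id is a placeholder.
ROLE_ASSIGNMENTS_JSON = """
[
  {"roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/RG1"}
]
"""

# Constructed sample: targets that registered in the deployment group.
# Registration uses the agent script's PAT, not the service connection, so a
# VM in RG2 (or in a similarly named group such as RG10) can appear here.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
DEPLOYMENT_TARGETS = [
    {"agent": "vm1-agent",
     "resourceId": SUB + "/resourceGroups/RG1/providers/Microsoft.Compute/virtualMachines/vm1"},
    {"agent": "vm2-agent",
     "resourceId": SUB + "/resourceGroups/RG2/providers/Microsoft.Compute/virtualMachines/vm2"},
    {"agent": "vm10-agent",
     "resourceId": SUB + "/resourceGroups/RG10/providers/Microsoft.Compute/virtualMachines/vm10"},
]


def load_assignments(raw=ROLE_ASSIGNMENTS_JSON):
    """Parse role assignments from JSON text (the constructed sample by default)."""
    return json.loads(raw)


def _segments(resource_id):
    # ARM ids are case-insensitive; compare path segments rather than raw
    # string prefixes so that ".../RG1" does not match ".../RG10/...".
    return [s.lower() for s in resource_id.strip("/").split("/")]


def scope_covers(scope, resource_id):
    """True if resource_id lies at or below scope in the ARM hierarchy."""
    s, r = _segments(scope), _segments(resource_id)
    return len(s) <= len(r) and r[: len(s)] == s


def audit_targets(targets, assignments):
    """Map each agent name to the (role, scope) grants that cover its VM.

    An empty list means the service principal holds no RBAC grant for that
    VM, i.e. the target reached the deployment group without RBAC.
    """
    report = {}
    for t in targets:
        report[t["agent"]] = [
            (a["roleDefinitionName"], a["scope"])
            for a in assignments
            if scope_covers(a["scope"], t["resourceId"])
        ]
    return report


def out_of_scope(targets, assignments):
    """Sorted agent names whose VM is not covered by any assignment scope."""
    report = audit_targets(targets, assignments)
    return sorted(agent for agent, grants in report.items() if not grants)


if __name__ == "__main__":
    assignments = load_assignments()
    for agent, grants in audit_targets(DEPLOYMENT_TARGETS, assignments).items():
        print(agent, "covered by" if grants else "OUTSIDE SP SCOPE", grants)
```

Run against real data, the target list would come from the deployment group's agents in Azure DevOps (each agent's VM resource id recorded at registration) and the assignments from `az role assignment list --assignee <appId> --all`; any agent reported as outside scope is one that RBAC on the service connection never constrained, which is exactly the gap the question observed.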