1
votes

I have a project whose resources are spread across 3 resource groups. I want to create a service connection scoped to all of those resource groups so that I can manage access in one place through that service connection. Currently I have created 3 service connections, each scoped to one resource group. I don't want to scope it to the subscription, since there are other teams handling projects in that subscription. It would give me maintenance and audit issues in the future.

If I create a service principal, assign it to the 3 resource groups and then attach this service principal to a service connection, would that be a good design?

Is there any better way to achieve this?

1
Hi, Venky. Is bbaywet's answer helpful to your issue? Hugh Lin

1 Answers

1
votes

You don't have to create the service principal manually. You can use the interface to create the service principal, grant permissions on the first resource group and configure the connection automatically for you.
Then once it's done, look at the service connection to identify the service principal in use, and give it permissions on the other resource groups.
And yes, it is a good design. The only drawback compared to 3 service principals is that you have less granularity over who in Azure DevOps has access to each of these 3 resource groups via permissions on the service connection(s) (as you only have one and not 3).
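An added example, not part of the answer above: once the single service principal has been granted access to the three resource groups, a check like this confirms it has no subscription-wide or stray assignments. It assumes the input is the JSON printed by `az role assignment list --assignee <sp-object-id> --all -o json`; the subscription ID, resource group names and roles below are constructed placeholders.

```python
import json
import re

# Constructed sample shaped like the az CLI output; none of these values come from the post.
SUB = "00000000-0000-0000-0000-000000000000"
SAMPLE = json.dumps([
    {"roleDefinitionName": "Contributor", "scope": f"/subscriptions/{SUB}/resourceGroups/rg-app"},
    {"roleDefinitionName": "Contributor", "scope": f"/subscriptions/{SUB}/resourcegroups/RG-DATA"},
    {"roleDefinitionName": "Reader", "scope": f"/subscriptions/{SUB}"},
    {"roleDefinitionName": "Contributor", "scope": f"/subscriptions/{SUB}/resourceGroups/rg-other-team"},
])

# Matches a resource-group scope, optionally followed by a resource path inside it.
RG_SCOPE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/([^/]+)(/.*)?$", re.IGNORECASE)


def audit(assignments_json, expected_rgs):
    """Compare a principal's role assignments with the resource groups it should reach."""
    expected = {rg.lower() for rg in expected_rgs}
    seen, too_broad, unexpected = set(), [], []
    for a in json.loads(assignments_json):
        m = RG_SCOPE.match(a["scope"])
        if m is None:
            # Subscription, management group or root scope: wider than any resource group.
            too_broad.append((a["roleDefinitionName"], a["scope"]))
            continue
        rg = m.group(1).lower()  # Azure resource IDs are case-insensitive
        if rg not in expected:
            unexpected.append((a["roleDefinitionName"], a["scope"]))
        elif m.group(2) is None:
            # Only a grant on the group itself counts as covering it;
            # a grant on a single resource inside it does not.
            seen.add(rg)
    return {
        "too_broad": too_broad,
        "unexpected": unexpected,
        "missing": sorted(expected - seen),
    }


if __name__ == "__main__":
    for kind, items in audit(SAMPLE, ["rg-app", "rg-data", "rg-web"]).items():
        print(f"{kind}: {items}")
```

Anything reported under `too_broad` or `unexpected` means the shared service connection reaches beyond the three intended resource groups; `missing` lists groups that still need a role assignment.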