0
votes

According to the documentation, you can create a service connection to Azure which allows users to have access to all resource groups of the given subscription, or which limits them to a certain resource group:

Resource Group: Leave empty to allow users to access all resources defined within the subscription, or select a resource group to which you want to restrict users' access (users will be able to access only the resources defined within that group).

So, if you want to give access to a certain webapp ONLY, the available option is to create a new service principal, give it access to the resource and configure it on the service connection.

Is there any way of doing this without creating a new service principal? I mean: it would be nice to have the option of selecting the resource (and not only the resource group) when creating a service connection with automated security, but obviously it's not available.

We are planning to move a LOT of webapps (managed by different teams) to Azure, and creating a new principal for each one (in order to guarantee that the owner team is the only one allowed to deploy) does not seem practical.

Regards.


1 Answer

0
votes

I am afraid it is impossible to restrict deployment to a specific web app to the owner team only using a service connection, because there is no way to restrict access to a specific web app in a resource group in an Azure DevOps service connection, except by creating a new service principal for each web app.

Currently, you will have to create a new service principal for each web app. You can submit a User Voice request (click "Suggest a feature" and choose Azure DevOps) to the Microsoft development team. Hope they will consider adding this feature in a future sprint.
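The one-principal-per-web-app approach described in the answer can be scripted so that it scales to many apps. This is an added example, not part of the original thread: the subscription ID, the inventory entries, the `sp-deploy-<team>-<app>` naming scheme and the choice of the built-in Website Contributor role are assumptions.

```shell
#!/bin/sh
# Added example: one service principal per web app, scoped to that app only.
# All IDs and names below are constructed placeholders, not values from the thread.
set -eu

SUBSCRIPTION_ID="00000000-0000-0000-0000-000000000000"  # placeholder
ROLE="Website Contributor"                              # assumed role choice

# Constructed inventory, one entry per app: team:resource-group:webapp
APPS="
team-a:rg-shared:webapp-orders
team-b:rg-shared:webapp-billing
"

# ARM resource ID of a single web app, used as a resource-level RBAC scope.
webapp_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Web/sites/%s' "$1" "$2" "$3"
}

# Conservative allow-list so no field can alter the structure of the scope.
valid_name() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print the az command (default) or run it (APPLY=1) for one inventory entry.
provision() {
  team=${1%%:*}; rest=${1#*:}; rg=${rest%%:*}; app=${rest#*:}
  for f in "$team" "$rg" "$app"; do
    valid_name "$f" || { echo "skip invalid entry: $1" >&2; return 1; }
  done
  scope=$(webapp_scope "$SUBSCRIPTION_ID" "$rg" "$app")
  name="sp-deploy-$team-$app"
  if [ "${APPLY:-0}" = 1 ]; then
    az ad sp create-for-rbac --name "$name" --role "$ROLE" --scopes "$scope"
  else
    printf "az ad sp create-for-rbac --name '%s' --role '%s' --scopes '%s'\n" "$name" "$ROLE" "$scope"
  fi
}

provision_all() {
  rc=0
  for line in $APPS; do provision "$line" || rc=1; done
  return $rc
}

provision_all
```

When run with `APPLY=1`, each `az ad sp create-for-rbac` call returns the principal's `appId`, `password` and `tenant`, which are the values entered into that team's manually configured service connection. Because the role assignment is scoped to the single `Microsoft.Web/sites` resource, each principal has no rights on the other apps in the same resource group.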