Service Connection with Management Group Scope #11151

Closed
jreed14 opened this issue Aug 19, 2019 · 23 comments

Comments

@jreed14

jreed14 commented Aug 19, 2019

When using an Azure DevOps Service Connection that is scoped for a Management Group I'm not able to use the Azure CLI task. It appears part of the out of box task (excluding any commands or scripts specified) on the Azure CLI step is to:

  1. Set Active Cloud
  2. az login with service principal associated with the service connection
  3. Perform an az account set to a subscription

Step #3 fails when the service connection is scoped for a management group because there is no subscription specified. It runs:

az account set --subscription

The whole pipeline fails before even getting to specified code or script in the CLI task.

@bishal-pdMSFT
Contributor

@jreed14 Management group scope service connection is not supported for Azure CLI task currently, and I am not aware of any immediate plan to add this support. But this is something we should do.

@pulkitaggarwl to add this to backlog and plan.

@bhicks329

@bishal-pdMSFT - What would be the recommended alternative approach until this is hopefully implemented?

@bishal-pdMSFT
Contributor

@bhicks329 no good alternative other than using a Subscription/Resource group scoped service connection.
Another option would be to use bash/powershell task and login using a script.
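
The script-login workaround mentioned above, as an added example (not code from the AzureCLI task or from anyone in this thread): it performs the three steps from the original report but runs `az account set` only when a subscription is configured. `AZ_CLIENT_ID`, `AZ_CLIENT_SECRET`, `AZ_TENANT_ID`, `AZ_SUBSCRIPTION_ID` and `AZ_CLOUD` are assumed names for secret pipeline variables mapped into the step's environment.

```shell
#!/bin/sh
# Added example: service principal login for a script step that must also
# work when the principal is scoped to a management group.
# All AZ_* variable names are assumptions, not names defined by the task.

az_sp_login() {
  # Credentials come from the environment, never from the script text.
  if [ -z "${AZ_CLIENT_ID:-}" ] || [ -z "${AZ_CLIENT_SECRET:-}" ] \
     || [ -z "${AZ_TENANT_ID:-}" ]; then
    echo "AZ_CLIENT_ID, AZ_CLIENT_SECRET and AZ_TENANT_ID must be set" >&2
    return 2
  fi

  # 1. Set the active cloud.
  az cloud set --name "${AZ_CLOUD:-AzureCloud}" || return 1

  # 2. Log in. --allow-no-subscriptions lets the login succeed when the
  #    principal has tenant or management-group access but no subscription.
  az login --service-principal \
    --username "$AZ_CLIENT_ID" \
    --password "$AZ_CLIENT_SECRET" \
    --tenant "$AZ_TENANT_ID" \
    --allow-no-subscriptions --output none || return 1

  # 3. Select a subscription only if one was supplied, so the script never
  #    issues `az account set --subscription` with an empty value.
  if [ -n "${AZ_SUBSCRIPTION_ID:-}" ]; then
    az account set --subscription "$AZ_SUBSCRIPTION_ID" || return 1
  else
    echo "no subscription configured; staying at management-group scope" >&2
  fi
}
```

Call `az_sp_login` at the top of the bash step, then run the step's own `az` commands; mark the secret variable as secret in the pipeline so it is masked in logs.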

@Lutando

Lutando commented Jan 23, 2020

This is a pretty big problem to have with no workaround.

So I have only one option. Use multiple service connections that are scoped to the subscription. This is quite a loss of agility for what management groups provide big orgs.

@thepaulmacca

I've just come across this page due to me noticing that this doesn't work for ARM service connections scoped to a Management Group either (unless I'm missing something, but it works if I scope it to an individual subscription).

I'm currently trying to learn how Management Groups work to improve governance across Dev/Prod subscriptions, and this is a bit of an issue when we're being advised to use Management Groups to improve governance, but then they don't work in scenarios like this.

@andrenelnz

andrenelnz commented Apr 19, 2020

I've also confirmed this is still an issue. Has this issue been added to the backlog since February? Having this feature would mean a lot to us as well. @bishal-pdMSFT could you or @pulkitaggarwl please provide an update?

@bishal-pdMSFT
Contributor

@pulkitaggarwl can you please take a look here?

@bishal-pdMSFT
Contributor

By the way if you specify a valid subscriptionId input then it should just work even if service connection is that management group scope.
Currently the task only works in subscription context and hence it is a required input.

@jsco2t

jsco2t commented May 1, 2020

> By the way if you specify a valid subscriptionId input then it should just work even if service connection is that management group scope.
> Currently the task only works in subscription context and hence it is a required input.

Hi @bishal-pdMSFT I tried passing a subscriptionId on input to the AzureCLI pipeline task - but I am still not seeing any impact.

Here is what I am trying:

- task: AzureCLI@2
  displayName: Create Resource Group
  inputs:
    azureSubscription: "$(AZServiceConnection)"
    subscriptionId: '$(SubscriptionId)'    # <-- tried this
    subscriptionName: '$(SubscriptionId)'  # <-- and this
    scriptType: pscore
    scriptLocation: inlineScript
    inlineScript: |
      Write-Host "[INFO] Creating something in Azure!"

Is there something I am doing wrong here? Or maybe I'm not following your work-around?

@cysecops

cysecops commented May 6, 2020

FYI the azure resource group deployment (ARM Template) supports management groups if you use version 3 (preview). Still waiting on CLI support

@bishal-pdMSFT
Contributor

Thanks to @mbrancato a PR is out for adding this support. Please see if the PR is sufficient to handle this issue.

@iamalexmang

@bishal-pdMSFT is there an update to this?
What is the current possible way (preview or otherwise) to use a management group scoped service connection in an Azure CLI task? PR !12516 is currently merged to master. Based on the commits for this PR, the --allow-no-subscription parameter is used, but I'm failing on understanding which is the right input parameter to properly log in.

@wcc8088

wcc8088 commented Nov 3, 2020

Same issue. Save me please.
Support for Azure Management Group in Azure CLI V2 task (#12922)

@jasric89

I'm having the same issue. When will this be fixed? I'm having to recode my whole pipeline in terraform because I can't pass a simple variable value from a PowerShell script that does some stuff before my pipeline runs...

Does PR 12922 work for Management Group and Azure CLI, or just ARM?

@felickz

felickz commented Jun 9, 2021

Same issue with the Azure File Copy task

Cannot choose a service connection that is scoped to a management group, even though it has contrib permissions to the underlying subscription.

@thepaulmacca

Wow can't believe this is still open 😆

@NinadKavimandan
Contributor

Hi 👋
I started looking into this issue again and wanted to understand the repro steps.
I created a service connection with SP having scope to a management group, added a PowerShell script doing a simple operation:

image

Per the above discussion, it seems the task used to fail even before reaching the script. But the script ran without any issues for me. Can I get some repro steps?

@felickz Are you still facing the issue? Can you provide details?

@AbyTJoseph

AbyTJoseph commented Jan 22, 2022

Hi @NinadKavimandan 👋
I was able to set up a Build (CI) YAML Pipeline like you have mentioned and was able to get an authenticated CLI with Service connection - SP that is scoped at the Management group level, i.e. it seems it works via YAML.
However, the Release Pipeline using the Classic Release Editor of the Azure CLI task still doesn't seem to list any Service connections that are scoped at the Management level.

@bishal-pdMSFT: Seems you too had encountered the same issue, that the Release editor wasn't displaying the Management scoped Service Connections in the dropdowns. Was there a fix for the issue or an alternative? Seems the issue still exists. @mbrancato

@github-actions

This issue is stale because it has been open for 180 days with no activity. Remove the stale label or comment on the issue otherwise this will be closed in 5 days

@CamiloTerevinto

Hey @NinadKavimandan, I see this was auto-closed about 11 months ago, but this is still not done? Can we get an update on this please?

@azarchitect2024

Please folks, can this thread be re-opened? It seems the limitation still persists :(

@Rologics

Anything happening yet in the backend on this one?

@Rologics

@NinadKavimandan any update would be much appreciated
