One of the goals I have with DevOps Utopia is to make it easy for people to join as a contributor and a reader. This should give people access to both the Azure DevOps project and the Azure portal with the correct permissions.
The way I configured this is to link both my Azure subscription and my Azure DevOps organization to one Azure Active Directory tenant, create some groups and set the correct permissions. In this blog post I show you how.
Creating the Azure Active Directory
Creating a new Azure Active Directory in the Azure portal is quite simple. Make sure you have an existing Azure subscription (a trial, free credits from your Visual Studio subscription or a paid subscription). Just follow these steps and you have a new tenant.
Connecting Azure DevOps to Azure Active Directory
Microsoft has two types of accounts that you can use to create an Azure DevOps organization:
- Microsoft account such as @outlook.com, @hotmail.com
- Work/school account such as @wouterdekort.com or @sogeti.com
If you create your Azure DevOps organization with a Microsoft account, your organization is not backed by Azure Active Directory. If you create your organization with a work/school account, the organization is linked to that account's AAD tenant automatically.
For Utopia, I created the organization Utopia-Demo with my @outlook.com account. I then connected the organization to my new tenant by going to the organization settings and selecting the Azure Active Directory tab:
Make sure to read the detailed steps. Especially when you have existing users and content in your organization, you want to make sure you don't accidentally lock people out: once the organization is connected, only identities that exist in the tenant (members or invited guests) can sign in.
I've then created two groups in my AAD, Utopia – Contributors and Utopia – Readers:
Both groups get access to the Azure resources. I have several resource groups that contain the test and production environments of Utopia and other resources such as SonarQube. For every resource group I added Utopia – Contributors and Utopia – Readers:
If I now invite a user to one of the two groups they get an email inviting them to the Azure Active Directory tenant. After accepting the invitation they can log on to the Azure portal and see the resource groups.
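The same group and role setup, scripted with the Az PowerShell module so it can be re-run whenever a resource group is added. This is an added example, not code from the post: it assumes Az.Accounts and Az.Resources are installed, that the Utopia resource groups share a name prefix (placeholder `Utopia-`), and that the two groups hold the built-in Contributor and Reader roles; the tenant and subscription IDs are placeholders. The group names use a plain hyphen; use whatever display names you created.

```powershell
# Added example (not from the original post): create the two AAD groups, grant them
# Reader / Contributor on every Utopia resource group, and check that nobody holds a
# direct (non-group) assignment. Requires Az.Accounts and Az.Resources and an account
# that may create groups in the tenant and assign roles in the subscription.

$TenantId       = '00000000-0000-0000-0000-000000000000'   # placeholder
$SubscriptionId = '11111111-1111-1111-1111-111111111111'   # placeholder
$RgPrefix       = 'Utopia-'                                 # assumption: Utopia RGs share this prefix

Connect-AzAccount -Tenant $TenantId -Subscription $SubscriptionId | Out-Null

# Group display name -> built-in Azure RBAC role it gets on each resource group.
$GroupRoles = @{
    'Utopia - Contributors' = 'Contributor'
    'Utopia - Readers'      = 'Reader'
}

function Get-OrCreateGroup([string]$DisplayName) {
    # Idempotent: reuse the group when it already exists, otherwise create a security group.
    $g = Get-AzADGroup -DisplayName $DisplayName
    if (-not $g) {
        $nick = ($DisplayName -replace '[^A-Za-z0-9]', '').ToLower()   # mail nickname is mandatory
        $g = New-AzADGroup -DisplayName $DisplayName -MailNickname $nick -SecurityEnabled
    }
    return $g
}

$groups = @{}
foreach ($name in $GroupRoles.Keys) { $groups[$name] = Get-OrCreateGroup $name }

$rgs = Get-AzResourceGroup | Where-Object ResourceGroupName -like "$RgPrefix*"
foreach ($rg in $rgs) {
    foreach ($name in $GroupRoles.Keys) {
        $role     = $GroupRoles[$name]
        $objectId = $groups[$name].Id
        # Only add the assignment when it is missing, so the script can be re-run safely.
        $existing = Get-AzRoleAssignment -ObjectId $objectId -ResourceGroupName $rg.ResourceGroupName -RoleDefinitionName $role
        if (-not $existing) {
            New-AzRoleAssignment -ObjectId $objectId -RoleDefinitionName $role -ResourceGroupName $rg.ResourceGroupName | Out-Null
            "Granted $role on $($rg.ResourceGroupName) to '$name'"
        }
    }
}

# Check: all access should flow through the two groups. Any role assignment whose principal
# is a user (at any scope in the subscription) bypasses that model and deserves a look.
$direct = Get-AzRoleAssignment | Where-Object ObjectType -eq 'User'
if ($direct) {
    Write-Warning 'Direct user role assignments found (expected: none):'
    $direct | Format-Table DisplayName, RoleDefinitionName, Scope -AutoSize
}
```

Adding a person afterwards is a single call, `Add-AzADGroupMember -TargetGroupObjectId <group id> -MemberUserPrincipalName <upn>`, once they exist in the tenant; the guest invitation itself is done in the portal or through the Microsoft Graph invitations API, which this script does not cover. Assigning the roles per resource group, as the post does, means a resource group created later starts with no access until the script runs again; assigning the two groups at subscription scope instead would avoid that, at the cost of giving contributors the whole subscription.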
Azure DevOps permissions
In Azure DevOps I’ve used group rules to import the users from the two AAD groups, assign an Access level and add them to a team project.
Here you see that all users in the Utopia – Readers group automatically get a Basic access level and are assigned to the Project Readers group of project Utopia.
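The same group rule can be created outside the portal with the Azure DevOps Group Entitlements REST API, which is useful when you want the Readers and Contributors rules under source control. This is an added example, not code from the post: it assumes the organization `Utopia-Demo` and project `Utopia` from the post, a placeholder object id for the Utopia – Readers group in AAD, and a personal access token with the Member Entitlement Management (Read & Write) scope supplied through the `AZDO_PAT` environment variable. The request body follows the GroupEntitlement schema as I understand it; check it against the current API reference before relying on it.

```powershell
# Added example (not from the original post): create a group rule that gives an AAD group
# Basic access and Project Readers membership in one project, via the Group Entitlements API.
# PAT comes from the environment so it never lands in the script or in source control.

$Org        = 'Utopia-Demo'                             # from the post
$Project    = 'Utopia'                                  # from the post
$AadGroupId = '22222222-2222-2222-2222-222222222222'    # placeholder: object id of "Utopia - Readers" in AAD
$ApiVersion = '7.1-preview.1'

if (-not $env:AZDO_PAT) { throw 'Set AZDO_PAT to a personal access token; do not hard-code it here.' }
$auth    = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(":$($env:AZDO_PAT)"))
$headers = @{ Authorization = "Basic $auth" }

# Project entitlements reference the project by id, so resolve the name first.
$proj = Invoke-RestMethod -Headers $headers -Uri "https://dev.azure.com/$Org/_apis/projects/${Project}?api-version=7.1"

# The rule: AAD group -> Basic access ('express' is the API name for Basic) -> Project Readers in Utopia.
# groupType values I rely on here: projectReader, projectContributor, projectAdministrator, projectStakeholder.
$rule = @{
    group               = @{ origin = 'aad'; originId = $AadGroupId; subjectKind = 'group' }
    licenseRule         = @{ accountLicenseType = 'express'; licensingSource = 'account' }
    projectEntitlements = @(
        @{ group = @{ groupType = 'projectReader' }; projectRef = @{ id = $proj.id } }
    )
}

# TestApplyGroupRule validates without changing anything; switch to ApplyGroupRule to create the rule.
$ruleOption = 'TestApplyGroupRule'
$uri = "https://vsaex.dev.azure.com/$Org/_apis/groupentitlements?ruleOption=$ruleOption&api-version=$ApiVersion"
$result = Invoke-RestMethod -Method Post -Headers $headers -ContentType 'application/json' `
    -Uri $uri -Body ($rule | ConvertTo-Json -Depth 6)

# operationResult carries isSuccess and any errors for the rule.
$result.operationResult
```

Run it once with `TestApplyGroupRule` and read the errors before switching to `ApplyGroupRule`; a rule that names a group the organization cannot resolve in the connected tenant fails at this step rather than silently granting nothing.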
And that’s it
Inviting people to Utopia is now a one-step process, and all permissions in both Azure DevOps and Azure are in place.
Now that the basics are done and the first people have joined, I can continue working on adding new DevOps features!