Clean Install from Azure DevOps

When you perform an incremental ARM template release via Azure DevOps, you run the risk that manual adjustments to logic apps or other artifacts, such as Service Bus subscriptions, are overlooked. For that reason it’s a good idea to always start from a clean canvas. As all of your resources are added to a resource group, the easiest approach would be to delete the resource groups in your project. Be careful: authorizations granted at the resource level will be removed along with the resource group, which could be an undesirable side effect. The easy solution to that is to remove all resources in the resource group instead of removing the resource group itself.

The good news is that resource groups referred to in a release pipeline are automatically recreated when they don’t exist. That means resource groups can safely be deleted. It also means you don’t have to run an ARM template to create a resource group. There’s one very important assumption here: the account under which the pipeline runs must have Contributor rights in your subscription. It’s not enough to be Contributor at the resource group level. I mention this because developers are typically in a group with Contributor rights to one or more resource groups. That means you wouldn’t be able to recreate resource groups if your pipelines were running under a developer account.

So, how can we find the account under which the pipeline runs? If you go to Azure DevOps / Project / Project Settings, you will find an option to add one or more service connections. Typically you will make a service connection for Non-Production and a service connection for Production. See also: https://docs.microsoft.com. When you select one of the service connections, you will get to the screen below.

From this screen you can click [Manage Service Principal]. Now you will get to a screen where the related service principal is shown.

You can look up the service principal in Azure Active Directory under App Registrations. As a developer, you will have limited rights in Azure Active Directory. So, first I opened my (non-production/production) subscription. If you select Access Control / Role Assignments, you will find the service principal has Contributor rights at the subscription level. You can do the same for the o/t/a/p resource groups. Select Access Control / Role Assignments and you will find the service principal has Contributor rights at the resource group level.
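
The same role-assignment check can be scripted instead of clicked through. The following is an added example, not part of the original post: it reads JSON shaped like the output of `az role assignment list --all --assignee <appId> -o json` and reports whether a principal holds a role at subscription scope (so it can recreate deleted resource groups) or only at resource group scope. The sample data, IDs and resource group name are constructed placeholders, and treating Owner like Contributor is an assumption.

```python
import json

# Constructed sample shaped like `az role assignment list --all --assignee <appId> -o json`;
# the subscription id, principal ids and resource group name are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
PIPELINE_SP = "11111111-1111-1111-1111-111111111111"
DEVELOPER = "22222222-2222-2222-2222-222222222222"
SAMPLE = json.dumps([
    {"principalId": PIPELINE_SP, "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalId": PIPELINE_SP, "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-example-dev"},
    {"principalId": DEVELOPER, "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-example-dev"},
])

# Assumption: Owner counts as well, since it also permits creating resource groups.
RG_CREATING_ROLES = {"contributor", "owner"}


def scope_level(scope):
    """Classify an ARM scope string as subscription, resourceGroup, resource or other."""
    parts = [p for p in scope.strip("/").split("/") if p]
    if len(parts) < 2 or parts[0].lower() != "subscriptions":
        return "other"  # management group or root scope; not evaluated here
    if len(parts) == 2:
        return "subscription"
    if len(parts) == 4 and parts[2].lower() == "resourcegroups":
        return "resourceGroup"
    return "resource"


def summarize(assignments_json, principal_id):
    """Return (can_recreate_resource_groups, resource_group_names) for one principal."""
    can_recreate, rg_names = False, []
    for a in json.loads(assignments_json):
        if a.get("principalId") != principal_id:
            continue
        if a.get("roleDefinitionName", "").lower() not in RG_CREATING_ROLES:
            continue
        level = scope_level(a.get("scope", ""))
        if level == "subscription":
            can_recreate = True
        elif level == "resourceGroup":
            rg_names.append(a["scope"].rstrip("/").split("/")[-1])
    return can_recreate, sorted(rg_names)


if __name__ == "__main__":
    for pid in (PIPELINE_SP, DEVELOPER):
        print(pid, summarize(SAMPLE, pid))
```

A principal that reports `False` with a non-empty resource group list matches the developer case described above: it can deploy into existing resource groups but cannot recreate one after it has been deleted.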