Creating an Azure Container Registry Service Connection in Azure DevOps with your own ServicePrincipal

A while ago, I blogged about creating an Azure Container Registry Service Connection in Azure DevOps, using the UI. In short, when you don’t have direct permission on the Azure subscription, the UI in Azure DevOps blocks you from creating a service connection, because there is no manual way of doing that.

My previous post described how to work around that. However, this uses the admin user of the ACR. That is not always what we want. Sometimes we want to use an existing or new ServicePrincipal to give explicit rights.

Today I ran into this problem again, and now I don’t have the admin user. Luckily for me, we have the REST API, but this is not very well documented.

The code snippet below shows how to create a ServiceConnection to an ACR with a ServicePrincipal, using the REST API.

Post the following JSON payload to the endpoint below, sending a valid Basic Access Token:

    {organization}/{project}/_apis/serviceendpoint/endpoints?api-version=5.1-preview.2

{
    "authorization": {
        "scheme": "ServicePrincipal",
        "parameters": {
            "loginServer": "<ACRSERVER>",
            "servicePrincipalId": "<APPLICATIONid OF SPN>",
            "tenantId": "<TENANTID>",
            "serviceprincipalkey": "<SPN kEY>"
        }
    },
    "description": "",
    "name": "Name of Connection",
    "type": "dockerregistry",
    "url": "https://<ACRSERVER>",
    "isShared": false,
    "owner": "library",
    "data": {
        "registryId": "/subscriptions/<SUBSCRIPTIONID>/resourceGroups/<RESOURCEGROUP>/providers/Microsoft.ContainerRegistry/registries/<ACRSERVER>",
        "registrytype": "ACR",
        "spnObjectId": "",
        "subscriptionId": "<SUBSCRIPTIONID>",
        "subscriptionName": "<SUBSCRIPTIONNAME>"
    }
}

This will probably help. If you want to have more REST snippets, take a look in my post here.
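
The following Python script is an added example, not code from the original post: it builds the payload shown above from arguments, masks the ServicePrincipal key before anything is logged, and posts the body with Basic authentication. The `https://dev.azure.com` host, the use of a personal access token as the Basic credential, and all environment variable names are assumptions.

```python
import base64
import json
import os
import urllib.request

API_VERSION = "5.1-preview.2"  # version used in the post


def build_payload(name, acr_server, registry_id, spn_app_id, spn_key,
                  tenant_id, subscription_id, subscription_name):
    """Service connection body from the post, filled from arguments."""
    auth = {"loginServer": acr_server, "servicePrincipalId": spn_app_id,
            "tenantId": tenant_id, "serviceprincipalkey": spn_key}
    data = {"registryId": registry_id, "registrytype": "ACR", "spnObjectId": "",
            "subscriptionId": subscription_id,
            "subscriptionName": subscription_name}
    return {"authorization": {"scheme": "ServicePrincipal", "parameters": auth},
            "description": "", "name": name, "type": "dockerregistry",
            "url": f"https://{acr_server}", "isShared": False,
            "owner": "library", "data": data}


def build_request(organization, project, pat, payload):
    """Build (not send) the POST. Basic auth is base64(':' + PAT), an assumption."""
    url = (f"https://dev.azure.com/{organization}/{project}"  # assumed host
           f"/_apis/serviceendpoint/endpoints?api-version={API_VERSION}")
    token = base64.b64encode(f":{pat}".encode()).decode()
    return urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/json"})


def redacted(payload):
    """Deep copy that is safe to log: the ServicePrincipal key is masked."""
    copy = json.loads(json.dumps(payload))
    copy["authorization"]["parameters"]["serviceprincipalkey"] = "***"
    return copy


if __name__ == "__main__":
    env = os.environ  # hypothetical variable names; keeps secrets out of the script
    body = build_payload("acr-spn", env["ACR_SERVER"], env["ACR_ID"],
                         env["SPN_APP_ID"], env["SPN_KEY"], env["TENANT_ID"],
                         env["SUB_ID"], env["SUB_NAME"])
    print(json.dumps(redacted(body), indent=2))
    req = build_request(env["AZDO_ORG"], env["AZDO_PROJECT"], env["AZDO_PAT"], body)
    with urllib.request.urlopen(req) as resp:
        print(resp.status)
```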
