Create, Build, Deploy and Configure an Azure App Service with Azure DevOps and Azure CLI

This post shows how to create, build, deploy and configure an Azure App Service using Azure DevOps, Azure CLI and Powershell. An Azure Service is created in Azure using Azure DevOps with Azure CLI and Powershell. The Azure App Service is created and built using ASP.NET Core and Visual Studio. This solution is deployed to the Azure infrastructure using a second Azure DevOps Pipeline. The Azure App Service configuration settings is configured to use Azure Key Vault for secrets and the settings directly.

Create Azure Infrastruture for the Azure App Service

The Azure infrastructure is created using an Azure DevOps Pipeline which connects to an Azure Key Vault and in a second task executes a Powershell script which creates the Azure infrastructure. See Use Azure Key Vault for Secrets in Azure DevOps Pipelines for details.

  vmImage: 'ubuntu-latest'

  - stage: AzureCliPowershell
    displayName: "Azure CLI with Powershell"
      - job: CreateAzureAppServiceInfra
        - task: AzureCLI@2
          displayName: "Create App Service"
            azureSubscription: 'Visual Studio Enterprise(777...)'
            scriptType: 'pscore'
            scriptLocation: 'scriptPath'
            scriptPath: 'azure-infra-pipelines.ps1'

The Powershell script creates the Azure Infrastruture for the Azure App Service. Once to Azure App Service is created, an identity is created for this, and the identity is used then to allow the App Service to use secrets from the Key Vault.

$keyVaultName = "damienbod"
$keyVaultMySecret =  az keyvault secret show --name "MySecret" --vault-name $keyVaultName
$keyVaultMySecretId = ($keyVaultMySecret | ConvertFrom-Json).id
$location = "westeurope"
$resourceGroup = "devops-damienbod-rg"
$appServicePlan = "damienbodappserviceplan"
$appServiceName = "damienbodappservice"

Write-Host "Create resource group $resourceGroup"

az group create `
	-l $location `
	-n $resourceGroup

Write-Host "Create App Service Plan $appServicePlan"
az appservice plan create `
	--resource-group $resourceGroup `
	--name $appServicePlan `
	--location $location `
	--sku S1 `
	--number-of-workers 2

Write-Host "Create App Service $appServiceName"

az webapp create `
	--name $appServiceName `
	--resource-group $resourceGroup `
	--plan $appServicePlan

Write-Host "Create App Service Identity $appServiceName"

$appServiceIdentity = az webapp identity assign `
	--name $appServiceName `
	--resource-group $resourceGroup

$objectId = ($appServiceIdentity | ConvertFrom-Json).principalId
Write-Host "Created identity $objectId"

Write-Host "Assigned $appServiceIdentity"

Write-Host "Azure az keyvault set-policy using $objectId"

az keyvault set-policy `
    --name $keyVaultName `
    --secret-permissions get list `
    --output none `
    --object-id $objectId

Create the ASP.NET Core Web API

An ASP.NET Core API project is created which will be deployed to the Azure App Service. This demo is really simple, no database and just uses a value form the Key Vault. The Microsoft.Extensions.Configuration.AzureKeyVault Nuget package is used to access the Azure Key Vault.

<Project Sdk="Microsoft.NET.Sdk.Web">
      Version="3.1.3" />

In the program.cs file, the application initialization is programmed, so that the local development requires no Key Vault, but only when the application is deployed. You could change this to always use a Key Vault if required.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;

namespace AzureAppServiceApi
    public class Program
        public static void Main(string[] args)

        public static IHostBuilder CreateHostBuilder(string[] args) =>
            .ConfigureAppConfiguration((context, config) =>
                var builder = config.Build();
                var keyVaultEndpoint = builder["AzureKeyVaultEndpoint"];
                if (!string.IsNullOrEmpty(keyVaultEndpoint))
                    var azureServiceTokenProvider = new AzureServiceTokenProvider();
                    var keyVaultClient = new KeyVaultClient(
                        new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));

                    IHostEnvironment env = context.HostingEnvironment;

                    config.AddJsonFile("appsettings.json", optional: false, reloadOnChange: true)
                             .AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true, reloadOnChange: true)
            .ConfigureWebHostDefaults(webBuilder =>

The Azure KeyVaultEndpointvalue is added to the local configuration for development. If this has no value, the local app.settings.json file and user secrets are used. You do not want secrets in the source code. You should use User secrets for local development and configure this in the program.cs file. Then local development uses user secrets, a deployed version uses Key Vault.

  "AzureKeyVaultEndpoint": "",
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft": "Warning",
      "Microsoft.Hosting.Lifetime": "Information"
  "AllowedHosts": "*"

For local development, the local.settings.json file is used to add your configurations. User secrets can also be used if required. No secrets should be committed to the repository.

Build, Deploy and Configure the Azure App Service

Now that the Azure App Service project is created and added to a git repository, a second Azure DevOps Pipeline is created for build and deployment. The Pipeline builds, deploys and configures the Azure App Service ASP.NET Core project in different steps. Azure Key Vault and Powershell is used in a third step to configure the app settings. When creating the Pipeline, choose the Azure infrastucture created in the infrastucture Pipeline.

# ASP.NET Core (.NET Framework)
# Build and test ASP.NET Core projects targeting the full .NET Framework.
# Add steps that publish symbols, save build artifacts, and more:

- master

  vmImage: 'windows-latest'

  solution: '**/*.sln'
  buildPlatform: 'Any CPU'
  buildConfiguration: 'Release'

- stage: Build
  displayName: Build stage

  - job: Build
    displayName: Build
    - task: NuGetToolInstaller@1

    - task: NuGetCommand@2
        restoreSolution: '$(solution)'

    - task: DotNetCoreCLI@2
      displayName: "Publish"
        command: publish
        projects: "**/*.csproj"
        arguments: "--configuration $(BuildConfiguration) --output $(Build.ArtifactStagingDirectory)/publish_output"
        zipAfterPublish: True

    - task: VSTest@2
        platform: '$(buildPlatform)'
        configuration: '$(buildConfiguration)'

    - task: AzureRmWebAppDeployment@4
      displayName: "Deploy to Azure"
        ConnectionType: 'AzureRM'
        azureSubscription: 'Visual Studio Enterprise(777...)'
        appType: 'webApp'
        WebAppName: 'damienbodappservice'
        Package: "$(Build.ArtifactStagingDirectory)/publish_output/*.zip"
        UseWebDeploy: true
        RemoveAdditionalFilesFlag: true

- stage: Configure
  displayName: "Configure App settings"
  - job: ConfigureAppSettings
    - task: AzureCLI@2
      displayName: "Add settings"
        azureSubscription: 'Visual Studio Enterprise(777...)'
        scriptType: 'pscore'
        scriptLocation: 'scriptPath'
        scriptPath: 'AddAppSettings.ps1'

The Powershell script uses the Azure Key Vault and the Azure CLI to set the configuration values. Each configuration, app setting would be added in this script. Values from the Key Vault do not need to be added here, as the Key Vault Nuget package takes care of this. The AzureKeyVaultEndpoint is added so that Key Vault is active.

$keyVaultName = "damienbod"
$keyVaultMySecret =  az keyvault secret show --name "MySecret" --vault-name $keyVaultName
$keyVaultMySecretId = ($keyVaultMySecret | ConvertFrom-Json).id
$location = "westeurope"
$resourceGroup = "devops-damienbod-rg"
$appServicePlan = "damienbodappserviceplan"
$appServiceName = "damienbodappservice"

Write-Host "Azure App Service add secrets from the key vault"

az webapp config appsettings set `
    --resource-group $resourceGroup `
    --name $appServiceName `
    --output none `
    --settings `

When the Pipeline is run, and deployed, the API can be opened in the browser, and the secret will be displayed as a demo.



  1. […] Create, Build, Deploy and Configure an Azure App Service with Azure DevOps and Azure CLI (Damien Bowden) […]

  2. Francis Ducharme · · Reply

    Not entirely sure why program.cs needs to be changed. Aren’t we just asking Azure Devops to build the project, take the output and put in the created App Service ? Why does the .Net project itself have to know about devops stuff ? Should it be agnostic to that ?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: