Limit octopus server to a specific azure webapp


Is there any way to limit the access from the octopus server to the azure account so it can only list the webapps I want not all of them?

I have tried with “Azure subscription” & “Service Principal” but still, I can see all the webapps in the list when setting up the "Deploy to an azure web app " step. Is the “Service Principal” the way to go to achieve this?


Hi Ale,

Thanks for getting in touch! In Azure, you can set the permissions of your Service Principal account. Is it currently set at the subscription level? If so, you can instead set it at the resource group level which will in turn display only web apps within that group in Octopus. I’ll refer to Microsoft’s documentation which outlines Service Principal account setup. The Assign application to role section shows how you can set the account up to be a contributor on specific resource groups, rather than at the subscription level. When you get to the Access Control (IAM) step, the setup is identical, just at a different scope.

Let me know how you go, and if you have any further questions!


Hi Kenny,

Thanks for your answer, I managed to get it working, the only confusing part is that by default the PowerShell script you have in the octopus docs assign the new app to be a contributor at the subscription level.

Once I realised that… then all good. :slight_smile:

Quick note, if you want to assign the app to a specific resource group in the Access Control (IAM) section you have to type the full name of the app otherwise, it won’t appear in the list and by default, azure shows you a list of existing users.