Service connections let Azure DevOps deploy to Azure resources, so how each one is scoped and authenticated matters. Here’s how to set them up properly.
Creating a Service Connection
Project Settings → Service connections → New → Azure Resource Manager
- Automatic: Creates service principal for you
- Manual: Use existing service principal
- Managed Identity: For self-hosted agents
Best Practices
- Use least privilege: Scope to a resource group, not the subscription
- Rotate credentials regularly
- Use separate connections for prod/non-prod
- Enable “Grant access permission to all pipelines” cautiously
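The checklist above can be run as an audit over an inventory of connections. The following is an added example, not code from the original post or from Azure DevOps: the inventory is constructed, its field names (`env`, `sp`, `scope`, `all_pipelines`) are this example's own, and it assumes "separate connections" means prod and non-prod do not share a service principal.

```python
import re
from collections import defaultdict

# ARM role-assignment scope that is a resource group or something inside one.
# A bare subscription or a management group scope does not match.
RG_OR_NARROWER = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+(/.*)?$", re.IGNORECASE)

# Constructed inventory; the schema is hypothetical, not an Azure DevOps export format.
CONNECTIONS = [
    {"name": "web-prod", "env": "prod", "sp": "sp-web-prod",
     "scope": "/subscriptions/0000-1111/resourceGroups/rg-web-prod",
     "all_pipelines": False},
    {"name": "web-dev", "env": "dev", "sp": "sp-shared",
     "scope": "/subscriptions/0000-1111", "all_pipelines": True},
    {"name": "api-prod", "env": "prod", "sp": "sp-shared",
     "scope": "/subscriptions/0000-1111/resourceGroups/rg-api-prod",
     "all_pipelines": False},
]

def audit(connections):
    """Return a sorted list of (connection name, finding) tuples."""
    findings = []
    envs_by_sp = defaultdict(set)
    for c in connections:
        # Collapse environments into two tiers so dev/test/staging count together.
        envs_by_sp[c["sp"]].add("prod" if c["env"] == "prod" else "non-prod")
        if not RG_OR_NARROWER.match(c["scope"]):
            findings.append((c["name"], "scope is wider than a resource group"))
        if c["all_pipelines"]:
            findings.append((c["name"], "open to all pipelines"))
    # Second pass: a principal seen in both tiers taints every connection using it.
    for c in connections:
        if len(envs_by_sp[c["sp"]]) > 1:
            findings.append((c["name"], "principal shared across prod and non-prod"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit(CONNECTIONS):
        print(f"{name}: {finding}")
```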
Workload Identity Federation (Preview)
New in 2019: Federated credentials eliminate secrets entirely. The pipeline authenticates using OpenID Connect – no secrets to manage or rotate.