By using a managed identity, you can grant access to your Azure resources without sharing your credentials. This is particularly useful when you're working with multiple services and want to avoid the hassle of managing multiple sets of credentials.
With a managed identity, you can create a service principal in Azure AD, which can then be used to authenticate with Azure resources. This eliminates the need for explicit credentials, making it easier to integrate your services.
To get started with Azure DevOps Managed Identity, you'll need to create a service principal in Azure AD. This can be done through the Azure portal or using the Azure CLI.
Prerequisites for Authentication
To set up managed identity authentication in Azure DevOps, you'll need to meet two prerequisites.
First, your Azure account needs the Managed Identity Contributor role assignment or higher; this is required to create a user-assigned managed identity.
Second, you need to assign the managed identity access to the resource you want to use it with, so that the identity holds the permissions needed to reach that resource.
Configure Identities
To configure identities in Azure DevOps, you'll first need to decide between a system-assigned or user-assigned managed identity. System-assigned managed identities are tied to the lifecycle of a service instance and can only be used by that instance to request tokens from Microsoft Entra ID.
You can create a system-assigned managed identity directly on a service instance in the Azure portal, or create a user-assigned managed identity as a standalone Azure resource and assign it to one or more instances of an Azure service.
There are two types of managed identities, system-assigned and user-assigned. A user-assigned managed identity is managed separately from the resources that use it: you assign the identity to one or more instances of an Azure service and make sure it is properly configured and secured.
Application Principals
Application Principals are a crucial part of Azure DevOps managed identity, allowing you to control access to your organization's resources.
A service principal is a security object within a Microsoft Entra application that defines what an application can do in a given tenant. They're set up in the Azure portal during the application registration process and configured to access Azure resources, like Azure DevOps.
To authenticate these identities to Azure DevOps, follow these steps: create an application service principal, add the service principal to your Azure DevOps organization, and set permissions on the service principal.
Here are the steps to create an application service principal:
1. Create a new application registration in the Microsoft Entra admin center.
2. Registration creates an application object in Microsoft Entra ID; the application service principal is the representation of that application object in a given tenant.
If you're a Project Collection Administrator (PCA), you can also grant a service principal access to specific projects and assign a license. If you're not a PCA, you must reach out to the PCA to update any project memberships or license access levels.
You can add a service principal to your Azure DevOps organization through the Users page or with the ServicePrincipalEntitlements APIs. To add a service principal, enter the application or managed identity's display name.
Identity
Identity is a crucial aspect of Azure DevOps managed identity. You can create a managed identity in the Azure portal, which differs significantly from setting up applications with service principals.
There are two types of managed identities: system-assigned and user-assigned. A system-assigned managed identity is tied to the lifecycle of a service instance, while a user-assigned managed identity is managed separately from the resources that use it.
Before creating a managed identity, decide which type you need. A system-assigned identity is created directly on the service instance; a user-assigned identity is created as a standalone Azure resource that you then assign to one or more instances of an Azure service.
Once you've created a managed identity, you can use it to acquire an access token for Azure DevOps. To do this, you can follow the Microsoft Entra ID documentation, which provides examples for service principals and managed identities.
The returned access token is a JWT carrying the defined roles; you use it to access organization resources by sending it as a Bearer token in the Authorization header.
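Before sending such a token as Bearer, it is worth checking that it was actually issued for Azure DevOps and has not expired. The following is an added example, not code from the original page or from Microsoft: it decodes the JWT payload (without verifying the signature, which Azure DevOps does server-side), rejects tokens with the wrong audience or an expired `exp`, and builds the request headers. The token it inspects is a constructed sample; `AZURE_DEVOPS_RESOURCE_ID` is the well-known Entra application ID of the Azure DevOps resource.

```python
import base64
import json
import time

# Well-known Microsoft Entra application ID of the Azure DevOps resource;
# a token meant for Azure DevOps carries it (or api://<id>) in its `aud` claim.
AZURE_DEVOPS_RESOURCE_ID = "499b84ac-1321-427f-aa17-267ca6975798"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT; signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_devops_token(token: str, now=None) -> dict:
    """Reject tokens issued for another resource (e.g. Microsoft Graph) or expired."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    aud = claims.get("aud")
    if aud not in (AZURE_DEVOPS_RESOURCE_ID, f"api://{AZURE_DEVOPS_RESOURCE_ID}"):
        raise ValueError(f"token audience {aud!r} is not Azure DevOps")
    if now >= claims.get("exp", 0):
        raise ValueError("token has expired")
    return claims


def bearer_headers(token: str) -> dict:
    """Headers for an Azure DevOps REST call authenticated with an Entra token."""
    check_devops_token(token)
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


def _make_sample_token(claims: dict) -> str:
    # Constructed, unsigned sample for offline use; a real token is signed by Entra.
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.signature-placeholder"


# Constructed sample: audience is Azure DevOps, `oid` is a made-up identity object id.
SAMPLE_TOKEN = _make_sample_token({
    "aud": AZURE_DEVOPS_RESOURCE_ID,
    "oid": "00000000-0000-0000-0000-000000000001",
    "exp": 4102444800,  # 2100-01-01, so the sample stays valid
})
```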
Authentication
Authentication is a crucial aspect of Azure DevOps managed identity. You can use the Microsoft Entra ID token to authenticate to Azure DevOps resources, but there's a technical limitation that prevents displaying service principals in a list of Microsoft Entra ID group members.
Service principals can be added to Microsoft Entra ID groups, but they inherit the group's permissions only if they already belong to the Azure DevOps organization. Because a service principal can't sign in interactively, it must be added to the organization explicitly.
You can't modify a service principal's display name or avatar on Azure DevOps. Service principals count as a license for each organization they get added to, even if multi-organization billing is selected.
Here are some key differences between using service principals and user-assigned managed identities for authentication:
Service principals can't be organization owners or create organizations, and they can't create tokens like personal access tokens (PATs) or SSH Keys. They can, however, generate their own Microsoft Entra ID tokens, which can be used to call Azure DevOps REST APIs.
Workload Federation Booms
Workload identity federation is booming, and organizations are exploring migrating from service principals to user-assigned managed identities.
Implementing workload identity federation is straightforward: you follow the steps outlined in the Azure portal.
You can create a service connection in your Azure DevOps project that will use the new Workload Identity Federation by accessing the preview functionality.
To create a Workload Identity federation, you can choose between manual or automatic configuration, and you'll need to select the Azure Subscription and optionally a Resource Group.
Choosing a resource group is a good idea, as the service connection will be given Contributor access only to that Resource Group, and not the whole subscription.
Here are the steps to create a workload identity federation service connection:
- Create a new service connection in Azure DevOps.
- Select Azure Resource Manager.
- Select the identity type (App registration or Managed identity (manual)) and the credential type Workload identity federation.
- Enter a service connection name and select Next.
- Choose a cloud environment to connect to and select Keep as draft to save a draft credential.
Once you've created the service connection, you can find it in your Entra ID tenant and view the role assignments for the Resource Group.
You can also add a Microsoft Graph permission to the service principal, so that you can use it for queries in the pipeline later.
By using workload identity federation, you avoid managing secrets for service principals altogether, which improves security because there is no secret to expose or exfiltrate.
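The trust behind a federated credential is only as narrow as its issuer, subject and audience, so it is worth auditing that a credential trusts exactly one Azure DevOps service connection. The following is an added example, not code from the original page or from Microsoft: it derives the expected values for one service connection using the formats Microsoft documents for Azure DevOps workload identity federation (`https://vstoken.dev.azure.com/<organization id>`, `sc://<organization>/<project>/<service connection>`, `api://AzureADTokenExchange`) and compares a credential against them. The organization, project and connection names and the GUIDs are constructed.

```python
TOKEN_EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"


def expected_federated_credential(org_id: str, org_name: str, project: str, connection: str) -> dict:
    """Issuer/subject/audience that Azure DevOps presents for one service connection.
    org_id is the organization GUID; the other three are the display names."""
    return {
        "issuer": f"https://vstoken.dev.azure.com/{org_id}",
        "subject": f"sc://{org_name}/{project}/{connection}",
        "audiences": [TOKEN_EXCHANGE_AUDIENCE],
    }


def audit_federated_credential(cred: dict, expected: dict) -> list:
    """Return findings for a credential that does not match the expected service
    connection exactly; an empty list means the trust is scoped as intended."""
    findings = []
    if cred.get("issuer") != expected["issuer"]:
        findings.append(f"issuer {cred.get('issuer')!r} is not this organization's Azure DevOps issuer")
    if cred.get("subject") != expected["subject"]:
        findings.append(f"subject {cred.get('subject')!r} does not name the expected service connection")
    if set(cred.get("audiences", [])) != {TOKEN_EXCHANGE_AUDIENCE}:
        findings.append(f"audiences must be exactly [{TOKEN_EXCHANGE_AUDIENCE!r}]")
    return findings


# Constructed sample organization (GUID and names are made up).
EXPECTED = expected_federated_credential(
    "11111111-1111-1111-1111-111111111111", "contoso", "payments", "wif-prod-rg")

# Constructed credential records, shaped like the issuer/subject/audiences fields
# of a federated identity credential. GOOD matches; BAD trusts another organization's
# issuer and a connection in a different project.
GOOD = {
    "issuer": "https://vstoken.dev.azure.com/11111111-1111-1111-1111-111111111111",
    "subject": "sc://contoso/payments/wif-prod-rg",
    "audiences": ["api://AzureADTokenExchange"],
}
BAD = {
    "issuer": "https://vstoken.dev.azure.com/22222222-2222-2222-2222-222222222222",
    "subject": "sc://contoso/sandbox/wif-prod-rg",
    "audiences": ["api://AzureADTokenExchange"],
}
```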
Frequently Asked Questions
What is the difference between Azure DevOps service principal and managed identity?
Azure DevOps service principal is ideal for apps requiring specific access and control, while managed identity is best for automatic login handling. Choose between the two based on your app's identity management needs.