Beta

AZ-400: Designing and Implementing Microsoft DevOps Solutions

Design and Implement Authentication and Authorization Methods

Implement and manage Azure DevOps service connections and personal access tokens

Azure DevOps provides robust authentication mechanisms to secure pipelines, REST APIs, and integrations. In this guide, we'll explore two critical methods—Service Connections and Personal Access Tokens (PATs)—to help you maintain secure, automated workflows.

Table of Contents

Service Connections

Service Connections in Azure DevOps let pipelines and services authenticate with external resources—such as Azure Subscriptions, Docker registries, GitHub, and more—without embedding secrets directly in your YAML definitions.

The image is a diagram illustrating Azure DevOps Service Connections, showing how service connections manage and authenticate internal and external services like Azure Subscription, Docker Registries, and GitHub.

Benefits

  • Centralized credential management for all pipelines
  • Simplified service authentication in YAML and classic pipelines
  • Improved security posture with scoped access

Creating a Service Connection

  1. Navigate to Project Settings in your Azure DevOps project.
  2. Under Pipelines, select Service connections.
  3. Click New service connection and pick the desired type (e.g., Azure Resource Manager, Docker Registry).
  4. Complete the authentication prompts and grant the necessary permissions.
  5. Save the service connection and reference its name in your pipeline YAML.

Exam Tip

The AZ-400 certification exam often tests your ability to walk through these steps. Practice creating and referencing service connections in sample pipelines.

The image provides a step-by-step guide for creating an Azure Service Connection in Azure DevOps, alongside a list of service connection types to choose from.

Managing Service Connections

  • Edit or Update: Go to Service connections, select the connection, update settings, and save.
  • Delete: Select the connection and click Delete (project administrator permissions required).

Personal Access Tokens (PATs)

Personal Access Tokens (PATs) are OAuth-like tokens used to access Azure DevOps REST APIs. They are perfect for automation scripts, third-party integrations, and CLI operations.

The image outlines use cases for Personal Access Tokens (PATs), including scripting, integrating third-party applications, and automating tasks.

Generating a PAT

  1. Open your Azure DevOps profile and choose Personal Access Tokens.
  2. Click New Token, enter a descriptive name, set an expiration date, and select only the scopes you need (e.g., Code (read/write), Work items (read/write)).
  3. Click Create, then copy and store the token securely.

Warning

Treat PATs like passwords. Store them in a secure vault and never check them into source control.

The image shows a form for creating a new personal access token, with fields for name, organization, expiration date, and scope options. It is labeled as "Step 04" in a process for generating a personal access token.

Using PATs with cURL

Use your PAT in the Authorization header to interact with the Azure DevOps REST API:

curl -u :<PAT> \
  -H "Content-Type: application/json-patch+json" \
  -X POST \
  -d '[{"op":"add","path":"/fields/System.Title","value":"New Task"}]' \
  https://dev.azure.com/{organization}/{project}/_apis/wit/workitems/$Task?api-version=6.0

Using PATs with Python

Below is a Python script that creates a work item via the REST API using requests and HTTPBasicAuth:

import requests
from requests.auth import HTTPBasicAuth

organization = "yourorganization"
project = "yourproject"
pat = "yourPAT"

url = (
    f"https://dev.azure.com/{organization}/{project}"
    "/_apis/wit/workitems/$Task?api-version=6.0"
)
headers = {"Content-Type": "application/json-patch+json"}
data = [
    {"op": "add", "path": "/fields/System.Title", "value": "New Task"}
]

response = requests.post(
    url,
    json=data,
    headers=headers,
    auth=HTTPBasicAuth("", pat)
)
print(response.json())

Service Connections vs. Personal Access Tokens

The image is a comparison chart between Service Connections and PATs, highlighting key differences and when to use each. Service Connections focus on centralized credential management and security, while PATs offer flexible access for personal use and require careful management.

FeatureService ConnectionsPersonal Access Tokens (PATs)
ManagementCentralized in Project SettingsDecentralized per user profile
Use CasePipelines, deployments, managed identitiesCLI scripts, REST API calls, third-party integrations
Security ScopeScoped at resource level, supports managed identitiesScopes defined per token, manual rotation required
Recommended forAutomated deployments and pipeline orchestrationPersonal automation and ad-hoc API interactions

Security Best Practices

The image outlines three security best practices for authentication: minimizing permissions, regularly rotating tokens and credentials, and monitoring and auditing access.

  1. Grant least privilege on both service connections and PATs.
  2. Rotate tokens and credentials regularly to reduce exposure.
  3. Monitor and audit logs for unauthorized access attempts.
  4. Enforce Multi-Factor Authentication (MFA) and conditional access policies.

References

Watch Video

Watch video content

Previous
Implement and manage GitHub Authentication
Next
Design and implement permissions and roles in GitHub