AZ-400: Designing and Implementing Microsoft DevOps Solutions

Design and Implement Authentication and Authorization Methods

Introduction

In this lesson, we’ll explore how to design and implement robust authentication and authorization strategies across Azure DevOps and GitHub. By the end, you’ll understand identity management in Azure, how to authenticate in GitHub and Azure DevOps, and how to configure projects and teams in Azure DevOps for secure, efficient workflows.

Our lesson is organized into four sections:

  1. Identity Management in Azure
  2. Implementing and Managing GitHub Authentication
  3. Authentication in Azure DevOps
  4. Configuring Projects, Teams, and Work Item Management in Azure DevOps

1. Identity Management in Azure

Azure provides two primary identity solutions for non-user access: service principals and managed identities. Understanding their differences and best practices will help you secure your cloud resources effectively.

Key Concepts

  • Service Principal
    – An identity you create in Azure AD for use with apps, services, and automation tools.
  • Managed Identity
    – A first-party Azure AD identity automatically managed by Azure for Azure resources.

Comparison Table

Feature               | Service Principal                             | Managed Identity
----------------------|-----------------------------------------------|--------------------------------------------------
Creation              | Manual via Azure CLI/PowerShell/Portal        | Automated when you enable it on an Azure resource
Credential Management | You supply and rotate secrets or certificates | Azure handles credential rotation
Scope                 | Broad – can access multiple subscriptions     | Tied to a single resource or resource group
Use Cases             | CI/CD pipelines, cross-tenant automation      | Secure access from VMs, Functions, App Services

Note

Use managed identities wherever possible to eliminate secret management. Reserve service principals for scenarios requiring cross-tenant or custom-role access.

Security Best Practices

  • Assign least-privilege roles.
  • Rotate credentials regularly (for service principals).
  • Audit sign-in logs in Azure Active Directory (Azure AD Sign-ins).

2. Implementing and Managing GitHub Authentication

[Slide: Implementing and Managing GitHub Authentication]

In this section, we’ll review GitHub’s authentication mechanisms and how to manage them in your workflows.

Authentication Options

  • GitHub Apps: Fine-grained permissions and installation-based auth.
  • GITHUB_TOKEN: Auto-generated token scoped to Actions.
  • Personal Access Tokens (PATs): User-generated, customizable scopes.

[Slide: Areas to be Covered: GitHub authentication, GitHub Apps, authenticating with a GitHub App, managing GitHub App permissions]

GitHub Apps Flow

  1. Register your GitHub App under Settings > Developer settings.
  2. Generate a private key and install the app on repositories or organizations.
  3. Exchange installation ID for an installation access token.
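Steps 1 to 3 above carried through in code, as an added example that is not part of the lesson: it builds the App JWT GitHub expects (RS256, iss set to the App ID, exp at most ten minutes after iat) and the request that exchanges an installation ID for an installation access token. The RS256 signer assumes the cryptography package and the private key downloaded in step 2; fetch_installation_token is the only part that needs network access.

```python
import base64
import json
import urllib.request
from typing import Callable, Iterable, Mapping, Optional

GITHUB_API = "https://api.github.com"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def build_app_jwt_claims(app_id: str, now: int) -> dict:
    # GitHub's rules: iss is the App ID and exp is at most 10 minutes after iat.
    # Back-dating iat by 60 s absorbs clock skew between your host and GitHub.
    return {"iat": now - 60, "exp": now + 9 * 60, "iss": app_id}

def encode_jwt(claims: dict, sign_rs256: Callable[[bytes], bytes]) -> str:
    # Compact JWS form: b64url(header).b64url(claims).b64url(signature)
    compact = lambda d: json.dumps(d, separators=(",", ":")).encode()
    signing_input = f"{_b64url(compact({'alg': 'RS256', 'typ': 'JWT'}))}.{_b64url(compact(claims))}"
    return f"{signing_input}.{_b64url(sign_rs256(signing_input.encode()))}"

def rs256_signer_from_pem(pem: bytes) -> Callable[[bytes], bytes]:
    # Assumption: the 'cryptography' package is installed; pem is the App private key from step 2.
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(pem, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())

def installation_token_request(installation_id: int, app_jwt: str,
                               repositories: Optional[Iterable[str]] = None,
                               permissions: Optional[Mapping[str, str]] = None) -> dict:
    # Step 3: POST /app/installations/{id}/access_tokens with the App JWT; naming repositories/permissions narrows the token.
    body: dict = {}
    if repositories:
        body["repositories"] = list(repositories)
    if permissions:
        body["permissions"] = dict(permissions)
    headers = {"Authorization": f"Bearer {app_jwt}", "Accept": "application/vnd.github+json",
               "Content-Type": "application/json"}
    return {"url": f"{GITHUB_API}/app/installations/{installation_id}/access_tokens",
            "headers": headers, "body": body}

def fetch_installation_token(installation_id: int, app_jwt: str, **narrowing) -> str:
    # Live call: the returned token expires after one hour, so mint a fresh one per job.
    req = installation_token_request(installation_id, app_jwt, **narrowing)
    http = urllib.request.Request(req["url"], data=json.dumps(req["body"]).encode(),
                                  headers=req["headers"], method="POST")
    with urllib.request.urlopen(http) as resp:
        return json.load(resp)["token"]
```

Request only the permissions a job needs in the body; the installation token can be narrower than the installation's grant but never wider.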

Authentication Methods Comparison

Method       | Scope                            | Rotation       | Use Case
-------------|----------------------------------|----------------|--------------------------------
GITHUB_TOKEN | Repo-scoped, auto-generated      | Automatic      | CI jobs in GitHub Actions
PAT          | User-scoped, configurable scopes | Manual         | Local scripts, external CI/CD
GitHub App   | Granular, installation-level     | Rotate via API | Third-party integrations, bots

Warning

Personal Access Tokens expire by default. Always set reminders to renew or automate rotation via the GitHub REST API.

Security Best Practices

  • Grant only necessary scopes to tokens.
  • Use short-lived tokens for automation.
  • Monitor token usage via the GitHub Audit Log.

3. Authentication in Azure DevOps

[Slide: Implementing and Managing Azure DevOps Service Connections and Personal Access Tokens]

Azure DevOps supports two main non-user authentication patterns:

  • Service Connections — managed endpoints for Azure, AWS, Docker, and more.
  • Personal Access Tokens (PATs) — scoped tokens tied to a user identity.

When to Use Each

Option             | Scope                                    | Management                      | Best For
-------------------|------------------------------------------|---------------------------------|--------------------------------------
Service Connection | Project-level, integrates with pipelines | Centralized in project settings | Linking pipelines to cloud services
Azure DevOps PAT   | User-level, configurable scopes          | User rotates manually           | Local Git operations, REST API calls

Note

Rotate Azure DevOps PATs at least every 90 days and restrict scope to only what’s necessary.
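A check for the rotation and scope rule in the note above, as an added example that is not part of the lesson: it audits PAT records in the shape returned by the Azure DevOps PAT lifecycle API (the field names validFrom, validTo, scope and displayName are an assumption) against the 90-day lifetime, flags expired or soon-expiring tokens, and flags full-access or off-allow-list scopes. The allow-list and the 7-day warning window are assumptions; the sample records are constructed.

```python
from datetime import datetime, timedelta

MAX_LIFETIME = timedelta(days=90)   # rotation interval stated in the note
RENEW_WINDOW = timedelta(days=7)    # assumed: warn this long before expiry
# Assumed allow-list for the use cases in the table (local Git operations, REST calls);
# 'app_token' is the full-access scope and is never acceptable for automation.
ALLOWED_SCOPES = {"vso.code", "vso.code_write", "vso.build"}

def parse_ts(ts: str) -> datetime:
    # Azure DevOps returns ISO 8601 UTC timestamps such as 2025-01-01T00:00:00Z
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def audit_pat(pat: dict, now: datetime) -> list:
    # pat carries the PAT lifecycle API field names (validFrom, validTo, scope, displayName);
    # those names are an assumption here, adjust them if your export differs.
    findings = []
    valid_from, valid_to = parse_ts(pat["validFrom"]), parse_ts(pat["validTo"])
    lifetime = valid_to - valid_from
    if lifetime > MAX_LIFETIME:
        findings.append(f"lifetime {lifetime.days}d exceeds 90d")
    if valid_to <= now:
        findings.append("expired, should be revoked")
    elif valid_to - now <= RENEW_WINDOW:
        findings.append("expires within 7 days, plan rotation")
    scopes = set(pat["scope"].split())   # scope is a space-separated list
    if "app_token" in scopes:
        findings.append("full-access scope 'app_token'")
    else:
        extra = sorted(scopes - ALLOWED_SCOPES)
        if extra:
            findings.append("scopes outside allow-list: " + ", ".join(extra))
    return findings

def audit_all(pats, now: datetime) -> dict:
    return {p["displayName"]: audit_pat(p, now) for p in pats}

# Constructed sample records, not real tokens.
SAMPLE_PATS = [
    {"displayName": "ci-build", "validFrom": "2025-03-15T00:00:00Z",
     "validTo": "2025-06-13T00:00:00Z", "scope": "vso.build"},
    {"displayName": "laptop-git", "validFrom": "2024-12-01T00:00:00Z",
     "validTo": "2025-12-01T00:00:00Z", "scope": "app_token"},
    {"displayName": "old-script", "validFrom": "2025-01-01T00:00:00Z",
     "validTo": "2025-03-01T00:00:00Z", "scope": "vso.code vso.work_write"},
]

if __name__ == "__main__":
    for name, issues in audit_all(SAMPLE_PATS, parse_ts("2025-06-01T00:00:00Z")).items():
        print(name, "OK" if not issues else "; ".join(issues))
```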

Security Controls


4. Configuring Projects, Teams, and Work Item Management in Azure DevOps

[Slide: Configuring Projects and Teams in Azure DevOps]

Effective project and team setup streamlines collaboration and traceability.

Project & Team Setup

  1. Create an Azure DevOps Project with the appropriate visibility (public/private).
  2. Define Teams and assign areas & iterations.
  3. Configure Security Groups and Permissions for repos, pipelines, and work items.

Work Item Management

  • Work Item Types: Epic, Feature, User Story, Bug, Task.
  • Backlogs & Boards: Customize columns and swimlanes.
  • Sprints & Iterations: Set sprint length, capacity, and goals.

Work Item Type | Purpose                         | Example
---------------|---------------------------------|------------------------------------------------
Epic           | Large initiative                | “Migrate Monolith to Microservices”
Feature        | A distinct product capability   | “Add OAuth2 support”
User Story     | Customer-centric requirement    | “As a user, I want to reset password via email.”
Bug            | Defect tracking                 | “Fix login redirect issue”
Task           | Development or testing activity | “Write unit tests for AuthService”

Note

Align sprints and iterations with your team’s delivery cadence. Use capacity planning to avoid overcommitment.


Let’s get started with Identity Management in Azure!
