AZ-400: Designing and Implementing Microsoft DevOps Solutions

Design and Implement Authentication and Authorization Methods

Summary

This guide covers four essential pillars for securing and automating your DevOps workflows:

  1. Identity Management in Azure
  2. GitHub Authentication
  3. Azure DevOps Authentication
  4. Azure DevOps Project and Team Configuration

Master these areas to apply least privilege to every identity your pipelines use, keep CI/CD credentials short-lived and out of source control, and structure agile projects effectively.


1. Identity Management in Azure

Managing identities in Azure ensures that your applications and services authenticate securely and follow best practices.

Core Concepts

  • Service Principal: The identity of an Azure AD (Microsoft Entra ID) app registration, authenticating with a client secret, a certificate, or a federated credential. You own the credential lifecycle: creation, storage, rotation and revocation.
  • Managed Identity: An identity Azure creates for a resource (VMs, App Service, Functions, AKS and others), either system-assigned to a single resource or user-assigned and shareable across resources. Azure issues and rotates the credential, so there is no secret to store or leak.

Comparison of Identity Types

Identity Type     | Description                                                   | Use Case
------------------|---------------------------------------------------------------|---------------------------------------
Service Principal | App registration with a client ID and a secret or certificate | Automation scripts, external services
Managed Identity  | Credential created, stored and rotated by Azure               | Calls between resources inside Azure

Least Privilege Principle

Assign the narrowest built-in or custom Azure RBAC role at the narrowest scope that does the job (a resource group or a single resource, not the subscription), and rotate every credential you hold yourself on the schedule your security policy sets. Managed identities need no rotation because Azure handles it.

Security Best Practices

  • Review Azure AD sign-in and audit logs regularly and route them to Azure Monitor (Log Analytics), so that a service principal signing in from an unexpected location or application is visible.
  • Scope role assignments to a resource group or a single resource; an Owner or Contributor assignment at subscription scope lets one leaked credential reach everything in the subscription.
  • Rotate secrets or certificates at least every 90 days, prefer certificates or federated credentials over client secrets, and prefer managed identities wherever the workload runs inside Azure.
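The following script, added here as an example and not part of the course material, shows the two identity types side by side with the Azure CLI: a service principal scoped to one resource group with a secret that expires in 90 days, a system-assigned managed identity on a VM with the same scope, and a query that lists the subscription-wide role assignments the best practices above warn against. The subscription id, resource group rg-app, VM vm-web and service principal name ci-reader are placeholders; the az commands are real and need a logged-in session.

```shell
#!/usr/bin/env bash
# Added example (not from the course): least-privilege identities with the
# Azure CLI. Placeholder names: subscription id in $SUB, resource group
# "rg-app", VM "vm-web", service principal "ci-reader". Needs `az login`.
set -eu

# Resource-group scope string: assign roles here, not at the subscription.
rg_scope() {
  printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
}

# Date N days from today as YYYY-MM-DD (GNU date, with a BSD/macOS fallback).
days_from_now() {
  date -u -d "+$1 days" +%Y-%m-%d 2>/dev/null || date -u -v+"$1"d +%Y-%m-%d
}

# Service principal for automation that runs outside Azure (scripts, external
# services): built-in Reader role, scoped to a single resource group.
# The JSON az prints contains the one-time client secret; feed it straight
# into a secret store, never into a file or a commit.
create_scoped_sp() {
  local name="$1" sub="$2" rg="$3"
  az ad sp create-for-rbac \
    --name "$name" \
    --role Reader \
    --scopes "$(rg_scope "$sub" "$rg")"
}

# Rotation: add a new secret that expires in N days (default 90) while the
# old one stays valid (--append) until every consumer has switched over.
rotate_sp_secret() {
  local app_id="$1" days="${2:-90}"
  az ad app credential reset \
    --id "$app_id" \
    --append \
    --end-date "$(days_from_now "$days")" \
    --query password -o tsv
}

# Managed identity for a workload that runs inside Azure: Azure creates and
# rotates the credential, so there is nothing to store or rotate yourself.
enable_vm_managed_identity() {
  local sub="$1" rg="$2" vm="$3"
  az vm identity assign \
    --resource-group "$rg" --name "$vm" \
    --role Reader \
    --scope "$(rg_scope "$sub" "$rg")"
}

# Audit: every role assignment that sits at subscription scope, which is what
# "use RBAC scopes instead of subscription-wide roles" tells you to avoid.
list_subscription_wide_roles() {
  local sub="$1"
  az role assignment list --all \
    --query "[?scope=='/subscriptions/${sub}'].{principal:principalName,role:roleDefinitionName}" \
    -o table
}

# Usage: runs only when RUN_EXAMPLE is set, so the functions can be sourced.
if [ -n "${RUN_EXAMPLE:-}" ]; then
  create_scoped_sp ci-reader "$SUB" rg-app
  enable_vm_managed_identity "$SUB" rg-app vm-web
  list_subscription_wide_roles "$SUB"
fi
```

The secret printed by rotate_sp_secret goes to stdout on purpose: pipe it into a Key Vault secret or your CI secret store in the same command, and drop the old credential with az ad app credential delete once nothing uses it.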

2. GitHub Authentication

GitHub supports multiple auth methods for API access, Actions workflows, and integrations.

Authentication Mechanisms

  • GITHUB_TOKEN (GitHub Actions): An installation token GitHub issues for each job; it is valid only for that job (24 hours at most) and is revoked when the job ends.
  • GitHub App: Fine-grained, per-repository permissions for an organization or account; the app obtains short-lived installation tokens rather than holding a user's credentials.
  • Personal Access Token (PAT): User-scoped token. A fine-grained PAT limits repositories and permissions individually and must expire within a year; a classic PAT carries coarse scopes and acts with all of the user's access to each repository.

Auth Method            | Scope                                                         | Expiry                                        | Recommended Use
-----------------------|---------------------------------------------------------------|-----------------------------------------------|--------------------------------------------
GITHUB_TOKEN (Actions) | The repository running the workflow                           | End of the job (24 hours at most)             | CI/CD jobs within GitHub Actions
GitHub App             | Repositories the app is installed on, per organization/account | Installation tokens: 1 hour                   | External integrations, fine-grained control
Personal Access Token  | Classic: coarse scopes; fine-grained: per repository and permission | Fine-grained: up to 1 year; classic: set one | CLI, REST API, third-party tools

PAT Security

Never commit a PAT in source code. Store it in GitHub Secrets (repository, environment or organization level) or a secrets manager such as Azure Key Vault, and remember that a PAT acts with the permissions of the user who created it: a leaked PAT is that user.

  • Restrict GITHUB_TOKEN with the permissions: key at workflow or job level (for example contents: read) instead of relying on the repository default; a workflow that only needs to read code should not be able to push to it.
  • Use a GitHub App for automation that needs scoped, organization-wide access; its installation tokens are short-lived and limited to the repositories the app is installed on.
  • Revoke PATs that are no longer used, give every PAT an expiry date, and rotate the rest on a schedule.
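Two checks that put the PAT rules above into practice, written as an added example rather than course code: a pre-commit style scan of a working tree for anything shaped like a GitHub token, and a query that asks the API what a given PAT can do and when it expires. The token prefixes and lengths are GitHub's documented formats; the sample files and the ghp_ value in the usage block are constructed, not real tokens, and GH_PAT is an assumed environment variable name.

```shell
#!/usr/bin/env bash
# Added example (not from the course): GitHub token hygiene checks.
#  1. scan_for_tokens: grep a working tree for token-shaped strings before
#     they are committed (run from a pre-commit hook or a CI step).
#  2. inspect_pat: ask the API what a PAT can do and when it expires.
# Assumed: the PAT is supplied in $GH_PAT; sample files below are constructed.
set -eu

# Token shapes GitHub issues: ghp_ (classic PAT), gho_ (OAuth), ghu_/ghs_
# (GitHub App user / installation tokens; GITHUB_TOKEN in Actions is ghs_),
# ghr_ (refresh) and github_pat_ (fine-grained PAT: 22 chars, "_", 59 chars).
TOKEN_RE='gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{82}'

# Show enough of a token to identify it in a log, never the whole secret.
redact_token() {
  printf '%s****%s' "$(printf '%s' "$1" | cut -c1-8)" "$(printf '%s' "$1" | tail -c 4)"
}

# Exit 0 if the tree is clean, 1 if any token-shaped string is present.
# Each hit is reported as "LEAKED path:line:redacted-token".
scan_for_tokens() {
  local dir="$1" hits
  hits=$(grep -rnoIE --exclude-dir=.git "$TOKEN_RE" "$dir" || true)
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits" | while IFS= read -r hit; do
    path=${hit%%:*}
    rest=${hit#*:}
    lineno=${rest%%:*}
    token=${rest#*:}
    printf 'LEAKED %s:%s:%s\n' "$path" "$lineno" "$(redact_token "$token")"
  done
  return 1
}

# Classic PATs report their scopes in x-oauth-scopes; fine-grained PATs do
# not, but both report github-authentication-token-expiration when one is set.
# The PAT is read from the environment so it never lands in shell history.
inspect_pat() {
  : "${GH_PAT:?set GH_PAT in the environment}"
  curl -sS -I -H "Authorization: Bearer $GH_PAT" https://api.github.com/user \
    | grep -iE '^(x-oauth-scopes|github-authentication-token-expiration):'
}

# Usage: a throwaway tree with one constructed (not real) token in it.
if [ -n "${RUN_EXAMPLE:-}" ]; then
  tmp=$(mktemp -d)
  printf 'TOKEN = "ghp_0123456789abcdef0123456789abcdef0123"\n' > "$tmp/deploy.py"
  printf 'no secrets here\n' > "$tmp/README.md"
  scan_for_tokens "$tmp" || echo "commit blocked"
  rm -rf "$tmp"
fi
```

Wire scan_for_tokens into a pre-commit hook over the staged files and into a CI job over the full tree; GitHub's own secret scanning will also revoke a PAT it finds in a public repository, but by then the token has already been exposed.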

3. Azure DevOps Authentication

[Slide: "Implementing and Managing GitHub Authentication": understanding GITHUB_TOKEN, personal access tokens, comparison of authentication methods, security best practices]

Azure DevOps pipelines and services require secure authentication to interact with Azure and external systems.

Key Options

  • Service Connection: A stored credential that pipelines reference by name instead of holding it themselves. For Azure Resource Manager it wraps an Azure AD service principal that authenticates with a secret, a certificate, or workload identity federation (no stored secret at all).
  • Personal Access Token (PAT): User-scoped token for REST API calls and automation; it carries the permissions of the user who created it, narrowed by the scopes selected at creation.

Connection Type       | Auth Mechanism                                                                   | Expiry                                                                                          | Use Case
----------------------|----------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------|----------------------------------------
Service Connection    | Azure AD service principal (secret, certificate or workload identity federation) | Secret/certificate: as set on the app registration, typically 1 year; federated credential: none | Pipelines accessing Azure subscriptions
Personal Access Token | PAT sent as HTTP Basic auth with an empty user name                              | 30 days by default, 1 year maximum                                                              | Custom scripts, REST API automation

Audit and Monitoring

Enable auditing in the Azure DevOps organization settings and stream the audit log to Azure Monitor Logs or your SIEM, so that changes to service connections and the creation or revocation of PATs are recorded somewhere an attacker with Azure DevOps access cannot edit.

Security Best Practices

  • Scope a service connection's service principal to the resource groups it deploys to, and do not tick "Grant access permission to all pipelines": approve each pipeline that needs the connection individually.
  • Rotate service principal secrets and PATs on a regular schedule, or move Azure Resource Manager connections to workload identity federation so there is no secret to rotate.
  • Review access and activity logs monthly.
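An added example, not from the course, of using an Azure DevOps PAT from a script: the Basic-auth encoding the REST API expects, a GET helper that reads the PAT from the environment rather than the command line, an inventory of a project's service connections and their authentication scheme, and the stdin form of az devops login. The organization contoso, project payments, the AZURE_DEVOPS_PAT variable name and the curl and jq dependencies are assumptions; the api-version value is the one current when this was written.

```shell
#!/usr/bin/env bash
# Added example (not from the course): Azure DevOps PAT handling from a script
# without the PAT ever appearing on a command line.
# Assumed: organization "contoso", project "payments", PAT in $AZURE_DEVOPS_PAT.
set -eu

# Azure DevOps REST expects HTTP Basic auth with an EMPTY user name and the
# PAT as the password, i.e. base64(":" + PAT). Leaving out the leading colon
# is the usual cause of an unexpected 401 or a 203 redirect to the sign-in page.
ado_basic_auth() {
  printf 'Basic %s' "$(printf ':%s' "$1" | base64 | tr -d '\n')"
}

# GET a REST path under https://dev.azure.com/<org>/. The PAT comes from the
# environment so it does not show up in `ps` output or shell history.
ado_get() {
  local org="$1" path="$2"
  : "${AZURE_DEVOPS_PAT:?export AZURE_DEVOPS_PAT first; do not pass it as an argument}"
  curl -sS -f \
    -H "Authorization: $(ado_basic_auth "$AZURE_DEVOPS_PAT")" \
    "https://dev.azure.com/${org}/${path}"
}

# Inventory of a project's service connections: name, type and how each one
# authenticates (e.g. ServicePrincipal vs WorkloadIdentityFederation), which
# is the list to walk when rotating secrets or retiring them.
list_service_connections() {
  local org="$1" project="$2"
  ado_get "$org" "${project}/_apis/serviceendpoint/endpoints?api-version=7.1" \
    | jq -r '.value[] | [.name, .type, .authorization.scheme] | @tsv'
}

# The azure-devops CLI extension reads the PAT from stdin (or from the
# AZURE_DEVOPS_EXT_PAT variable); there is no command-line flag for it, and
# that is the point.
ado_cli_login() {
  local org="$1"
  : "${AZURE_DEVOPS_PAT:?export AZURE_DEVOPS_PAT first}"
  printf '%s' "$AZURE_DEVOPS_PAT" | az devops login --organization "https://dev.azure.com/${org}"
}

# Usage: runs only when RUN_EXAMPLE is set, so the functions can be sourced.
if [ -n "${RUN_EXAMPLE:-}" ]; then
  ado_get contoso "_apis/projects?api-version=7.1" | jq -r '.value[].name'
  list_service_connections contoso payments
fi
```

Because the PAT is only ever read from the environment, a `ps`, a shell history dump or a CI log that echoes the command line never contains it; the remaining exposure is the environment of the process itself, which is why the PAT should still be short-lived.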

4. Azure DevOps Project and Team Configuration

Organizing projects and teams in Azure DevOps lays the foundation for efficient agile planning and work tracking.

Setting Up Projects & Teams

  1. Create a Project
    • Define visibility: keep the project private unless it is meant to be public, since a public project lets anonymous users read its work items, repositories and pipeline results.
    • Select Agile, Scrum, or CMMI process template.
  2. Organize Teams
    • Assign team areas and iterations.
    • Configure team dashboards and backlogs.

Planning with Iterations

  • Define Sprints (timeboxed iterations).
  • Assign work items to iterations in backlog.
  • Review capacity and velocity regularly.

Work Item Management

Work Item TypeDescriptionBest Practice
EpicHigh-level feature setBreak into Features/User Stories
FeatureFunctional sliceLink child User Stories
User StorySmall deliverableInclude acceptance criteria and estimate
BugDefect reportTriage and prioritize in backlog

Visibility and Traceability

Link commits and pull requests to work items to maintain end-to-end traceability.
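The setup steps above as one script, added as an example and not course code, using the azure-devops CLI extension: a private Agile project, a team with its own area path, and a run of two-week sprints subscribed to that team. Organization contoso, project payments and team Checkout are placeholders; the script assumes the extension is installed and az devops login has already been run.

```shell
#!/usr/bin/env bash
# Added example (not from the course): project, team, area and sprint setup
# with the azure-devops CLI extension (`az extension add --name azure-devops`).
# Placeholder names: organization "contoso", project "payments", team "Checkout".
# Requires a prior `az devops login` (PAT on stdin) or AZURE_DEVOPS_EXT_PAT.
set -eu

ORG_URL="https://dev.azure.com/contoso"

# YYYY-MM-DD plus N days: GNU date first, BSD/macOS date as the fallback.
add_days() {
  date -u -d "$1 +$2 days" +%Y-%m-%d 2>/dev/null \
    || date -u -j -f %Y-%m-%d -v+"$2"d "$1" +%Y-%m-%d
}

# Sprint N (0-based) of a 14-day cadence starting on $1: prints "start finish".
sprint_window() {
  local first="$1" n="$2"
  printf '%s %s' "$(add_days "$first" $((n * 14)))" "$(add_days "$first" $((n * 14 + 13)))"
}

# Private visibility is the safe choice: a public project exposes work items,
# repositories and pipeline results to anonymous users.
create_project() {
  az devops project create --organization "$ORG_URL" \
    --name "$1" --process Agile --visibility private --source-control git
}

create_team() {
  az devops team create --organization "$ORG_URL" --project "$1" --name "$2"
}

# Create iteration nodes under \<project>\Iteration and subscribe the team to
# each one, so its backlog and sprint board are usable immediately.
create_sprints() {
  local project="$1" team="$2" first="$3" count="$4" i window start finish id
  i=0
  while [ "$i" -lt "$count" ]; do
    window=$(sprint_window "$first" "$i")
    start=${window% *}; finish=${window#* }
    id=$(az boards iteration project create --organization "$ORG_URL" --project "$project" \
      --name "Sprint $((i + 1))" --path "\\${project}\\Iteration" \
      --start-date "$start" --finish-date "$finish" --query identifier -o tsv)
    az boards iteration team add --organization "$ORG_URL" --project "$project" \
      --team "$team" --id "$id"
    i=$((i + 1))
  done
}

# Give the team its own area path so its work items stay separate from other
# teams' and its backlog shows only what it owns.
assign_team_area() {
  local project="$1" team="$2" area="$3"
  az boards area project create --organization "$ORG_URL" --project "$project" \
    --name "$area" --path "\\${project}\\Area"
  az boards area team add --organization "$ORG_URL" --project "$project" \
    --team "$team" --path "\\${project}\\Area\\${area}" --set-as-default
}

# Usage: runs only when RUN_EXAMPLE is set, so the functions can be sourced.
if [ -n "${RUN_EXAMPLE:-}" ]; then
  create_project payments
  create_team payments Checkout
  assign_team_area payments Checkout Checkout
  create_sprints payments Checkout 2025-01-06 3
fi
```

Keeping the setup in a script makes the process template, visibility and sprint cadence reviewable in a pull request like any other configuration, and re-runnable for the next project.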

Master these pillars—Azure identity, GitHub auth, Azure DevOps authentication, and project configuration—to build secure, automated, and well-managed DevOps workflows. Practice in real-world scenarios to solidify your skills. Good luck on your DevOps journey!
