Service connections
Most common lateral movement path in Azure DevOps -- over-scoped connections let pipelines access production resources
Fork PRs
Can trigger pipelines with access to variable group secrets unless fork build protection is explicitly configured
PAT scope
Full-scope PATs are equivalent to interactive user tokens -- limit to minimum required scopes and set short expiry
Key Vault links
Variable groups linked to Key Vault store no secret values in Azure DevOps -- only the mapping is persisted

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Azure DevOps sits at the intersection of source code, build infrastructure, and cloud deployments. A single misconfigured service connection or exposed PAT can give an attacker the ability to deploy to production, read all secrets, or exfiltrate every repository. Security hardening in Azure DevOps requires controls at five layers: organization authentication policy, pipeline service connection permissions, branch protection, secret management, and audit logging. This guide covers the specific settings in each layer with the configurations that matter most in 2026 environments running YAML pipelines connected to Azure cloud resources.

Organization-Level Authentication and Access Controls

The foundation of Azure DevOps security is enforcing Entra ID as the sole identity provider and disabling local authentication methods. These settings live under Organization Settings > Security > Policies and should be applied before any other control.

Disable alternate credentials

Alternate credentials are a legacy HTTP basic authentication mechanism. They are disabled by default in new organizations but should be explicitly confirmed off. Under Organization Settings > Security > Policies, verify 'Allow Basic authentication' is disabled.

Enforce Entra ID conditional access

Enable 'Enforce Azure Active Directory conditional access policies' in Organization Settings. This forces Azure DevOps to evaluate your Entra ID CA policies for interactive sign-ins, enabling MFA requirements, compliant device checks, and IP restrictions to apply to DevOps access.

IP allowlisting via Security Policy

Azure DevOps supports IP-based restrictions under Organization Settings > Security > Security policies > IP access restriction. Define CIDRs representing your office and VPN egress ranges. Access from outside these ranges will be blocked at the organization level.

Restrict organization visibility

Set Organization Overview visibility to 'Private' if not already. Private organizations require authentication to even list projects. Public visibility allows unauthenticated enumeration of projects and potentially pipelines.

Disable third-party OAuth app access

Under Organization Settings > Security > Policies, disable 'Allow third-party OAuth apps to access via OAuth'. This prevents external applications from using the Azure DevOps OAuth flow to obtain tokens on behalf of users, reducing the OAuth token theft surface.

Pipeline Service Connection Security

Service connections define how pipelines authenticate to external services including Azure subscriptions, Kubernetes clusters, Docker registries, and generic REST endpoints. Over-permissioned service connections are the most exploitable pipeline misconfiguration because they allow a pipeline job to perform actions far beyond what the build legitimately needs.

Scope service connections to minimum resource scope

Azure Resource Manager service connections should be scoped to a specific resource group or resource, not a full subscription. Under Project Settings > Service Connections, edit each ARM connection and set the 'Scope level' to Resource Group with only the resource group the pipeline deploys to.

Disable 'allow all pipelines' and use explicit grants

Each service connection has a 'Grant access permission to all pipelines' setting that should be disabled. Instead, grant each service connection only to the specific pipelines that need it. This prevents a new pipeline from inheriting access to high-value connections without explicit approval.

Prefer managed identity or workload identity federation

Modern Azure service connections support workload identity federation (OIDC) instead of client secrets. This eliminates the credential that could be leaked -- the pipeline authenticates via a short-lived OIDC token signed by Azure DevOps, not a stored secret. Migrate existing secret-based connections to federated identity.

Require approval for service connection use

Enable 'Approvals and Checks' on sensitive service connections such as production deployment connections. This adds a human approval gate before a pipeline can use the connection, even if the pipeline is technically authorized.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Branch Policies for Protected Branches

Branch policies in Azure Repos enforce code review, build validation, and merge strategy requirements before code can reach protected branches. They are the primary control for preventing unauthorized code from entering production pipelines.

Require minimum reviewer count

Set a minimum of two reviewers for the main branch in production repositories. Enable 'Prohibit most recent pusher from approving their own changes' to prevent self-approval. For security-critical repositories, require a specific individual or group (Security team) as an additional reviewer via the 'Required reviewers' policy.

Require build validation before merge

Add a Build Validation policy that runs the CI pipeline against the PR source branch before merge is allowed. This prevents code that breaks the build or fails security checks from merging. Set the policy as 'Required' and configure it to expire after the branch is updated so stale validations cannot be used.

Block direct pushes to main

Under Branch Policies > Protect this branch, configure the policy so that only pull requests can modify the branch. The bypass list should be empty or limited to break-glass accounts. Any direct push to main that bypasses PR review also bypasses branch policy checks including build validation.

Enforce squash merge or merge commit strategy

Enforcing a consistent merge strategy (squash merge is common) ensures the main branch history remains linear and attributable. Squash merge also prevents history poisoning attacks where a commit contains content not visible in the PR diff.

Secret Management: Key Vault-Linked Variable Groups

Pipeline secrets should never be stored as inline pipeline variables or unencrypted in YAML files. Azure DevOps supports Key Vault-linked variable groups as the correct pattern for secret injection into pipelines.

Create Key Vault-linked variable groups

Under Pipelines > Library > Variable Groups, create a new variable group and toggle 'Link secrets from an Azure Key Vault as variables'. Select the Key Vault and map the secret names. The pipeline will retrieve the current secret value at runtime without ever storing it in Azure DevOps.

Avoid inline secret variables in YAML

Never define sensitive values directly in pipeline YAML, even as encrypted variables. Encrypted YAML variables are stored in Azure DevOps and readable by organization admins. Key Vault-linked groups keep the authoritative value exclusively in Key Vault with its own access policy.

Restrict variable group access to specific pipelines

Each variable group has a 'Pipeline permissions' setting. Disable 'Open access' and grant access only to the pipelines that need those secrets. This limits blast radius if a pipeline definition is modified to exfiltrate variable values.

Enable secret scanning in Azure Repos

Azure DevOps integrates with GitHub Advanced Security (GHAS) for secret scanning when enabled. Under Project Settings > Repos > GitHub Advanced Security, enable push protection and secret scanning to block commits containing known secret patterns before they reach the repository.

PAT Security and Lifecycle Management

Personal Access Tokens are long-lived credentials that authenticate as the issuing user. They are widely used in automation but frequently over-scoped and never rotated. PAT governance is a required control for any mature Azure DevOps security posture.

Enforce maximum PAT lifetime via policy

Under Organization Settings > Security > Policies, set 'Maximum token lifetime' to 30 days or less. This forces periodic rotation of all PATs in the organization and limits the exposure window of any leaked token.

Scope PATs to minimum required permissions

When creating PATs for automation, select only the specific scope required: Code (Read) for source fetching, Packaging (Read and Write) for artifact publishing. Never use full-scope PATs for non-human identities. Document the purpose of each PAT in its name to facilitate auditing.

Audit active PATs via REST API

Use the Azure DevOps Tokens API (GET _apis/tokenadmin/personalaccesstokens) with organization admin credentials to enumerate all active PATs across the organization, including creation date, expiry, and scope. Alert on PATs that are full-scope or have not been rotated within the policy window.

Audit Logging and SIEM Integration

Azure DevOps emits organization-level audit events for security-relevant actions including permission changes, policy modifications, and pipeline edits. Streaming these events to a SIEM enables detection of privilege escalation and configuration tampering within the DevOps platform itself.

Configure audit streaming to Log Analytics

Under Organization Settings > Security > Auditing > Streams, configure a stream to an Azure Monitor Log Analytics workspace. Select 'All events' for comprehensive coverage. Events appear in the AzureDevOpsAuditing table with ActionId, ActorDisplayName, ProjectName, Timestamp, and Data fields.

Alert on high-value audit events

Key event categories to alert on: permissions granted (ActionId contains 'Security.ModifyPermission' or 'Group.UpdateGroupMembership'), policy changes ('Policy.PolicyConfigCreated' or 'PolicyConfigUpdated'), and pipeline/build definition changes ('Build.UpdateBuildDefinition'). An unexpected pipeline definition change could introduce a step that exfiltrates secrets.

Monitor service connection changes

Service connection modifications (ActionId 'ServiceEndpoint.Modify' or 'ServiceEndpoint.Create') should be treated as high-value changes. An attacker with Project Administrator rights can create a new service connection to an attacker-controlled Azure subscription and exfiltrate artifacts or tokens through it.

The bottom line

The highest-impact Azure DevOps security controls are: scope all service connections to minimum resource group permissions and disable open pipeline access on sensitive connections; enforce Entra ID conditional access and disable alternate credentials at the organization level; require PR review and build validation before any merge to main; link all pipeline secrets to Key Vault variable groups rather than storing them in Azure DevOps; and stream audit events to a SIEM and alert on pipeline definition changes and permission modifications. PAT lifetime caps close the long-lived credential risk that most organizations ignore until a token surfaces in a breach investigation.

Frequently asked questions

What is the highest-risk misconfiguration in Azure DevOps pipelines?

Service connections with over-broad permissions are the single highest-risk misconfiguration. A service connection configured with Subscription Contributor or Owner at the Azure subscription scope means any pipeline job that can reference that connection can deploy arbitrary resources, exfiltrate secrets from Key Vault, or pivot to other services. Apply least-privilege service connections scoped to the specific resource group or resource the pipeline needs.

How do fork builds create a secret exfiltration risk?

When a public project allows fork contributors to trigger pipelines, a fork PR can execute pipeline jobs that have access to secrets in variable groups or service connections. The protection is to disable automatic fork builds under Project Settings > Pipelines > Settings and require explicit review before running pipelines from fork contributions. For private projects this is less urgent but still best practice.

What scope should a PAT (Personal Access Token) have for read-only CI operations?

For most read-only CI operations like fetching source code, Code (Read) is sufficient. For publishing to Azure Artifacts, Packaging (Read and Write) scoped to the specific feed is appropriate. Never issue full-scope PATs for automation. Set short expiration windows (30 days or less) for human-issued PATs and rotate them on the same cadence as other credentials.

How does Azure Key Vault integration with variable groups work?

A Key Vault-linked variable group connects to a specific Key Vault and maps secret names from that vault to pipeline variable names. At runtime, the pipeline fetches the current secret value directly from Key Vault using the pipeline's managed identity or service principal. The secret value is never stored in Azure DevOps -- only the mapping is. This means secret rotation in Key Vault is automatically picked up without updating pipeline configuration.

What Entra ID Conditional Access policies apply to Azure DevOps?

Azure DevOps respects Entra ID Conditional Access when the organization is linked to an Entra tenant and 'Require Azure Active Directory authentication' is enforced in Organization Settings > Security > Policies. You can then target the 'Azure DevOps' service principal in a Conditional Access policy requiring compliant device, MFA, or IP-based access. Conditional Access does not apply to PAT-based access by default unless 'Enforce Azure AD conditional access' is enabled for token-based access.

What are the most important branch policy settings for the main branch?

Require a minimum reviewer count (at least one reviewer, ideally two for security-critical repositories), require linked work items, require all comments to be resolved before merge, require builds to pass (status checks from the CI pipeline), and restrict direct pushes to bypass list only. Squash merge enforcement reduces noisy history but is a team convention choice. The most important security control is preventing direct pushes to main, which would bypass all review and CI checks.

How should Azure DevOps audit logs be forwarded to a SIEM?

Azure DevOps organization-level audit events can be streamed to an Azure Event Hub, Azure Monitor Log Analytics workspace, or directly to Splunk and other supported SIEM platforms via the Auditing stream configuration in Organization Settings > Security > Auditing > Streams. Once in Log Analytics, use the AzureDevOpsAuditing table. Key events to alert on include ProjectCreated, PolicyEnforcementEnabled changes, PermissionsModified, and BuildDefinitionModified (pipeline changes).

Sources & references

  1. Microsoft: Azure DevOps Security Best Practices
  2. Microsoft: Use Azure Key Vault secrets in pipeline
  3. Microsoft: Protect access to repositories in YAML pipelines
  4. Microsoft: Azure DevOps Auditing

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.