10 Azure DevOps Security Best Practices

Piyush Sachdeva
2 min read · Apr 3, 2024

This blog post will discuss ten essential security best practices in Azure DevOps. Following these practices will help you protect your data, infrastructure, and applications from malicious attacks.

If you're a visual learner, watch the video for a detailed explanation or continue reading the blog.

1. Access Control with Microsoft Entra, formerly known as Azure Active Directory

  • Connect the organization to your Microsoft Entra directory and invite external users into that directory, so that they are governed by its Entra settings.
  • Integrate Azure DevOps with Microsoft Entra ID to have a single identity plane. It reduces risk, and you do not have to manage users in multiple places.
  • Users, groups, and roles are synced between Azure and Azure DevOps.

2. Organization-level permissions

  • Go to Organization settings → Security → Policies and disallow the creation of public projects.
  • Disable access for external users.
  • Add an additional organization administrator to the Project Collection Administrators group.

3. Agent pools

  • Go to Settings → Agent Pools → Default and enable automatic agent updates (or update the agents manually).
  • Enable a maintenance schedule so that agent upgrades run at a set time, such as off-peak hours.
  • Use self-hosted agents if you want full control over your build servers.
  • Use a separate agent pool to build artifacts that are shipped or deployed to production.

4. Pipeline settings

  • Go to Project Settings → Pipeline Settings and disable the creation of classic build pipelines. YAML is the preferred way because it provides traceability for changes and can be maintained in a Git repository.

5. Project-level permissions

  • Add groups and teams instead of individual users.
  • Go to Pipeline settings → Retention policy to optimize cost and storage.

6. Pipeline security

  • Ensure users and groups have least-privileged access to the pipeline.
  • Add checks and default approvers to the pipeline.

7. Repo Settings

  • Go to Repo settings → Branch policy.
  • Ensure that the original pull requester can’t approve their own change.
  • Add automatic reviewers.
  • Set the “Require a minimum number of reviewers” policy to ON, so that every pull request gets reviewed by at least two approvers.
  • Enable advanced security automatically (see the video).
  • Enable the branch policy.

8. Authentication and Authorization

  • Use service principals and managed identities wherever possible.
  • Create separate service principals for separate teams: developers, ops, and so on.
  • Scope service connections only to the resource group (RG) they need access to. They should not have permissions for the entire subscription.
  • Use workload identity service connections, as they are more secure than other methods.
  • Don’t use Azure Classic service connections, as there’s no way to scope their permissions.

9. Personal Access Tokens

  • There are many things to keep in mind when using PATs: they should have restrictive permissions, be renewed after a few days, be revoked when compromised, and so on.

10. Secrets and credentials access

  • Secrets should never be hardcoded within the pipeline or the Git repo.
  • Pass them as runtime variables during pipeline execution and use a tokenization step within the pipeline.
  • Or, use Azure Key Vault to store and access the secrets.
  • You can also use a third-party secret management service like HashiCorp Vault.
  • Don't store secrets in plain pipeline variables. Use Key Vault, pipeline tokenization, or a third party such as HashiCorp Vault.
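As an added example (not from the original post), two azure-pipelines.yml fragments contrast a hardcoded credential with the Key Vault approach described above; the service connection name, vault name, secret name and deploy script are assumed placeholders.

```yaml
# --- Weak pattern: credential hardcoded as a plain pipeline variable ---
# Anyone with read access to the repo (and to the pipeline's run history)
# can see this value, and it cannot be rotated without a commit.
variables:
  dbPassword: 'PLACEHOLDER-not-a-real-secret'   # constructed placeholder

steps:
- script: ./deploy.sh --password "$(dbPassword)"   # assumed deploy script

---
# --- Hardened pattern: fetch the secret from Azure Key Vault at runtime ---
trigger:
- main

pool:
  vmImage: ubuntu-latest

steps:
# AzureKeyVault@2 reads the named secret(s) and exposes each one as a
# secret pipeline variable of the same name; nothing is stored in the repo.
- task: AzureKeyVault@2
  inputs:
    # Assumed name of a workload-identity service connection scoped only
    # to the resource group that contains the vault (see section 8).
    azureSubscription: 'sc-prod-workload-identity'
    KeyVaultName: 'kv-example-prod'        # assumed Key Vault name
    SecretsFilter: 'dbPassword'            # fetch only what this job needs, not '*'
    RunAsPreJob: false

# Secret variables are not exported to scripts automatically; map the one
# that is needed into the environment instead of expanding it on the command
# line, so it does not appear in the logged command.
- script: ./deploy.sh                      # assumed deploy script reads DB_PASSWORD
  env:
    DB_PASSWORD: $(dbPassword)
```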
