Security December 2025 12 min read

Azure DevOps Security: Complete Hardening Guide

Comprehensive Azure DevOps security guide. Learn to secure pipelines, service connections, permissions, and protect against supply chain attacks.

Drop Table Team

Azure DevOps is the backbone of software delivery for thousands of organisations, and the same access that lets it build and ship your software makes it a high-value target when it is configured loosely. This guide covers the security controls you should have in place to protect an Azure DevOps environment.

Why Azure DevOps Security Matters

Your Azure DevOps environment contains some of your organisation's most sensitive assets. Your source code represents your intellectual property. Build pipelines have direct access to production deployments. Service connections hold credentials for Azure, AWS, and other platforms. Secret variables contain API keys, connection strings, and certificates. A compromised Azure DevOps environment can lead to supply chain attacks, data breaches, and complete infrastructure compromise. The SolarWinds compromise, in which attackers tampered with the vendor's build process to ship a backdoored update, showed how far a CI/CD breach can reach.

Organisation-Level Security

Authentication and Access

Start by requiring Azure AD (now Microsoft Entra ID) authentication for the organisation and restricting the alternatives: limit who can create personal access tokens (PATs), and turn off third-party OAuth access and SSH authentication unless a workflow actually needs them (Organization Settings → Policies). Enforce multi-factor authentication with an Azure AD Conditional Access policy, and enable Conditional Access policy validation in Azure DevOps so that IP-based restrictions to known ranges are applied to sessions, not only at sign-in. Review and limit external user access, and audit guest accounts regularly.

🔒 Security Tip

Azure DevOps has no approval workflow for PATs, but the tenant-level policies under Organization Settings → Azure AD (Microsoft Entra) do the equivalent job: enforce a maximum PAT lifespan (90 days or less is a sensible ceiling), restrict creation of full-scoped and global (all-organisation) PATs to an allow-list of users or groups, and automatically revoke PATs that are detected as leaked.

Audit and Monitoring

Enable audit streaming to Azure Monitor Logs, Splunk or your SIEM, and review the audit log regularly rather than only after an incident. Alert on the changes that matter most: permission and group membership modifications, pipeline definition changes, service connection changes, and PAT creation, especially when they originate from IP addresses outside your known ranges. Track who has access to what, and when they actually use it.
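The triage logic described above, as an added example that is not code from the original article. The records use the field names of Azure DevOps audit streaming and audit log export (ActionId, ActorUPN, IpAddress, ProjectName), but the sample batch is constructed for this illustration, and the ActionId-to-rule table and the trusted IP ranges are assumptions to confirm against the ActionIds and egress addresses that appear in your own log.

```python
"""Triage Azure DevOps audit events for the changes that deserve an alert.

Added example; not code from the original article. The events use the field
names of Azure DevOps audit streaming / audit log export, but the sample batch
is constructed, and the ActionId-to-rule table is an assumption to confirm
against the ActionIds seen in your own log.
"""
from __future__ import annotations

import json
from collections import Counter
from dataclasses import dataclass

# Assumed mapping of ActionIds to human-readable reasons; extend from your log.
HIGH_RISK_ACTIONS = {
    "Security.ModifyPermission": "permission changed",
    "Security.RemovePermission": "permission removed",
    "Security.ModifyAccessControlLists": "ACL rewritten",
    "Pipelines.PipelineModified": "pipeline definition edited",
    "Token.PatCreateEvent": "PAT created",
    "Library.ServiceConnectionModified": "service connection edited",
}

# Constructed corporate egress ranges (RFC 5737 documentation space).
TRUSTED_IP_PREFIXES = ("203.0.113.", "198.51.100.")


@dataclass(frozen=True)
class Alert:
    severity: str  # "critical" or "high"
    actor: str
    project: str
    reason: str


def classify(event: dict) -> Alert | None:
    """Return an Alert for one audit event, or None when it is routine."""
    action = event.get("ActionId", "")
    reason = HIGH_RISK_ACTIONS.get(action)
    if reason is None:
        if not action.startswith("Security."):
            return None
        reason = f"unlisted security change ({action})"  # still worth a look
    ip = event.get("IpAddress", "")
    severity = "high"
    if not ip.startswith(TRUSTED_IP_PREFIXES):
        # A privileged change from outside known ranges gets escalated.
        severity = "critical"
        reason += f" from untrusted IP {ip or '<none>'}"
    return Alert(severity, event.get("ActorUPN", "<unknown>"),
                 event.get("ProjectName") or "<organisation>", reason)


def triage(events: list[dict]) -> list[Alert]:
    """Classify a batch; critical alerts first, then grouped by actor."""
    alerts = [a for a in map(classify, events) if a is not None]
    return sorted(alerts, key=lambda a: (a.severity != "critical", a.actor))


def burst_actors(events: list[dict], threshold: int = 3) -> set[str]:
    """Actors with `threshold` or more high-risk events in one batch."""
    counts = Counter(a.actor for a in triage(events))
    return {actor for actor, n in counts.items() if n >= threshold}


# Constructed sample batch in the shape of streamed audit records.
SAMPLE_EVENTS = [json.loads(line) for line in """
{"ActionId":"Git.RefUpdated","ActorUPN":"dev@contoso.example","IpAddress":"203.0.113.10","ProjectName":"Payments"}
{"ActionId":"Security.ModifyPermission","ActorUPN":"admin@contoso.example","IpAddress":"203.0.113.44","ProjectName":"Payments"}
{"ActionId":"Pipelines.PipelineModified","ActorUPN":"contractor@partner.example","IpAddress":"192.0.2.77","ProjectName":"Payments"}
{"ActionId":"Token.PatCreateEvent","ActorUPN":"contractor@partner.example","IpAddress":"192.0.2.77","ProjectName":""}
{"ActionId":"Security.ModifyAccessControlLists","ActorUPN":"contractor@partner.example","IpAddress":"192.0.2.77","ProjectName":"Payments"}
""".strip().splitlines()]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"[{alert.severity.upper()}] {alert.actor} @ {alert.project}: {alert.reason}")
    print("burst actors:", burst_actors(SAMPLE_EVENTS))
```

Run against the constructed batch, the routine Git push is ignored, the admin's permission change from a known address is logged as high, and the contractor's three privileged changes from an unknown address come out as critical and trip the burst rule, which is the pattern (new PAT, then pipeline and ACL edits) you want a human looking at within minutes.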

Project-Level Security

Permissions Model

Azure DevOps grants permissions to security groups at organisation, project and object level (repositories, pipelines, service connections). Assign them to Azure AD groups rather than to individual users, so that removing someone from the group revokes their access everywhere. Follow the principle of least privilege, granting only the minimum permissions required for each role. Conduct quarterly access reviews to verify who has access to what. Where possible, use separate projects or organisations for production versus development environments.

Branch Policies

Protect your main branches with branch policies. Require pull requests for all changes, with no direct commits to main or master. Mandate at least one (preferably two) code reviewers, do not let the author's own vote count towards approval, and reset approvals when new commits are pushed. Link work items to ensure traceability to requirements. Require a successful build validation before merges are permitted, and ensure all comments are resolved before completion.
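A check for the baseline just described, as an added example that is not code from the original article. It consumes the JSON returned by GET https://dev.azure.com/{org}/{project}/_apis/policy/configurations?api-version=7.1; the policy type GUIDs are the well-known values for the built-in policy types (confirm them against GET .../_apis/policy/types in your organisation), and the response, repository ids and build definition ids below are constructed for the illustration.

```python
"""Check that a protected branch carries the expected branch policies.

Added example; not code from the original article. Input is the JSON of
GET https://dev.azure.com/{org}/{project}/_apis/policy/configurations?api-version=7.1
The policy type GUIDs are the documented well-known values for the built-in
policy types (confirm with GET .../_apis/policy/types). The sample response
is constructed.
"""
from __future__ import annotations

MIN_REVIEWERS = "fa4e907d-c16b-4a4c-9dfa-4906e5d171dd"      # Minimum number of reviewers
WORK_ITEM_LINK = "40e92b44-2fe1-4dd6-b3d8-74a9c21d0c6e"     # Work item linking
COMMENT_RESOLUTION = "c6a1889d-b943-4856-b76f-9e46bb6b0df2" # Comment requirements
BUILD_VALIDATION = "0609b952-1397-4640-95ec-e00a01b2c241"   # Build validation

REQUIRED = {
    BUILD_VALIDATION: "no build validation policy",
    WORK_ITEM_LINK: "no work item linking policy",
    COMMENT_RESOLUTION: "no comment resolution policy",
}


def _covers(policy: dict, repo_id: str, ref: str) -> bool:
    """True when an enabled, blocking policy's scope includes repo_id/ref."""
    if not (policy.get("isEnabled") and policy.get("isBlocking")):
        return False
    for scope in policy.get("settings", {}).get("scope", []):
        # repositoryId null means "every repository in the project"
        if scope.get("repositoryId") not in (None, repo_id):
            continue
        kind, name = scope.get("matchKind"), scope.get("refName", "")
        if kind == "Exact" and name == ref:
            return True
        if kind == "Prefix" and ref.startswith(name):
            return True
    return False


def audit_branch(configs: dict, repo_id: str, ref: str = "refs/heads/main") -> list[str]:
    """Return findings for repo_id/ref; an empty list means the baseline holds."""
    active = {p["type"]["id"]: p.get("settings", {})
              for p in configs.get("value", []) if _covers(p, repo_id, ref)}
    findings = []
    reviewers = active.get(MIN_REVIEWERS)
    if reviewers is None:
        findings.append("no minimum-reviewers policy")
    else:
        if reviewers.get("minimumApproverCount", 0) < 1:
            findings.append("reviewer policy requires zero approvers")
        if reviewers.get("creatorVoteCounts"):
            findings.append("pull request author may approve their own change")
        if not reviewers.get("resetOnSourcePush"):
            findings.append("approvals survive new pushes (resetOnSourcePush off)")
    findings.extend(msg for type_id, msg in REQUIRED.items() if type_id not in active)
    return findings


def _policy(type_id, repo_id, ref, enabled=True, blocking=True, **settings):
    """Build one configuration record in the REST response shape (constructed)."""
    scope = [{"repositoryId": repo_id, "refName": ref, "matchKind": "Exact"}]
    return {"isEnabled": enabled, "isBlocking": blocking, "type": {"id": type_id},
            "settings": {**settings, "scope": scope}}


WEAK, STRONG = "repo-weak", "repo-strong"  # constructed repository ids
SAMPLE_RESPONSE = {"count": 7, "value": [
    _policy(MIN_REVIEWERS, WEAK, "refs/heads/main", minimumApproverCount=1,
            creatorVoteCounts=True, resetOnSourcePush=False),
    _policy(BUILD_VALIDATION, WEAK, "refs/heads/main", buildDefinitionId=7),
    _policy(COMMENT_RESOLUTION, WEAK, "refs/heads/main", enabled=False),  # switched off
    _policy(MIN_REVIEWERS, STRONG, "refs/heads/main", minimumApproverCount=2,
            creatorVoteCounts=False, resetOnSourcePush=True),
    _policy(BUILD_VALIDATION, STRONG, "refs/heads/main", buildDefinitionId=8),
    _policy(WORK_ITEM_LINK, STRONG, "refs/heads/main"),
    _policy(COMMENT_RESOLUTION, None, "refs/heads/main"),  # project-wide policy
]}

if __name__ == "__main__":
    for repo in (WEAK, STRONG):
        print(repo, audit_branch(SAMPLE_RESPONSE, repo) or ["ok"])
```

Note that a policy that exists but is disabled, or is set to optional rather than blocking, is treated as absent: that is the state "we configured reviewers once" environments drift into, and it is exactly what the quarterly review should catch.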

Pipeline Security

Pipelines are the most critical security domain in Azure DevOps. A compromised pipeline can deploy malicious code or exfiltrate secrets.

Pipeline Permissions

Limit who can create and edit pipelines, and who can authorise resources for them. Use pipeline decorators to inject security scanning steps into every pipeline so that individual teams cannot opt out. Deploy to production only through environments with approval gates. In Project Settings → Pipelines → Settings, enable "Limit job authorization scope to current project" for both release and non-release pipelines, together with "Protect access to repositories in YAML pipelines", so the job access token a build receives cannot reach other projects or repositories it was not explicitly granted.

Secure Variables

# Bad - hardcoded secret in the pipeline definition (and so in git history)
- script: |
    curl -H "Authorization: Bearer abc123secret" https://api.example.com

# Good - fetch the secret from Key Vault at run time
- task: AzureKeyVault@2
  displayName: Fetch API key
  inputs:
    azureSubscription: 'MyConnection'   # service connection with Key Vault secret-read access
    KeyVaultName: 'MyKeyVault'
    SecretsFilter: 'api-key'            # only the secret this job needs, never '*'

# Pass the secret to the script as an environment variable instead of
# expanding $(api-key) into the script body. Azure DevOps masks secret
# variables in logs either way, but masking is best-effort; an env var keeps
# the value out of the rendered command text altogether.
- script: |
    curl -H "Authorization: Bearer $API_KEY" https://api.example.com
  env:
    API_KEY: $(api-key)

Service Connection Security

Service connections are high-value targets and require careful protection. Use workload identity federation so that the connection holds no long-lived secret at all; where a client secret is unavoidable, rotate it at least quarterly. Limit blast radius by scoping connections to a resource group rather than granting subscription-wide access. Restrict which pipelines can use each connection, and delete connections that no pipeline uses.

⚠️ Common Mistake

Never use "Grant access permission to all pipelines" on service connections. Always explicitly authorise only the pipelines that need access.
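A check for the three service connection mistakes above (secret-based credentials, subscription-wide scope, and "grant access to all pipelines"), as an added example that is not code from the original article. It consumes the JSON of GET .../_apis/serviceendpoint/endpoints?api-version=7.1 and, per endpoint, GET .../_apis/pipelines/pipelinepermissions/endpoint/{id}?api-version=7.1-preview.1. The field names follow those responses (authorization.scheme, authorization.parameters.scope, data.scopeLevel, allPipelines.authorized), but the endpoint and permission records below are constructed, so treat the exact field checks as assumptions to confirm against a real response.

```python
"""Audit Azure Resource Manager service connections for the mistakes the
section above warns about.

Added example; not code from the original article. Field names follow the
serviceendpoint and pipelinepermissions REST responses; the sample records
are constructed, and the checks are assumptions to confirm against live data.
"""
from __future__ import annotations


def audit_endpoint(endpoint: dict, permissions: dict) -> list[str]:
    """Findings for one service connection plus its pipeline permissions."""
    name = endpoint.get("name", "?")
    findings: list[str] = []
    auth = endpoint.get("authorization", {})
    scheme = auth.get("scheme")
    params = auth.get("parameters", {})

    # 1. Credential type: a client secret sits in Azure DevOps until rotated.
    if scheme == "ServicePrincipal" and params.get("authenticationType", "spnKey") == "spnKey":
        findings.append(f"{name}: uses a service principal secret; migrate to WorkloadIdentityFederation")
    elif scheme not in ("WorkloadIdentityFederation", "ManagedServiceIdentity", "ServicePrincipal"):
        findings.append(f"{name}: unrecognised auth scheme {scheme!r}; review manually")

    # 2. Blast radius: without a resourceGroups segment the whole subscription
    #    (or a management group) is in scope.
    scope = (params.get("scope") or "").lower()
    if endpoint.get("data", {}).get("scopeLevel") == "ManagementGroup":
        findings.append(f"{name}: scoped to a management group")
    elif "/resourcegroups/" not in scope:
        findings.append(f"{name}: subscription-wide scope; narrow to a resource group")

    # 3. Who may use it.
    if permissions.get("allPipelines", {}).get("authorized"):
        findings.append(f"{name}: open to all pipelines in the project")
    else:
        users = [p["id"] for p in permissions.get("pipelines", []) if p.get("authorized")]
        if not users:
            findings.append(f"{name}: authorised for no pipeline; delete if unused")
    if endpoint.get("isShared"):
        findings.append(f"{name}: shared with other projects")
    return findings


def audit_all(endpoints: dict, perms_by_id: dict[str, dict]) -> dict[str, list[str]]:
    """Audit every azurerm endpoint in a list response, keyed by endpoint id."""
    return {e["id"]: audit_endpoint(e, perms_by_id.get(e["id"], {}))
            for e in endpoints.get("value", []) if e.get("type") == "azurerm"}


# Constructed sample data in the shape of the two REST responses.
SAMPLE_ENDPOINTS = {"count": 3, "value": [
    {"id": "ep-prod", "name": "prod-rg-deploy", "type": "azurerm", "isShared": False,
     "authorization": {"scheme": "WorkloadIdentityFederation",
                       "parameters": {"tenantid": "t", "serviceprincipalid": "s",
                                      "scope": "/subscriptions/0000/resourcegroups/rg-prod"}},
     "data": {"subscriptionId": "0000", "scopeLevel": "Subscription"}},
    {"id": "ep-legacy", "name": "legacy-sub-admin", "type": "azurerm", "isShared": True,
     "authorization": {"scheme": "ServicePrincipal",
                       "parameters": {"tenantid": "t", "serviceprincipalid": "s",
                                      "authenticationType": "spnKey",
                                      "scope": "/subscriptions/0000"}},
     "data": {"subscriptionId": "0000", "scopeLevel": "Subscription"}},
    {"id": "ep-gh", "name": "github-read", "type": "github",
     "authorization": {"scheme": "PersonalAccessToken"}},
]}
SAMPLE_PERMISSIONS = {
    "ep-prod": {"allPipelines": {"authorized": False}, "pipelines": [{"id": 12, "authorized": True}]},
    "ep-legacy": {"allPipelines": {"authorized": True}, "pipelines": []},
}

if __name__ == "__main__":
    for endpoint_id, findings in audit_all(SAMPLE_ENDPOINTS, SAMPLE_PERMISSIONS).items():
        print(endpoint_id, findings or ["ok"])
```

The legacy connection in the sample fails all four checks at once, which is the usual shape of a connection created years ago with "grant access to all pipelines" ticked: a secret-backed principal over the whole subscription that any pipeline in the project, including one a contributor just created, can use.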

Agent Security

Use Microsoft-hosted agents where possible: each job runs on a fresh VM that is discarded afterwards, so nothing persists between builds. Self-hosted agents keep their working directory, tool caches and whatever credentials a previous job left behind, so run them in an isolated network segment and keep them patched. Prefer Azure virtual machine scale set agents, which can be configured to tear down each VM after use, and never run the agent service as an administrator or as root.

Repository Security

Secret Scanning

Enable GitHub Advanced Security for Azure DevOps and turn on secret scanning: it alerts on secrets already committed anywhere in a repository's history and, with push protection enabled, rejects pushes that contain new ones. Treat every historical finding as a live credential: rotate it first, then remove it from the repository.

Dependency Scanning

Enable dependency scanning in your pipelines using tools like OWASP Dependency-Check, Snyk, or Mend (formerly WhiteSource); GitHub Advanced Security for Azure DevOps also provides a dependency scanning task. Fail the build on critical vulnerabilities rather than merely reporting them, and generate a software bill of materials (SBOM) for each release so you can answer "are we affected?" quickly when the next library vulnerability lands.
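The build gate just described, as an added example that is not code from the original article or from any of the scanners named. It reads the OWASP Dependency-Check JSON report shape (dependencies[], each with packages[].id package URLs and vulnerabilities[] carrying name, severity and cvssv3.baseScore; confirm these field names against the report your Dependency-Check version writes), fails on critical findings unless an unexpired suppression covers them, and emits a minimal inventory of the scanned components. The report excerpt and suppression list are constructed; the two CVEs are real advisories used as realistic sample data.

```python
"""Gate a build on the vulnerabilities a dependency scan reports.

Added example; not code from the original article or from any scanner. It
reads the OWASP Dependency-Check JSON report shape (confirm the field names
against your version's output). The report excerpt and the suppression list
are constructed; the CVEs named are real advisories used as sample data.
"""
from __future__ import annotations

import json
import sys
from datetime import date

FAIL_SEVERITIES = {"CRITICAL"}
FAIL_MIN_CVSS = 9.0

# Constructed suppression list. Every exception carries an expiry so it is
# re-examined instead of silently becoming permanent.
SUPPRESSIONS = [
    {"cve": "CVE-2022-42003",
     "purl_prefix": "pkg:maven/com.fasterxml.jackson.core/jackson-databind",
     "expires": date(2026, 3, 31),
     "reason": "vulnerable code path not reachable; tracked in a ticket (constructed)"},
]


def is_suppressed(cve: str, purl: str, today: date) -> bool:
    """An expired suppression no longer counts, so the finding resurfaces."""
    return any(s["cve"] == cve and purl.startswith(s["purl_prefix"]) and s["expires"] > today
               for s in SUPPRESSIONS)


def evaluate(report: dict, today: date | str | None = None) -> dict:
    """Return the gate decision plus the lists a pipeline log should show."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    blocking, warnings, components = [], [], set()
    for dep in report.get("dependencies", []):
        purls = [p.get("id", "") for p in dep.get("packages", [])]
        purl = purls[0] if purls else dep.get("fileName", "<unknown>")
        components.add(purl)  # minimal SBOM-style inventory of what was scanned
        for vuln in dep.get("vulnerabilities", []):
            cve = vuln.get("name", "")
            severity = (vuln.get("severity") or "").upper()
            score = float((vuln.get("cvssv3") or {}).get("baseScore") or 0.0)
            if is_suppressed(cve, purl, today):
                warnings.append(f"suppressed {cve} in {purl}")
            elif severity in FAIL_SEVERITIES or score >= FAIL_MIN_CVSS:
                blocking.append(f"{cve} ({severity}, CVSS {score}) in {purl}")
            elif severity == "HIGH":
                warnings.append(f"{cve} (HIGH, CVSS {score}) in {purl}")
    return {"passed": not blocking, "blocking": blocking,
            "warnings": warnings, "components": sorted(components)}


# Constructed report excerpt in the Dependency-Check JSON shape.
SAMPLE_REPORT = {"dependencies": [
    {"fileName": "log4j-core-2.14.1.jar",
     "packages": [{"id": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}],
     "vulnerabilities": [{"name": "CVE-2021-44228", "severity": "CRITICAL",
                          "cvssv3": {"baseScore": 10.0}}]},
    {"fileName": "jackson-databind-2.13.4.jar",
     "packages": [{"id": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"}],
     "vulnerabilities": [{"name": "CVE-2022-42003", "severity": "HIGH",
                          "cvssv3": {"baseScore": 7.5}}]},
    {"fileName": "commons-text-1.10.0.jar",
     "packages": [{"id": "pkg:maven/org.apache.commons/commons-text@1.10.0"}],
     "vulnerabilities": []},
]}

if __name__ == "__main__":
    # Pipeline usage: python gate.py dependency-check-report.json
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    result = evaluate(report)
    for line in result["blocking"]:
        print("##vso[task.logissue type=error]" + line)   # shown in the job summary
    for line in result["warnings"]:
        print("##vso[task.logissue type=warning]" + line)
    sys.exit(0 if result["passed"] else 1)
```

The non-zero exit code is what actually blocks the build; the ##vso logging commands only make the findings visible in the Azure DevOps job summary. Run on the constructed report the gate fails on the log4j finding, the jackson finding is downgraded to a warning while its suppression is valid, and it returns as a warning in its own right once the suppression date has passed.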

Security Checklist

To assess your Azure DevOps security posture, verify that you have Azure AD authentication enforced, MFA required via Conditional Access, PAT creation requiring approval, and audit logging enabled and monitored. Confirm that branch policies protect main branches, code reviews are required, service connections are restricted to specific pipelines, and secrets are stored in Key Vault rather than variables. Ensure you have environment approvals for production, secret scanning enabled, dependency scanning in pipelines, and regular access reviews.

Automate Your Security Assessment

Manually checking all these settings across an organisation is time-consuming and error-prone. Our tool, Drop Table Pulse, automates this process, running 100+ security checks across your Azure DevOps organisation and providing actionable remediation guidance.

Get a free security scan and see where your organisation stands.
