
Azure DevOps Best Practices – Part 1


Introduction

Securing your Azure DevOps environment is crucial to protecting your data and applications. This guide covers ten easy-to-follow best practices to help you keep your DevOps setup safe from threats. By following these tips, you can ensure your development processes stay secure and efficient.

In this blog, we’ll explore ten best practices that every Azure DevOps user should follow. These practices will help you safeguard your data, infrastructure, and applications against threats and malicious attacks.

Access Control with Microsoft Entra (formerly Azure Active Directory)


  • Enable Microsoft Entra: Start by enabling Microsoft Entra, previously known as Azure Active Directory, to handle your identity management. This allows you to manage user access in one centralized place.
  • Invite External Users to the Directory: Invite them to join your Microsoft Entra directory if you’re collaborating with external partners or contractors. This ensures all users are managed under the same access policies.
  • Integrate Azure DevOps with Microsoft Entra ID: Integrating Azure DevOps with Microsoft Entra ID gives you a unified identity platform across your organization. Because you no longer have to manage users separately in multiple places, this integration reduces human error and improves security.
  • Sync Users, Groups, and Roles: Ensure that users, groups, and roles are synced between Azure and Azure DevOps. This ensures that any updates to permissions or roles in Microsoft Entra are reflected across both platforms, maintaining consistent access control.


Organization-Level Permissions


  • Restrict Project Creation: To prevent unauthorized or unmonitored projects, go to Organization Settings → Security → Policy and disable the ability to create public projects. Public projects can expose sensitive data to external users, so limiting this capability is crucial.
  • Block External Users: Disable external users from accessing your organization unless necessary. Go to the security settings and enforce this policy to reduce the risk of outsiders accessing your environment.
  • Add Additional Organization Admins: It’s a good practice to have more than one admin managing your Azure DevOps organization. Add additional admins to the Project Collection Administrators group to ensure continuous management and avoid single points of failure.

Agent Pools


  • Auto-Update Agents: In Settings → Agent Pools → Default, enable the auto-update feature for your agents. Keeping agents up-to-date ensures that your build and release processes run on the latest, most secure software versions.
  • Schedule Maintenance: Set up a maintenance schedule to run agent updates during off-peak hours. This helps minimize disruptions during critical operations.
  • Use Self-Hosted Agents: If you require complete control over your build servers, consider using self-hosted agents. This allows you to manage the environment and configurations according to your security requirements.
  • Separate Agent Pools for Production: It’s a good security practice to create separate agent pools for building artifacts that will be deployed to production environments. This isolates production builds from non-production builds and reduces the risk of accidental exposure.

Pipeline Settings


  • Disable Classic Pipelines: In Project Settings → Pipeline Settings, disable the creation of classic build pipelines. YAML pipelines are now preferred because they provide better traceability and can be managed within a Git repository. YAML pipelines also offer improved automation, which can enhance security by reducing manual intervention.
  • Pipeline as Code: Using YAML pipelines, your pipeline configuration is stored as code. This ensures that any changes to the pipeline are tracked in source control, making it easier to review and audit changes.

Project-Level Permissions


  • Use Groups and Teams Instead of Individual Users: Always assign permissions at the group or team level rather than assigning them to individual users. This simplifies permission management and ensures consistency across your project.
  • Optimize Retention Policies: Go to Pipeline Settings and configure retention policies for your pipelines. This helps optimize storage and reduce costs by automatically cleaning up old builds and artifacts that are no longer needed.

Pipeline Security

  • Enforce Least Privilege: Ensure that users and groups have the least privilege necessary to perform their tasks within pipelines. This minimizes the risk of unauthorized access or accidental changes to critical pipeline components.
  • Add Checks and Approvers: Add manual intervention steps to your pipelines, such as approval gates. You can assign default approvers to critical stages of the pipeline to ensure that no changes are deployed without proper oversight.

Repo Settings


  • Enforce strict branch rules to prevent pull requesters from self-approving their changes, reducing unverified code merges.
  • Set up automatic reviewers to ensure code quality and security. At least two reviewers are required per pull request for proper code validation.
  • Enable security features like static analysis and automated scans to catch vulnerabilities early.
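To make the three repo rules above concrete, here is an added example (not code from the original post or from Azure DevOps itself) that evaluates pull requests against the same policy Azure DevOps branch policies enforce: the requester's own vote never counts, at least two distinct reviewers must approve, and automated scans must pass before completion. The policy values, branch names and pull request records are constructed for illustration; in a real project the policy lives in the branch policy settings, not in a script.

```python
from dataclasses import dataclass, field

# Constructed policy values modelled on the rules in the text.
MIN_REVIEWERS = 2                          # approvals required per pull request
ALLOW_SELF_APPROVAL = False                # the requester's own vote never counts
PROTECTED_BRANCHES = ("main", "release/")  # exact name, or prefix when it ends with "/"


@dataclass
class PullRequest:
    pr_id: int
    author: str
    target_branch: str
    approvals: list = field(default_factory=list)  # names of reviewers who approved
    scans_passed: bool = False                      # static analysis / automated scan status


def is_protected(branch):
    """True when the branch-policy rules apply to this target branch."""
    return any(
        branch == p or (p.endswith("/") and branch.startswith(p))
        for p in PROTECTED_BRANCHES
    )


def policy_violations(pr, min_reviewers=MIN_REVIEWERS, allow_self=ALLOW_SELF_APPROVAL):
    """Return the rules this pull request fails; an empty list means it may be completed."""
    if not is_protected(pr.target_branch):
        return []                        # no branch policy configured for this branch
    problems = []
    approvers = set(pr.approvals)        # duplicate votes from one reviewer count once
    if not allow_self and pr.author in approvers:
        problems.append("self-approval")
        approvers.discard(pr.author)     # a self-approval never counts toward the minimum
    if len(approvers) < min_reviewers:
        problems.append(f"needs {min_reviewers} reviewers, has {len(approvers)}")
    if not pr.scans_passed:
        problems.append("security scan not passed")
    return problems


def completable_prs(prs):
    """IDs of the pull requests that pass every rule."""
    return [pr.pr_id for pr in prs if not policy_violations(pr)]


# Constructed sample pull requests (names and IDs are made up).
SAMPLE_PRS = [
    PullRequest(101, "alice", "main", ["bob", "carol"], True),
    PullRequest(102, "bob", "main", ["bob", "carol"], True),    # author approved own PR
    PullRequest(103, "carol", "main", ["dave", "dave"], True),  # one reviewer voting twice
    PullRequest(104, "dave", "main", ["alice", "bob"], False),  # scans failed
]

if __name__ == "__main__":
    for pr in SAMPLE_PRS:
        print(pr.pr_id, policy_violations(pr) or "ok")
```

Running the block reports only PR 101 as completable; the others show why the configured policy would block them.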

Authentication and Authorization

Use service principals and managed identities for secure authentication and easier audits rather than personal or generic accounts. To limit access, create service principals specific to roles (e.g., developer, ops). Grant service connections only the necessary resource group permissions. Avoid classic service connections and use modern ones for better access control.

Personal Access Tokens (PATs)


Assign only necessary permissions to PATs. Ensure PATs expire after a few days or weeks to limit risks. Revoke compromised tokens immediately using Azure DevOps tools.
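An added example of auditing PAT inventory against the rules in this section (scoped tokens, short lifetimes, prompt revocation). This is illustration code, not part of the original post and not an Azure DevOps API: the token records, the 30-day limit and the audit date are constructed, and `app_token` is assumed here to be the scope identifier that denotes a full-access token.

```python
from datetime import date

# Constructed policy values: the text asks for tokens that expire after days or weeks.
MAX_LIFETIME_DAYS = 30
FULL_ACCESS_SCOPE = "app_token"   # assumed identifier for a "Full access" PAT scope
TODAY = date(2024, 9, 1)          # constructed audit date so the example is reproducible

# Constructed token inventory (names, dates and scopes are made up).
SAMPLE_TOKENS = [
    {"name": "ci-build",    "created": "2024-08-20", "expires": "2024-09-10",
     "scopes": ["vso.build_execute"]},
    {"name": "laptop-full", "created": "2024-01-01", "expires": "2024-12-31",
     "scopes": [FULL_ACCESS_SCOPE]},
    {"name": "old-script",  "created": "2024-06-01", "expires": "2024-06-15",
     "scopes": ["vso.code"]},
]


def pat_findings(token, today=TODAY):
    """Evaluate one token record against the policy; returns the list of findings."""
    created = date.fromisoformat(token["created"])
    expires = date.fromisoformat(token["expires"])
    findings = []
    lifetime = (expires - created).days
    if lifetime > MAX_LIFETIME_DAYS:
        findings.append(f"lifetime {lifetime}d exceeds {MAX_LIFETIME_DAYS}d")
    if FULL_ACCESS_SCOPE in token["scopes"]:
        findings.append("full-access scope")      # should be replaced by least-privilege scopes
    if expires < today:
        findings.append("expired but not revoked")  # clean up, so it cannot be re-enabled by mistake
    return findings


def audit(tokens, today=TODAY):
    """Map token name -> findings for every token that violates at least one rule."""
    report = {}
    for token in tokens:
        findings = pat_findings(token, today)
        if findings:
            report[token["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_TOKENS).items():
        print(name, "->", "; ".join(findings))
```

The `ci-build` token passes because it is narrowly scoped and lives for three weeks; the other two are the cases the text tells you to fix: re-issue `laptop-full` with specific scopes and a short expiry, and revoke `old-script`.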

Secrets and Credentials Access

  • Avoid Hardcoding Secrets: Never embed API keys or passwords in pipeline scripts or code to prevent exposure.
  • Use Runtime Variables: Pass secrets as runtime variables during pipeline execution to keep them out of the codebase.
  • Tokenize Secrets: Inject secrets at runtime using tokenization to manage sensitive information securely.
  • Store Secrets in Azure Key Vault: Use Azure Key Vault for secure storage and fine-grained access control of secrets.
  • Consider Third-Party Tools: Use secret management tools like HashiCorp Vault for advanced secret handling and Azure DevOps integration.
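The secrets rules above, together with the Pipeline Settings (pipeline as code) and Pipeline Security (approval gates) sections, can be checked mechanically once pipelines are YAML in a repository. The following is an added example, not code from the original post or from Azure DevOps: it embeds two constructed Azure Pipelines YAML files, one with a committed password and a production deployment that has no environment (so no approval check can be attached), and a hardened one that pulls the secret from Key Vault with the `AzureKeyVault@2` task, passes it as a runtime variable and deploys to an `environment` where approvers are configured. Two line-oriented checks flag the weak file and pass the hardened one. The pipeline contents, pool, service connection and vault names are assumptions made for the example.

```python
import re

# Constructed sample pipeline showing the weaknesses the text warns about.
BAD_PIPELINE = """\
trigger:
  - main
pool:
  vmImage: ubuntu-latest
variables:
  DB_PASSWORD: "Sup3rSecret!"         # hard-coded secret
stages:
  - stage: Deploy
    jobs:
      - deployment: DeployProd        # no environment, so no approval gate
        strategy:
          runOnce:
            deploy:
              steps:
                - script: ./deploy.sh --api-key=abc123def456
"""

# Constructed hardened variant: secrets arrive at runtime, deployment is gated.
GOOD_PIPELINE = """\
trigger:
  - main
pool:
  name: prod-build-pool               # assumed self-hosted pool reserved for production
stages:
  - stage: Deploy
    jobs:
      - deployment: DeployProd
        environment: production       # approvals and checks are attached here
        strategy:
          runOnce:
            deploy:
              steps:
                - task: AzureKeyVault@2
                  inputs:
                    azureSubscription: prod-service-connection
                    KeyVaultName: kv-prod-example
                    SecretsFilter: DbPassword
                - script: ./deploy.sh
                  env:
                    DB_PASSWORD: $(DbPassword)   # injected at runtime, never committed
"""

# Keys whose value should never be a literal in a committed pipeline file.
SECRET_KEY = re.compile(
    r"(?i)(password|passwd|pwd|secret|token|api[_-]?key|client[_-]?secret)\s*[:=]\s*(\S+)"
)
# Values resolved at run time rather than committed: $(var), ${{ expr }}, $[ expr ]
RUNTIME_REF = ("$(", "${{", "$[")


def _strip_comment(line):
    """Drop a trailing YAML comment ('#' at line start or after whitespace)."""
    return re.split(r"(^|\s)#", line, maxsplit=1)[0]


def hardcoded_secrets(yaml_text):
    """Return (line_number, key) for each secret-looking key given a literal value."""
    hits = []
    for n, raw in enumerate(yaml_text.splitlines(), start=1):
        m = SECRET_KEY.search(_strip_comment(raw))
        if not m:
            continue
        value = m.group(2).strip("'\"")
        if value and not value.startswith(RUNTIME_REF):
            hits.append((n, m.group(1).lower()))
    return hits


def deployments_without_environment(yaml_text):
    """Line numbers of deployment jobs that name no environment (nothing to attach approvers to)."""
    lines = yaml_text.splitlines()
    missing = []
    for i, raw in enumerate(lines):
        m = re.match(r"^(\s*)-\s*deployment:", raw)
        if not m:
            continue
        indent = len(m.group(1))
        has_env = False
        for follow in lines[i + 1:]:          # scan the job's own keys only
            if not follow.strip():
                continue
            if len(follow) - len(follow.lstrip()) <= indent:
                break                         # next job/stage: this job is finished
            if re.match(r"^\s*environment:", _strip_comment(follow)):
                has_env = True
                break
        if not has_env:
            missing.append(i + 1)
    return missing


def lint(yaml_text):
    """Combine both checks into one report; empty lists mean the file passes."""
    return {
        "hardcoded_secrets": hardcoded_secrets(yaml_text),
        "deployments_without_environment": deployments_without_environment(yaml_text),
    }


if __name__ == "__main__":
    print("bad :", lint(BAD_PIPELINE))
    print("good:", lint(GOOD_PIPELINE))
```

A check like this belongs in a pull request validation build for the repository that holds the pipelines, which is exactly what "pipeline as code" makes possible: the review happens on the YAML diff before it can run. The regex is deliberately conservative (it only inspects values whose key name looks secret-related), so treat it as a tripwire alongside a dedicated secret scanner, not a replacement for one.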

Conclusion

By following the ten best practices outlined in this guide, you can significantly bolster the security and integrity of your Azure DevOps environment.

From managing access control with Microsoft Entra to securing pipelines and repos, each step enhances your system’s resilience against unauthorized access and threats.

Prioritizing security is not just about protecting data but ensuring that your development processes remain efficient and reliable. By implementing these practices, you safeguard your organization’s data, infrastructure, and applications, allowing your teams to work confidently.

Drop a query if you have any questions regarding Azure DevOps and we will get back to you quickly.



FAQs

1. Why integrate Microsoft Entra with Azure DevOps?

ANS: – Microsoft Entra centralizes user access, ensuring consistent security policies and simplifying identity management.

2. Why use YAML pipelines instead of classic pipelines?

ANS: – YAML pipelines offer better traceability, automation, and version control, enhancing security by reducing manual errors.

WRITTEN BY Navneet Nirmal Toppo

Navneet is a Research Associate at CloudThat. He is a Microsoft Certified Solution Professional and a Certified Network Security Specialist who has experience in AWS, Azure, GCP & vSphere. He is passionate about cloud computing, cybersecurity, and learning new cloud-native technologies, and strives to provide the best cloud experience to clients through transparency.
