Eric van Wijk

In September, we announced the ability to configure Azure service connections that do not need a secret. Azure service connections that use workload identity federation are easier to manage and more secure. Many customers have adopted this feature and we’re excited to announce it is now generally available!

Image oidc collaboration

Improved security

Workload identity federation enforces how an identity can be used. The federation subject (sc:////) configured on the App Registration or Managed Identity can only be used in Azure DevOps, by the service connection the federation is configured for. This provides a stricter constraint than a secret, which could unintentionally be leaked and used for other purposes or from other locations.

No more worries about expiring secrets

Configuration of an Azure service connection with workload identity federation is a one-time setup. You don’t have to worry about expiring secrets that have to be rotated in order for the service connection to stay operational.

Getting started

If you haven’t used Workload identity federation yet, you can take advantage of worry-free Azure service connections in the following ways:

To create a new Azure service connection using workload identity federation, select Workload identity federation (automatic) in the Azure service connection creation experience:

image

To convert a previously created Azure service connection created with a secret, select the “Convert” action after selecting the connection:

image

To convert multiple service connections that use a secret to use workload identity federation instead, you can use the below script as a basis:

#!/usr/bin/env pwsh
<# 
.SYNOPSIS 
    Convert multiple Azure Resource Manager service connection(s) to use Workload identity federation
.LINK
    https://aka.ms/azdo-rm-workload-identity-conversion
.EXAMPLE