Azure DevOps Pipelines

Azure DevOps Pipelines is a CI/CD service for building, testing, and deploying applications across Azure, other clouds, Kubernetes, and on-premises environments.

Overview

Azure Pipelines can run YAML-defined pipelines from Azure Repos, GitHub, or other Git providers. It supports Microsoft-hosted agents, self-hosted agents, deployment jobs, environments, service connections, approvals, and integration with Azure services. It is especially useful for Microsoft-heavy organizations and Azure-first platform teams.

Best use cases

  • Azure-centered application, infrastructure, and platform delivery.
  • Enterprises that need service connections, approvals, environments, and auditability.
  • Hybrid Windows and Linux builds with Microsoft-hosted or self-hosted agents.
  • Deployments using Bicep, ARM templates, Terraform, OpenTofu, Helm, kubectl, or Azure CLI.
  • Teams that already use Azure Repos, Azure Boards, Azure Artifacts, or Microsoft Entra ID.

Minimal pipeline example

trigger:
  branches:
    include:
      - main

pr:
  branches:
    include:
      - main

pool:
  vmImage: ubuntu-latest

steps:
  - task: NodeTool@0
    inputs:
      versionSpec: "22.x"
  - script: npm ci
    displayName: Install dependencies
  - script: npm test
    displayName: Run tests

Secrets handling

  • Store sensitive values as secret pipeline variables, variable groups, or Azure Key Vault-backed variable groups.
  • Use service connections with the narrowest permissions needed for each subscription, resource group, or deployment target.
  • Prefer workload identity federation or managed identity patterns where available instead of static client secrets.
  • Restrict who can read and edit variable groups, and never echo secret variables in scripts.
  • Separate non-production and production service connections to reduce blast radius.

Deployment options

  • Deploy Azure resources with Azure CLI, Azure PowerShell, Bicep, ARM templates, Terraform, or OpenTofu.
  • Deploy applications to Azure App Service, Azure Functions, Azure Kubernetes Service, virtual machines, or container registries.
  • Use environments, deployment jobs, checks, and approvals for controlled staging and production releases.
  • Run self-hosted agents inside private networks for internal systems or restricted deployment targets.
  • Use GitOps tools for AKS when pull-based reconciliation is preferred.
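Tying the secrets-handling and deployment points above together, here is an added pipeline that is not from the original page: a Key Vault-backed variable group supplies the secret, the secret reaches the script only through an explicit env mapping, and production runs as a deployment job against an environment that carries the approval checks. The variable group, service connection, environment and resource group names are placeholders.

```yaml
# Added example, not from the original page: a Key Vault-backed variable group supplies
# the secret, the secret reaches the script only through an explicit env mapping, and
# production runs as a deployment job against an environment that carries approval checks.
# 'kv-prod-secrets', 'sc-prod-rg-deploy', 'production' and 'rg-app-prod' are placeholders.
trigger:
  branches:
    include:
      - main

pool:
  vmImage: ubuntu-latest

variables:
  - group: kv-prod-secrets   # linked to Azure Key Vault; every value is a secret variable

stages:
  - stage: Build
    jobs:
      - job: Build
        steps:
          - script: npm ci && npm test
            displayName: Build and test

  - stage: Deploy
    dependsOn: Build
    condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
    jobs:
      - deployment: DeployProd
        environment: production   # approvals and checks are configured on the environment
        strategy:
          runOnce:
            deploy:
              steps:
                - task: AzureCLI@2
                  displayName: Deploy Bicep through a resource-group-scoped service connection
                  inputs:
                    azureSubscription: sc-prod-rg-deploy   # service connection name, not a subscription
                    scriptType: bash
                    scriptLocation: inlineScript
                    inlineScript: |
                      # DB_PASSWORD exists only because of the env mapping below; do not echo it.
                      az deployment group create \
                        --resource-group rg-app-prod \
                        --template-file infra/main.bicep \
                        --parameters dbPassword="$DB_PASSWORD"
                  env:
                    DB_PASSWORD: $(db-password)   # explicit mapping of the Key Vault secret
```

Secret variables are not exposed to scripts as environment variables automatically; the `env:` mapping is what makes the value available, which keeps the exposure deliberate and visible in review.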

Security considerations

  • Scope service connections carefully and require approvals for production environments.
  • Protect YAML pipeline changes with branch policies and required reviews.
  • Avoid granting broad contributor permissions to pipelines that only need deployment or read access.
  • Keep self-hosted agents patched and isolated, and dedicate each agent pool to a single trust level rather than sharing it between untrusted pull-request builds and production deployments.
  • Add secret scanning, dependency scanning, IaC scanning, container image scanning, and release evidence retention.

Related

  • DevSecOps — Integrate secure coding, scanning, and compliance controls into Azure pipelines.
  • GitOps — Combine Azure Pipelines with pull-based Kubernetes delivery.
  • Kubernetes — Build and deploy container workloads to AKS or other clusters.
  • Infrastructure as Code — Validate and deploy Bicep, Terraform, OpenTofu, and other IaC.
  • CI/CD Security Best Practices — Apply least privilege and secure artifact promotion.