Configure Managed DevOps Pools identity

User assigned managed identities enable Azure resources to authenticate to cloud services, like Azure Key Vault, without storing credentials in code. These types of managed identities are created as standalone Azure resources, and have their own lifecycle. A single resource, like a Virtual Machine, can utilize multiple user assigned managed identities. Similarly, a single user assigned managed identity can be shared across multiple resources.

Create an identity and register it with Managed DevOps Pools

The managed identity must be in the same Microsoft Entra directory as your Azure DevOps organization.

If the two directories don't match, or your Azure DevOps organization isn't connected to Microsoft Entra, follow the steps in Connect your organization to Microsoft Entra ID and connect to the same directory as your Azure subscription.

  1. Go to the Azure portal, search for Managed Identities, select it from the available options, and choose Create. Ensure you're logged in to the tenant specified in the previous section. If not, you must switch to an Azure account with access to that tenant, or switch the tenant of your Azure DevOps organization. You can view your current Tenant ID by searching for Microsoft Entra Id in the search bar, or by navigating the Microsoft Entra ID option using the portal menu in the top left of the Azure portal.

    Screenshot of Managed Identities Create button.

  2. Choose the desired Subscription, Resource group, Region, and Name, and choose Review + Create.

    Screenshot of Create User Assigned Managed Identity window.

  3. On the confirmation window, choose Create to create the identity.

  4. Go to your Managed DevOps Pool in the Azure portal, and choose Settings > Identity, Add.

    Screenshot of Add identity button.

  5. Choose your subscription, choose the managed identity from the list, and choose Add.

    Screenshot of Add identity pane.

Azure Key Vault integration

Managed DevOps Pools offers the ability to fetch certificates from an Azure Key Vault during agent provisioning, which means the certificates will already exist on the machine by the time it runs your Azure DevOps pipelines. To use this feature, add an identity to your pool as shown in the previous example, and assign the Key Vault Secrets User role to the identity.

Key Vault integration is configured in Settings > Security. For more information, see Configure security - Key Vault integration.

Screenshot of Azure Key Vault integration settings.

See also