You can configure security setting for Managed DevOps Pools during pool creation by using the Security tab, and after pool creation by using the Security settings pane.
Configure organization access
Be default, Managed DevOps Pools are configured for a single organization, with access to the pool granted to all projects in the organization. You can optionally limit access to specific projects in the organization, and you can grant access to additional organizations if desired.
By default, Managed DevOps Pools is configured for use with a single Azure DevOps organization that you specify when you create the pool. When your pool is configured for a single organization, the organization name is displayed and configured in Pool settings
By default, Add pool to all projects is set to Yes, and access to the Managed DevOps Pool is granted to all projects in the organization. Choose No to specify a list of projects to limit which projects in your organization can use the pool.
Organizations are configured in the organizationProfile property of the Managed DevOps Pools resource.
The organizationProfile section has the following properties.
Property
Description
organizations
A list of the organizations that can use your pool. url specifies the URL of the organization, projects is a list of project names that can use the pool (an empty list supports all projects in the organization), and parallelism specifies the number of agents that can be used by this organization. The sum of the parallelism for the organizations must match the maximum agents setting for the pool.
permissionProfile
Specify the permission granted to the Azure DevOps pool when it is created. This value can be set during pool creation only. Allowed values are Inherit, CreatorOnly, and SpecificAccounts. If specificAccounts is specified, provide a single email address or a list of email addresses for the users property; otherwise omit users. For more information, see Pool administration permissions.
kind
This value specifies the type of organization for the pool, and must be set to Azure DevOps.
Organizations are configured in the organization-profile parameter when creating or updating a pool.
az mdp pool create \
--organization-profile organization-profile.json
# other parameters omitted for space
The following example shows an organization-profile object that is configured for all projects in the fabrikam-tailspin organization with parallelism set to 1.
The organizationProfile section has the following properties.
Property
Description
AzureDevOps
This value is the name of the object defined in organization-profile and must be set to Azure DevOps.
organizations
A list of the organizations that can use your pool. url specifies the URL of the organization, projects is a list of project names that can use the pool (an empty list supports all projects in the organization), and parallelism specifies the number of agents that can be used by this organization. The sum of the parallelism for the organizations must match the maximum agents setting for the pool.
permissionProfile
Specify the permission granted to the Azure DevOps pool when it is created. This value can be set during pool creation only. Allowed values are Inherit, CreatorOnly, and SpecificAccounts. If specificAccounts is specified, provide a single email address or a list of email addresses for the users property; otherwise omit users. For more information, see Pool administration permissions.
Enable Use pool in multiple organizations to use your pool with multiple Azure DevOps organizations. For each organization, specify the projects that are permitted to use the pool, or leave blank to allow all projects. Configure the Parallelism for each organization by specifying what portions of the concurrency, as specified by Maximum agents for the pool, to allocate to each organization. The sum of the parallelism for all organizations must equal the maximum concurrency of the pool. For example, if Maximum agents is set to five, the sum of the parallelism for the specified organizations must be five. If Maximum agents is set to one, you can only use the pool with one organization.
In the following example, the pool is configured to be available for the FabrikamResearch and FabrikamTest projects in the fabrikam-tailspin organization, and to all projects in the fabrikam-blue organization.
If you receive an error like The sum of parallelism for all organizations must equal the max concurrency., ensure that the Maximum agents count for the pool matches the sum of the Parallelism column.
Add additional organizations to the organizations list to configure your pool for use with multiple organizations. The following example has two organizations configured. The first organization is configured to use Managed DevOps Pools for all projects, and the second organizations is limited to two projects. In this example, the maximum agents setting for the pool is four, and each organization can use two of these four agents.
Organizations are configured in the organization-profile parameter when creating or updating a pool.
az mdp pool create \
--organization-profile organization-profile.json
# other parameters omitted for space
Add additional organizations to the organizations list to configure your pool for use with multiple organizations. The following example has two organizations configured. The first organization is configured to use Managed DevOps Pools for all projects, and the second organizations is limited to two projects. In this example, the maximum agents setting for the pool is four, and each organization can use two of these four agents.
Interactive mode is configured in the osProfile section of the fabricProfile property. Set logonType to Interactive to enable interactive mode, or Service to disable interactive mode.
As part of the Managed DevOps Pool creation process, an organization level agent pool is created in Azure DevOps. The Pool administration permissions setting specifies which users are granted the administrator role of the newly created Azure DevOps pool. To view and manage the Azure DevOps agent pool permissions after the Managed DevOps Pool is created, see Create and manage agent pools - Security of agent pools.
Creator only - The user that created the Managed DevOps Pool is added as an administrator of the Azure DevOps agent pool, and Inheritance is set to Off in the agent pool security settings. Creator only is the default setting.
Inherit permissions from project - The user that created the Managed DevOps Pool is added as an administrator of the Azure DevOps agent pool, and Inheritance is set to On in the agent pool security settings.
Specific accounts - Specify the accounts to be added as administrators of the created agent pool in Azure DevOps. By default the Managed DevOps Pool creator is added to the list.
Note
The Pool administration permissions setting is configured on the Security tab when the pool is created, and is not displayed in the Security settings after the pool is created. To view and manage the Azure DevOps agent pool permissions after the Managed DevOps Pool is created, see Create and manage agent pools - Security of agent pools.
Pool administration permissions are configured in the permissionsProfile property of the organizationProfile section of the Managed DevOps Pools resource.
The permissionProfile property can be set during pool creation only. Allowed values are Inherit, CreatorOnly, and SpecificAccounts.
CreatorOnly - The user that created the Managed DevOps Pool is added as an administrator of the Azure DevOps agent pool, and Inheritance is set to Off in the agent pool security settings. Creator only is the default setting.
Inherit - The user that created the Managed DevOps Pool is added as an administrator of the Azure DevOps agent pool, and Inheritance is set to On in the agent pool security settings.
SpecificAccounts - Specify the accounts to be added as administrators of the created agent pool in Azure DevOps. By default the Managed DevOps Pool creator is added to the list. Provide a single email address or a list of email addresses for the users property; otherwise omit users.
The permissionProfile property can be set during pool creation only. Allowed values are Inherit, CreatorOnly, and SpecificAccounts.
CreatorOnly - The user that created the Managed DevOps Pool is added as an administrator of the Azure DevOps agent pool, and Inheritance is set to Off in the agent pool security settings. Creator only is the default setting.
Inherit - The user that created the Managed DevOps Pool is added as an administrator of the Azure DevOps agent pool, and Inheritance is set to On in the agent pool security settings.
SpecificAccounts - Specify the accounts to be added as administrators of the created agent pool in Azure DevOps. By default the Managed DevOps Pool creator is added to the list. Provide a single email address or a list of email addresses for the users property; otherwise omit users.
Managed DevOps Pools offers the ability to fetch certificates from an Azure Key Vault during provisioning, which means the certificates will already exist on the machine by the time it runs your Azure DevOps pipelines. To use this feature, you must configure an identity on your pool, and this identity must have Key Vault Secrets User permissions to fetch the secret from your Key Vault. To assign your identity to the Key Vault Secrets User role, see Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control.
Note
As of api-version 2024-10-19, if you use this feature you can only use a single identity on the pool. Support for multiple identities will be added soon.
Only one identity can be used to fetch secrets from the Key Vault.
Key Vault integration is configured in Settings > Security.
Note
Key Vault integration settings can be configured only after the pool is created. Key Vault integration settings can't be configured during pool creation and are not displayed in the Security tab during pool creation.
Azure Key Vault is configured in the osProfile section of the fabricProfile property. Set the secretManagementSettings to be able to access the desired certificate.
Azure Key Vault is configured in the osProfile section of the fabricProfile property when creating or updating a pool. Set the secretManagementSettings to be able to access the desired certificate.
az mdp pool create \
--fabric-profile fabric-profile.json
# other parameters omitted for space
The following example shows the osProfile section of the fabric-profile.json file with secretsManagementSettingsconfigured.
Certificates retrieved using the SecretManagementSettings on your pool will automatically sync with the most recent versions published within the Key Vault. These secrets will be on the machine by the time it runs any Azure DevOps pipeline, meaning you can save time and remove tasks for fetching certificates.
Important
Provisioning of your agent virtual machines will fail if the secret cannot be fetched from the Key Vault due to a permissions or network issue.
For Windows, the Certificate Store Location is allowed to either be set to LocalMachine or CurrentUser. This setting will ensure that the secret is installed at that location on the machine. For specific behavior of how secret retrieval works, see the documentation for the Azure VMSS Key Vault extension for Windows.
For Linux, the Certificate Store Location can be any directory on the machine, and the certificates will be downloaded and synced to that location. For specifics on default settings and secret behavior, see the documentation for the Azure VMSS Key Vault extension for Linux.
