แก้ไข

แชร์ผ่าน


Configure Managed DevOps Pools security settings

You can configure security setting for Managed DevOps Pools during pool creation by using the Security tab, and after pool creation by using the Security settings pane.

Configure organization access

Be default, Managed DevOps Pools are configured for a single organization, with access to the pool granted to all projects in the organization. You can optionally limit access to specific projects in the organization, and you can grant access to additional organizations if desired.

Use pool with a single organization

By default, Managed DevOps Pools is configured for use with a single Azure DevOps organization that you specify when you create the pool. When your pool is configured for a single organization, the organization name is displayed and configured in Pool settings

By default, Add pool to all projects is set to Yes, and access to the Managed DevOps Pool is granted to all projects in the organization. Choose No to specify a list of projects to limit which projects in your organization can use the pool.

Screenshot of configuring projects for a single organization.

Use pool in multiple organizations

Enable Use pool in multiple organizations to use your pool with multiple Azure DevOps organizations. For each organization, specify the projects that are permitted to use the pool, or leave blank to allow all projects. Configure the Parallelism for each organization by specifying what portions of the concurrency, as specified by Maximum agents for the pool, to allocate to each organization. The sum of the parallelism for all organizations must equal the maximum concurrency of the pool. For example, if Maximum agents is set to five, the sum of the parallelism for the specified organizations must be five. If Maximum agents is set to one, you can only use the pool with one organization.

In the following example, the pool is configured to be available for the FabrikamResearch and FabrikamTest projects in the fabrikam-tailspin organization, and to all projects in the fabrikam-blue organization.

Screenshot of configuring multiple organizations.

If you receive an error like The sum of parallelism for all organizations must equal the max concurrency., ensure that the Maximum agents count for the pool matches the sum of the Parallelism column.

Configure interactive mode

If your tests need an interactive login for UI testing, enable interactive login by enabling the EnableInteractiveMode setting.

Screenshot of configuring interactive mode.

Pool administration permissions

As part of the Managed DevOps Pool creation process, an organization level agent pool is created in Azure DevOps. The Pool administration permissions setting specifies which users are granted the administrator role of the newly created Azure DevOps pool. To view and manage the Azure DevOps agent pool permissions after the Managed DevOps Pool is created, see Create and manage agent pools - Security of agent pools.

Screenshot of configuring pool administration permissions.

  • Creator only - The user that created the Managed DevOps Pool is added as an administrator of the Azure DevOps agent pool, and Inheritance is set to Off in the agent pool security settings. Creator only is the default setting.
  • Inherit permissions from project - The user that created the Managed DevOps Pool is added as an administrator of the Azure DevOps agent pool, and Inheritance is set to On in the agent pool security settings.
  • Specific accounts - Specify the accounts to be added as administrators of the created agent pool in Azure DevOps. By default the Managed DevOps Pool creator is added to the list.

Note

The Pool administration permissions setting is configured on the Security tab when the pool is created, and is not displayed in the Security settings after the pool is created. To view and manage the Azure DevOps agent pool permissions after the Managed DevOps Pool is created, see Create and manage agent pools - Security of agent pools.

Key Vault configuration

Managed DevOps Pools offers the ability to fetch certificates from an Azure Key Vault during provisioning, which means the certificates will already exist on the machine by the time it runs your Azure DevOps pipelines. To use this feature, you must configure an identity on your pool, and this identity must have Key Vault Secrets User permissions to fetch the secret from your Key Vault. To assign your identity to the Key Vault Secrets User role, see Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control.

Note

As of api-version 2024-10-19, if you use this feature you can only use a single identity on the pool. Support for multiple identities will be added soon.

Only one identity can be used to fetch secrets from the Key Vault.

Key Vault integration is configured in Settings > Security.

Screenshot of configuring Key Vault certificates.

Note

Key Vault integration settings can be configured only after the pool is created. Key Vault integration settings can't be configured during pool creation and are not displayed in the Security tab during pool creation.

Configuring SecretManagementSettings

Certificates retrieved using the SecretManagementSettings on your pool will automatically sync with the most recent versions published within the Key Vault. These secrets will be on the machine by the time it runs any Azure DevOps pipeline, meaning you can save time and remove tasks for fetching certificates.

Important

Provisioning of your agent virtual machines will fail if the secret cannot be fetched from the Key Vault due to a permissions or network issue.

For Windows, the Certificate Store Location is allowed to either be set to LocalMachine or CurrentUser. This setting will ensure that the secret is installed at that location on the machine. For specific behavior of how secret retrieval works, see the documentation for the Azure VMSS Key Vault extension for Windows.

See also