Microsoft Dev Blogs

Azure DevOps Pipelines: Discovering the Ideal Service Connection Strategy


Table of Contents

  1. Introduction
  2. One Service Connection to Rule Them All
  3. Service Connection per Resource Group
  4. Service Connection Per Environment

Introduction

In this article, we will explore various configurations, decisions, and pros and cons related to how your Azure DevOps environment will deploy code into Azure.


One Service Connection to Rule Them All

  • Deployment Scope: All Azure environments and resources.
  • Access: Typically starting with Contributor role.
  • Pros: Centralized management, simplicity.
  • Cons: Lack of granularity, potential security risks if compromised.

Service Connection per Resource Group

  • Deployment Scope: Specific to each Resource Group.
  • Access: Contributor role recommended.
  • Pros: Granular control, security, easier troubleshooting.
  • Cons: Increased management overhead, potential redundancy.

Service Connection Per Environment

  • Deployment Scope: Dedicated to each Environment.
  • Access: Contributor role initially, User Access Administrator for IaC.
  • Pros: Isolation, tailored access, improved security.
  • Cons: Increased service connections to manage, complexity.

By evaluating the scenarios of one Service Connection to rule them all, a Service Connection per Resource Group, and a Service Connection per Environment, organizations can determine the ideal service connection strategy based on their security posture, scale, and maturity levels.
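To see which of the three strategies an existing setup actually follows, the role assignments held by each service connection's identity can be classified by scope. The sketch below is an added example, not code from the article: it assumes input shaped like `az role assignment list --all -o json`, and the principal names, subscription ID and resource group names are constructed.

```python
import json
import re

# Constructed sample shaped like `az role assignment list --all -o json` output;
# principal names, subscription ID and resource group names are made up.
SAMPLE = json.loads("""[
 {"principalName": "sc-everything", "roleDefinitionName": "Contributor",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
 {"principalName": "sc-rg-web", "roleDefinitionName": "Contributor",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-web"},
 {"principalName": "sc-prod-iac", "roleDefinitionName": "User Access Administrator",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"},
 {"principalName": "sc-prod-iac", "roleDefinitionName": "Contributor",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"}
]""")

SUB = r"/subscriptions/[^/]+"
# Azure scope hierarchy, broadest first; ARM resource IDs are case-insensitive.
LEVELS = [
    ("management-group",
     re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$", re.I)),
    ("subscription", re.compile(rf"^{SUB}$", re.I)),
    ("resource-group", re.compile(rf"^{SUB}/resourceGroups/[^/]+$", re.I)),
    ("resource", re.compile(rf"^{SUB}/resourceGroups/[^/]+/providers/.+", re.I)),
]

def scope_level(scope):
    """Return the hierarchy level a role-assignment scope string points at."""
    scope = scope.rstrip("/")
    for name, pattern in LEVELS:
        if pattern.match(scope):
            return name
    return "unknown"  # includes the root scope "/", treated as broad below

def audit(assignments):
    """Return (principal, role, level, notes) for every assignment."""
    findings = []
    for a in assignments:
        level = scope_level(a["scope"])
        role = a["roleDefinitionName"]
        notes = []
        if level in ("subscription", "management-group", "unknown"):
            notes.append("broad scope: compromise reaches everything beneath it")
        if role in ("Owner", "User Access Administrator"):
            notes.append("can grant roles: review who may use this connection")
        findings.append((a["principalName"], role, level, notes))
    return findings

if __name__ == "__main__":
    for name, role, level, notes in audit(SAMPLE):
        print(f"{name:14} {role:26} {level:15} {'; '.join(notes) or 'ok'}")
```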