Tags: azure-devops, azure-active-directory

Use Azure AD Managed Identity/Service Principal user in ADO to use ADO API


I was following this guide https://learn.microsoft.com/en-us/azure/devops/repos/git/create-pr-status-server-with-azure-functions?view=azure-devops to create a custom branch policy. The gist of the article is: when an ADO PR is created or updated, the following happens:

  • ADO invokes an Azure Functions webhook
  • The Azure Function executes some custom branch policy logic (e.g. adds a custom status to the PR).

The Azure Function uses a Personal Access Token (PAT) to authenticate with ADO and post the custom status. Two things I don't like about this approach:

  • A PAT's maximum lifespan is 2 years. After 2 years you need to renew the PAT, which is easy to forget and takes extra effort to automate.
  • A PAT is issued by a user. I'd like to have a separate "system" user for the custom branch policy. I don't want to reuse an "alive" user (people tend to quit), nor do I want to create a "fake" live user for this purpose (company security policy implications).

So, I wonder if there is a way to use the Azure Function's Managed Identity/Service Principal directly in ADO: grant ADO permissions to the managed identity and use an Azure AD token to authenticate that identity against the ADO API.

I know that you can set up your ADO organization to use Azure AD users. This is how my organization is currently set up: all "alive" users are shown, but I don't see any Managed Identities/Service Principals. It looks like only users are synchronized with ADO.
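For reference, here is the PAT-based flow the question describes (service hook fires on a PR event, the Function evaluates a policy and posts a PR status), as an added example in Python. It is not code from the linked tutorial or from the question; the field names read from the service-hook payload, the statuses endpoint and its api-version, the "WIP in title" policy, the sample payload and the environment variable names are all assumptions made for this illustration and should be checked against your org. The PAT is read from the Function's app settings rather than embedded in code, which is the one thing the question's concerns about lifespan and ownership do not change.

```python
import base64
import json
import os
import re
import urllib.request

# Assumed configuration: in a real Function these come from app settings
# (ideally as Key Vault references), never from source code.
ADO_ORG = os.environ.get("ADO_ORG", "contoso")
STATUS_API_VERSION = "7.1-preview.1"  # assumed; verify against your org

# Constructed sample service-hook payload for git.pullrequest.updated.
# Only the fields this example reads are included; identifiers are fake.
SAMPLE_EVENT = {
    "eventType": "git.pullrequest.updated",
    "resource": {
        "pullRequestId": 42,
        "title": "WIP: add login page",
        "status": "active",
        "repository": {
            "id": "11111111-2222-3333-4444-555555555555",
            "project": {"id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"},
        },
    },
}


def basic_auth_header(pat):
    """ADO accepts a PAT as the password of HTTP Basic auth with an empty user name."""
    return "Basic " + base64.b64encode(f":{pat}".encode("utf-8")).decode("ascii")


def parse_pr_event(event):
    """Extract the identifiers the PR statuses API needs from a PR service-hook payload.

    Rejects anything other than PR created/updated events so an unrelated hook
    cannot drive status updates.
    """
    if event.get("eventType") not in ("git.pullrequest.created", "git.pullrequest.updated"):
        raise ValueError(f"unexpected eventType: {event.get('eventType')!r}")
    res = event["resource"]
    return {
        "project_id": res["repository"]["project"]["id"],
        "repository_id": res["repository"]["id"],
        "pull_request_id": res["pullRequestId"],
        "title": res.get("title", ""),
    }


def evaluate_policy(title):
    """Constructed policy: fail the status while the title is marked WIP.

    Word-boundary match so that e.g. 'swipe' does not trigger it.
    """
    if re.search(r"\bwip\b", title, re.IGNORECASE):
        return "failed", "PR title is marked WIP"
    return "succeeded", "Title check passed"


def build_status_request(org, pat, event, context_name="wip-check", context_genre="custom-policy"):
    """Return (url, headers, body) for POSTing a PR status; nothing is sent here."""
    info = parse_pr_event(event)
    state, description = evaluate_policy(info["title"])
    url = (
        f"https://dev.azure.com/{org}/{info['project_id']}/_apis/git/repositories/"
        f"{info['repository_id']}/pullRequests/{info['pull_request_id']}/statuses"
        f"?api-version={STATUS_API_VERSION}"
    )
    headers = {
        "Authorization": basic_auth_header(pat),
        "Content-Type": "application/json",
    }
    body = {
        "state": state,
        "description": description,
        "context": {"name": context_name, "genre": context_genre},
    }
    return url, headers, body


def post_status(url, headers, body):
    """Actually send the status. Kept separate so the demo below stays offline."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode("utf-8"), headers=headers, method="POST"
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    pat = os.environ.get("ADO_PAT", "example-pat")  # placeholder default for the demo
    url, headers, body = build_status_request(ADO_ORG, pat, SAMPLE_EVENT)
    print(url)
    print(json.dumps(body, indent=2))
```

In a deployed Function the handler would call `build_status_request` with the incoming request body and then `post_status`; the hook itself should also be authenticated (the service hook can be configured to send Basic credentials the Function checks) so that only ADO can trigger status changes. Swapping the PAT for an Azure AD token later would only change `basic_auth_header`, which is why the authentication step is isolated.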


Solution

  • Unfortunately, an Azure AD Managed Identity/Service Principal user that uses the client credentials flow is not supported for authenticating to ADO.

    You can see that there is no authentication method of the kind you want in this list.

    See this answer for more details.