Azure DevOps Service Connections restriction not applying to Release Pipelines

Question

I have setup a Service Connection and I don't want the connection to be used by all pipelines. So I have left the Grant access permission to all pipelines checkbox unchecked. But this seems to have no effect on Release Pipelines. Connection is visible and available for all of them. Is this checkbox only intended for YAML pipelines? Is there a way to allow using connections to only specific releases?

This is not an Azure connection

Answer 1

I can reproduce this on my pipelines. Restricting service connection to specific releases cannot be achieved currently. I did some tests and its behavior is like below. And I came to the conclusion that service connection access permission setting is only effective for users not for pipelines.

1,I had two users User A and User B.

User A create service connection S1. User A automatically was assigned administrator role to this service connection. I assign User B to User role.

Even with Grant access permission to all pipelines unchecked. User B still be able to view and use service connection S1.

2, User B was removed User role access. Grant access permission to all pipelines** unchecked.

If the pipeline was able to access Service connection S1. User B can still access to S1. However if User B delete the service connection S1 from the pipeline and refresh the page a few times. User B willnot be able view S1.

However if User A edit this pipeline and add Service Connection S1 to this pipeline again. User B will again be able to view service connection S1 and run this pipeline successfully.

You can report this issue to Microsoft Development Team. Hopefully they will take a look at this issue and fix it soon. Please follow below screenshot to report a problem for Azure Devops here.