Reputation: 357
I'm the administrator of several Azure DevOps organizations. The company I work for has a sister company, therefore we also have two separate Azure DevOps organizations.
In this question I'll call them 'company A', which has (Azure DevOps) 'organization A', and 'company B', which has (Azure DevOps) 'organization B'.
Both organizations A and B are connected to the same Azure Active Directory tenant.
In organization A, I have a Git repo pipeline-tools, which contains PowerShell scripts and Azure Pipelines YAML templates. pipeline-tools is used in all YAML pipelines scattered across all projects and repos.
In organization B, we have used Classic Pipelines up to now, but we'd like to migrate to YAML pipelines (organization A uses YAML pipelines only).
I could copy the pipeline-tools repo to organization B, but I'd much rather have only one repo to update every time I'd like to make a change, or add a PowerShell script, for instance.
I know this is possible by creating a service connection of the Azure Repos type. However, after having read the documentation, it appears that there are only two ways to authenticate the service connection; either Basic authentication, or with a Personal Access Token (PAT).
My question is this: Can I set up authentication for this service connection so that it is not linked to a personal account?
Imagine I set up the auth via a PAT; then I need to make sure myself that the PAT doesn't expire. If I forget (e.g. I'm on holidays) and it expires, then all pipelines in organization B will fail because the service connection authentication breaks.
Also, imagine I stop working for this company and my account gets deleted: this would invalidate all PATs I've generated and break the service connection.
Is it possible to authenticate with some kind of service principal, instead of a personal principal? And if it is possible, how can I achieve this?
Many thanks in advance for your help!
Upvotes: 1
Views: 3337
Reputation: 357
After some talks with Microsoft, it became clear that this is currently not supported.
Using the service connection type Azure Repos with either a PAT or basic authentication is currently the only supported authentication method.
You can read more about it in this problem report on Visual Studio Developer community: How do I authenticate an Azure Repos service connection with another principal than a personal principal?
I've also created a feature request: Share Azure Repos hosted Git repos across multiple Azure DevOps organizations without using a PAT
Upvotes: 0
Reputation: 3582
I have struggled with this question myself at the company I work for. We had the same issue with different projects and organizations and source control templates. As you cannot interact with Azure DevOps Repos across different organizations without the PAT, we made the decision to have a central GitHub repository and store all the files there.
As you mentioned, the PAT is linked with the person that creates it. You could also create a new user in the Azure Active Directory for DevOps purposes and use this one, but the GitHub solution could be better.
Our approach:
We created a connection with GitHub from a project and the linked app appeared on GitHub Applications.
This way you will have a service connection on every project of your organization of type GitHub (using the Azure Pipelines app).
Then you will use this service connection to download code across your organizations, but you should keep your source control on GitHub.
Code example:

```yaml
resources:
  repositories:
    - repository: devops
      type: github
      name: ORG/DevOps
      ref: azure-devops-dev
      endpoint: MyConnectionWithGithubApp
```
Upvotes: 1
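To show how the repository resource from the answer above is actually consumed by a pipeline in organization B, here is a complete `azure-pipelines.yml` as an added example (it is not part of the answer or of any project's code). It reuses the `ORG/DevOps` repository and the `MyConnectionWithGithubApp` service connection from the answer; the template path `templates/build-steps.yml`, the script path `scripts/Invoke-Build.ps1`, the `configuration` parameter and the tag `v1.2.0` are assumptions for illustration. Unlike the answer, it pins the shared repo to a tag rather than a branch and checks the repo out explicitly so that both templates and scripts can be used.

```yaml
# azure-pipelines.yml in a repository of organization B
# (added example; template, script and tag names are assumed)
trigger:
  - main

resources:
  repositories:
    - repository: devops                   # alias used in template and checkout references
      type: github
      name: ORG/DevOps                     # GitHub org/repo from the answer above
      ref: refs/tags/v1.2.0                # pin to an immutable tag (assumed); a moving branch
                                           # lets any upstream commit change every consuming pipeline
      endpoint: MyConnectionWithGithubApp  # GitHub App service connection, not a person's PAT

stages:
  - stage: Build
    jobs:
      - job: Build
        pool:
          vmImage: ubuntu-latest
        steps:
          # With more than one checkout, each repo lands in its own folder;
          # explicit paths make the script location below predictable.
          - checkout: self
            path: s/app
          - checkout: devops
            path: s/devops

          # PowerShell scripts kept in the shared repo need the checkout above
          - task: PowerShell@2
            displayName: Run shared build script
            inputs:
              filePath: $(Build.SourcesDirectory)/devops/scripts/Invoke-Build.ps1

          # YAML templates are resolved from the resource alias and need no checkout
          - template: templates/build-steps.yml@devops
            parameters:
              configuration: Release
```

Two design choices matter here. First, the `endpoint` is the GitHub App based service connection, so the authorization is an installation of the app on the GitHub organization rather than a token tied to one person's account, which is exactly the failure mode the question describes when a PAT expires or its owner leaves. Second, `ref` points at a tag: because everything in the shared repo runs with the permissions of every pipeline that consumes it, pinning to a reviewed tag (and bumping it deliberately) limits what a single push to a branch can change across all of organization B's pipelines.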