All authentication Method

Here is the complete, full, exhaustive list of all authentication methods and all service connection types in Azure DevOps. Nothing missing. This is the master list you can use for study and interviews.

🟦 PART 1 — ALL Authentication Methods in Azure DevOps Pipelines

Azure DevOps supports 12 major authentication mechanisms.

✅ 1. Workload Identity Federation (WIF)

Passwordless authentication using OIDC tokens. Used for ACR, ARM, AKS, Key Vault, Terraform.

✅ 2. Service Principal (Client ID + Secret)

Old but widely used.

Used for:

• ACR

• ARM

• AKS

• Key Vault

• Azure CLI tasks

✅ 3. Service Principal (Client ID + Certificate)

More secure than secret, used for:

• ARM deployments

• Key Vault

• Terraform

✅ 4. Managed Identity (User-Assigned or System-Assigned)

Used mostly in:

• Self-hosted agents running on Azure VM

• Pipeline authenticates automatically to Azure

✅ 5. Admin User Authentication (Only for ACR)

Username + password ⚠️ Deprecated and insecure → avoid.

✅ 6. OAuth (Azure AD OAuth)

Used for:

• Native apps

• Web apps

• GitHub integration

• Claims-based auth

✅ 7. Personal Access Token (PAT)

Used for:

• Git clone/push

• REST API

• API Automation

• Agents authentication

✅ 8. SSH Authentication

Used for:

• GitHub connections

• Azure Repos SSH access

• Linux servers deployment

✅ 9. Basic Authentication

Rare, mostly for:

• On-prem systems

• Artifactory

• Nexus

• Jenkins

✅ 10. Token-based authentication (Bearer tokens)

Used by:

• Service principals

• AAD tokens

• Federated tokens

✅ 11. SAS Token Authentication (Storage)

Used for:

• Azure Blob Storage

• Azure File Shares

• Artifacts feed storage

✅ 12. Connection Strings Auth

Used for:

• SQL DB

• Redis

• Service Bus

• Event Hub

🟩 PART 2 — ALL Service Connection Types in Azure DevOps

Below is the complete list of all service connections available in Azure DevOps.

🔵 A. Azure Service Connections

1. Azure Resource Manager (ARM)

   • Service Principal

   • Managed Identity

   • Workload Identity Federation

2. Azure Container Registry (ACR)

   • Service Principal

   • Managed Identity

   • Workload Identity Federation

   • Admin user (legacy)

3. Azure Classic (ASM)

4. Azure RM for Kubernetes (AKS)

5. Azure Key Vault

🟣 B. Git Service Connections

1. GitHub

   • OAuth

   • PAT

   • SSH

2. Bitbucket Cloud

3. Bitbucket Server

4. GitHub Enterprise

5. GitLab (via generic)

6. Azure Repos Git (built-in)

🟠 C. Docker & Container Service Connections

1. Docker Hub

2. ACR

3. Other Container Registry (Harbor, ECR, GCR)

Auth methods:

• Username/Password

• Service Principal

• Managed Identity

• WIF

🟥 D. Kubernetes Service Connections

1. Kubernetes (Generic)

   • Kubeconfig

   • Service account token

2. AKS (Azure Integration)

3. OpenShift

🟤 E. Cloud Provider Connections

1. AWS Service Connection

• Access Key / Secret Key

1. GCP Service Connection

• JSON Key

1. DigitalOcean Spaces (generic)

2. Alibaba Cloud (generic)

🟩 F. Artifact, Package & Repo Service Connections

1. Artifactory

2. Nexus IQ

3. JFrog XRay

4. Sonatype

5. NuGet.org

6. Maven repos

7. NPM registries

🟦 G. CI/CD Tools Integrations

1. Jenkins

2. TeamCity

3. Octopus Deploy

4. ServiceNow

🟧 H. Monitoring / Security Connections

1. Snyk

2. SonarQube

3. WhiteSource / Mend

4. Checkmarx

5. Fortify

🟨 I. Generic Service Connection

1. Generic Endpoint (REST API) Used to connect to:

• Custom APIs

• Third-party platforms

• Private services

• Authentication using PAT, Bearer Token

🟫 J. SCM Connections

1. Subversion (SVN)

2. TFS version control

⭐ BONUS — Deprecated / Legacy

1. XAML Build Services

2. Azure Classic (ASM)

3. Legacy Docker Registry with PAT

4. Basic Auth for Azure (removed)

🏆 Summary (Easy Table)

If you want, I can give you:

✅ A chart/diagram showing how each connection works ✅ Examples of YAML for each service connection ✅ Real-world enterprise CI/CD setup using WIF everywhere Just tell me!

Below is the complete, correct, up-to-date (2025) guide for setting up and using WIF (Workload Identity Federation) in Azure DevOps.

This includes:

✔ What you must configure in Azure

✔ What you must configure in Azure DevOps

✔ A full working YAML example

✔ Whether the steps are same for ACR, AKS, Key Vault, ARM, etc.

I’ll keep the explanation exact and practical, not theoretical.

🚀 WHAT IS WIF (Workload Identity Federation)?

WIF allows Azure DevOps pipelines to authenticate to Azure without storing secrets.

like aws oidc allow github action to authenticate to ACR without storing secrets.

Instead of storing:

• clientId

• clientSecret

• AWS Cred keys

The pipeline requests a temporary OIDC token, Azure trusts it, and issues an access token.

Github action request OIDC token AWS trust it and issue token

No secrets anywhere. Most secure method today.

🟦 PART 1 — SETUP WIF (Workload Identity Federation) FOR AZURE DEVOPS

⭐ Step 1 — Create an Azure AD App Registration

This app represents Azure DevOps in Azure.

az ad app create --display-name "azuredevops-wif"

Get the app ID:

APP_ID=$(az ad app list --display-name "azuredevops-wif" --query "[0].appId" -o tsv)

⭐ Step 2 — Create a Federated Credential

This allows Azure DevOps pipeline to exchange its OIDC token for an Azure access token.

Replace:

• <YOUR-ORG>

• <YOUR-PROJECT>

• <YOUR-REPO>

• main (branch)

az ad app federated-credential create \
  --id $APP_ID \
  --issuer "https://vstoken.dev.azure.com/<YOUR-ORG>/" \
  --subject "repo:<YOUR-ORG>/<YOUR-PROJECT>/<YOUR-REPO>:ref:refs/heads/main" \
  --audience "api://AzureADTokenExchange" \
  --name "azuredevops-wif"

🎯 This is the MOST IMPORTANT PART. Without this, OIDC will not work.

In AWS

Step 1: Create the OIDC Identity Provider in AWS IAM for GitHub. ...

iam role with trust-policy contain issues/principlev ie. github/azure devops and audience

Step 2: Create WebIdentity IAM Role with Trust Policy. ...

Step 3: Add the IAM Role arn to Github

⭐ Step 3 — Give the App permissions (RBAC)

Example: give ACR access.

az role assignment create \
  --role AcrPush \
  --assignee $APP_ID \
  --scope /subscriptions/<SUB>/resourceGroups/<RG>/providers/Microsoft.ContainerRegistry/registries/<ACR_NAME>

You can also grant:

🟦 PART 2 — AZURE DEVOPS SETUP

⭐ Step 4 — Create Azure DevOps Service Connection using WIF

Go to:

Azure DevOps → Project Settings → Service Connections → New → Azure Resource Manager → Workload Identity Federation (automatic)

Fill:

Give it a name:

azure-wif-sc

⭐ Step 5 — Use WIF in pipeline

Here is 100% working OIDC login in ACR using WIF:

pool:
  vmImage: ubuntu-latest

steps:
- task: AzureCLI@2
  inputs:
    azureSubscription: 'azure-wif-sc'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      az acr login -n $ACR_NAME
      docker build -t $ACR_NAME.azurecr.io/app:latest .
      docker push $ACR_NAME.azurecr.io/app:latest

No secret. No password. Pipeline uses OIDC token → Azure validates → issues access token.

🟩 Congratulations — WIF is working!

🟦 PART 3 — ARE THE STEPS SAME FOR OTHER CONNECTIONS?

✔ YES — WIF is used the same way for all Azure resources.

You only need to change:

Everything else stays SAME:

• Same App Registration

• Same Federated Credential

• Same Azure DevOps connection

• Same OIDC token exchange flow

✔ So the setup is 90% identical across all Azure resources. Only the RBAC role changes.

🟦 PART 4 — IMPORTANT RULES FOR WIF

🔹 You must use Microsoft-hosted agents

OIDC doesn't work with self-hosted agents yet.

🔹 Service connection must be “ARM (OIDC)”

Not Docker Registry Not generic SPN

🔹 The pipeline must match the subject claim

If your federated-credential subject uses:

repo:org/project/repo:ref:refs/heads/main

Then your pipeline must run on main branch.

🔹 One Federated Credential = One repo/branch

For multiple branches, create multiple credentials.

🟦 FINAL SUMMARY

✔ WIF replaces Service Principal secrets

✔ Most secure, recommended approach (2024–2025)

✔ Same setup for ACR, AKS, Key Vault, Storage, etc

✔ Only RBAC permission changes

✔ No secrets or variables needed

✔ Requires Azure DevOps ARM connection

If you want, I can generate:

🔹 WIF + ACR pipeline

🔹 WIF + AKS deployment pipeline

🔹 WIF + Key Vault secret fetch

🔹 WIF + Terraform (AzureRM) authentication

Just tell me: "Give me WIF for (service name)"