I was following this guide https://learn.microsoft.com/en-us/azure/devops/repos/git/create-pr-status-server-with-azure-functions?view=azure-devops to create a custom branch policy. The gist of the article is: when an ADO PR is created or updated, the following happens:
- ADO invokes an Azure Functions webhook
- Azure Functions execute some custom branch policy logic (e.g. adds custom status to the PR).
Azure Functions use a Personal Access Token to authenticate with ADO to post a custom status. Two things I don't like about this approach:
- PAT's max life span is 2 years. After 2 years you need to update your PAT token - easy to forget, extra effort to automate.
- PAT is issued by a user. I'd like to have a separate "system" user for the custom branch policy. I don't want to reuse an "alive" user (people tend to quit), nor do I want to create a "fake" live user for this purpose (company security policy implications).
So, I wonder if there is a way to use the Azure Functions Managed Identity/Service Principal directly in ADO: give ADO permissions to the managed identity and use an Azure AD token to authenticate the user in the ADO API.
I know that you can set up your ADO organization to use Azure AD users. This is how my organization is set up currently:
All "alive" users are shown but I don't see any Managed Identities/Service Principals. It looks like only users are synchronized with ADO.
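The flow the question describes, as an added example that is not part of the question or of the linked Microsoft guide: a webhook handler in the shape of the Azure Function, which takes the PR service-hook payload and builds the REST request that posts a custom status on the PR. It constructs the request without sending it so it runs offline; the function names, the sample payload, the `Basic`/`Bearer` header helpers and the `7.1-preview.1` API version are assumptions, and the `Bearer` helper only shows where an Azure AD token would go, not that ADO accepts a given identity.

```python
"""Added example (not from the question or the linked guide): build the
Azure DevOps pull-request status request from a service-hook payload.
Names, the sample payload and the API version are constructed assumptions."""
import base64
import json
from typing import Dict, Optional, Tuple

API_VERSION = "7.1-preview.1"  # assumption: PR statuses endpoint version
HANDLED_EVENTS = {"git.pullrequest.created", "git.pullrequest.updated"}


def pat_header(pat: str) -> str:
    # ADO REST takes a PAT as HTTP Basic auth with an empty user name.
    return "Basic " + base64.b64encode(f":{pat}".encode("ascii")).decode("ascii")


def bearer_header(aad_token: str) -> str:
    # Where an Azure AD access token would be presented instead of a PAT.
    return "Bearer " + aad_token


def status_request(org_url: str, project: str, repo_id: str, pr_id: int,
                   auth_header: str, state: str, description: str,
                   context_name: str, genre: str) -> Tuple[str, Dict[str, str], str]:
    """Return (url, headers, json_body) for POSTing a PR status; nothing is sent."""
    url = (f"{org_url.rstrip('/')}/{project}/_apis/git/repositories/{repo_id}"
           f"/pullRequests/{pr_id}/statuses?api-version={API_VERSION}")
    headers = {"Authorization": auth_header, "Content-Type": "application/json"}
    body = json.dumps({
        "state": state,                       # pending | succeeded | failed | error
        "description": description,
        "context": {"name": context_name, "genre": genre},
    })
    return url, headers, body


def handle_webhook(payload: dict, org_url: str,
                   auth_header: str) -> Optional[Tuple[str, Dict[str, str], str]]:
    """Handle only PR created/updated events; ignore anything else the hook sends."""
    if payload.get("eventType") not in HANDLED_EVENTS:
        return None
    resource = payload["resource"]
    repo = resource["repository"]
    return status_request(
        org_url=org_url,
        project=repo["project"]["name"],
        repo_id=repo["id"],
        pr_id=int(resource["pullRequestId"]),
        auth_header=auth_header,
        state="pending",
        description="Custom policy check queued",
        context_name="custom-policy/example",
        genre="added-example",
    )


# Constructed service-hook payload with the fields the handler reads.
SAMPLE_PAYLOAD = {
    "eventType": "git.pullrequest.updated",
    "resource": {
        "pullRequestId": 42,
        "repository": {"id": "1111-repo", "project": {"name": "WebApp"}},
    },
}

if __name__ == "__main__":
    # The PAT value below is a placeholder; in the Function it would come from settings.
    req = handle_webhook(SAMPLE_PAYLOAD, "https://dev.azure.com/contoso",
                         pat_header("PLACEHOLDER_PAT"))
    if req is not None:
        url, headers, body = req
        print("POST", url)
        print(body)
```

The handler keeps the organization URL as configuration rather than trusting a URL from the payload, and the token only ever enters the `Authorization` header, so a log of the event payload never contains it.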