


. Configure a Project and Repository Structure to Support Secure Pipelines
This domain focuses on structuring your Azure DevOps assets to enforce isolation, reduce risk surface areas, and establish rigid governance boundaries.
Repository and Project Isolation
Evaluating when to separate single application components into isolated repositories or distinct Azure DevOps projects.
Isolating deployment source code from application source code.
Moving centralized security assets (like shared pipeline templates) away from standard developer-accessible projects into dedicated, locked-down security repositories.
Access Control Strategy
Designing and implementing specific project-level and repository-level permissions.
Restricting branch creation and enforcing branch protection rules.
Configuring secure pipeline folders and implementing strict access locks on YAML definition files.
2. Manage Identity for Projects, Pipelines, and Agents
This domain centers on establishing secure computational boundaries and ensuring the principles of least privilege apply to the identities executing the automation.
Agent Pool Security and Configuration
Configuring and evaluating the risk surface of Microsoft-hosted agent pools vs. Self-hosted pools.
Setting up specific, isolated agent infrastructure for high-privileged deployment projects.
Configuring agent identities and least-privilege run-as accounts.
Service Connections & Cloud Authentication
Evaluating and configuring the boundary scope of Azure DevOps Service Connections.
Transitioning legacy Service Principals utilizing client secrets over to secure, secretless Azure Workload Identity Federation / OpenID Connect (OIDC).
Restricting service connection visibility and usage strictly to authorized pipelines and branches.
3. Configure Secure Access to Pipeline Resources
This domain covers the containment and locking down of foundational Azure DevOps elements that a pipeline must reference during execution.
Resource Authorization
Configuring explicit pipeline access constraints on Agent Pools.
Restricting pipelines allowed to call specific Service Connections.
Securing access to Azure DevOps Environments and downstream target deployment systems.
Enforcing explicit access policies on specific Azure Repos and Git submodules.
Variables, Secrets, and Secure File Storage
Configuring pipeline access permissions to Secret Variables and centralized Variable Groups.
Securing and managing uploaded structural assets via Azure Pipelines Secure Files (e.g., Certificates, Provisioning Profiles).
Integrating and linking Azure Key Vault to Variable Groups to fetch sensitive values at runtime without hardcoding.
4. Configure and Validate Permissions
This domain tests the practical administrative capabilities required to audit, assert, and authorize user and automation flows.
User and Pipeline Role Management
Configuring and validating precise user permissions to prevent non-administrative personnel from altering pipeline pipelines.
Configuring pipeline-to-pipeline permissions to prevent unauthorized triggers or multi-stage overrides.
Approvals, Gates, and Branch Checks
Implementing and validating manual Approvals and Checks on Environments, Service Connections, and Agent Pools.
Enforcing automated Branch Control Checks to guarantee that production pipelines can only be run against targeted, protected branches (like main or release/*).
Auditing, tracing, and logging security permissions within Azure DevOps organization configurations.
5. Extend a Pipeline to Use Multiple Templates
This domain highlights advanced DevSecOps engineering—abstracting security rules into templates that individual dev teams cannot bypass.
Template Architecture and Nesting
Developing a structural model using Nested Templates (template: references) to inject mandatory build or validation steps.
Rewriting legacy, insecure single-file deployment pipelines into an isolated, multi-template architecture.
Tokenization and Secret Elimination
Configuring runtime pipelines to utilize placeholders and tokenization rather than compiling plain-text configurations into artifacts.
Scanning for, finding, and systematically removing plain-text credentials, personal access tokens (PATs), and keys from YAML files.
Logging, Scripts, and Logic Controls
Restricting agent verbose/diagnostic logging to prevent the accidental leakage of masked secrets into public pipeline logs.
Analyzing runtime execution steps to identify and conditionally bypass/remove unsafe custom script tasks (bash, powershell, cmd) within reusable templates.
Utilizing pipeline expressions and parameters to strictly type-validate parameters and limit runtime execution to approved steps.
Core Technologies Covered in the Assessment
+1