| title | Pipeline resource security |
|---|---|
| description | Learn about protected Azure Pipelines resources, and how to use permissions, checks, and approvals to help secure them in pipeline runs. |
| ms.date | 10/02/2025 |
This article describes security features that help safeguard protected resources in Azure Pipelines. Pipelines might need to access open or protected resources during runs.
Artifacts, pipelines, test plans, and work items are open resources. Pipelines can freely access these resources, and you can fully automate workflows by subscribing to resource trigger events. For more information about protecting open resources, see Protect projects.
Protected resources such as repositories and environments need more access restrictions. To help keep protected resources safe, you can require permissions, checks, and approvals for pipelines to access protected resources.
Azure Pipelines protected resources include the following items:
- Repositories
- Environments
- Service connections
- Agent pools
- Secure files
- Secret variables in variable groups
You can set permissions so that only specific users and pipelines in a project can access protected resources. You can also define checks and approvals that must succeed before a pipeline stage that uses the resource can start. For example, you can require manual approval before a pipeline stage can use an environment. Failed checks can suspend or fail the pipeline run.
Adding a repository to a pipeline requires authorization from a user with Contribute access to the repository. You can also protect repository resources by limiting the scope of the Azure Pipelines access token to only repositories explicitly listed in the pipeline's resources section. For more information, see Securely access repositories from pipelines and Protect a repository resource.
You can set user permissions and pipeline permissions for protected resources.
Grant User permissions only to users who require them. Members of the User role for a resource can manage approvals and checks.
Pipeline permissions guard against copying protected resources to other pipelines. To manage pipeline permissions, explicitly grant access only to specific pipelines you trust.
You must have the Project Administrator role to enable access to a protected resource across all pipelines in a project. For better security, don't enable Open access, which allows all pipelines in the project to use the resource. For more information, see Add an admin role to a protected resource.
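One way to audit the pipeline permissions described above, as an added example that is not part of the original article or Microsoft's tooling: it flags resources with Open access and explicit grants to pipelines outside a reviewed allowlist. The JSON is constructed sample data modeled on the pipeline-permissions REST response, and `TRUSTED_PIPELINES` and `audit` are hypothetical names.

```python
import json

# Constructed sample data. The shape is modeled on the Azure DevOps
# pipeline-permissions REST response (resource / allPipelines / pipelines);
# verify field names against the API version you call.
SAMPLE = json.loads("""
[
  {"resource": {"type": "endpoint", "id": "svc-conn-prod"},
   "allPipelines": {"authorized": true},
   "pipelines": []},
  {"resource": {"type": "environment", "id": "7"},
   "pipelines": [{"id": 12, "authorized": true},
                 {"id": 99, "authorized": true}]},
  {"resource": {"type": "securefile", "id": "signing-cert"},
   "allPipelines": null,
   "pipelines": [{"id": 12, "authorized": true},
                 {"id": 40, "authorized": false}]}
]
""")

# Hypothetical allowlist: pipeline definition IDs the team has reviewed.
TRUSTED_PIPELINES = {12}


def audit(permissions, trusted):
    """Return sorted (resource_type, resource_id, finding) tuples."""
    findings = []
    for entry in permissions:
        res = entry.get("resource") or {}
        key = (res.get("type", "?"), str(res.get("id", "?")))
        # Open access: every pipeline in the project may use the resource.
        if (entry.get("allPipelines") or {}).get("authorized"):
            findings.append(key + ("open access enabled",))
        # Explicit grants to pipelines that are not on the allowlist.
        for p in entry.get("pipelines") or []:
            if p.get("authorized") and p.get("id") not in trusted:
                findings.append(key + (f"untrusted pipeline {p['id']} authorized",))
    return sorted(findings)


if __name__ == "__main__":
    for rtype, rid, finding in audit(SAMPLE, TRUSTED_PIPELINES):
        print(f"{rtype}/{rid}: {finding}")
```

An entry with a missing or null `allPipelines` field is treated as not open, and a pipeline entry with `authorized` set to false is ignored.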
To more completely secure protected resources in pipelines, add checks that must be satisfied before pipelines can consume protected resources. You can require specific approvals or other criteria. For more information, see Define approvals and checks.
You can block pipeline requests for protected resources pending manual approval by specified users or groups. This check provides an extra layer of security by allowing review of the code before a pipeline run can proceed.
Branch control ensures that only authorized branches can access protected resources. A protected branch check for a resource prevents pipelines from automatically running on unauthorized branches. By using branch control, you can extend your branch-specific manual code review requirements.
Use a business hours check to ensure that a pipeline deployment starts within a specified day and time window.
Select View all checks to see and apply other checks such as required templates.

