Manage service connections

Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019 | TFS 2018

Note

Microsoft Visual Studio Team Foundation Server 2018 and earlier versions have the following differences in naming:

  • Pipelines for build and release are called definitions
  • Runs are called builds
  • Service connections are called service endpoints
  • Stages are called environments
  • Jobs are called phases

You can create a connection from Azure Pipelines to external and remote services for executing tasks in a job. Once you establish a connection, you can view, edit, and add security to the service connection.

For example, you might want to connect to one of the following categories and their services.

  • Your Microsoft Azure subscription: Create a service connection with your Microsoft Azure subscription and use the name of the service connection in an Azure Web Site Deployment task in a release pipeline.
  • A different build server or file server: Create a standard GitHub Enterprise Server service connection to a GitHub repository.
  • An online continuous integration environment: Create a Jenkins service connection for continuous integration of Git repositories.
  • Services installed on remote computers: Create an Azure Resource Manager service connection to a VM with a managed service identity.

Tip

The Azure Resource Manager service connection is a single example of a service connection. For more information, see Common service connection types.

Prerequisites

You can create, view, use, and manage a service connection based on your assigned user roles. For more information, see User permissions.

Create a service connection

Complete the following steps to create a service connection for Azure Pipelines.

  1. Sign in to your organization (https://dev.azure.com/{yourorganization}) and select your project.

  2. Select Project settings > Service connections.

  3. Select + New service connection, select the type of service connection that you need, and then select Next.

  4. Choose an authentication method, and then select Next.

  5. Enter the parameters for the service connection. The list of parameters differs for each type of service connection. For more information, see the list of service connection types and associated parameters.

  6. Select Save to create the connection.

    Azure Resource Manager connection dialog

  7. Validate the connection, once it's created and parameters are entered. The validation link uses a REST call to the external service with the information that you entered, and indicates whether the call succeeded.

  1. In Team Foundation Server (TFS), open the Services page from the "settings" icon in the top menu bar.

  2. Select + New service connection and select the type of service connection you need.

  3. Enter the parameters for the service connection. The list of parameters differs for each type of service connection. For more information, see the list of service connection types.

  4. Select OK to create the connection.

    Azure Resource Manager connection dialog

  5. Validate the connection, once it's created and parameters are entered. The validation link uses a REST call to the external service with the information that you entered, and indicates whether the call succeeded.

Note

The new service connection window may appear different for the various types of service connections and have different parameters. See the list of parameters in Common service connection types for each service connection type.

Edit service connection

Complete the following steps to edit a service connection.

  1. Sign in to your organization (https://dev.azure.com/{yourorganization}) and select your project.

  2. Select Project settings > Service connections.

  3. Select the service connection that you want to edit.

  4. See the Overview tab of the service connection where you can see the details of the service connection. For example, you can see details like type, creator, and authentication type. For instance, token, username/password, or OAuth, and so on.

    Azure Resource Manager connection overview

  5. Next to the overview tab, you can see Usage history, which shows the list of pipelines that are using the service connection.

    Azure Resource Manager usage history

  6. To update the service connection, select Edit. Approvals and checks, Security, and Delete are part of the more options at the top-right corner.

    Azure Resource Manager more options

  1. In TFS, open the Services page from the "settings" icon in the top menu bar.

  2. Select Project settings > Service connections.

  3. Select the service connection that you want to edit.

  4. See the Overview tab of the service connection where you can see the details of the service connection. For example, you can see details like type, creator, and authentication type. For instance, token, username/password, or OAuth, and so on.

    Azure Resource Manager connection overview

  5. Next to the overview tab, you can see Usage history, which shows the list of pipelines that are using the service connection.

    Azure Resource Manager usage history

  6. To update the service connection, select Edit. Approvals and checks, Security, and Delete are part of the more options at the top-right corner.

    Azure Resource Manager more options

Secure a service connection

Complete the following steps to manage security for a service connection.

  1. Sign in to your organization (https://dev.azure.com/{yourorganization}) and select your project.

  2. Select Project settings > Service connections.

  3. Highlight the service connection that you want to edit.

  4. Go to the more options at the top-right corner and choose Security.

    Service connection hub security

  1. In TFS, open the Services page from the "settings" icon in the top menu bar.

  2. To manage user permissions at hub level, go to the more options at the top-right corner and choose Security.

    Service connection hub security

  3. To manage security for a service connection, open the service connection and go to more options at top-right corner and choose Security.

Based on usage patterns, service connection security is divided into the following categories. Edit permissions as desired.

User permissions

Control who can create, view, use, and manage a service connection with user roles. In Project settings > Service connections, you can set the hub-level permissions, which are inherited. You can also override the roles for each service connection.

Role on a service connection Purpose
Creator Members of this role can create the service connection in the project. Contributors are added as members by default
Reader Members of this role can view the service connection.
User Members of this role can use the service connection when authoring build or release pipelines or authorize yaml pipelines.
Administrator Members of this role can use the service connection and manage membership of all other roles for the project's service connection. Project Administrators are added as members by default.

Note

Previously, Endpoint Creator and Endpoint Administrator groups were used to control who could create and manage service connections. We've moved to the pure RBAC model, which uses roles. For backward compatibility in existing projects, the Endpoint Administrator group is now the Administrator role and the Endpoint Creator group is the Creator role, which ensures there's no change in the behavior for existing service connections.

We've also introduced Sharing of service connections across projects. With this feature, service connections now become an organization-level object, however scoped to your current project by default. In User permissions, you can see Project- and Organization- level permissions. The functionality of the Administrator role is split between the two permission levels.

Project-level permissions

The project-level permissions are the user permissions with reader, user, creator and administrator roles, as explained above, within the project scope. You have inheritance and you can set the roles at the hub level and for each service connection.

The project-level Administrator can do the following tasks:

  • Manage other users and roles at the project-level
  • Rename a service connection and update the description
  • Delete a service connection, which removes it from the project

Azure Resource Manager project security

The user who created the service connection is automatically added to the Administrator role for that service connection. Users and groups assigned the Administrator role at the hub-level are inherited if the inheritance is turned on.

Organization-level permissions

Any permissions set at the organization-level reflect across all the projects where the service connection is shared. There's no inheritance for organization-level permissions.

The organization-level Administrator can do the following administrative tasks:

  • Manage organization-level users
  • Edit all the fields of a service connection
  • Share and unshare a service connection with other projects

Azure Resource Manager organization security

The user who created the service connection is automatically added as an organization-level Administrator role for that service connection. In all existing service connections, the connection Administrators are made organization-level Administrators.

Pipeline permissions

Pipeline permissions control which YAML pipelines are authorized to use the service connection. Pipeline permissions do not restrict access from Classic pipelines.

You can choose from the following options:

  • Open access for all pipelines to consume the service connection from the more options at top-right corner of the Pipeline permissions section in security tab of a service connection.

  • Lock down the service connection and only allow selected YAML pipelines to consume the service connection. If any other YAML pipeline refers to the service connection, an authorization request gets raised, which must be approved by a connection Administrator. This does not limit access from Classic pipelines.

Azure Resource Manager pipeline permissions

Project permissions - Cross project sharing of service connections

Project permissions control which projects can use the service connection. By default, service connections aren't shared with any other projects.

  • Only the organization-level administrators from User permissions can share the service connection with other projects.
  • The user who's sharing the service connection with a project should have at least Create service connection permission in the target project.
  • The user who shares the service connection with a project becomes the project-level Administrator for that service connection. The project-level inheritance is set to on in the target project.
  • The service connection name is appended with the project name and it can be renamed in the target project scope.
  • Organization-level administrator can unshare a service connection from any shared project.

Azure Resource Manager project permissions

Note

The project permissions feature is dependent on the new service connections UI. When we enable this feature, the old service connections UI will no longer be usable.

Use a service connection

Once you've created your service connection, complete the following steps to use it.

  1. Copy the connection name into your code as the azureSubscription (or the equivalent connection name) value.

If you're using YAML.

  1. Authorize the service connection using one of the following techniques:
  • To authorize any pipeline to use the service connection, go to Azure Pipelines, open the Settings page, select Service connections, and enable the setting Allow all pipelines to use this connection option for the connection.

  • To authorize a service connection for a specific pipeline, open the pipeline by selecting Edit and queue a build manually. You see a resource authorization error and an "Authorize resources" action on the error. Choose this action to explicitly add the pipeline as an authorized user of the service connection.

You can also create your own custom service connections.

Common service connection types

Azure Pipelines supports the following service connection types by default:

Azure Classic | Azure Repos/TFS | Azure Resource Manager | Azure Service Bus | Bitbucket | Cargo | Chef | Docker hub or others | Other Git | Generic | GitHub | GitHub Enterprise Server | Jenkins | Kubernetes | Maven | npm | NuGet | Python package download | Python package upload | Service Fabric | SSH | Subversion | Visual Studio App Center |

Azure Classic service connection

Use the following parameters to define and secure a connection to a Microsoft Azure subscription, using Azure credentials or an Azure management certificate.

How do I create a new service connection?

Parameter Description
[authentication type] Required. Select Credentials or Certificate based.
Connection name Required. The name you use to refer to the service connection in task properties. It's not the name of your Azure account or subscription. If you're using YAML, use the name as the azureSubscription or the equivalent subscription name value in the script.
Environment Required. Select Azure Cloud, Azure Stack, or one of the predefined Azure Government Clouds where your subscription is defined.
Subscription ID Required. The GUID-like identifier for your Azure subscription (not the subscription name). You can copy the subscription ID from the Azure portal.
Subscription name Required. The name of your Microsoft Azure subscription.
User name Required for Credentials authentication. User name of a work or school account (for example @fabrikam.com). Microsoft accounts (for example @live or @hotmail) are't supported.
Password Required for Credentials authentication. Password for the user specified above.
Management certificate Required for Certificate-based authentication. Copy the value of the management certificate key from your publish settings XML file or the Azure portal.

If your subscription is defined in an Azure Government Cloud, ensure your application meets the relevant compliance requirements before you configure a service connection.

Azure Repos

Use the following parameters to define and secure a connection to another Azure DevOps organization.

Parameter Description
(authentication) Select Basic or Token Based authentication.
Connection name Required. The name you use to refer to the service connection in task properties. This isn't the name of your Azure account or subscription. If you're using YAML, use the name as the azureSubscription or the equivalent subscription name value in the script.
Connection URL Required. The URL of the TFS or the other Azure DevOps organization.
User name Required for Basic authentication. The username to connect to the service.
Password Required for Basic authentication. The password for the specified username.
Personal Access Token Required for Token Based authentication (TFS 2017 and newer and Azure Pipelines only). The token to use to authenticate with the service. Learn more.

Use the Verify connection link to validate your connection information.

For more information, see Authenticate access with personal access tokens for Azure DevOps.

Azure Resource Manager service connection

Use the following parameters to define and secure a connection to a Microsoft Azure subscription using Service Principal Authentication (SPA) or an Azure managed Service Identity. The dialog offers two main modes:

  • Automated subscription detection. In this mode, Azure Pipelines queries Azure for all of the subscriptions and instances to which you have access. They use the credentials you're currently signed in with in Azure Pipelines (including Microsoft accounts and School or Work accounts).

If you don't see the subscription you want to use, sign out of Azure Pipelines and sign in again using the appropriate account credentials.

  • Manual subscription pipeline. In this mode, you must specify the service principal you want to use to connect to Azure. The service principal specifies the resources and the access levels that are available over the connection.

Use this approach when you need to connect to an Azure account using different credentials from the credentials you're currently signed in with in Azure Pipelines. It's useful way to maximize security and limit access. Service principals are valid for two years.

For more information, see Connect to Microsoft Azure

Note

If you don't see any Azure subscriptions or instances, or you have problems validating the connection, see Troubleshoot Azure Resource Manager service connections.

Azure Service Bus service connection

Use the following parameters to define and secure a connection to a Microsoft Azure Service Bus queue.

Parameter Description
Connection name Required. The name you use to refer to the service connection in task properties. This name isn't the name of your Azure account or subscription. If you're using YAML, use the name as the azureSubscription or the equivalent subscription name value in the script.
Service Bus ConnectionString The URL of your Azure Service Bus instance. More information.
Service Bus Queue Name The name of an existing Azure Service Bus queue.

Bitbucket Cloud service connection

Use OAuth with Grant authorization or a username and password with Basic Authentication to define a connection to Bitbucket Cloud. For pipelines to keep working, your repository access must remain active.

Grant authorization

Parameter Description
OAuth configuration Required. OAuth connection to Bitbucket.

Basic authentication

Parameter Description
Connection name Required. The name you use to refer to the service connection in task properties. It's not the name of your Azure account or subscription. If you're using YAML, use the name as the azureSubscription or the equivalent subscription name value in the script.
User name Required. The username to connect to the service.
Password Required. The password for the specified username.

Cargo service connection

Use the following parameters to define and secure a connection to a Cargo artifact repository.

Parameter Description
Authentication method Choose the authentication method to the artifacts repository: Basic username/password (including Azure DevOps PATs) or Authorization value (including crates.io tokens).
Repository URL URL for the repository. For crates.io, use https://crates.io
Username Username for connecting to the endpoint. The value can be arbitrary if using personal access tokens or the Authorization value authentication method.
Password Password for connecting to the endpoint. Personal access tokens are applicable for Azure DevOps Services organizations.
Service connection name Name for the service connection
Description Optional description of the service connection

Chef service connection

Use the following parameters to define and secure a connection to a Chef automation server.

Parameter Description
Connection name Required. The name you use to refer to the service connection in task properties. It's not the name of your Azure account or subscription. If you're using YAML, use the name as the azureSubscription or the equivalent subscription name value in the script.
Server URL Required. The URL of the Chef automation server.
Node Name (Username) Required. The name of the node to connect to. Typically this is your username.
Client Key Required. The key specified in the Chef .pem file.

Docker Host service connection

Use the following parameters to define and secure a connection to a Docker host.

Parameter Description
Connection name Required. The name you use to refer to the service connection in task properties. It's not the name of your Azure account or subscription. If you're using YAML, use the name as the azureSubscription or the equivalent subscription name value in the script.
Server URL Required. The URL of the Docker host.
CA certificate Required. A trusted certificate authority certificate to use to authenticate with the host.
Certificate Required. A client certificate to use to authenticate with the host.
Key Required. The key specified in the Docker key.pem file.

For more information about protecting your connection to the Docker host, see Protect the Docker daemon socket.

Docker Registry service connection

Use the following parameters to define a connection to a container registry for either Azure Container Registry or Docker Hub or others.

Azure Container Registry

Parameter Description
Connection name Required. The name you use to refer to the service connection in task inputs.
Azure subscription Required. The Azure subscription containing the container registry to be used for service connection creation.
Azure Container Registry Required. The Azure Container Registry to be used for creation of service connection.

Docker Hub or others

Parameter Description
Connection name Required. The name you use to refer to the service connection in task inputs.
Docker Registry Required. The URL of the Docker registry.
Docker ID Required. The identifier of the Docker account user.
Password Required. The password for the account user identified above. (Docker Hub requires a PAT instead of a password.)
Email Optional. An email address to receive notifications.

Other Git service connection

Use the following parameters to define and secure a connection to an external Git repository server. There's a specific service connection for GitHub and GitHub Enterprise Server.

Parameter Description
Connection name Required. The name you use to refer to the service connection in task properties. It's not the name of your Azure account or subscription. If you're using YAML, use the name as the azureSubscription or the equivalent subscription name value in the script.
Server URL Required. The URL of the Git repository server.
Attempt accessing this Git server from Azure Pipelines When checked, Azure Pipelines attempts to connect to the repository before queuing a pipeline run. You can disable this setting to improve performance when working with repositories that are not publicly accessible. Note that CI triggers will not work in when an Other Git repository is not publicly accessible. You can only start manual or scheduled pipeline runs.
User name Required. The username to connect to the Git repository server.
Password/Token key Required. The password or access token for the specified username.

For more information, see Artifact sources.

Generic service connection

Use the following parameters to define and secure a connection to any generic type of service or application.

Parameter Description
Connection name Required. The name you use to refer to the service connection in task properties. It's not the name of your Azure account or subscription. If you're using YAML, use the name as the azureSubscription or the equivalent subscription name value in the script.
Server URL Required. The URL of the service.
User name Optional. The username to connect to the service.
Password/Token key Optional. The password or access token for the specified username.

GitHub service connection

Use the following parameters to define a connection to a GitHub repository.

Tip

There's a specific service connection for Other Git servers and GitHub Enterprise Server connections.

Parameter Description
Choose authorization Required. Either Grant authorization or Personal access token. See notes below.
Token Required for Personal access token authorization. See notes below.
Connection name Required. The name you use to refer to the service connection in task properties. It's not the name of your Azure account or subscription. If you're using YAML, use the name as the azureSubscription or the equivalent subscription name value in the script.

Note

If you select Grant authorization for the Choose authorization option, the dialog shows an Authorize button that opens the GitHub signing page. If you select Personal access token, paste it into the Token textbox. The dialog shows the recommended scopes for the token: repo, user, admin:repo_hook. For more information, see Create an access token for command line use Then, complete the following steps to register your GitHub account in your profile.

  1. Open your User settings from your account name at the right of the Azure Pipelines page heading.
  2. Choose Personal access tokens.
  3. Select Add and enter the information required to create the token.

For more information, see Artifact sources - version control.

GitHub Enterprise Server service connection

Use the following parameters to define a connection to a GitHub repository.

Tip

There's a specific service connection for Other Git servers and standard GitHub service connections.

Parameter Description
Choose authorization Required. Either Personal access token, Username and Password, or OAuth2. See notes below.
Connection name Required. The name you use to refer to the service connection in task properties. This isn't the name of your Azure account or subscription. If you're using YAML, use the name as the azureSubscription or the equivalent subscription name value in the script.
Server URL Required. The URL of the service.
Accept untrusted TLS/SSL certificates Set this option to allow clients to accept a self-signed certificate instead of installing the certificate in the TFS service role or the computers hosting the agent.
Token Required for Personal access token authorization. See notes below.
User name Required for Username and Password authentication. The username to connect to the service.
Password Required for Username and Password authentication. The password for the specified username.
OAuth configuration Required for OAuth2 authorization. The OAuth configuration specified in your account.
GitHub Enterprise Server configuration URL The URL is fetched from OAuth configuration.

Note

If you select Personal access token (PAT) you must paste the PAT into the Token textbox. The dialog shows the recommended scopes for the token: repo, user, admin:repo_hook. For more information, see Create an access token for command line use Then, complete the following steps to register your GitHub account in your profile.

  1. Open your User settings from your account name at the right of the Azure Pipelines page heading.
  2. Choose Personal access tokens.
  3. Select Add and enter the information required to create the token.

Jenkins service connection

Use the following parameters to define a connection to the Jenkins service.

Parameter Description
Connection name Required. The name you use to refer to the service connection in task properties. It's not the name of your Azure account or subscription. If you're using YAML, use the name as the azureSubscription or the equivalent subscription name value in the script.
Server URL Required. The URL of the service.
Accept untrusted TLS/SSL certificates Set this option to allow clients to accept a self-signed certificate instead of installing the certificate in the TFS service role or the computers hosting the agent.
User name Required. The username to connect to the service.
Password Required. The password for the specified username.

For more information, see Azure Pipelines Integration with Jenkins and Artifact sources - Jenkins.

Kubernetes service connection

Use the following parameters when you define a connection to a Kubernetes cluster. Choose from the following service connection options:

  • Azure subscription
  • Service account
  • Kubeconfig

Azure subscription option

Parameter Description
Connection name Required. The name you use to refer to the service connection in task inputs.
Azure subscription Required. The Azure subscription containing the cluster to be used for service connection creation.
Cluster Name of the Azure Kubernetes Service cluster.
Namespace Namespace within the cluster.

For an Azure RBAC enabled cluster, a ServiceAccount gets created in the chosen namespace along with RoleBinding object, so that the created ServiceAccount can do actions only on the chosen namespace.

For an Azure RBAC disabled cluster, a ServiceAccount gets created in the chosen namespace, but, the created ServiceAccount has cluster-wide privileges (across namespaces).

Note

This option lists all the subscriptions the service connection creator has access to across different Azure tenants. If you can't see subscriptions from other Azure tenants, check your Microsoft Entra permissions in those tenants.

Service account option

Parameter Description
Connection name Required. The name you use to refer to the service connection in task inputs.
Server URL Required. Cluster's API server URL.
Secret Secret associated with the service account to be used for deployment

Use the following command to fetch the Server URL.

kubectl config view --minify -o 'jsonpath={.clusters[0].cluster.server}'

Use the following sequence of commands to fetch the Secret object that's required to connect and authenticate with the cluster.

kubectl get serviceAccounts <service-account-name> -n <namespace> -o 'jsonpath={.secrets[*].name}'

In the following command, replace the service-account-secret-name with the output of the previous command.

kubectl get secret <service-account-secret-name> -n <namespace> -o json

Copy and paste the Secret object fetched in YAML form into the Secret text-field.

Note

When using the service account option, ensure that a RoleBinding exists, which grants permissions in the edit ClusterRole to the desired service account. This is needed so that the service account can be used by Azure Pipelines for creating objects in the chosen namespace.

Kubeconfig option

Parameter Description
Connection name Required. The name you use to refer to the service connection in task inputs.
Kubeconfig Required. Contents of the kubeconfig file.
Context Context within the kubeconfig file that is to be used for identifying the cluster.

Maven service connection

Use the following parameters when you define and secure a connection to a Maven repository.

Parameter Description
Connection name Required. The name you use to refer to the service connection in task properties. It's not the name of your Azure account or subscription. If you're using YAML, use the name as the azureSubscription or the equivalent subscription name value in the script.
Registry URL Required. The URL of the Maven repository.
Registry ID Required. This is the ID of the server that matches the ID element of the repository/mirror that Maven tries to connect to.
Username Required when connection type is Username and Password. The username for authentication.
Password Required when connection type is Username and Password. The password for the username.
Personal Access Token Required when connection type is Authentication Token. The token to use to authenticate with the service. Learn more.

npm service connection

Use the following parameters when you define and secure a connection to an npm server.

Parameter Description
Connection name Required. The name used to refer to the service connection in task properties. It's not the name of your Azure account or subscription. If you're using YAML, use the name as the azureSubscription or the equivalent subscription name value in the script.
Registry URL Required. The URL of the npm server.
Username Required when connection type is Username and Password. The username for authentication.
Password Required when connection type is Username and Password. The password for the username.
Personal Access Token Required when connection type is External Azure Pipelines. The token to use to authenticate with the service. Learn more.

NuGet service connection

Use the following parameters when you define and secure a connection to a NuGet server.

Parameter Description
Connection name Required. The name used to refer to the service connection in task properties. It's not the name of your Azure account or subscription. If you're using YAML, use the name as the azureSubscription or the equivalent subscription name value in the script.
Feed URL Required. The URL of the NuGet server.
ApiKey Required when connection type is ApiKey. The authentication key.
Personal Access Token Required when connection type is External Azure Pipelines. The token to use to authenticate with the service. Learn more.
Username Required when connection type is Basic authentication. The username for authentication.
Password Required when connection type is Basic authentication. The password for the username.

To configure NuGet to authenticate with Azure Artifacts and other NuGet repositories, see NuGet Authenticate.

Python package download service connection

Use the following parameters when you define and secure a connection to a Python repository for downloading Python packages.

Parameter Description
Connection name Required. The name used to refer to the service connection in task properties. It's not the name of your Azure account or subscription. If you're using YAML, use the name as the azureSubscription or the equivalent subscription name value in the script.
Python repository url for download Required. The URL of the Python repository.
Personal Access Token Required when connection type is Authentication Token. The token to use to authenticate with the service. Learn more.
Username Required when connection type is Username and Password. The username for authentication.
Password Required when connection type is Username and Password. The password for the username.

Python package upload service connection

Use the following parameters when you define and secure a connection to a Python repository for uploading Python packages.

Parameter Description
Connection name Required. The name used to refer to the service connection in task properties. It's not the name of your Azure account or subscription. If you're using YAML, use the name as the azureSubscription or the equivalent subscription name value in the script.
Python repository url for upload Required. The URL of the Python repository.
EndpointName Required. Unique repository name used for twine upload. Spaces and special characters aren't allowed.
Personal Access Token Required when connection type is Authentication Token. The token to use to authenticate with the service. Learn more.
Username Required when connection type is Username and Password. The username for authentication.
Password Required when connection type is Username and Password. The password for the username.

Service Fabric service connection

Use the following parameters when you define and secure a connection to a Service Fabric cluster.

Parameter Description
Connection name Required. The name used to refer to the service connection in task properties. It's not the name of your Azure account or subscription. If you're using YAML, use the name as the azureSubscription or the equivalent subscription name value in the script.
Cluster Endpoint Required. The TCP endpoint of the cluster.
Server Certificate Thumbprint Required when connection type is Certificate based or Microsoft Entra ID.
Client Certificate Required when connection type is Certificate based.
Password Required when connection type is Certificate based. The certificate password.
Username Required when connection type is Microsoft Entra ID. The username for authentication.
Password Required when connection type is Microsoft Entra ID. The password for the username.
Use Windows security Required when connection type is Others.
Cluster SPN Required when connection type is Others and using Windows security.

SSH service connection

Use the following parameters when you define and secure a connection to a remote host using Secure Shell (SSH).

Parameter Description
Connection name Required. The name used to refer to the service connection in task properties. It's not the name of your Azure account or subscription. If you're using YAML, use the name as the azureSubscription or the equivalent subscription name value in the script.
Host name Required. The name of the remote host machine or the IP address.
Port number Required. The port number of the remote host machine to which you want to connect. The default is port 22.
User name Required. The username to use when connecting to the remote host machine.
Password or passphrase The password or passphrase for the specified username if using a keypair as credentials.
Private key The entire contents of the private key file if using this type of authentication.

For more information, see SSH task and Copy files over SSH.

Subversion service connection

Use the following parameters when you define and secure a connection to the Subversion repository.

Parameter Description
Connection name Required. The name used to refer to the service connection in task properties. It's not the name of your Azure account or subscription. If you're using YAML, use the name as the azureSubscription or the equivalent subscription name value in the script.
Server repository URL Required. The URL of the repository.
Accept untrusted TLS/SSL certificates Set this option to allow the client to accept self-signed certificates installed on the agent computer(s).
Realm name Optional. If you use multiple credentials in a build or release pipeline, use this parameter to specify the realm containing the credentials specified for the service connection.
User name Required. The username to connect to the service.
Password Required. The password for the specified username.

Visual Studio App Center service connection

Use the following parameters when you define and secure a connection to Visual Studio App Center.

Parameter Description
Connection name Required. The name used to refer to the service connection in task properties. It's not the name of your Azure account or subscription. If you're using YAML, use the name as the azureSubscription or the equivalent subscription name value in the script.
API token Required. The token to use to authenticate with the service. For more information, see the API docs.

Extensions for other service connections

Other service connection types and tasks can be installed as extensions. See the following examples of service connections available through extensions:

  • TFS artifacts for Azure Pipelines. Deploy on-premises TFS builds with Azure Pipelines through a TFS service connection and the Team Build (external) artifact, even when the TFS machine isn't reachable directly from Azure Pipelines. For more information, see External TFS and this blog post.

  • TeamCity artifacts for Azure Pipelines. This extension provides integration with TeamCity through a TeamCity service connection, enabling artifacts produced in TeamCity to be deployed by using Azure Pipelines. For more information, see TeamCity.

  • System Center Virtual Machine Manager (SCVMM) Integration. Connect to an SCVMM server to provision virtual machines and do actions on them such as managing checkpoints, starting and stopping virtual machines (VMs), and running PowerShell scripts.

  • VMware Resource Deployment. Connect to a VMware vCenter Server from Visual Studio Team Services or TFS to provision. Start, stop, or snapshot VMware virtual machines.

  • Power Platform Build Tools. Use Microsoft Power Platform Build Tools to automate common build and deployment tasks related to apps built on Microsoft Power Platform. After installing the extension, the Power Platform service connection type has the following properties.

Parameter Description
Connection Name Required. The name you will use to refer to this service connection in task properties.
Server URL Required. The URL of the Power Platform instance. Example: https://contoso.crm4.dynamics.com
Tenant ID Required. Tenant ID (also called directory ID in Azure portal) to authenticate to. Refer to https://aka.ms/buildtools-spn for a script that shows Tenant ID and configures Application ID and associated Client Secret. The application user must also be created in CDS
Application ID Required. Azure Application ID to authenticate with.
Client secret of Application ID Required. Client secret of the Service Principal associated to above Application ID used to prove identity.

You can also create your own custom service connections.

Help and support