Azure DevOps Secretless CI/CD via Workload Identity Federation
Key Questions
What is secretless CI/CD in Azure DevOps?
Secretless CI/CD uses Workload Identity Federation to eliminate stored secrets, relying on federated tokens and managed identities. This enables passwordless authentication via Entra ID.
How does Workload Identity Federation work in Azure?
It issues short-lived federated tokens for workload authentication, supporting credential rotation and zero-trust models. It integrates with Azure DevOps (AzDO) pipelines for signing and secure deployments.
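As an added illustration (not code from this page or from Microsoft), the sketch below models the matching step behind a federated token exchange: the pipeline's token is accepted only when its issuer, subject and audience match the federated credential configured on the identity and the token has not expired. The issuer, subject and audience values are constructed placeholders with assumed shapes, and signature verification is left out.

```python
import base64, json, time

# Constructed federated identity credential with issuer / subject / audiences
# fields. The organization id, project and connection names are placeholders;
# the value shapes are assumptions.
FIC = {
    "issuer": "https://vstoken.dev.azure.com/00000000-0000-0000-0000-000000000000",
    "subject": "sc://example-org/example-project/example-connection",
    "audiences": ["api://AzureADTokenExchange"],
}

def b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims):
    """Build an unsigned, constructed JWT so the example runs offline."""
    return ".".join([b64url({"alg": "none", "typ": "JWT"}), b64url(claims), ""])

def claims_of(token):
    """Decode the JWT payload without verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def trust_errors(token, fic, now=None):
    """Return the reasons a token does not match the federated credential.

    A real identity provider also verifies the token signature against the
    issuer's published keys; this model only compares claims.
    """
    now = time.time() if now is None else now
    c = claims_of(token)
    errors = []
    if c.get("iss") != fic["issuer"]:        # exact, case-sensitive match
        errors.append("issuer mismatch")
    if c.get("sub") != fic["subject"]:       # one subject per trusted workload
        errors.append("subject mismatch")
    aud = c.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if not set(aud) & set(fic["audiences"]):
        errors.append("audience mismatch")
    if c.get("exp", 0) <= now:               # short-lived: reject once expired
        errors.append("token expired")
    return errors
```

Running `trust_errors` against the decoded claims of a failing pipeline token is a quick way to see which of the three trust fields drifted from the configured credential.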
What are the benefits for zero-trust AI agents in Azure DevOps?
Zero-trust AI agents use CBA and SPIFFE for secure, secretless access. This reduces the attack surface in CI/CD, with tasks such as YAML repros and prototypes of agent-based workflows.
Topics: federated tokens, managed identities, and credential rotation; zero-trust AI agents, Entra passwordless, and CBA; AzDO CLI signing. Tasks: YAML repros, agent prototypes, SPIFFE, and Azure signing.