https://dmtechops.com/tags/azure-devops/ Recent content in Azure-Devops on Darren Mair Hugo -- gohugo.io en-us darren@example.com (Darren Mair) darren@example.com (Darren Mair) Wed, 06 May 2026 00:00:00 +0000 https://dmtechops.com/p/running-sentinelone-deployment-safely-from-azure-devops/ Wed, 06 May 2026 00:00:00 +0000darren@example.com (Darren Mair) https://dmtechops.com/p/running-sentinelone-deployment-safely-from-azure-devops/ <p>This companion guide shows how to run the SentinelOne deployment script from Azure DevOps without storing API keys or site tokens in source control. The pipeline pattern below uses secure variables or Azure Key Vault, limits execution scope, publishes the CSV result, and keeps rollout controls explicit.</p> <h2 id="architecture-at-a-glance">Architecture at a glance </h2><p>The production pattern is simple:</p> <ol> <li>Store the SentinelOne API key and site tokens as protected secrets.</li> <li>Run the PowerShell script from an Azure DevOps pipeline agent.</li> <li>Pass only the subscription scope and operational switches at runtime.</li> <li>Publish the generated CSV report as a build artifact.</li> <li>Review failures, stopped VMs, and exceptions outside the pipeline.</li> </ol> <h2 id="what-changed-in-the-script">What changed in the script </h2><p>The deployment script now supports three secret sources, in this order:</p> <ol> <li>Explicit PowerShell parameters.</li> <li>Environment variables.</li> <li>Azure Key Vault secrets.</li> </ol> <p>That means the pipeline does not need to edit the script before each run. It only needs to inject the correct values at execution time.</p> <h2 id="recommended-secret-names">Recommended secret names </h2><p>If you use environment variables, align with the names the script already resolves:</p> <table> <thead> <tr> <th>Secret</th> <th>Environment variable</th> </tr> </thead> <tbody> <tr> <td>SentinelOne console API key</td> <td><code>SENTINELONE_API_KEY</code></td> </tr> <tr> <td>Production site token</td> <td><code>S1_SITE_TOKEN_PROD</code></td> </tr> <tr> <td>Pre-production site token</td> <td><code>S1_SITE_TOKEN_PREPROD</code></td> </tr> <tr> <td>QA site token</td> <td><code>S1_SITE_TOKEN_QA</code></td> </tr> <tr> <td>Development site token</td> <td><code>S1_SITE_TOKEN_DEV</code></td> </tr> </tbody> </table> <p>If you use Azure Key Vault, the script defaults to these secret names:</p> <table> <thead> <tr> <th>Secret</th> <th>Key Vault secret name</th> </tr> </thead> <tbody> <tr> <td>SentinelOne console API key</td> <td><code>sentinelone-console-api-key</code></td> </tr> <tr> <td>Production site token</td> <td><code>sentinelone-site-token-prod</code></td> </tr> <tr> <td>Pre-production site token</td> <td><code>sentinelone-site-token-preprod</code></td> </tr> <tr> <td>QA site token</td> <td><code>sentinelone-site-token-qa</code></td> </tr> <tr> <td>Development site token</td> <td><code>sentinelone-site-token-dev</code></td> </tr> </tbody> </table> <h2 id="option-1-use-azure-devops-secret-variables">Option 1: Use Azure DevOps secret variables </h2><p>This is the quickest secure starting point if you are not yet standardised on Key Vault.</p> <p>Create a variable group with secret variables for:</p> <ol> <li><code>SENTINELONE_API_KEY</code></li> <li><code>S1_SITE_TOKEN_PROD</code></li> <li><code>S1_SITE_TOKEN_PREPROD</code></li> <li><code>S1_SITE_TOKEN_QA</code></li> <li><code>S1_SITE_TOKEN_DEV</code></li> </ol> <p>Then reference that group from the pipeline.</p> <h2 id="option-2-use-azure-key-vault">Option 2: Use Azure Key Vault </h2><p>For longer-term operations, Key Vault is the better pattern because it separates secret lifecycle management from the pipeline definition.</p> <p>In that model:</p> <ol> <li>The pipeline service connection reads secrets from Key Vault.</li> <li>The pipeline exports those values as environment variables for the script.</li> <li>The script runs unchanged.</li> </ol> <p>You can also let the script read Key Vault directly by passing <code>-KeyVaultName</code> and, if required, <code>-KeyVaultSubscriptionId</code>. In Azure DevOps, I prefer retrieving secrets in the pipeline first because it keeps the execution contract visible in one place.</p> <h2 id="production-ready-pipeline-example">Production-ready pipeline example </h2><p>The YAML below is designed for a manually triggered operational run. It supports dry runs, targeted subscription scope, optional remediation of failed extensions, and CSV artifact publishing.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">trigger</span><span class="p">:</span><span class="w"> </span><span class="l">none</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">pr</span><span class="p">:</span><span class="w"> </span><span class="l">none</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">parameters</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">subscriptionIds</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">displayName</span><span class="p">:</span><span class="w"> </span><span class="l">Subscription IDs</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">string</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">default</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">excludedLocations</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">displayName</span><span class="p">:</span><span class="w"> </span><span class="l">Excluded locations</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">string</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">default</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;ukwest&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">excludedVmNames</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">displayName</span><span class="p">:</span><span class="w"> </span><span class="l">Excluded VM names</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">string</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">default</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;ufwduks001v,ufwduks002v,uavsjbtempuks001&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">autoStartVMs</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">displayName</span><span class="p">:</span><span class="w"> </span><span class="l">Auto-start stopped VMs</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">boolean</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">default</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">reinstallFailedExtensions</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">displayName</span><span class="p">:</span><span class="w"> </span><span class="l">Reinstall failed extensions</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">boolean</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">default</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">whatIf</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">displayName</span><span class="p">:</span><span class="w"> </span><span class="l">Dry run only</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">boolean</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">default</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">group</span><span class="p">:</span><span class="w"> </span><span class="l">sentinelone-deployment-secrets</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">scriptPath</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">scripts/Sentinel_Check_&amp;_Install_v1.ps1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">reportPath</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l">$(Build.ArtifactStagingDirectory)/sentinelone/SentinelCheck_Results.csv</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">pool</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">vmImage</span><span class="p">:</span><span class="w"> </span><span class="l">windows-latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">stages</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">stage</span><span class="p">:</span><span class="w"> </span><span class="l">DeploySentinelOne</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">displayName</span><span class="p">:</span><span class="w"> </span><span class="l">Deploy SentinelOne</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">jobs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">job</span><span class="p">:</span><span class="w"> </span><span class="l">RunDeployment</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">displayName</span><span class="p">:</span><span class="w"> </span><span class="l">Run deployment script</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">steps</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">checkout</span><span class="p">:</span><span class="w"> </span><span class="l">self</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">task</span><span class="p">:</span><span class="w"> </span><span class="l">AzurePowerShell@5</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">displayName</span><span class="p">:</span><span class="w"> </span><span class="l">Run SentinelOne deployment script</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">inputs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">azureSubscription</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;sc-azure-platform-prod&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ScriptType</span><span class="p">:</span><span class="w"> </span><span class="l">InlineScript</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">azurePowerShellVersion</span><span class="p">:</span><span class="w"> </span><span class="l">LatestVersion</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">Inline</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> $subscriptionIds = @() </span></span></span><span class="line"><span class="cl"><span class="sd"> if (&#39;${{ parameters.subscriptionIds }}&#39;.Trim()) { </span></span></span><span class="line"><span class="cl"><span class="sd"> $subscriptionIds = &#39;${{ parameters.subscriptionIds }}&#39;.Split(&#39;,&#39;).Trim() | Where-Object { $_ } </span></span></span><span class="line"><span class="cl"><span class="sd"> } </span></span></span><span class="line"><span class="cl"><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> $excludedLocations = &#39;${{ parameters.excludedLocations }}&#39;.Split(&#39;,&#39;).Trim() | Where-Object { $_ } </span></span></span><span class="line"><span class="cl"><span class="sd"> $excludedVmNames = &#39;${{ parameters.excludedVmNames }}&#39;.Split(&#39;,&#39;).Trim() | Where-Object { $_ } </span></span></span><span class="line"><span class="cl"><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> $scriptArguments = @{ </span></span></span><span class="line"><span class="cl"><span class="sd"> SubscriptionIds = $subscriptionIds </span></span></span><span class="line"><span class="cl"><span class="sd"> ExcludedLocations = $excludedLocations </span></span></span><span class="line"><span class="cl"><span class="sd"> ExcludedVMNames = $excludedVmNames </span></span></span><span class="line"><span class="cl"><span class="sd"> CsvPath = &#39;$(reportPath)&#39; </span></span></span><span class="line"><span class="cl"><span class="sd"> } </span></span></span><span class="line"><span class="cl"><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> if (&#39;${{ parameters.autoStartVMs }}&#39; -eq &#39;true&#39;) { </span></span></span><span class="line"><span class="cl"><span class="sd"> $scriptArguments[&#39;AutoStartVMs&#39;] = $true </span></span></span><span class="line"><span class="cl"><span class="sd"> } </span></span></span><span class="line"><span class="cl"><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> if (&#39;${{ parameters.reinstallFailedExtensions }}&#39; -eq &#39;true&#39;) { </span></span></span><span class="line"><span class="cl"><span class="sd"> $scriptArguments[&#39;ReinstallFailedExtensions&#39;] = $true </span></span></span><span class="line"><span class="cl"><span class="sd"> } </span></span></span><span class="line"><span class="cl"><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> if (&#39;${{ parameters.whatIf }}&#39; -eq &#39;true&#39;) { </span></span></span><span class="line"><span class="cl"><span class="sd"> $scriptArguments[&#39;WhatIf&#39;] = $true </span></span></span><span class="line"><span class="cl"><span class="sd"> } </span></span></span><span class="line"><span class="cl"><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> &amp; &#39;$(Build.SourcesDirectory)/$(scriptPath)&#39; @scriptArguments</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">env</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">SENTINELONE_API_KEY</span><span class="p">:</span><span class="w"> </span><span class="l">$(SENTINELONE_API_KEY)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">S1_SITE_TOKEN_PROD</span><span class="p">:</span><span class="w"> </span><span class="l">$(S1_SITE_TOKEN_PROD)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">S1_SITE_TOKEN_PREPROD</span><span class="p">:</span><span class="w"> </span><span class="l">$(S1_SITE_TOKEN_PREPROD)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">S1_SITE_TOKEN_QA</span><span class="p">:</span><span class="w"> </span><span class="l">$(S1_SITE_TOKEN_QA)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">S1_SITE_TOKEN_DEV</span><span class="p">:</span><span class="w"> </span><span class="l">$(S1_SITE_TOKEN_DEV)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">task</span><span class="p">:</span><span class="w"> </span><span class="l">PublishBuildArtifacts@1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">displayName</span><span class="p">:</span><span class="w"> </span><span class="l">Publish SentinelOne report</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">condition</span><span class="p">:</span><span class="w"> </span><span class="l">succeededOrFailed()</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">inputs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">PathtoPublish</span><span class="p">:</span><span class="w"> </span><span class="l">$(Build.ArtifactStagingDirectory)/sentinelone</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ArtifactName</span><span class="p">:</span><span class="w"> </span><span class="l">sentinelone-report</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">publishLocation</span><span class="p">:</span><span class="w"> </span><span class="l">Container</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h2 id="key-pipeline-decisions">Key pipeline decisions </h2><p>This example deliberately makes a few opinionated choices:</p> <table> <thead> <tr> <th>Decision</th> <th>Reason</th> </tr> </thead> <tbody> <tr> <td><code>trigger: none</code></td> <td>Deployment should be an intentional operational action, not a CI side effect.</td> </tr> <tr> <td>Manual parameters</td> <td>Operators can narrow scope without editing YAML.</td> </tr> <tr> <td><code>whatIf</code> defaults to <code>true</code></td> <td>Safe by default. Live execution is a conscious change.</td> </tr> <tr> <td><code>condition: succeededOrFailed()</code> on artifact publish</td> <td>You still want the CSV output when some installs fail.</td> </tr> <tr> <td>Windows hosted agent</td> <td>Keeps execution consistent with Azure PowerShell task behavior.</td> </tr> </tbody> </table> <h2 id="key-vault-backed-variable-groups">Key Vault-backed variable groups </h2><p>If you already use Azure Key Vault with Azure DevOps variable groups, the pipeline gets even cleaner. In that setup:</p> <ol> <li>Link the variable group to your Key Vault.</li> <li>Map the Key Vault secrets to the same variable names used above.</li> <li>Keep the YAML unchanged.</li> </ol> <p>This avoids duplicating secret values between Azure DevOps and Key Vault.</p> <h2 id="guardrails-i-recommend-in-production">Guardrails I recommend in production </h2><p>For a real enterprise rollout, add these controls around the pipeline:</p> <ol> <li>Restrict who can queue the pipeline.</li> <li>Separate non-production and production service connections.</li> <li>Use approvals for production stages if you later split the pipeline into environments.</li> <li>Log the approved subscription list for every execution.</li> <li>Keep exception VM names and excluded regions under review.</li> </ol> <h2 id="recommended-repository-structure">Recommended repository structure </h2><p>The pipeline is easier to maintain when the repo structure is explicit:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">azure-pipelines/ </span></span><span class="line"><span class="cl"> sentinelone-deployment.yml </span></span><span class="line"><span class="cl">scripts/ </span></span><span class="line"><span class="cl"> Sentinel_Check_&amp;_Install_v1.ps1 </span></span><span class="line"><span class="cl">docs/ </span></span><span class="line"><span class="cl"> sentinelone-runbook.md </span></span></code></pre></td></tr></table> </div> </div><p>If the script currently lives outside source control, move it into a controlled repository before putting the pipeline into service. That gives you traceability for every operational change.</p> <h2 id="operational-runbook-flow">Operational runbook flow </h2><p>The process for an operator should be straightforward:</p> <ol> <li>Queue the pipeline.</li> <li>Start with a non-production subscription and dry run enabled.</li> <li>Review the pipeline log and generated CSV.</li> <li>Re-run live only after the dry-run scope looks correct.</li> <li>Review failed installs, stopped VMs, and skipped subscriptions separately.</li> </ol> <h2 id="final-thoughts">Final thoughts </h2><p>The safest way to run the SentinelOne deployment script is to treat it like an operational control, not an admin laptop task. Azure DevOps gives you repeatability, approvals, artifacts, and audit history. Combined with the script’s new secret-resolution logic, that gives you a workable production model without putting credentials in the repo.</p> https://dmtechops.com/p/azure-devops-best-practices-guide/ Tue, 05 May 2026 00:00:00 +0000darren@example.com (Darren Mair) https://dmtechops.com/p/azure-devops-best-practices-guide/ <img src="https://dmtechops.com/p/azure-devops-best-practices-guide/azure-devops-guide-banner.svg" alt="Featured image of post Azure DevOps Best Practices - End-to-End Guide" /><p>This guide is designed as an implementation playbook, not a theory article.</p> <p>It combines:</p> <ul> <li>Delivery operating model practices</li> <li>Azure Boards structure and governance</li> <li>Git branching and pull request controls</li> <li>CI/CD architecture in Azure Pipelines</li> <li>Secure-by-design controls and permissions</li> <li>Implementation-ready scripts and templates</li> </ul> <h2 id="who-this-is-for">Who This Is For </h2><ul> <li>Engineering managers and platform leads</li> <li>DevOps engineers and SRE teams</li> <li>Security and compliance teams partnering with delivery</li> <li>Team leads setting standards across multiple repos/projects</li> </ul> <h2 id="how-to-use-this-guide">How To Use This Guide </h2><ol> <li>Read the operating model and target-state first.</li> <li>Implement Boards + Repos controls together.</li> <li>Add pipeline templates and environment checks.</li> <li>Roll out secure-by-design controls in phases.</li> <li>Use the scripts and templates section as your starter kit.</li> </ol> <h2 id="expanded-table-of-contents">Expanded Table of Contents </h2><ol> <li><a class="link" href="https://dmtechops.com/p/1-operating-model-and-target-state/" >Operating Model and Target State</a> <ul> <li><a class="link" href="https://dmtechops.com/p/1-operating-model-and-target-state/#why-start-here" >Why Start Here</a></li> <li><a class="link" href="https://dmtechops.com/p/1-operating-model-and-target-state/#recommended-team-topology" >Recommended Team Topology</a></li> <li><a class="link" href="https://dmtechops.com/p/1-operating-model-and-target-state/#platform-principles" >Platform Principles</a></li> <li><a class="link" href="https://dmtechops.com/p/1-operating-model-and-target-state/#target-state-blueprint" >Target State Blueprint</a></li> <li><a class="link" href="https://dmtechops.com/p/1-operating-model-and-target-state/#raci-example" >RACI (Example)</a></li> <li><a class="link" href="https://dmtechops.com/p/1-operating-model-and-target-state/#non-negotiable-baseline" >Non-Negotiable Baseline</a></li> <li><a class="link" href="https://dmtechops.com/p/1-operating-model-and-target-state/#key-metrics" >Key Metrics</a></li> <li><a class="link" href="https://dmtechops.com/p/1-operating-model-and-target-state/#anti-patterns-to-avoid" >Anti-Patterns to Avoid</a></li> </ul> </li> <li><a class="link" href="https://dmtechops.com/p/2-azure-boards-best-practices/" >Azure Boards Best Practices</a> <ul> <li><a class="link" href="https://dmtechops.com/p/2-azure-boards-best-practices/#objectives-for-boards" >Objectives for Boards</a></li> <li><a class="link" href="https://dmtechops.com/p/2-azure-boards-best-practices/#process-and-work-item-design" >Process and Work Item Design</a></li> <li><a class="link" href="https://dmtechops.com/p/2-azure-boards-best-practices/#team-and-area-path-strategy" >Team and Area Path Strategy</a></li> <li><a class="link" href="https://dmtechops.com/p/2-azure-boards-best-practices/#iteration-cadence" >Iteration Cadence</a></li> <li><a class="link" href="https://dmtechops.com/p/2-azure-boards-best-practices/#boards-security-baseline" >Boards Security Baseline</a></li> <li><a class="link" href="https://dmtechops.com/p/2-azure-boards-best-practices/#access-model-example" >Access Model Example</a></li> <li><a class="link" href="https://dmtechops.com/p/2-azure-boards-best-practices/#board-workflow-hygiene" >Board Workflow Hygiene</a></li> <li><a class="link" href="https://dmtechops.com/p/2-azure-boards-best-practices/#queries-and-dashboards" >Queries and Dashboards</a></li> <li><a class="link" href="https://dmtechops.com/p/2-azure-boards-best-practices/#traceability-controls" >Traceability Controls</a></li> <li><a class="link" href="https://dmtechops.com/p/2-azure-boards-best-practices/#boards-implementation-checklist" >Boards Implementation Checklist</a></li> <li><a class="link" href="https://dmtechops.com/p/2-azure-boards-best-practices/#common-failure-modes" >Common Failure Modes</a></li> </ul> </li> <li><a class="link" href="https://dmtechops.com/p/3-repos-branching-and-code-governance/" >Repos, Branching, and PR Strategy</a> <ul> <li><a class="link" href="https://dmtechops.com/p/3-repos-branching-and-code-governance/#branching-strategy-choices" >Branching Strategy Choices</a></li> <li><a class="link" href="https://dmtechops.com/p/3-repos-branching-and-code-governance/#branch-naming-convention" >Branch Naming Convention</a></li> <li><a class="link" href="https://dmtechops.com/p/3-repos-branching-and-code-governance/#protected-branch-baseline" >Protected Branch Baseline</a></li> <li><a class="link" href="https://dmtechops.com/p/3-repos-branching-and-code-governance/#pull-request-standard" >Pull Request Standard</a></li> <li><a class="link" href="https://dmtechops.com/p/3-repos-branching-and-code-governance/#codeowners-and-review-coverage" >CODEOWNERS and Review Coverage</a></li> <li><a class="link" href="https://dmtechops.com/p/3-repos-branching-and-code-governance/#repository-permissions-baseline" >Repository Permissions Baseline</a></li> <li><a class="link" href="https://dmtechops.com/p/3-repos-branching-and-code-governance/#merge-strategy-guidance" >Merge Strategy Guidance</a></li> <li><a class="link" href="https://dmtechops.com/p/3-repos-branching-and-code-governance/#example-policy-matrix" >Example Policy Matrix</a></li> <li><a class="link" href="https://dmtechops.com/p/3-repos-branching-and-code-governance/#anti-patterns" >Anti-Patterns</a></li> </ul> </li> <li><a class="link" href="https://dmtechops.com/p/4-pipelines-environments-and-approval-gates/" >Pipelines, Environments, and Approval Gates</a> <ul> <li><a class="link" href="https://dmtechops.com/p/4-pipelines-environments-and-approval-gates/#pipeline-architecture-principles" >Pipeline Architecture Principles</a></li> <li><a class="link" href="https://dmtechops.com/p/4-pipelines-environments-and-approval-gates/#reference-stage-model" >Reference Stage Model</a></li> <li><a class="link" href="https://dmtechops.com/p/4-pipelines-environments-and-approval-gates/#environment-strategy" >Environment Strategy</a></li> <li><a class="link" href="https://dmtechops.com/p/4-pipelines-environments-and-approval-gates/#approval-and-check-baseline" >Approval and Check Baseline</a></li> <li><a class="link" href="https://dmtechops.com/p/4-pipelines-environments-and-approval-gates/#approval-design-patterns" >Approval Design Patterns</a></li> <li><a class="link" href="https://dmtechops.com/p/4-pipelines-environments-and-approval-gates/#use-exclusive-locks-carefully" >Use Exclusive Locks Carefully</a></li> <li><a class="link" href="https://dmtechops.com/p/4-pipelines-environments-and-approval-gates/#pipeline-hardening-checklist" >Pipeline Hardening Checklist</a></li> <li><a class="link" href="https://dmtechops.com/p/4-pipelines-environments-and-approval-gates/#minimal-deployment-job-example" >Minimal Deployment Job Example</a></li> <li><a class="link" href="https://dmtechops.com/p/4-pipelines-environments-and-approval-gates/#template-extension-pattern" >Template Extension Pattern</a></li> <li><a class="link" href="https://dmtechops.com/p/4-pipelines-environments-and-approval-gates/#common-cicd-anti-patterns" >Common CI/CD Anti-Patterns</a></li> </ul> </li> <li><a class="link" href="https://dmtechops.com/p/5-secure-by-design-permissions-secrets-and-scanning/" >Secure by Design: Permissions, Secrets, and Scanning</a> <ul> <li><a class="link" href="https://dmtechops.com/p/5-secure-by-design-permissions-secrets-and-scanning/#security-model-summary" >Security Model Summary</a></li> <li><a class="link" href="https://dmtechops.com/p/5-secure-by-design-permissions-secrets-and-scanning/#identity-and-authentication" >Identity and Authentication</a></li> <li><a class="link" href="https://dmtechops.com/p/5-secure-by-design-permissions-secrets-and-scanning/#authorization-and-permissions" >Authorization and Permissions</a></li> <li><a class="link" href="https://dmtechops.com/p/5-secure-by-design-permissions-secrets-and-scanning/#service-connection-security" >Service Connection Security</a></li> <li><a class="link" href="https://dmtechops.com/p/5-secure-by-design-permissions-secrets-and-scanning/#secrets-and-variables" >Secrets and Variables</a></li> <li><a class="link" href="https://dmtechops.com/p/5-secure-by-design-permissions-secrets-and-scanning/#secure-pipeline-input-handling" >Secure Pipeline Input Handling</a></li> <li><a class="link" href="https://dmtechops.com/p/5-secure-by-design-permissions-secrets-and-scanning/#code-dependency-and-secret-scanning" >Code, Dependency, and Secret Scanning</a></li> <li><a class="link" href="https://dmtechops.com/p/5-secure-by-design-permissions-secrets-and-scanning/#agent-and-infrastructure-security" >Agent and Infrastructure Security</a></li> <li><a class="link" href="https://dmtechops.com/p/5-secure-by-design-permissions-secrets-and-scanning/#bypass-and-break-glass-governance" >Bypass and Break-Glass Governance</a></li> <li><a class="link" href="https://dmtechops.com/p/5-secure-by-design-permissions-secrets-and-scanning/#security-operations-metrics" >Security Operations Metrics</a></li> <li><a class="link" href="https://dmtechops.com/p/5-secure-by-design-permissions-secrets-and-scanning/#quick-security-checklist" >Quick Security Checklist</a></li> </ul> </li> <li><a class="link" href="https://dmtechops.com/p/6-implementation-scripts-and-templates/" >Implementation Scripts and Templates</a> <ul> <li><a class="link" href="https://dmtechops.com/p/6-implementation-scripts-and-templates/#prerequisites" >Prerequisites</a></li> <li><a class="link" href="https://dmtechops.com/p/6-implementation-scripts-and-templates/#script-create-core-branch-policies-powershell--azure-cli" >Script: Create Core Branch Policies (PowerShell + Azure CLI)</a></li> <li><a class="link" href="https://dmtechops.com/p/6-implementation-scripts-and-templates/#script-policy-as-code-via-configuration-file" >Script: Policy-As-Code via Configuration File</a></li> <li><a class="link" href="https://dmtechops.com/p/6-implementation-scripts-and-templates/#template-secure-pipeline-entry-extends" >Template: Secure Pipeline Entry (<code>extends</code>)</a></li> <li><a class="link" href="https://dmtechops.com/p/6-implementation-scripts-and-templates/#template-codeql-scanning-starter" >Template: CodeQL Scanning Starter</a></li> <li><a class="link" href="https://dmtechops.com/p/6-implementation-scripts-and-templates/#template-dependency-scanning-starter" >Template: Dependency Scanning Starter</a></li> <li><a class="link" href="https://dmtechops.com/p/6-implementation-scripts-and-templates/#example-deployment-with-environment-gate" >Example: Deployment with Environment Gate</a></li> <li><a class="link" href="https://dmtechops.com/p/6-implementation-scripts-and-templates/#script-find-repositories-missing-branch-policy-baseline" >Script: Find Repositories Missing Branch Policy Baseline</a></li> <li><a class="link" href="https://dmtechops.com/p/6-implementation-scripts-and-templates/#script-enumerate-projects-and-group-membership-audit-starter" >Script: Enumerate Projects and Group Membership (Audit Starter)</a></li> <li><a class="link" href="https://dmtechops.com/p/6-implementation-scripts-and-templates/#implementation-notes" >Implementation Notes</a></li> </ul> </li> <li><a class="link" href="https://dmtechops.com/p/7-rollout-plan-and-maturity-model/" >Rollout Plan and Maturity Model</a> <ul> <li><a class="link" href="https://dmtechops.com/p/7-rollout-plan-and-maturity-model/#rollout-strategy" >Rollout Strategy</a></li> <li><a class="link" href="https://dmtechops.com/p/7-rollout-plan-and-maturity-model/#maturity-model" >Maturity Model</a></li> <li><a class="link" href="https://dmtechops.com/p/7-rollout-plan-and-maturity-model/#kpi-targets-example" >KPI Targets (Example)</a></li> <li><a class="link" href="https://dmtechops.com/p/7-rollout-plan-and-maturity-model/#change-management-and-adoption" >Change Management and Adoption</a></li> <li><a class="link" href="https://dmtechops.com/p/7-rollout-plan-and-maturity-model/#exception-management-model" >Exception Management Model</a></li> <li><a class="link" href="https://dmtechops.com/p/7-rollout-plan-and-maturity-model/#audit-evidence-pack-recommended" >Audit Evidence Pack (Recommended)</a></li> <li><a class="link" href="https://dmtechops.com/p/7-rollout-plan-and-maturity-model/#90-day-action-plan" >90-Day Action Plan</a></li> <li><a class="link" href="https://dmtechops.com/p/7-rollout-plan-and-maturity-model/#final-guidance" >Final Guidance</a></li> </ul> </li> </ol> <h2 id="reference-sources">Reference Sources </h2><p>This playbook is aligned with current Microsoft documentation, including:</p> <ul> <li>Azure Boards security model and permissions</li> <li>Azure Repos branch policies and branching guidance</li> <li>Azure Pipelines security guidance, templates, environments, approvals/checks</li> <li>Authentication/authorization and security groups guidance</li> <li>GitHub Advanced Security for Azure DevOps (secret, dependency, code scanning)</li> </ul> <p>Where this guide makes choices (for example, branching model or gate strictness), those choices are opinionated implementation recommendations intended to be practical in enterprise teams.</p>