A PowerShell script tool to bulk update Azure DevOps ARM Service Connections from service principal authentication to the recommended workload identity federation method.
Azure DevOps Workload Identity Federation - Updating your Azure DevOps ARM Service Connections to use the recommended Workload Identity Federation
This tool is designed for Azure DevOps administrators and DevOps engineers who need to efficiently migrate multiple ARM Service Connections to use workload identity federation, eliminating the need to manage secrets and improving security. It automates the conversion process, saving time and reducing the risk of pipeline failures due to expired secrets.
This tool relies on an undocumented Azure DevOps API endpoint, which may change without notice. Users should ensure they have appropriate permissions in Azure DevOps and test the script in a non-production environment before bulk applying changes. Using DevOps Shield for inventory management is recommended for continuous tracking of service connections.
Clone the repository or download the Convert-ServicePrincipals.ps1 script
Ensure you have PowerShell installed on your machine
Obtain an inventory of your Azure DevOps ARM Service Connections either manually or using DevOps Shield
Prepare necessary Azure DevOps organization and project details for the script
powershell ./scripts/Convert-ServicePrincipals.ps1
Executes the bulk conversion of ARM Service Connections from service principal authentication to workload identity federation.
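Before running the bulk conversion, it helps to know exactly which ARM service connections still authenticate with a service principal secret. The following is an added inventory example, not code from the repository; it assumes a PAT with read access to service connections, the documented Azure DevOps serviceendpoint REST API (api-version 7.1), and the scheme values "ServicePrincipal" and "WorkloadIdentityFederation" as returned by that API.

```powershell
# Added example (not part of the repository): list the ARM service connections in one
# Azure DevOps project and flag those still using a service principal secret, so you
# know what the bulk conversion will touch before applying it.
function Get-ArmServiceConnectionInventory {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Organization,
        [Parameter(Mandatory)] [string] $Project,
        [Parameter(Mandatory)] [string] $Pat
    )

    # Basic auth header: empty user name, PAT as password
    $token   = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(":$Pat"))
    $headers = @{ Authorization = "Basic $token" }

    # Only Azure Resource Manager endpoints (type=azurerm) are relevant here
    $uri = "https://dev.azure.com/$Organization/$Project/_apis/serviceendpoint/endpoints" +
           "?type=azurerm&api-version=7.1"
    $response = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get

    foreach ($ep in $response.value) {
        $scheme = $ep.authorization.scheme
        [pscustomobject]@{
            Project        = $Project
            Name           = $ep.name
            Id             = $ep.id
            Scheme         = $scheme
            TenantId       = $ep.authorization.parameters.tenantid
            AppId          = $ep.authorization.parameters.serviceprincipalid
            # Secret-based connections are the ones the conversion script targets;
            # connections already on WorkloadIdentityFederation need no change
            NeedsMigration = ($scheme -eq 'ServicePrincipal')
        }
    }
}

# Usage (constructed placeholder values for organization, project and PAT variable):
# Get-ArmServiceConnectionInventory -Organization 'contoso' -Project 'Payments' -Pat $env:AZDO_PAT |
#     Where-Object NeedsMigration | Format-Table Name, Id, AppId, Scheme
```

Run it once per project and keep the output; after the conversion, the same query should return no rows with NeedsMigration set, which confirms the bulk update took effect.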