Azure

Azure Pipelines YAML Complete Guide: Stages/Jobs/Steps, Templates, Variable Groups, Approval Gates

2026-05-24
NicheeLab Editorial Team

Azure Pipelines is the build and release automation service in Azure DevOps Services, defining CI/CD pipelines as YAML in a Pipelines as Code style. Microsoft offers it as the flagship CI/CD service alongside GitHub Actions, and it is the de facto standard for organizations on Azure DevOps Services. This article comprehensively covers Azure Pipelines YAML structure, Templates, Variable Groups, Environments, and Workload Identity Federation.

Basic Structure of a YAML Pipeline

Azure Pipelines YAML is defined as a hierarchy.

ElementRoleExample use
triggerConditions that start the pipelinebranch / path / tag filters
poolExecution agentMicrosoft-hosted or Self-hosted
variablesVariable definitionsInline variables, Variable Groups, Variable Templates
stagesLogical stagesBuild / Test / Deploy
jobsParallel execution unitsParallel jobs within a stage
stepsSequential execution unitsSequences of script / task

Minimal Sample: Hello World

trigger:
  branches:
    include:
      - main

pool:
  vmImage: ubuntu-latest

steps:
  - script: echo "Hello, Azure Pipelines!"
    displayName: 'Print greeting'

Choosing Between Stages, Jobs, and Steps

Stages

  • Large logical blocks (Build → Test → Deploy to Dev → Deploy to Prod)
  • Stages run sequentially (configurable dependencies)
  • Each stage can have an Approval Gate

Jobs

  • Parallel execution units within a stage
  • One job per agent
  • Useful for multi-platform builds across multiple OSes

Steps

  • Sequential execution units within a job
  • The smallest execution unit

Multi-stage Pipeline Example

stages:
  - stage: Build
    jobs:
      - job: BuildJob
        steps:
          - script: npm install
          - script: npm run build
          - publish: dist
            artifact: webapp

  - stage: DeployDev
    dependsOn: Build
    jobs:
      - deployment: DeployToDev
        environment: dev
        strategy:
          runOnce:
            deploy:
              steps:
                - download: current
                  artifact: webapp
                - task: AzureWebApp@1
                  inputs:
                    azureSubscription: 'AzureServiceConnection'
                    appName: 'myapp-dev'
                    package: '$(Pipeline.Workspace)/webapp'

  - stage: DeployProd
    dependsOn: DeployDev
    jobs:
      - deployment: DeployToProd
        environment: prod
        strategy:
          runOnce:
            deploy:
              steps:
                - download: current
                  artifact: webapp
                - task: AzureWebApp@1
                  inputs:
                    azureSubscription: 'AzureServiceConnection'
                    appName: 'myapp-prod'
                    package: '$(Pipeline.Workspace)/webapp'

Pipeline Templates

Pipeline Templates are reusable YAML pipeline components, in three flavors:

  • Stage Templates: reuse an entire stage (e.g. a standard build stage)
  • Job Templates: reuse at the job level (e.g. a standard test job)
  • Step Templates: reuse a sequence of steps (e.g. NuGet install + Build)

Step Template Example

# templates/build-node.yml
parameters:
  - name: nodeVersion
    type: string
    default: '20.x'
  - name: workingDirectory
    type: string

steps:
  - task: NodeTool@0
    inputs:
      versionSpec: ${{ parameters.nodeVersion }}
  - script: npm install
    workingDirectory: ${{ parameters.workingDirectory }}
  - script: npm run build
    workingDirectory: ${{ parameters.workingDirectory }}

Calling the Template

steps:
  - template: templates/build-node.yml
    parameters:
      nodeVersion: '20.x'
      workingDirectory: 'frontend'

Variables and Variable Groups

Ways to Define Variables

  • Inline in the pipeline: variables: { appName: 'myapp' }
  • Variable Group: centrally managed in the Azure DevOps Library
  • Variable Template: a reusable variable set
  • Key Vault integration: map secrets directly from Azure Key Vault

Key Vault Integration Example

variables:
  - group: KeyVaultGroup  # Azure DevOps Library で Key Vault Reference 設定済み

jobs:
  - job: Deploy
    steps:
      - script: |
          echo "Database connection: $(DB_CONNECTION_STRING)"
        env:
          DB_CONNECTION_STRING: $(DB_CONNECTION_STRING)

With Key Vault integration, secret values never sit in Azure DevOps - they are fetched dynamically from Key Vault at pipeline runtime. No pipeline changes are needed when secrets are rotated, making this a mandatory pattern for production.

Environments and Approval Gates

Environments logically manage deployment targets (Dev/Stage/Prod) in Azure DevOps. The following can be configured on each Environment:

  • Approval: Required Reviewers (1-3 mandatory approvers)
  • Gates: branch restriction, time window, Azure Monitor alerts, ServiceNow ticket checks
  • Resources: link Kubernetes / VM Resources to the Environment

For a Deploy Stage to a Production Environment, compose multi-gate logic like 'requires 2 approvers', 'deploy only outside business hours', and 'no Azure Monitor alerts in the last hour' to ship safely. Environments also retain deploy history, providing audit trails of who deployed what and when. This is a mandatory capability for SOC2 / ISO 27001 compliance.

Service Connections and Workload Identity Federation

Service Connections centrally manage authentication from Azure DevOps to external systems (Azure, GitHub, Docker, Kubernetes).

Evolution of Azure Authentication

  1. Service Principal + Secret (legacy, requires rotation)
  2. Service Principal + Certificate (moderate)
  3. Workload Identity Federation (WIF) (modern recommendation, no secrets)

WIF launched in Azure Pipelines in 2023. You configure a Federated Credential on the Service Principal and authenticate to Azure with OIDC tokens. Secret and certificate management is fully eliminated, dropping CI/CD secret-leak risk to zero. See Managed Identity vs Service Principal for details. For new Azure DevOps projects, WIF is the only correct choice and the industry standard.

Deployment Strategies

StrategyBehaviorWhen to use
RunOnceCompletes in a single deploySimple production deploys
RollingUpdate instances sequentiallyVM Scale Sets, phased releases
CanaryRelease to a small subset of instances firstLimited testing of new features
Blue-GreenDeploy by swapping between two environmentsApp Service Deployment Slots

Best Practices

  1. Always version-control your YAML (history and review via Git)
  2. Ensure reusability with Templates (managed centrally in a shared repository)
  3. Variable Groups + Key Vault integration (hardened secret management)
  4. Environments + Approval Gates (safe production releases)
  5. Workload Identity Federation (secretless CI/CD)
  6. Self-hosted Agents for secure environments (don't run sensitive IaC on public agents)
  7. Version-controlled artifacts (centralize nuget/npm/maven in Azure Artifacts)
  8. Keep pipeline runtime under 30 minutes (split or parallelize longer runs)
  9. Failure notifications (Teams / Slack integration)
  10. Lint Pipeline as Code (use the azure-pipelines-vscode extension)

Azure Pipelines vs GitHub Actions

ItemAzure PipelinesGitHub Actions
OwnerAzure DevOps ServicesGitHub
YAML syntaxazure-pipelines.yml.github/workflows/*.yml
Microsoft-hosted AgentFree 1,800 min/month (Public Repo)Free 2,000 min/month (Free Tier)
Approval GateEnvironment featureEnvironment + Reviewers
MarketplaceAzure DevOps MarketplaceGitHub Marketplace (overwhelmingly richer)
When to useExisting Azure DevOps environmentsNew projects, GitHub-centric

Related Certifications

Frequently Asked Questions

What are YAML pipelines in Azure Pipelines?

Azure Pipelines is the build and release automation service in Azure DevOps Services, defining CI/CD pipelines as YAML in a Pipelines as Code style. The azure-pipelines.yml file lives in the repository and is auto-updated on every Git commit. Classic Pipelines (UI-based, legacy) and YAML Pipelines (the modern mainstream) coexist; new projects should pick YAML without exception. It integrates with GitHub, Azure Repos, and Bitbucket Cloud, and runs on Microsoft-hosted Agents (Windows/Linux/macOS) or Self-hosted Agents. Microsoft positions it as the flagship CI/CD service alongside GitHub Actions, and it is the de facto standard for organizations on Azure DevOps Services.

What is the basic structure of a YAML pipeline?

It is hierarchical: 1) trigger (branch/path/tag conditions that start the pipeline), 2) pool (execution agent: Microsoft-hosted or Self-hosted), 3) variables (inline variables, Variable Groups, Variable Templates), 4) stages (logical phases like Build/Test/Deploy), 5) jobs (parallel units within a stage), 6) steps (sequential script/task steps within a job). Example: `trigger: branches: include: - main` → `pool: vmImage: ubuntu-latest` → `stages: - stage: Build jobs: - job: BuildJob steps: - script: npm install`. Conditions, dependencies, and Approval Gates can be defined at every level. A simple pipeline fits in 30 lines, while enterprise pipelines with Templates can scale to 1000+ lines.

How do you choose between Stages, Jobs, and Steps?

Stage: a large logical block (Build → Test → Deploy to Dev → Deploy to Prod). Stages run sequentially (with configurable dependencies) and each can have an Approval Gate. Job: the parallel execution unit within a stage; one agent per job, useful for multi-OS builds. Step: the sequential execution unit within a job, the smallest unit. Example: Build Stage → ParallelJob (npm build + npm test in parallel) → DeployStage → Job (Deploy to Azure). Approval Gates between stages use the Environment feature to require Reviewers, plus automated Gates (branch, time of day, service connection). Standard enterprise practice is to always require a manual approval on the Deploy Stage to Production.

What are Pipeline Templates?

Pipeline Templates are reusable YAML pipeline components in three flavors: 1) Stage Templates (reuse an entire stage, e.g. a standard build stage), 2) Job Templates (reuse a job, e.g. a standard test job), 3) Step Templates (reuse a sequence of steps, e.g. NuGet install + Build). Parameters provide flexibility (language, OS, container image, etc.). Templates can be shared across repositories by referencing another Repository in Resources. The established enterprise pattern is to manage common templates in a single Pipeline Library repository and reuse them across every CI/CD pipeline. With 10-20 templates you can cover 100+ projects and dramatically reduce maintenance cost.

How do Variable Groups and secret management work?

Variable Groups are variable sets shared across pipelines (e.g. per-environment connection strings), managed in the Azure DevOps Library pane. Variable Groups can link to Azure Key Vault to map secrets directly: the secret value never sits inside Azure DevOps but is fetched dynamically from Key Vault at pipeline runtime. This eliminates secret copies in Azure DevOps and removes the need to update pipelines when secrets are rotated. Implementation: 1) grant the Service Connection access to Key Vault (Workload Identity Federation recommended), 2) enable 'Link secrets from an Azure key vault' on the Variable Group, 3) reference it in the pipeline with `variables: group: KeyVaultGroup`. This is a mandatory pattern in production and significantly hardens secret management.

How do Environments and Approval Gates work?

Environments logically manage deployment targets (Dev/Stage/Prod) in Azure DevOps. Each Environment can have Approvals (Required Reviewers), Gates (branch restriction, time window, Azure Monitor alerts, ServiceNow integration), and Resources (Kubernetes/VM). For a Deploy Stage to a Production Environment you can compose gates like 'requires 2 approvers', 'deploy only outside business hours', and 'no Azure Monitor alerts in the last hour' to ship safely. Environments also retain deploy history, providing audit trails of who deployed what and when - a mandatory capability for SOC2 / ISO 27001 compliance.

What are Service Connections and Workload Identity Federation?

Service Connections centrally manage authentication from Azure DevOps to external systems (Azure, GitHub, Docker, Kubernetes). The evolution of Azure authentication: 1) Service Principal + Secret (legacy, requires rotation), 2) Service Principal + Certificate (moderate), 3) Workload Identity Federation (modern recommendation, no secrets). WIF launched in Azure Pipelines in 2023 - you configure a Federated Credential on the Service Principal and authenticate to Azure with OIDC tokens. No more secret or certificate management, eliminating CI/CD secret-leak risk. See the Managed Identity vs Service Principal article for details. For new Azure DevOps projects, WIF is the only correct choice and the industry standard.

Which certifications cover this topic?

AZ-400 (DevOps Engineer Expert) is the headline certification: Azure Pipelines YAML is tested deeply in Domain 3 (Build and Release Pipelines, 40-45%). AZ-104 (Administrator) covers Azure resource deployment basics, AZ-204 (Developer Associate, retiring 2026-07) covers CI/CD from a developer's view, AZ-305 (Solutions Architect Expert) covers DevOps strategy from an architect's view, and SC-100 (Cybersecurity Architect Expert) covers DevSecOps. For DevOps engineers and SREs at organizations on Azure DevOps Services, mastering Azure Pipelines YAML is mandatory and a core technology on the Azure DevOps engineer career roadmap.

Related articles and deep dives

Azure Pipelines Multi-stage YAML パターン集|Template・Approval Gate・Conditional・Matrix・Deployment Strategy【2026 年版】

Azure Pipelines Multi-stage YAML の実装パターン完全集。Stage / Job / Step / Task 階層・Pipeline Templates 再利用・Approval Gate & Manual Validation・Conditional Execution・Variable Groups・Matrix Strategy・Deployment Strategy (RunOnce/Rolling/Canary/Blue-Green)・関連認定試験 (AZ-400 / AZ-204) を日本語で網羅。

Azure Managed Identity vs Service Principal 完全比較|認証パターンの選定と実装ベストプラクティス【2026 年版】

Azure の認証エンティティ Managed Identity と Service Principal を完全比較。System-assigned / User-assigned の使い分け、Client Secret vs Certificate vs Workload Identity Federation の選定、AKS Workload Identity、Azure サービス対応状況、関連認定試験 (SC-300 / AZ-204 / AZ-400) を日本語で網羅。実装パターン集付き。

Azure Key Vault 完全ガイド|Secret/Key/Certificate 管理・Managed Identity 統合・セキュリティベストプラクティス【2026 年版】

Azure Key Vault の完全ガイド。Standard vs Premium vs Managed HSM ティア選定、Secret / Key / Certificate の使い分け、RBAC ベースアクセス制御、Managed Identity 統合 (シークレットレスアプリ)、Soft Delete / Purge Protection、Private Endpoint、Microsoft Defender for Key Vault、関連認定試験 (AZ-204 / SC-300 / SC-100) を日本語で網羅。

Azure Kubernetes Service (AKS) 入門ガイド|アーキテクチャ・Networking・Ingress・セキュリティ完全解説【2026 年版】

Azure Kubernetes Service (AKS) の入門ガイド。Control Plane と Node Pool の構造、Azure CNI Overlay vs Kubenet の選定、Application Gateway / NGINX Ingress 選定、Workload Identity (新方式)、Private Cluster・Microsoft Defender for Containers・Azure Policy のセキュリティ、関連認定試験 (AZ-104 / AZ-204 / AZ-400 / CKA) を日本語で網羅。

The technical information in this article is based on the Azure Pipelines Documentation. This article is not an official Microsoft Corporation product and has no affiliation or sponsorship. Microsoft, Azure, Azure DevOps, and GitHub are trademarks of the Microsoft group of companies. Information reflects official public materials as of May 24, 2026. Always confirm the latest details on the official pages.

Check what you learned with practice questions

Practice with certification-focused question sets

View the Azure exam prep page
Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.


Related articles
Azure

AZ-900 Azure Fundamentals: Complete Exam Guide (2026)

Pass AZ-900 — cloud concepts, Azure architecture, management...

Azure

Azure Certification Roadmap: Which Cert to Take Next (2026)

Choose your Azure certification path — Fundamentals, Associa...

Azure

AI-901 Azure AI Fundamentals (Beta): Complete Guide (2026)

Pass AI-901 — Microsoft Foundry, generative AI, responsible ...

Azure

Microsoft Entra ID Fundamentals for Azure Certs (2026)

Entra ID basics every cert candidate needs — tenants, identi...

Azure

DP-900 Azure Data Fundamentals: Complete Guide (2026)

Pass DP-900 — relational, non-relational, analytics, Power B...

Browse all Azure articles (104)
© 2026 NicheeLab All rights reserved.