Azure Pipelines is the build and release automation service in Azure DevOps Services, defining CI/CD pipelines as YAML in a Pipelines as Code style. Microsoft offers it as the flagship CI/CD service alongside GitHub Actions, and it is the de facto standard for organizations on Azure DevOps Services. This article comprehensively covers Azure Pipelines YAML structure, Templates, Variable Groups, Environments, and Workload Identity Federation.
Azure Pipelines YAML is defined as a hierarchy.
| Element | Role | Example use |
|---|---|---|
| trigger | Conditions that start the pipeline | branch / path / tag filters |
| pool | Execution agent | Microsoft-hosted or Self-hosted |
| variables | Variable definitions | Inline variables, Variable Groups, Variable Templates |
| stages | Logical stages | Build / Test / Deploy |
| jobs | Parallel execution units | Parallel jobs within a stage |
| steps | Sequential execution units | Sequences of script / task |
trigger:
branches:
include:
- main
pool:
vmImage: ubuntu-latest
steps:
- script: echo "Hello, Azure Pipelines!"
displayName: 'Print greeting'stages:
- stage: Build
jobs:
- job: BuildJob
steps:
- script: npm install
- script: npm run build
- publish: dist
artifact: webapp
- stage: DeployDev
dependsOn: Build
jobs:
- deployment: DeployToDev
environment: dev
strategy:
runOnce:
deploy:
steps:
- download: current
artifact: webapp
- task: AzureWebApp@1
inputs:
azureSubscription: 'AzureServiceConnection'
appName: 'myapp-dev'
package: '$(Pipeline.Workspace)/webapp'
- stage: DeployProd
dependsOn: DeployDev
jobs:
- deployment: DeployToProd
environment: prod
strategy:
runOnce:
deploy:
steps:
- download: current
artifact: webapp
- task: AzureWebApp@1
inputs:
azureSubscription: 'AzureServiceConnection'
appName: 'myapp-prod'
package: '$(Pipeline.Workspace)/webapp'Pipeline Templates are reusable YAML pipeline components, in three flavors:
# templates/build-node.yml
parameters:
- name: nodeVersion
type: string
default: '20.x'
- name: workingDirectory
type: string
steps:
- task: NodeTool@0
inputs:
versionSpec: ${{ parameters.nodeVersion }}
- script: npm install
workingDirectory: ${{ parameters.workingDirectory }}
- script: npm run build
workingDirectory: ${{ parameters.workingDirectory }}steps:
- template: templates/build-node.yml
parameters:
nodeVersion: '20.x'
workingDirectory: 'frontend'variables: { appName: 'myapp' }variables:
- group: KeyVaultGroup # Azure DevOps Library で Key Vault Reference 設定済み
jobs:
- job: Deploy
steps:
- script: |
echo "Database connection: $(DB_CONNECTION_STRING)"
env:
DB_CONNECTION_STRING: $(DB_CONNECTION_STRING)With Key Vault integration, secret values never sit in Azure DevOps - they are fetched dynamically from Key Vault at pipeline runtime. No pipeline changes are needed when secrets are rotated, making this a mandatory pattern for production.
Environments logically manage deployment targets (Dev/Stage/Prod) in Azure DevOps. The following can be configured on each Environment:
For a Deploy Stage to a Production Environment, compose multi-gate logic like 'requires 2 approvers', 'deploy only outside business hours', and 'no Azure Monitor alerts in the last hour' to ship safely. Environments also retain deploy history, providing audit trails of who deployed what and when. This is a mandatory capability for SOC2 / ISO 27001 compliance.
Service Connections centrally manage authentication from Azure DevOps to external systems (Azure, GitHub, Docker, Kubernetes).
WIF launched in Azure Pipelines in 2023. You configure a Federated Credential on the Service Principal and authenticate to Azure with OIDC tokens. Secret and certificate management is fully eliminated, dropping CI/CD secret-leak risk to zero. See Managed Identity vs Service Principal for details. For new Azure DevOps projects, WIF is the only correct choice and the industry standard.
| Strategy | Behavior | When to use |
|---|---|---|
| RunOnce | Completes in a single deploy | Simple production deploys |
| Rolling | Update instances sequentially | VM Scale Sets, phased releases |
| Canary | Release to a small subset of instances first | Limited testing of new features |
| Blue-Green | Deploy by swapping between two environments | App Service Deployment Slots |
| Item | Azure Pipelines | GitHub Actions |
|---|---|---|
| Owner | Azure DevOps Services | GitHub |
| YAML syntax | azure-pipelines.yml | .github/workflows/*.yml |
| Microsoft-hosted Agent | Free 1,800 min/month (Public Repo) | Free 2,000 min/month (Free Tier) |
| Approval Gate | Environment feature | Environment + Reviewers |
| Marketplace | Azure DevOps Marketplace | GitHub Marketplace (overwhelmingly richer) |
| When to use | Existing Azure DevOps environments | New projects, GitHub-centric |
What are YAML pipelines in Azure Pipelines?
Azure Pipelines is the build and release automation service in Azure DevOps Services, defining CI/CD pipelines as YAML in a Pipelines as Code style. The azure-pipelines.yml file lives in the repository and is auto-updated on every Git commit. Classic Pipelines (UI-based, legacy) and YAML Pipelines (the modern mainstream) coexist; new projects should pick YAML without exception. It integrates with GitHub, Azure Repos, and Bitbucket Cloud, and runs on Microsoft-hosted Agents (Windows/Linux/macOS) or Self-hosted Agents. Microsoft positions it as the flagship CI/CD service alongside GitHub Actions, and it is the de facto standard for organizations on Azure DevOps Services.
What is the basic structure of a YAML pipeline?
It is hierarchical: 1) trigger (branch/path/tag conditions that start the pipeline), 2) pool (execution agent: Microsoft-hosted or Self-hosted), 3) variables (inline variables, Variable Groups, Variable Templates), 4) stages (logical phases like Build/Test/Deploy), 5) jobs (parallel units within a stage), 6) steps (sequential script/task steps within a job). Example: `trigger: branches: include: - main` → `pool: vmImage: ubuntu-latest` → `stages: - stage: Build jobs: - job: BuildJob steps: - script: npm install`. Conditions, dependencies, and Approval Gates can be defined at every level. A simple pipeline fits in 30 lines, while enterprise pipelines with Templates can scale to 1000+ lines.
How do you choose between Stages, Jobs, and Steps?
Stage: a large logical block (Build → Test → Deploy to Dev → Deploy to Prod). Stages run sequentially (with configurable dependencies) and each can have an Approval Gate. Job: the parallel execution unit within a stage; one agent per job, useful for multi-OS builds. Step: the sequential execution unit within a job, the smallest unit. Example: Build Stage → ParallelJob (npm build + npm test in parallel) → DeployStage → Job (Deploy to Azure). Approval Gates between stages use the Environment feature to require Reviewers, plus automated Gates (branch, time of day, service connection). Standard enterprise practice is to always require a manual approval on the Deploy Stage to Production.
What are Pipeline Templates?
Pipeline Templates are reusable YAML pipeline components in three flavors: 1) Stage Templates (reuse an entire stage, e.g. a standard build stage), 2) Job Templates (reuse a job, e.g. a standard test job), 3) Step Templates (reuse a sequence of steps, e.g. NuGet install + Build). Parameters provide flexibility (language, OS, container image, etc.). Templates can be shared across repositories by referencing another Repository in Resources. The established enterprise pattern is to manage common templates in a single Pipeline Library repository and reuse them across every CI/CD pipeline. With 10-20 templates you can cover 100+ projects and dramatically reduce maintenance cost.
How do Variable Groups and secret management work?
Variable Groups are variable sets shared across pipelines (e.g. per-environment connection strings), managed in the Azure DevOps Library pane. Variable Groups can link to Azure Key Vault to map secrets directly: the secret value never sits inside Azure DevOps but is fetched dynamically from Key Vault at pipeline runtime. This eliminates secret copies in Azure DevOps and removes the need to update pipelines when secrets are rotated. Implementation: 1) grant the Service Connection access to Key Vault (Workload Identity Federation recommended), 2) enable 'Link secrets from an Azure key vault' on the Variable Group, 3) reference it in the pipeline with `variables: group: KeyVaultGroup`. This is a mandatory pattern in production and significantly hardens secret management.
How do Environments and Approval Gates work?
Environments logically manage deployment targets (Dev/Stage/Prod) in Azure DevOps. Each Environment can have Approvals (Required Reviewers), Gates (branch restriction, time window, Azure Monitor alerts, ServiceNow integration), and Resources (Kubernetes/VM). For a Deploy Stage to a Production Environment you can compose gates like 'requires 2 approvers', 'deploy only outside business hours', and 'no Azure Monitor alerts in the last hour' to ship safely. Environments also retain deploy history, providing audit trails of who deployed what and when - a mandatory capability for SOC2 / ISO 27001 compliance.
What are Service Connections and Workload Identity Federation?
Service Connections centrally manage authentication from Azure DevOps to external systems (Azure, GitHub, Docker, Kubernetes). The evolution of Azure authentication: 1) Service Principal + Secret (legacy, requires rotation), 2) Service Principal + Certificate (moderate), 3) Workload Identity Federation (modern recommendation, no secrets). WIF launched in Azure Pipelines in 2023 - you configure a Federated Credential on the Service Principal and authenticate to Azure with OIDC tokens. No more secret or certificate management, eliminating CI/CD secret-leak risk. See the Managed Identity vs Service Principal article for details. For new Azure DevOps projects, WIF is the only correct choice and the industry standard.
Which certifications cover this topic?
AZ-400 (DevOps Engineer Expert) is the headline certification: Azure Pipelines YAML is tested deeply in Domain 3 (Build and Release Pipelines, 40-45%). AZ-104 (Administrator) covers Azure resource deployment basics, AZ-204 (Developer Associate, retiring 2026-07) covers CI/CD from a developer's view, AZ-305 (Solutions Architect Expert) covers DevOps strategy from an architect's view, and SC-100 (Cybersecurity Architect Expert) covers DevSecOps. For DevOps engineers and SREs at organizations on Azure DevOps Services, mastering Azure Pipelines YAML is mandatory and a core technology on the Azure DevOps engineer career roadmap.
Related articles and deep dives
Azure Pipelines Multi-stage YAML パターン集|Template・Approval Gate・Conditional・Matrix・Deployment Strategy【2026 年版】
Azure Pipelines Multi-stage YAML の実装パターン完全集。Stage / Job / Step / Task 階層・Pipeline Templates 再利用・Approval Gate & Manual Validation・Conditional Execution・Variable Groups・Matrix Strategy・Deployment Strategy (RunOnce/Rolling/Canary/Blue-Green)・関連認定試験 (AZ-400 / AZ-204) を日本語で網羅。
Azure Managed Identity vs Service Principal 完全比較|認証パターンの選定と実装ベストプラクティス【2026 年版】
Azure の認証エンティティ Managed Identity と Service Principal を完全比較。System-assigned / User-assigned の使い分け、Client Secret vs Certificate vs Workload Identity Federation の選定、AKS Workload Identity、Azure サービス対応状況、関連認定試験 (SC-300 / AZ-204 / AZ-400) を日本語で網羅。実装パターン集付き。
Azure Key Vault 完全ガイド|Secret/Key/Certificate 管理・Managed Identity 統合・セキュリティベストプラクティス【2026 年版】
Azure Key Vault の完全ガイド。Standard vs Premium vs Managed HSM ティア選定、Secret / Key / Certificate の使い分け、RBAC ベースアクセス制御、Managed Identity 統合 (シークレットレスアプリ)、Soft Delete / Purge Protection、Private Endpoint、Microsoft Defender for Key Vault、関連認定試験 (AZ-204 / SC-300 / SC-100) を日本語で網羅。
Azure Kubernetes Service (AKS) 入門ガイド|アーキテクチャ・Networking・Ingress・セキュリティ完全解説【2026 年版】
Azure Kubernetes Service (AKS) の入門ガイド。Control Plane と Node Pool の構造、Azure CNI Overlay vs Kubenet の選定、Application Gateway / NGINX Ingress 選定、Workload Identity (新方式)、Private Cluster・Microsoft Defender for Containers・Azure Policy のセキュリティ、関連認定試験 (AZ-104 / AZ-204 / AZ-400 / CKA) を日本語で網羅。
The technical information in this article is based on the Azure Pipelines Documentation. This article is not an official Microsoft Corporation product and has no affiliation or sponsorship. Microsoft, Azure, Azure DevOps, and GitHub are trademarks of the Microsoft group of companies. Information reflects official public materials as of May 24, 2026. Always confirm the latest details on the official pages.
Practice with certification-focused question sets
View the Azure exam prep pageNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
AZ-900 Azure Fundamentals: Complete Exam Guide (2026)
Pass AZ-900 — cloud concepts, Azure architecture, management...
Azure Certification Roadmap: Which Cert to Take Next (2026)
Choose your Azure certification path — Fundamentals, Associa...
AI-901 Azure AI Fundamentals (Beta): Complete Guide (2026)
Pass AI-901 — Microsoft Foundry, generative AI, responsible ...
Microsoft Entra ID Fundamentals for Azure Certs (2026)
Entra ID basics every cert candidate needs — tenants, identi...
DP-900 Azure Data Fundamentals: Complete Guide (2026)
Pass DP-900 — relational, non-relational, analytics, Power B...