Enhance CI/CD documentation for Workload Identity Federation #127844
While the existing note accurately states that WIF is not supported, it does not help enterprise users adhere to Microsoft’s security baseline that favors federated auth over stored secrets. Adding explicit references to the official WIF docs and CLI workaround aligns this page with Microsoft’s own DevOps authentication guidelines and prevents customers from falling back to less secure credentials. Secondly, when we say something is not supported, we also need to mention the workaround. I am a Microsoft FTE (Satishbal is my alias).
@xsatishx: Thanks for your contribution! The author(s) and reviewer(s) have been notified to review your proposed change.
Learn Build status updates of commit 67df643:
| File | Status | Preview URL | Details |
|---|---|---|---|
| articles/synapse-analytics/cicd/continuous-integration-delivery.md | | | Details |

articles/synapse-analytics/cicd/continuous-integration-delivery.md
- Line 257, Column 11: [Warning: hard-coded-locale - See documentation] Link 'https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/reference/azure-cli-v2' contains locale code 'en-us'. For localizability, remove 'en-us' from links to most Microsoft sites.
- Line 258, Column 6: [Warning: hard-coded-locale - See documentation] Link 'https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/reference/powershell-v2' contains locale code 'en-us'. For localizability, remove 'en-us' from links to most Microsoft sites.
- Line 260, Column 3: [Warning: hard-coded-locale - See documentation] Link 'https://learn.microsoft.com/en-us/azure/devops/pipelines/library/connect-to-azure?view=azure-devops#workload-identity-federation' contains locale code 'en-us'. For localizability, remove 'en-us' from links to most Microsoft sites.
- Line 257, Column 11: [Suggestion: docs-link-absolute - See documentation] Absolute link 'https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/reference/azure-cli-v2' will be broken in isolated environments. Replace with a relative link.
- Line 258, Column 6: [Suggestion: docs-link-absolute - See documentation] Absolute link 'https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/reference/powershell-v2' will be broken in isolated environments. Replace with a relative link.
- Line 260, Column 3: [Suggestion: docs-link-absolute - See documentation] Absolute link 'https://learn.microsoft.com/en-us/azure/devops/pipelines/library/connect-to-azure?view=azure-devops#workload-identity-federation' will be broken in isolated environments. Replace with a relative link.
- Line 260, Column 3: [Suggestion: preserve-view-not-set - See documentation] You've pinned this link to a specific version of content with the view parameter. It's recommended not to pin a version unless that version is A) not the default view and B) the context is about that version specifically. To proceed with pinning a version add the &preserve-view=true to the URL. Otherwise, remove the view parameter. URL: https://learn.microsoft.com/en-us/azure/devops/pipelines/library/connect-to-azure?view=azure-devops#workload-identity-federation
For more details, please refer to the build report.
Note: Your PR may contain errors or warnings or suggestions unrelated to the files you changed. This happens when external dependencies like GitHub alias, Microsoft alias, cross repo links are updated. Please use these instructions to resolve them.
Changed the locale links
Learn Build status updates of commit da7daf2: 💡 Validation status: suggestions
articles/synapse-analytics/cicd/continuous-integration-delivery.md
For more details, please refer to the build report.
Note: Your PR may contain errors or warnings or suggestions unrelated to the files you changed. This happens when external dependencies like GitHub alias, Microsoft alias, cross repo links are updated. Please use these instructions to resolve them.
Pull Request Overview
This PR enhances the CI/CD documentation by providing secure alternatives to the unsupported Workload Identity Federation (WIF) in Synapse Workspace deployment extension. It adds guidance on using Azure CLI and PowerShell tasks with federated service connections as a workaround.
Key Changes:
- Adds documentation referencing official Microsoft WIF documentation
- Provides CLI-based workaround using AzureCLI@2 and PowerShell tasks for secret-less authentication
| > | ||
| > Currently, the DevOps Service Connection with **Workload Identity Federation (WIF)** is not supported in Synapse Workspace deployment extension. Switch to secret mode to make the connection successful. | ||
| > For secure, secret-less alternatives that fully support Workload Identity Federation (WIF), | ||
| > use the [AzureCLI@2](https://learn.microsoft.com/azure/devops/pipelines/tasks/reference/azure-cli-v2) |
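Review bot: The retained sentence "Switch to secret mode to make the connection successful" still reads as the instruction to follow, and the secret-less alternative is appended after it without saying when each applies. State that secret mode is needed only when the Synapse Workspace deployment extension task itself is used, and say what the AzureCLI@2 or PowerShell task has to run in place of the extension, since naming the tasks alone does not give the reader a working deployment path. "Fully support" is also a strong claim for a note that gives no steps; "support" would be enough.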
Copilot AI, Nov 6, 2025
The task reference link points to 'azure-cli-v2' but references 'AzureCLI@2'. Consider using consistent naming. The Azure DevOps task is typically referenced as 'AzureCLI@2' in YAML but the URL slug uses 'azure-cli-v2'. Verify this is the correct link format for the intended task version.
| > use the [AzureCLI@2](https://learn.microsoft.com/azure/devops/pipelines/tasks/reference/azure-cli-v2) | ||
| > or [PowerShell](https://learn.microsoft.com/azure/devops/pipelines/tasks/reference/powershell-v2) | ||
| > pipeline tasks with a federated service connection, as described in | ||
| > [Connect to Azure using Workload Identity Federation](https://learn.microsoft.com/azure/devops/pipelines/library/connect-to-azure?view=azure-devops#workload-identity-federation). |
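Review bot: The last link in this hunk keeps `?view=azure-devops` without `&preserve-view=true`, which the Learn Build validation reported as preserve-view-not-set for line 260. Either drop the view parameter or append `&preserve-view=true`. All three links are also still absolute, which the same report flagged as docs-link-absolute; relative links would clear that suggestion.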
Copilot AI, Nov 6, 2025
The URL includes a fragment identifier '#workload-identity-federation' which may be case-sensitive and could break if the target page's heading changes. Consider verifying this anchor exists on the target page or using a more stable link if available.
| > [Connect to Azure using Workload Identity Federation](https://learn.microsoft.com/azure/devops/pipelines/library/connect-to-azure?view=azure-devops#workload-identity-federation). | |
| > [Connect to Azure using Workload Identity Federation](https://learn.microsoft.com/azure/devops/pipelines/library/connect-to-azure?view=azure-devops). |
Can you review the proposed changes? Important: When the changes are ready for publication, adding a #label:"aq-pr-triaged"