Authentication
For a deep dive on configuring Managed Identity or Workload Identity Federation, follow this guide.
The Observes task supports two service connection types, selected via the Authentication Method input: Observes and ARM. Each supports multiple credential kinds.
Option 1: Observes Service Connection
An Observes service connection is created under Project Settings > Service connections > New service connection > Observes Azure DevOps Scanner. It supports three credential kinds:
1a. PAT (Personal Access Token)
Best for quick setup. Least recommended for production due to manual token rotation.
Create the service connection:
- Go to Project Settings > Service connections > New service connection > Observes Azure DevOps Scanner
- Select Basic Authentication as the Authentication method
- Enter the PAT token in the input field
- Name the Service Connection and save (for example: service-connection-observes-pat)
Pipeline:
- task: observes@1
  displayName: 'Observes Security Scan'
  inputs:
    authMethod: observes
    observesServiceConnection: 'service-connection-observes-pat'
    organization: 'my-ado-org'
1b. Service Principal - Client Secret
Create the service connection:
- Go to Project Settings > Service connections > New service connection > Observes Azure DevOps Scanner
- Select Token Based Authentication as the Authentication method
- Enter your Tenant ID, Client ID, and Client Secret
- Name the Service Connection and save (for example: service-connection-observes-app-reg-secret)
Pipeline:
- task: observes@1
  displayName: 'Observes Security Scan'
  inputs:
    authMethod: observes
    observesServiceConnection: 'service-connection-observes-app-reg-secret'
    organization: 'my-ado-org'
1c. Service Principal - Certificate
Create the service connection:
- Go to Project Settings > Service connections > New service connection > Observes Azure DevOps Scanner
- Select Certificate Based as the Authentication method
- Enter your Tenant ID, Client ID, and upload the PEM certificate
- Name the Service Connection and save (for example: service-connection-observes-app-reg-cert)
Pipeline:
- task: observes@1
  displayName: 'Observes Security Scan'
  inputs:
    authMethod: observes
    observesServiceConnection: 'service-connection-observes-app-reg-cert'
    organization: 'my-ado-org'
Option 2: ARM Service Connection
Uses a standard Azure Resource Manager service connection. If you already have an ARM service connection configured in your project, you can point the Observes task directly at it - no separate Observes service connection needed. Because an ARM connection does not embed an Azure DevOps organization name, the organization field is always required when using this method.
The task automatically maps the ARM connection's credential kind to the correct scanner auth mode:
Note: System-Assigned Managed Identity connections only work on self-hosted agents running on Azure compute with a managed identity attached. For Microsoft-hosted runners, use Workload Identity Federation / User-Assigned Managed Identities instead.
2a. Workload Identity Federation (recommended)
Head over to this guide for more information about managed identity setups.
Create the service connection:
- Go to Project Settings > Service connections > New service connection > Azure Resource Manager
- Select Workload Identity Federation (automatic) - ADO creates and configures the app registration for you
- Select your subscription and optionally scope to a resource group
- Name the Service Connection and save (for example: service-connection-arm-app-reg-wif)
Pipeline:
- task: observes@1
  displayName: 'Observes Security Scan'
  inputs:
    authMethod: arm
    armServiceConnection: 'service-connection-arm-app-reg-wif'
    organization: 'my-ado-org'
2b. Service Principal - Client Secret
Create the service connection:
- Go to Project Settings > Service connections > New service connection > Azure Resource Manager
- Select Service Principal (manual)
- Enter your Tenant ID, Subscription ID, Client ID, and Client Secret
- Name the Service Connection and save (for example: service-connection-arm-app-reg-secret)
Pipeline:
- task: observes@1
  displayName: 'Observes Security Scan'
  inputs:
    authMethod: arm
    armServiceConnection: 'service-connection-arm-app-reg-secret'
    organization: 'my-ado-org'
2c. Service Principal - Certificate
Create the service connection:
1. Go to Project Settings > Service connections > New service connection > Azure Resource Manager
2. Select Service Principal (manual)
3. Enter your Tenant ID, Subscription ID, Client ID, and upload the certificate
4. Name the Service Connection and save (for example: service-connection-arm-app-reg-cert)
Pipeline:
- task: observes@1
  displayName: 'Observes Security Scan'
  inputs:
    authMethod: arm
    armServiceConnection: 'service-connection-arm-app-reg-cert'
    organization: 'my-ado-org'
Full example - all methods in one pipeline
trigger: none

pool:
  vmImage: ubuntu-latest

jobs:
  # ARM - Workload Identity Federation
  - job: RunObservesArmWif
    steps:
      - task: observes@1
        displayName: 'ARM - WIF'
        inputs:
          authMethod: arm
          armServiceConnection: 'service-connection-arm-app-reg-wif'
          organization: 'my-ado-org'

  # ARM - Service Principal (secret)
  - job: RunObservesArmSecret
    steps:
      - task: observes@1
        displayName: 'ARM - SP Secret'
        inputs:
          authMethod: arm
          armServiceConnection: 'service-connection-arm-app-reg-secret'
          organization: 'my-ado-org'

  # ARM - Service Principal (certificate)
  - job: RunObservesArmCert
    steps:
      - task: observes@1
        displayName: 'ARM - SP Certificate'
        inputs:
          authMethod: arm
          armServiceConnection: 'service-connection-arm-app-reg-cert'
          organization: 'my-ado-org'

  # Observes - PAT
  - job: RunObservesObsPat
    steps:
      - task: observes@1
        displayName: 'Observes - PAT'
        inputs:
          authMethod: observes
          observesServiceConnection: 'service-connection-observes-pat'
          organization: 'my-ado-org'

  # Observes - Service Principal (secret)
  - job: RunObservesObsSecret
    steps:
      - task: observes@1
        displayName: 'Observes - SP Secret'
        inputs:
          authMethod: observes
          observesServiceConnection: 'service-connection-observes-app-reg-secret'
          organization: 'my-ado-org'

  # Observes - Service Principal (certificate)
  - job: RunObservesObsCert
    steps:
      - task: observes@1
        displayName: 'Observes - SP Certificate'
        inputs:
          authMethod: observes
          observesServiceConnection: 'service-connection-observes-app-reg-cert'
          organization: 'my-ado-org'
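
A pre-merge check for the input rules described above, as an added example (not part of the Observes task or its documentation): it flags observes steps whose authMethod is neither of the two documented values or whose matching connection input is missing, including the organization field that ARM connections always need. The REQUIRED table is inferred from this page's examples, the sample pipeline is constructed, and the parser is a simple line-based one that assumes one `key: value` per line rather than a full YAML library.

```python
import re

# Constructed sample pipeline (not from the page): the second step uses an ARM
# connection without `organization`; the third has an unknown authMethod.
SAMPLE = """\
steps:
  - task: observes@1
    inputs:
      authMethod: observes
      observesServiceConnection: 'service-connection-observes-pat'
  - task: observes@1
    inputs:
      authMethod: arm
      armServiceConnection: 'service-connection-arm-app-reg-wif'
  - task: observes@1
    inputs:
      authMethod: pat
"""

# Inputs per authMethod, inferred from this page's examples plus its rule that
# `organization` is always required with an ARM connection.
REQUIRED = {"observes": ["observesServiceConnection"],
            "arm": ["armServiceConnection", "organization"]}
KEY_VALUE = re.compile(r"\s+(\w+):\s*['\"]?([^'\"#]*?)['\"]?\s*(?:#.*)?$")

def observes_steps(text):
    """Yield (line_no, inputs) per observes task; line-based, no YAML library."""
    step = None
    for no, line in enumerate(text.splitlines(), 1):
        item = re.match(r"\s*-\s*(\w+):\s*(\S*)", line)
        if item:  # any new list item (task, job, script) closes the current step
            if step:
                yield step
            is_observes = item.group(1) == "task" and item.group(2).startswith("observes@")
            step = (no, {}) if is_observes else None
        elif step:
            kv = KEY_VALUE.match(line)
            if kv and kv.group(2):
                step[1][kv.group(1)] = kv.group(2)
    if step:
        yield step

def lint(text):
    """Return (line_no, message) findings for observes steps in a pipeline file."""
    findings = []
    for no, inputs in observes_steps(text):
        method = inputs.get("authMethod")
        if method not in REQUIRED:
            findings.append((no, f"authMethod {method!r} is not 'observes' or 'arm'"))
        for name in REQUIRED.get(method, []):
            if name not in inputs:
                findings.append((no, f"authMethod '{method}' requires {name}"))
    return findings
```

Call `lint()` on the text of a pipeline file in a pull-request check and fail the build when the returned list is not empty.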