
PAT Migration: dn-bot-dnceng-build-r-code-r-project-r-profile-r (dotneteng-status) #6490

Open
missymessa wants to merge 1 commit into main from missymessa-10136

Conversation

@missymessa (Member)

Work Item

AB#10136 - PAT Migration: dn-bot-dnceng-build-r-code-r-project-r-profile-r

Summary

Migrates the `dn-bot-dnceng-build-r-code-r-project-r-profile-r` PAT used by the dotneteng-status web app (build monitor) to Entra bearer-token authentication using a new dotneteng-status-identity Managed Identity.

Code Changes (4 files)

Configuration:

  • settings.json — Removed `AccessToken` vault reference from `build-monitor/dnceng` (MI will be used instead)
  • settings.Staging.json — Added `AzureDevOps.build-monitor/dnceng.ManagedIdentityClientId` = `8cd89985-08e4-4baa-86f1-76ee58b6b393`
  • settings.Production.json — Added `AzureDevOps.build-monitor/dnceng.ManagedIdentityClientId` = `a73bcdd4-aba9-40a7-af0c-f95b8eb5ab62`

Secret Manager:

  • dotneteng-status-secrets.yaml — Deprecated `dn-bot-dnceng-build-r-code-r-project-r-profile-r` (changed to `type: text` with deprecation notice)

Azure Resources Provisioned (out-of-repo)

Managed Identities Created:

| Environment | MI Name | Client ID | Resource Group | Subscription |
| --- | --- | --- | --- | --- |
| Staging | dotneteng-status-identity | `8cd89985-08e4-4baa-86f1-76ee58b6b393` | monitoring | `cab65fc3-...` |
| Production | dotneteng-status-identity | `a73bcdd4-aba9-40a7-af0c-f95b8eb5ab62` | monitoring | `68672ab8-...` |

App Service MI Assignments:

  • `dotneteng-status-staging` ← dotneteng-status-identity (staging)
  • `dotneteng-status` ← dotneteng-status-identity (production)

Azure DevOps Organization Access (`dnceng`):

| MI | AzDO SP Descriptor | Group |
| --- | --- | --- |
| Prod | `aadsp.ZDMxNmY0MjQtMDIwNC03MWQyLWE3ZDctZmVmN2FmMjhiNDYw` | [internal] Readers |
| Staging | `aadsp.MTgwYWFkYTAtNTRjYi03NmFiLWIyMTYtZmM0MTUxMTg0NGNj` | [internal] Readers |

How It Works

The `AzureDevOpsClient` already supports MI-based auth — when `ManagedIdentityClientId` is set and `AccessToken` is absent, it uses `ManagedIdentityCredential` to acquire Entra bearer tokens for Azure DevOps. The existing `AzureDevOpsClient.PostDeploymentTests` validate this code path.
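As an added illustration (not the project's own `AzureDevOpsClient` code), this C# snippet shows the credential selection the paragraph above relies on: a configured `AccessToken` keeps the PAT path, otherwise a configured `ManagedIdentityClientId` drives `ManagedIdentityCredential`. It assumes the Azure.Identity package and uses Microsoft's documented Azure DevOps resource scope for Entra tokens; the `AzureDevOpsSettings` record is a stand-in for the per-org settings block.

```csharp
// Added example, not the project's AzureDevOpsClient. Assumes Azure.Identity is referenced.
using System;
using System.Net.Http.Headers;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

// Stand-in for one per-org settings block (e.g. "build-monitor/dnceng") from settings*.json.
public sealed record AzureDevOpsSettings(string? AccessToken, string? ManagedIdentityClientId);

public static class AzureDevOpsAuth
{
    // Entra application ID of Azure DevOps; a token for this audience is accepted as a bearer token.
    private const string AzureDevOpsScope = "499b84ac-1321-427f-aa17-267ca6975798/.default";

    public static async Task<AuthenticationHeaderValue> CreateAuthHeaderAsync(
        AzureDevOpsSettings settings, CancellationToken ct = default)
    {
        // Legacy path: a PAT from Key Vault is sent as HTTP Basic with an empty user name.
        if (!string.IsNullOrEmpty(settings.AccessToken))
        {
            string basic = Convert.ToBase64String(Encoding.ASCII.GetBytes(":" + settings.AccessToken));
            return new AuthenticationHeaderValue("Basic", basic);
        }

        // MI path: AccessToken absent and a user-assigned identity client ID configured.
        // The client ID selects which identity assigned to the App Service is used.
        if (!string.IsNullOrEmpty(settings.ManagedIdentityClientId))
        {
            var credential = new ManagedIdentityCredential(settings.ManagedIdentityClientId);
            AccessToken token = await credential.GetTokenAsync(
                new TokenRequestContext(new[] { AzureDevOpsScope }), ct);
            return new AuthenticationHeaderValue("Bearer", token.Token);
        }

        // Neither configured: fail loudly rather than sending unauthenticated requests.
        throw new InvalidOperationException(
            "Neither AccessToken nor ManagedIdentityClientId is configured for this Azure DevOps org.");
    }
}
```

After the PAT entry is removed from settings.json, only the MI branch can be taken, which is what makes the later Key Vault and PAT cleanup safe.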

Post-Merge Cleanup

After validating the MI works in production:

  1. Delete the deprecated `dn-bot-dnceng-build-r-code-r-project-r-profile-r` entry from `dotneteng-status-secrets.yaml`
  2. Remove the corresponding PAT secrets from Key Vaults (`dotneteng-status-prod`, `dotneteng-status-staging`, `dotneteng-status-local`)
  3. Revoke the `dn-bot-dnceng-build-r-code-r-project-r-profile-r` PAT from the `dn-bot` Azure DevOps account

…eteng-status) AB#10136

Migrate the build-monitor/dnceng PAT to dotneteng-status-identity Managed
Identity for Entra bearer-token authentication.

Changes:
- settings.json: Remove AccessToken vault reference from build-monitor/dnceng
- settings.Staging.json: Add ManagedIdentityClientId for build-monitor/dnceng
- settings.Production.json: Add ManagedIdentityClientId for build-monitor/dnceng
- dotneteng-status-secrets.yaml: Deprecate dn-bot-dnceng-build-r-code-r-project-r-profile-r

Infrastructure (out-of-repo):
- Created dotneteng-status-identity MI in monitoring RG (both subscriptions)
- Assigned MI to dotneteng-status / dotneteng-status-staging App Services
- Added both MIs as service principals in dnceng AzDO org
- Granted [internal] Readers access to both prod and staging MIs
