msc365/az-devops-governance

Azure DevOps Accelerator [PowerShell]

Azure Governance from CI/CD Pipeline to Azure Resource Manager

This repository demonstrates a complete Azure governance model using Bicep templates and PowerShell scripts. It shows how to implement end-to-end governance from Azure DevOps CI/CD pipelines to Azure deployments, following enterprise-grade cloud architecture best practices.

While Terraform and Bicep excel at Azure infrastructure provisioning, they, like the Azure DevOps REST API and Azure CLI, lack a cohesive approach for provisioning complete Azure DevOps projects with all necessary configurations. Simple tasks like creating a team require multiple sequential API calls to configure area paths, iteration paths, and group memberships separately. This repository solves these challenges with fully functional PowerShell scripts built on the Azure.DevOps.PSModule, providing a streamlined, declarative approach to Azure DevOps resource management.

The full implementation combines Bicep templates for Azure infrastructure and Microsoft Entra ID group management with PowerShell scripts for Azure DevOps automation. It adopts modern security practices including workload identity federation for Azure Pipelines, replacing traditional service principals to improve security and manageability.

Key Features

  • Practical guidance for implementing end-to-end governance at scale
  • Template scripts and CI/CD pipelines for resource provisioning and policy enforcement
  • Secure authentication with workload identity federation

Quick Start

Use the Project template to provision Azure DevOps projects.

This script creates, updates or rolls back an Azure DevOps Project within a specified organization. It provides options to configure project properties such as description, default team, process template, source control type, visibility, and feature states.

  1. Install the required modules:

    • Az.Accounts
    • Azure.DevOps.PSModule

  2. Authenticate with Connect-AzAccount.
    The scripts will reuse your Azure context to authenticate with Azure DevOps.

  3. Copy or edit the sample config file and set global configuration:

    {
        "$schema": "../../../schemas/config.schema.json",
        "uniqueId": "2vk6",
        "prefix": "demo",
        "service": "e2egov",
        "location": "westeurope",
        "collectionUri": "https://dev.azure.com/<your-org>"
    }

    Parameter files can use placeholders like {prefix}-{service}. These placeholders will be replaced with values set in this global config file.

  4. Copy or edit the sample parameter file to match your parameters:

    {
      "$schema": "../../../../../schemas/project.schema.json",
      "collectionUri": "{collectionUri}",
      "projects": [
          {
              "name": "{prefix}-{service}",
              "description": "Default project description",
              "defaultTeam": "Default Team",
              "sourceControl": "Git",
              "process": "Agile",
              "features": {
                  "boards": "enabled",
                  "repos": "enabled",
                  "pipelines": "enabled",
                  "artifacts": "enabled",
                  "testPlans": "disabled"
              },
              "visibility": "Private"
          }
      ]
    }

  5. Execute the deploy.ps1 script:

    cd src/res/core/project
    
    ./deploy.ps1 -Verbose -WhatIf

For ad-hoc runs, pass parameters inline as shown in this sample. The script is idempotent, so rerunning it updates existing projects, and -Rollback safely removes them when needed.
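
A pre-flight check for steps 3 to 5, as an added example that is not part of the repository: it resolves placeholders from the global config, then reports unresolved tokens, a collectionUri outside the form shown above, and projects that are not private. The function name Test-ProjectParameter, the {team} token, the plain string-substitution behaviour and the private-only policy are assumptions made for illustration.

```powershell
# Added example, not part of the repository. Sample inputs are constructed.
$configJson = @'
{ "prefix": "demo", "service": "e2egov",
  "collectionUri": "https://dev.azure.com/<your-org>" }
'@
$paramsJson = @'
{ "collectionUri": "{collectionUri}",
  "projects": [
    { "name": "{prefix}-{service}", "visibility": "Private" },
    { "name": "{prefix}-{team}",    "visibility": "Public" } ] }
'@

function Test-ProjectParameter {
    param([string]$ParamsJson, [psobject]$Config)

    # Assumption: placeholders are {key} tokens replaced by plain string substitution.
    $resolved = $ParamsJson
    foreach ($p in $Config.PSObject.Properties) {
        $resolved = $resolved.Replace("{$($p.Name)}", [string]$p.Value)
    }
    $params = $resolved | ConvertFrom-Json

    $findings = @()
    # The organization URL form shown in the sample config.
    if ($params.collectionUri -notmatch '^https://dev\.azure\.com/[^/]+/?$') {
        $findings += "collectionUri '$($params.collectionUri)' is not https://dev.azure.com/<org>"
    }
    foreach ($project in $params.projects) {
        # A token that survived substitution has no value in the global config.
        if ($project.name -match '\{\w+\}') {
            $findings += "project '$($project.name)': unresolved placeholder"
        }
        # Assumed policy for this example: projects must not be public.
        if ($project.visibility -ne 'Private') {
            $findings += "project '$($project.name)': visibility '$($project.visibility)' is not Private"
        }
    }
    $findings
}

$config   = $configJson | ConvertFrom-Json
$findings = @(Test-ProjectParameter -ParamsJson $paramsJson -Config $config)
$findings | ForEach-Object { Write-Warning $_ }
if ($findings.Count -gt 0) {
    throw "Parameter file failed $($findings.Count) pre-flight check(s); do not deploy."
}
```

With the constructed input, the second project produces two findings (the unresolved {team} token and the Public visibility), so the check stops before deploy.ps1 would be run.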

Governance

For a deeper walkthrough based on a reference scenario covering a fictional European Cloud Company with OpCo use cases, see the Azure Governance from CI/CD Pipelines to Azure Resource Manager walkthrough.

Image: Reference scenario European Cloud Company

Support

This project uses GitHub Issues to track bugs and feature requests. Please search the existing issues before filing new issues to avoid duplicates.

  • For latest unreleased changes, please see CHANGELOG.
  • For new issues, file your bug or feature request as a new issue.
  • For help and questions, please raise an issue or start a new discussion.

License

Part of Martin's Cloud on GitHub

Copyright (c) 2025 MSc365.eu by Martin Swinkels

Portions of the documentation in this repository are adapted from Microsoft Corporation's documentation and the article "End-to-end governance in Azure when using CI/CD" by Julie Ng (Microsoft Corporation), used under the MIT License.

This project is published under the MIT license.
See MIT License for details.

Disclaimer

This repository is provided "as is" and is subject to limited support. While reasonable efforts have been made to ensure its usefulness, there are no warranties or guarantees regarding accuracy, reliability, security, or ongoing maintenance. By using this code, you acknowledge and agree that you do so at your own risk. It is your responsibility to validate, test, and ensure suitability for your specific use case, particularly in production environments. We welcome community contributions and feedback to improve the project; however, official support will be limited.

Liability

Under no circumstances shall the authors, contributors, or affiliated organizations be held liable for any direct, indirect, incidental, or consequential damages arising from the use of this repository, including but not limited to loss of data, business interruption, or system failures. Use of this code implies acceptance of these terms.

Trademarks

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos is subject to those third parties' policies.

About

In addition to the Azure.DevOps.PSModule module, this repository includes sample scripts that demonstrate a complete Azure governance model. These examples showcase how to implement end-to-end governance from CI/CD pipelines to Azure Resource Manager deployments, aligning with best practices for enterprise-grade cloud architecture.
