Let's simplify publishing new NuGet packages for x++ builds
5 - DevOps Variable Groups
Part 5: Configure Variable Groups
In Azure DevOps, a variable group is a reusable collection of configuration values and secrets (like API keys, URLs, or environment settings) that can be shared across multiple pipelines and releases. Variable groups store the credentials and configuration that pipelines need at runtime. You'll create three groups: one for authentication, one for Teams notifications, and one for environment options. Teams is optional, but I thought it would be helpful if my pipelines were sending me Teams messages in a channel dedicated to its activity rather than emailing me. Variable groups can optionally be backed by an Azure Key Vault to store variable values if you'd prefer they not be stored in DevOps. Using a Key Vault is considered best practice, but if you are setting this up in a lab, it is additional complexity.
Step 1: Create PowerPlatform-Auth
This group is used by every pipeline that interacts with Power Platform.
- Go to Pipelines > Library
- Click + Variable group
- Name: PowerPlatform-Auth
- Add these variables:
| Variable | Value | Secret? |
|---|---|---|
| PP_TENANT_ID | Your Entra tenant ID (GUID) | No |
| PP_APPLICATION_ID | Application (client) ID from Part 3 | No |
| PP_CLIENT_SECRET | Client secret value from Part 3 | Yes (click the lock icon) |
- Click Save
Pre-Authorize Pipelines
To avoid the "Permit" prompt on first pipeline run:
- Click on the PowerPlatform-Auth variable group
- Go to Pipeline permissions (top menu, or ... > Security)
- Click + and add all pipelines that will use it. If a pipeline has not been granted access, you will be prompted to permit it when that pipeline runs.
Tip: If you click "Open access" now, any pipeline in the project can use these credentials. For production, scope it to specific pipelines after setup is complete, or don't pre-authorize that pipeline.
Step 2: Create Teams-Secrets
This group provides the Teams webhook URL for pipeline notifications.
- Pipelines > Library > + Variable group
- Name: Teams-Secrets
- Add:
| Variable | Value | Secret? |
|---|---|---|
| TeamsWebhookUrl | Your Teams webhook URL | Yes |
Getting a Teams Webhook URL
Using Workflows (recommended — Microsoft is deprecating Connectors):
- Open Microsoft Teams > target channel
- Click ... > Workflows
- Search for Post to a channel when a webhook request is received
- Follow the prompts to create the workflow
- Copy the webhook URL and add it to your notes for later use
Step 3: Create FinOps-Options
This group tells the post-provisioning pipeline which environment to copy data from.
- Pipelines > Library > + Variable group
- Name: FinOps-Options
- Add:
| Variable | Value | Secret? |
|---|---|---|
| database-source-environment-guid | GUID of your known good source environment | No |
If you don't know this yet, it can be left blank. A common scenario would be to use the GUID for the PROD environment, or GOLD if you're not live yet. Empty is acceptable if unknown, but some automation steps will be skipped if it is blank.
Finding the Environment GUID
Option A: Power Platform Admin Center
- Go to admin.powerplatform.microsoft.com
- Click Environments > select the source environment
- The GUID is in the browser URL: environments/{GUID}/hub and it is also on screen next to "Environment ID:"
Option B: PowerShell
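```powershell
# Install the Power Apps administration module
Install-Module Microsoft.PowerApps.Administration.PowerShell -Force
# Sign in interactively
Add-PowerAppsAccount
# List environments; EnvironmentName holds the GUID
Get-AdminPowerAppEnvironment | Select-Object DisplayName, EnvironmentName | Format-Table
```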
The EnvironmentName column contains the GUID.
- Click Save
- Pre-authorize pipelines: PR Validation, Post-Provision Copy
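How a pipeline consumes these groups, as an added example that is not a pipeline from this series: it links the three groups, maps the two secret variables into the script explicitly (secret variables are not exposed to scripts as environment variables automatically), and skips a step when database-source-environment-guid is blank. The pool image, step names, and the CLIENT_SECRET and TEAMS_WEBHOOK_URL environment names are assumptions, and the example assumes all three groups were created (remove the Teams-Secrets lines if you skipped that group).

```yaml
# Added example: hypothetical pipeline consuming the three variable groups.
trigger: none

pool:
  vmImage: windows-latest  # assumption: Microsoft-hosted agent

variables:
  - group: PowerPlatform-Auth
  - group: Teams-Secrets
  - group: FinOps-Options

steps:
  # Preflight: fail fast when a group value is missing or malformed.
  - pwsh: |
      $ErrorActionPreference = 'Stop'
      $parsed = [guid]::Empty
      foreach ($name in 'PP_TENANT_ID', 'PP_APPLICATION_ID') {
        # Non-secret variables reach the script as environment variables.
        $value = [Environment]::GetEnvironmentVariable($name)
        if (-not [guid]::TryParse($value, [ref]$parsed)) { throw "$name is not a GUID" }
      }
      # An undefined variable leaves the literal macro text behind, so reject that too.
      # Test for presence only; never echo the secret.
      if ([string]::IsNullOrWhiteSpace($env:CLIENT_SECRET) -or $env:CLIENT_SECRET -match '^\$\(') {
        throw 'PP_CLIENT_SECRET is empty or undefined'
      }
      if ($env:TEAMS_WEBHOOK_URL -notlike 'https://*') {
        throw 'TeamsWebhookUrl must be an https URL'
      }
    displayName: Preflight variable group check
    env:
      # Secret variables must be mapped explicitly.
      CLIENT_SECRET: $(PP_CLIENT_SECRET)
      TEAMS_WEBHOOK_URL: $(TeamsWebhookUrl)

  # A blank GUID is allowed; the dependent step is skipped.
  - pwsh: Write-Host "Source environment $(database-source-environment-guid)"
    displayName: Source environment step (placeholder)
    condition: and(succeeded(), ne(variables['database-source-environment-guid'], ''))
```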
What You've Accomplished
- Created PowerPlatform-Auth with SPN credentials
- Created Teams-Secrets with a webhook URL for notifications
- Created FinOps-Options with the known good source environment GUID
- Pre-authorized pipeline access to avoid "Permit" prompts






