Azure DevOps Pipeline with powershell just enough administration

I have started to use Azure Devops pipelines to execute PowerShell scripts on remote servers for scheduled tasks. I created a standard AD account which I use in these pipelines and store the credentials in the secret variables.

I was wondering what are the best practices to give this account permissions by adding to the AD remote management users group or the dhcp admins group, and then specific permissions to access certain folders to get file information. Normally I create a remote session to the server/computer I want to carry out tasks. I want to avoid giving this account domain admin. Would PowerShell JEA be appropriate here? Should I use a service account? The task on the agent seems to run as NT AUTHORITY\NETWORK SERVICE, how would I give permissions to allow it to do stuff on / get info from servers, is it ideal?

How do others do this? Just looking for some ideas or some guidance into what direction to go in.

Should I have posted this in devops-camp? I saw there’s nothing there.


May want to ask this in a forum dedicated to Azure DevOps questions:

Azure DevOps - Microsoft Community Hub