
Do CI/CD pipelines in Azure DevOps require a dedicated user without MFA?

Çağlar Arlı


During security audits I've seen several times that DevOps teams made a 'special' user account for CI/CD pipelines, especially when using Azure DevOps. Often this user is the only user for which multi-factor authentication (MFA) is disabled, which I think is not desirable. I understand that MFA can't be used in a conventional way for machine-to-machine communication, but is this the intended way of doing things?

Assuming it's used for deployment, I'd imagine that a special deploy token should be used in pipelines instead. But if so, is that token bound to one specific developer's account, or is there a more secure way to do this?

Alternatively, if that 'special' user is used for another purpose, for example mounting network storage, I think the mechanism used should itself be questioned for this purpose, as it introduces the potential weakness of having an active user account without MFA.
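For reference, the alternative the question is reaching for (a pipeline identity that is not a human user) looks like this in Azure Pipelines. The pipeline authenticates through a service connection, which in Azure DevOps is backed either by a service principal or by workload identity federation (no long-lived secret stored at all), so no user account with MFA disabled is involved. This is an added illustration, not code from the original post; the service connection name `prod-deploy-sc`, the resource group `rg-example` and the web app `app-example` are assumed placeholders.

```yaml
# Added example, not from the original post: an Azure Pipelines job that
# deploys using a service connection (a non-human identity) instead of a
# shared user account with MFA switched off. Names below are placeholders.
trigger:
  branches:
    include:
      - main

pool:
  vmImage: ubuntu-latest

steps:
  - task: AzureCLI@2
    displayName: Deploy with the pipeline's own identity
    inputs:
      # Service connection: service principal or workload identity federation.
      # The pipeline never holds a user password, so there is no MFA exception.
      azureSubscription: 'prod-deploy-sc'
      scriptType: bash
      scriptLocation: inlineScript
      inlineScript: |
        # Show which identity the token was issued to (expect a service principal,
        # never a user with MFA disabled); useful evidence during an audit.
        az account show --query '{tenant:tenantId, identity:user.name, type:user.type}' -o table
        az webapp deploy --resource-group rg-example --name app-example \
          --src-path "$(Build.ArtifactStagingDirectory)/app.zip"
```

The identity behind the service connection should be scoped with role assignments to only the resources the pipeline deploys (least privilege), and the `az account show` step makes it easy to confirm in the pipeline log that `user.type` is `servicePrincipal` rather than `user`. A shared network mount, as in the question's second scenario, would be handled the same way: a scoped identity or storage key held as a pipeline secret, not an interactive user account exempted from MFA.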