MDP Open access

Steve Danielson · Steve Danielson · commit 1ed78b67819c · 2025-04-23T10:36:11.000-04:00
diff --git a/docs/managed-devops-pools/configure-security.md b/docs/managed-devops-pools/configure-security.md
@@ -1,7 +1,7 @@
 ---
 title: Configure security
 description: Learn how to configure security settings for Managed DevOps Pools.
-ms.date: 11/18/2024
+ms.date: 04/23/2025
 ---
 
 # Configure Managed DevOps Pools security settings
@@ -175,6 +175,36 @@ Add additional organizations to the organizations list to configure your pool fo
 
 * * *
 
+## Allow all pipelines to run on the pool without an approval (open access)
+
+By default, each pipeline definition must be explictly authorized to run in a self-hosted agent pool (like a Managed DevOps Pool) before it is run for the first time in that pool. 
+
+Azure DevOps provides a [Pipeline permissions](../pipelines/policies/permissions.md#set-pipeline-permissions-for-an-individual-agent-pool) setting at the agent pool level to authorize specific pipelines to run in that pool, or to configure the pool for **Open access** to be available for all pipelines in that project.
+
+Managed DevOps Pools can configure the **Open access** setting on your behalf when creating the Managed DevOps Pool if you enable **Allow all pipelines to run on the pool without an approval (open access)** during pool creation.
+
+> [!NOTE]
+> The **Allow all pipelines to run on the pool without an approval (open access)** setting can be configured by Managed DevOps Pools only when the pool is created. After the Managed DevOps Pool is created, you can view and configure [Open access](../pipelines/policies/permissions.md#set-pipeline-permissions-for-an-individual-agent-pool) on the corresponding [agent pool](../pipelines/agents/pools-queues.md) in Azure DevOps.
+
+#### [Azure portal](#tab/azure-portal/)
+
+:::image type="content" source="./media/configure-security/open-access.png" alt-text="Screenshot of configuring open access.":::
+
+#### [ARM template](#tab/arm/)
+
+TODO
+
+#### [Azure CLI](#tab/azure-cli/)
+
+TODO
+
+* * *
+
+If you try to run a pipeline that is not authorized to access your aget pool, you'll receive an error similar to `This pipeline needs permission to access a resource before this run can continue`. There are two ways to explictly authorize a pipeline to run in a pool (in addition to confguring **Open access**).
+
+* You can go to the **Security** settings for the agent pool in your Azure DevOps organization and add the pipeline in [Pipeline permissions](../pipelines/agents/pools-queues.md#pipeline-permissions).
+* If you don't add the pipeline, you will be [prompted in Azure DevOps the first time you run the pipeline](../pipelines/troubleshooting/troubleshooting.md#this-pipeline-needs-permission-to-access-a-resource-before-this-run-can-continue). When you authorize the pipeline, it will be added to the **Pipeline permissions** list.
+
 ## Configure interactive mode
 
 If your tests need an interactive login for UI testing, enable interactive login by enabling the **EnableInteractiveMode** setting.
diff --git a/docs/managed-devops-pools/media/configure-security/open-access.png b/docs/managed-devops-pools/media/configure-security/open-access.png
diff --git a/docs/pipelines/troubleshooting/troubleshooting.md b/docs/pipelines/troubleshooting/troubleshooting.md
@@ -76,6 +76,7 @@ If the issue isn't apparent from the pipeline run summary page or browsing the l
 
 ## Common issues
 
+* [This pipeline needs permission to access a resource before this run can continue](#this-pipeline-needs-permission-to-access-a-resource-before-this-run-can-continue)
 * [Job time-out](#job-time-out)
 * [Issues downloading code](#issues-downloading-code)
 * [My pipeline is failing on a command-line step such as MSBUILD](#my-pipeline-is-failing-on-a-command-line-step-such-as-msbuild)
@@ -110,6 +111,21 @@ Azure DevOps includes build-in notifications for failed pipeline runs. To enable
 
 :::moniker-end
 
+### This pipeline needs permission to access a resource before this run can continue
+
+If your pipeline doesn't seem to start, or you receive an error message like `This pipeline needs permission to access a resource before this run can continue`, check to see if the pipeline is waiting for an authrization to run by a resource, like a service connection or agent pool.
+
+1. [Go to the pipeline](../create-first-pipeline.md#view-and-manage-your-pipelines) and manually start a run.
+1. The message **This pipeline needs permission to access a resource before this run can continue** appears. Select **View** next to the message.
+1. On the **Waiting for review** screen, select **Permit**, and on the confirmation screen, select **Permit** again.
+
+This action explictly adds the pipeline as an authorized user of the resource.
+
+Some resources allow you to configure **Open access** so that each new pipeline definition doesn't require explicit authorization.
+
+* To configure **Open access** for agent pools, see [Set pipeline permissions for an individual agent pool](../policies/permissions.md#set-pipeline-permissions-for-an-individual-agent-pool) and [Pipeline permissions](../agents/pools-queues.md#pipeline-permissions).
+* To review whether **Open access** is available for other [resource types](../process/resources.md#resource-authorization-in-yaml-pipelines), see [Manage security in Azure Pipelines](../policies/permissions.md) and search for **Open access**.
+
 ### Job time-out
 
 A pipeline can run for a long time and then fail due to job time-out. 
