Variable groups

As well as creating the variables that go with a specific build, you can create variable groups. These variable groups can, in turn, be linked to one or more builds. This is an effective way of sharing variables between builds; examples of such shared variables are the name of your company, trademark texts, product names, and so on. Let's see how we can work with variable groups:

  1. Access variable groups by clicking on Library in the Pipelines menu (see label 1 in the following screenshot). This displays a list of the existing variable groups, which you can edit, and you can add a new group here as well.

  2. Here, you can work with variables in the same way that you would with the variables that come with a build. The only differences are highlighted in the following list:
    • You cannot mark variables in a group as settable at queue time.
    • You can allow or deny the use of this group in all pipelines. If you deny their use in all pipelines, then only you can use the variable group. You can authorize other users or groups through the Security option (labeled with a 2 in the preceding screenshot).
    • You can reference an Azure key vault for which this variable group will act as a placeholder. After logging into Azure, you can select a key vault and then select which of the values stored in it should be accessible through the variable group.

Azure Key Vault is an Azure offering for the secure storage of secrets. Secrets in a key vault are automatically versioned, so an older value is not overwritten but superseded by a newer version. In addition, you can specify segregated access policies that determine, per user, whether they can read, write, update, or delete values. All these actions are audited in a key vault, so you can also find out who has made which change. If you link Azure DevOps to a key vault, a new service principal that has access to that key vault is created in your active directory. From then on, whenever Azure DevOps needs a variable from the variable group, the actual value is pulled from the key vault.

Variable groups can be linked to the variables of a build under the Variable groups tab (refer to the screenshot in the previous section).
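The settings described above (use in all pipelines, key vault linkage, and whether a value is marked secret) can be reviewed in bulk. The following is an added example, not code from the book or from Azure DevOps: an offline audit over constructed variable-group records, where the record layout and the field names `type`, `isSecret`, and `allPipelines` are assumptions about how you export this data.

```python
import re

# Constructed sample: variable groups merged with their "allow in all
# pipelines" setting. The field names are assumptions about your export
# format; adjust them to match your own data.
SAMPLE_GROUPS = [
    {"name": "branding", "type": "Vsts", "allPipelines": True,
     "variables": {"companyName": {"value": "Contoso"},
                   "trademarkText": {"value": "Contoso (TM)"}}},
    {"name": "deploy-creds", "type": "Vsts", "allPipelines": True,
     "variables": {"dbPassword": {"value": "constructed-value"},
                   "apiToken": {"value": None, "isSecret": True}}},
    {"name": "prod-secrets", "type": "AzureKeyVault", "allPipelines": False,
     "variables": {"signingKey": {"value": None, "isSecret": True}}},
]

# Variable names that suggest the value is a secret.
SENSITIVE_NAME = re.compile(r"(password|passwd|secret|token|key|credential)", re.I)


def audit_group(group):
    """Return a list of findings for one variable group."""
    findings = []
    variables = group.get("variables", {})
    # Sensitive-looking names whose value is not marked as secret.
    plaintext = sorted(name for name, v in variables.items()
                       if SENSITIVE_NAME.search(name) and not v.get("isSecret", False))
    for name in plaintext:
        findings.append(f"{group['name']}: '{name}' looks sensitive but is not marked secret")
    holds_secrets = bool(plaintext) or any(
        v.get("isSecret", False) for v in variables.values())
    if holds_secrets and group.get("allPipelines"):
        findings.append(f"{group['name']}: holds secrets but is allowed in all pipelines")
    if holds_secrets and group.get("type") != "AzureKeyVault":
        findings.append(f"{group['name']}: secrets are not backed by a key vault")
    return findings


def audit(groups):
    """Return {group name: findings} for every group with at least one finding."""
    report = {g["name"]: audit_group(g) for g in groups}
    return {name: found for name, found in report.items() if found}


if __name__ == "__main__":
    for found in audit(SAMPLE_GROUPS).values():
        print("\n".join(found))
```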

As well as working with variable groups, you can also work with files in the library. You can upload files that are not accessible by other users but that can be used within a build. This is useful for files with private keys, license keys, and other secrets.

Just as you can with variable groups, you can specify whether each secure file can be used by any build or only by specific, authorized users.
