We need to deploy code via DevOps to another tenant's environment, not resources, but just the code. This will be on a VM in their tenant. Would the below work for this?
Setup Self-Hosted Agent: Install and configure a self-hosted agent on a machine in their environment (VM).
This agent will be the one responsible for the build and release tasks set in our Azure DevOps pipeline.
Register Agent with Azure DevOps: We provide them with a script which includes the command to register the agent with our Azure DevOps, along with the PAT token.
They execute the script on their VM. The script registers the agent with their Azure DevOps organization using the provided registration token.
Once the script is executed successfully, the agent is registered within our Azure DevOps organization. It becomes available for use in our Azure DevOps pipelines for running build and release tasks.
Is this correct and will this work?
My understanding is that we don't need to use a service principal for this, as we aren't deploying resources to them, just code into their VM. Or do we still need a service principal on top of this?
The method you are considering is correct and it can achieve your requirement.
Self-hosted agents created on other tenant VMs can be directly used in the Build and Release Pipelines to deploy code to the corresponding VMs.
In this case, we do not need to use a Service Principal for the authentication link, and the tenant will not affect the link between the self-hosted agent and Azure DevOps Service.
For more detailed info, you can refer to this doc: Self-hosted agents
On the other hand, if there are multiple VMs that need to be deployed at the same time, you can also consider using a Deployment Group to implement batch deployment.
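The registration script described in the question could look like the following. This is an added example, not part of the original posts or of Microsoft's documentation; it assumes a Linux VM with the agent package already extracted and an organization URL of the form `https://dev.azure.com/<org>`, and the organization, pool and agent names are placeholders. The PAT is prompted for on the VM and handed to `config.sh` through the agent's `VSTS_AGENT_INPUT_TOKEN` environment variable instead of being written into the script or the command line.

```shell
#!/bin/sh
# Added example: register a self-hosted agent from the customer's Linux VM.
# Assumptions: agent package already extracted in AGENT_DIR; all names below
# (contoso-example, CustomerVMs, vm-agent-01) are placeholders.

# Accept only https://dev.azure.com/<org> and conservative pool/agent names,
# so a mistyped or altered argument cannot point the agent elsewhere.
check_inputs() {
  org=${1#https://dev.azure.com/}
  [ "$org" != "$1" ] || return 1            # required https prefix missing
  case "$org" in ''|*[!A-Za-z0-9-]*) return 1 ;; esac
  for v in "$2" "$3"; do
    case "$v" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
  done
}

# register_agent AGENT_DIR ORG_URL POOL AGENT_NAME
register_agent() {
  agent_dir=$1 org_url=$2 pool=$3 name=$4
  [ -x "$agent_dir/config.sh" ] || { echo "config.sh not found in $agent_dir" >&2; return 1; }
  check_inputs "$org_url" "$pool" "$name" || { echo "rejected input" >&2; return 1; }

  # Prompt for the PAT instead of embedding it in the script. Scope it to
  # "Agent Pools (Read & manage)" with a short expiry; it is only needed
  # for registration.
  printf 'PAT: ' >&2
  stty -echo 2>/dev/null
  IFS= read -r pat
  stty echo 2>/dev/null
  echo >&2

  # VSTS_AGENT_INPUT_TOKEN feeds --token without exposing it in the process list.
  ( cd "$agent_dir" && VSTS_AGENT_INPUT_TOKEN=$pat ./config.sh --unattended \
      --url "$org_url" --auth pat --pool "$pool" --agent "$name" )
  rc=$?
  unset pat
  return "$rc"
}

# Run only when called with all four arguments, e.g.:
#   sh register.sh "$HOME/azagent" https://dev.azure.com/contoso-example CustomerVMs vm-agent-01
if [ "$#" -eq 4 ]; then register_agent "$@"; fi
```

Once the agent shows as online in the pool, the PAT can be revoked; the agent does not use it for its ongoing connection.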