Skip to main content

Azure DevOps

Azure DevOps integration allows your product to connect with Azure Repos, Pipelines, and Work Items (Boards) to fetch repository metadata, monitor CI/CD pipelines, manage issues, and analyze code changes. This integration is valuable for DevSecOps workflows, vulnerability tracking, and project visibility across software development lifecycles.

Credentials Needed

To integrate with Azure DevOps, you can use either a Personal Access Token (PAT) or an OAuth2 Application (for multi-user setups).

For Personal Access Token (Recommended for simplicity):

  • Organization Name
  • Personal Access Token (PAT)

For OAuth2 (Multi-user integration):

  • Client ID
  • Client Secret
  • Tenant ID (if using Azure AD authentication)
  • Redirect URI (Callback URL)

The PAT method is the most common and straightforward way to connect for repository, pipeline, and board data access.

Permissions Needed / API Scopes

Azure DevOps PATs use scopes to define what operations the token can perform. Select scopes based on your product's integration purpose.

FunctionalityScopeDescription
Read repositoriesCode (Read)View repositories and commits
Manage repositoriesCode (Read & Write)Create or update repositories (optional)
Manage work items (issues/bugs)Work Items (Read & Write)Create, update, or read work items
Read pipelinesBuild (Read)View build and release pipelines
Read organization-level metadataService Connections (Read) or Project and Team (Read)Optional
Read user profilesUser Profile (Read)Access user data for audit or mapping

Minimal Scopes for Read Access & Issue Management: Code (Read), Build (Read), Work Items (Read & Write)

Creating Users / Access Tokens

Step 1: Create a Personal Access Token (PAT)

  1. Sign in to your Azure DevOps organization: https://dev.azure.com
  2. Click on your profile icon → Personal Access Tokens
  3. Click + New Token
  4. Fill in details:
    • Name: AzureDevOpsIntegrationToken
    • Organization: Select the target organization
    • Expiration: Choose a reasonable validity period (e.g., 90 days or 1 year)
    • Scopes:
      • Code (Read)
      • Build (Read)
      • Work Items (Read & Write)
  5. Click Create
  6. Copy the generated Personal Access Token immediately — it will be shown only once

Step 2 (Optional): Create an OAuth Application

For multi-user integrations:

  1. Go to Azure Portal → Azure Active Directory → App registrations → New registration
  2. Fill out:
    • Name: AzureDevOpsIntegrationApp
    • Redirect URI: Your product's OAuth callback URL
  3. After registration, note down:
    • Application (Client) ID
    • Directory (Tenant) ID
  4. Go to Certificates & Secrets → New client secret, create one, and copy its value
  5. Use the Azure DevOps OAuth endpoints:
    • Authorize URL: https://app.vssps.visualstudio.com/oauth2/authorize
    • Token URL: https://app.vssps.visualstudio.com/oauth2/token
    • Scope: vso.code_read vso.build_read vso.work_write

Test Connectivity

Test your integration using curl or REST API:

# Replace <ORG>, <PROJECT>, and <TOKEN>
curl -u :<TOKEN> https://dev.azure.com/<ORG>/_apis/projects?api-version=7.0

# List repositories
curl -u :<TOKEN> https://dev.azure.com/<ORG>/<PROJECT>/_apis/git/repositories?api-version=7.0

# List pipelines (build definitions)
curl -u :<TOKEN> https://dev.azure.com/<ORG>/<PROJECT>/_apis/build/definitions?api-version=7.0

# Create a work item (example)
curl -u :<TOKEN> \
  -H "Content-Type: application/json-patch+json" \
  -X POST \
  -d '[{"op": "add", "path": "/fields/System.Title", "value": "Test Work Item"}]' \
  https://dev.azure.com/<ORG>/<PROJECT>/_apis/wit/workitems/$Issue?api-version=7.0

If the requests return valid responses (HTTP 200/201), your credentials and permissions are correctly configured.

Save the Results in the Platform and Create Connection

  1. In your platform's connector configuration, securely store:
    • AZURE_DEVOPS_ORG
    • AZURE_DEVOPS_PAT
    • (Optional for OAuth) CLIENT_ID, CLIENT_SECRET, TENANT_ID, REDIRECT_URI
  2. Create a connector labeled Azure DevOps Integration
  3. Test the connection by fetching repository or pipeline data

Best Practices

  • Use Personal Access Tokens (PATs) for single-user or service integrations; use OAuth2 for multi-user or SaaS-level integrations
  • Assign only the minimum required scopes for your integration
  • Rotate PATs regularly and use short expiration periods where possible
  • Store tokens securely using Azure Key Vault or your product's secret manager
  • Enable audit logs in Azure DevOps for tracking integration activity
  • For organization-wide access, consider using Service Principals and App Registrations with OAuth for scalability
  • Handle rate limits and use pagination when fetching large amounts of data via the Azure DevOps REST API