Azure DevOps Integration Setup
This guide walks you through creating an Azure DevOps personal access token (PAT), identifying your organization, and configuring the integration in RAD Security. Azure DevOps provides Git repositories, work item tracking, and CI/CD pipelines. Once integrated, RADBot and Automations can read repositories, query and update work items, review and open pull requests, and inspect builds and pipelines — live, on demand.This is an AI-first integration: it connects your Azure DevOps organization to RADBot and Automations over the official Azure DevOps MCP server. It does not continuously sync data into RAD Security — RADBot queries Azure DevOps directly when a question or automation requires it.
Prerequisites
Before you begin, ensure you have:- Access to an Azure DevOps organization (the
{organization}inhttps://dev.azure.com/{organization}) - Permission to create a personal access token for the account RAD Security will use
- Access to a RAD Security workspace with integration permissions
Service Account Recommended: Create or use a dedicated Azure DevOps user for this integration rather than a personal account. Personal accounts may be removed when team members leave, which will break the integration. A PAT also inherits the permissions of the account that creates it, so a dedicated, least-privilege account keeps RADBot’s access scoped.
Step 1: Choose the Account RAD Security Will Use
Use a dedicated user
Use (or create) a dedicated Azure DevOps user — for example a Microsoft Entra ID service account — and add it to your organization as a Member.
Grant project access
Add the user to the projects you want RADBot to work with, with the minimum access level required (for example, Basic with Contributor on the relevant repositories and work items). RADBot’s reach is limited to the projects and repositories this account can see.
Azure DevOps permissions are project- and repository-scoped. Grant access only to the projects relevant to your security work.
Step 2: Create a Personal Access Token
Sign in as the service account
Sign in to
https://dev.azure.com/{organization} as the account from Step 1.Open Personal Access Tokens
- Click the User settings icon (top right, next to your avatar)
- Select Personal access tokens
- Click + New Token
Configure the token
- Name: a descriptive name, e.g.
RAD Security - Organization: select the organization you want to connect
- Expiration: set an expiration that matches your security policy (Azure DevOps PATs cannot be set to never expire on most organizations)
Select scopes
Grant the scopes that match the capabilities you want RADBot to have. For full read + write access, select:
| Scope | Access | Enables |
|---|---|---|
| Code | Read & write | Browse repos, files, and branches; read and create/update pull requests |
| Work Items | Read & write | Query work items; create, update, and comment on them |
| Build | Read | List builds and pipelines |
| Project and Team | Read | List projects (also used to verify the connection) |
To give RADBot read-only access, select the Read variants of these scopes instead. The integration exposes write actions, but Azure DevOps will reject them if the PAT lacks write scopes — the PAT is your security boundary.
Step 3: Configure in RAD Security
In your RAD Security workspace, navigate to Data Sources → Integrations, select Azure DevOps, and enter:| Parameter | Description | Example |
|---|---|---|
| Organization | Your Azure DevOps organization name — the {organization} segment in https://dev.azure.com/{organization} | contoso |
| Personal Access Token | The PAT generated in Step 2 | xxxxxxxxxxxxxxxx... |
| Default Project (optional) | A default project to scope operations to when one is not specified | Platform |
The Organization is just the org name, not a full URL. The integration calls
https://dev.azure.com/<organization>/_apis/projects to verify the organization and token.Verify Integration
Open the integration
Navigate to Data Sources → Integrations → Engineering and locate your Azure DevOps integration.
Your Azure DevOps integration is now configured. RADBot and Automations can work with your repositories, work items, pull requests, and pipelines.
What RADBot Can Do
The exact actions available are the intersection of these capabilities and the scopes granted to your PAT.Repositories & Pull Requests
Repositories & Pull Requests
- List repositories and branches
- Read file and directory contents
- List pull requests
- Create and update pull requests (requires Code write scope)
Work Items
Work Items
- Query and read work items
- Create and update work items (requires Work Items write scope)
- Add comments to work items (requires Work Items write scope)
Pipelines & Builds
Pipelines & Builds
- List pipelines in a project
- List builds and inspect their status
Search & Discovery
Search & Discovery
- List projects
- Search code across repositories
Use Cases
Investigate with Live Context
Let RADBot read repositories, pull requests, and work items while investigating an incident.
Automated Work Items
Use Automations to create or update Azure DevOps work items from high-severity findings.
Code Search
Search code across repositories for security anti-patterns, secrets, or vulnerable constructs.
Pipeline Visibility
Ask RADBot about recent builds and pipeline status when triaging delivery risk.
Troubleshooting
Verification fails — invalid or expired token
Verification fails — invalid or expired token
Possible causes:
- The PAT is incorrect, was revoked, or has expired
- The token was copied with extra whitespace
- Sign in as the service account and confirm the token under User settings → Personal access tokens
- Re-generate the PAT if it expired or was revoked, and update the Personal Access Token field in RAD Security
Azure DevOps sometimes returns a sign-in page (HTTP 203) instead of a 401 for an invalid token. RAD Security treats this as an invalid or expired token.
Verification fails — organization not found
Verification fails — organization not found
Possible causes:
- The Organization value is wrong, or a full URL was entered instead of just the org name
- Enter only the organization name — the
{organization}inhttps://dev.azure.com/{organization}(e.g.contoso, nothttps://dev.azure.com/contoso)
RADBot can read but write actions fail
RADBot can read but write actions fail
Possible causes:
- The PAT was created with read-only scopes
- The service account lacks permission to write to the target project or repository
- Re-generate the PAT with Code (Read & write) and Work Items (Read & write) scopes
- Confirm the service account has Contributor access to the relevant projects
A project or repository is not visible to RADBot
A project or repository is not visible to RADBot
Possible causes:
- The service account does not have access to that project or repository
- Grant the service account access to the project in Azure DevOps, then try again
Rotating the Personal Access Token
Rotating the Personal Access Token
- Sign in as the service account and create a new PAT with the same scopes
- Update the Personal Access Token field on the RAD Security integration
- Save — RAD Security re-verifies on save
- Revoke the old PAT in Azure DevOps
Security Best Practices
Use a Service Account
Never use a personal account. Use a dedicated Azure DevOps user so access survives staff changes and stays auditable.
Least Privilege
Grant the smallest set of scopes and project access RADBot needs. Use read-only scopes if you do not want write actions.
Set Token Expiration
Give the PAT an expiration that matches your security policy, and rotate it before it expires.
Audit Activity
Periodically review work items and pull requests created by the service account to detect unexpected behavior.
Next Steps
Engineering Integrations Overview
Learn about other engineering integrations
RADBot
Learn how RADBot uses your integrations during investigations
Data Sources
Explore all available data sources