Azure DevOps

Overview

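StackGuardian offers three secure methods for connecting to Azure DevOps, each tailored for different security and operational needs:

  • Client Secret (Service Principal)
  • Workload Identity (Service Principal)
  • Personal Access Token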

Choose the method that best fits your organization’s security requirements and operational preferences.

Prerequisites

For Client Secret and Workload Identity methods, you must:

  1. Create and configure an Azure AD application with appropriate permissions
  2. Add the Service Principal as a user in your Azure DevOps organization
  3. Grant it Basic access level (required for API access)
  4. Assign it to projects with at least Reader permissions

Figure: Service Principal configuration in Azure DevOps (organization settings showing Service Principal user addition, Basic access level assignment, and project permissions configuration)

Once configured, you can use the application credentials in StackGuardian.

Using Client Secret (Service Principal)

To connect Azure DevOps using a Client Secret, you need an Azure AD application registered with:

  • Tenant ID (Directory ID)
  • Client ID (Application ID)
  • Client Secret from Azure AD
  • Permissions to access Azure DevOps

Configure Connector in StackGuardian

  1. Go to the Connectors tab in the StackGuardian Orchestrator.
  2. Click on Version Control Providers > Connect with VCS Provider.
  3. Click on Connect to Azure DevOps.
  4. Enter a Connector Name.
  5. Select Client Secret as the Access Type.
  6. Enter the following information:
    • Tenant ID (Directory ID)
    • Subscription ID
    • Client ID (Application ID)
    • Client Secret Value
  7. Click Create to finalize the configuration of the Connector.

Figure: Client Secret connector creation (form showing access type selection and input fields for Tenant ID, Subscription ID, Client ID, and Client Secret Value)

Using Workload Identity (Service Principal)

Using Workload Identity via OpenID Connect (OIDC) avoids managing client secrets. It allows StackGuardian to authenticate with Azure DevOps using a trusted identity provider.

For this, you must have an Azure AD application registered with:

  • Tenant ID (Directory ID)
  • Client ID (Application ID)
  • Federated credentials configured for StackGuardian
  • Permissions to access Azure DevOps

Configure Connector in StackGuardian

  1. Go to the Connectors tab in the StackGuardian Orchestrator.
  2. Click on Version Control Providers > Connect with VCS Provider.
  3. Click on Connect to Azure DevOps.
  4. Enter a Connector Name.
  5. Select Workload Identity as the Access Type.
  6. Enter the following information:
    • Tenant ID (Directory ID)
    • Subscription ID
    • Client ID (Application ID)
  7. Click Create to finalize the configuration of the Connector.

Figure: Workload Identity connector creation (form showing access type selection with three options: Client Secret, Workload Identity, and Personal Access Token)

Using Personal Access Token

To connect Azure DevOps using a Personal Access Token, you need to create a token in Azure DevOps with limited permissions:

  1. On the Azure DevOps platform, go to the target repository for the Access Token.
  2. Select User Settings on the top navbar, beside your profile name.
  3. From the dropdown, select Personal Access Tokens.
  4. Click on New Token.
  5. Provide a name for the token that relates to the app or task using it.
  6. Select the required Scopes for the token.
  7. Click Create to generate the token.
  8. Copy the generated token and securely store it for later use.

Figure: Azure DevOps token creation (user settings menu, token configuration form with name and scopes selection, and token generation)

Configure Connector in StackGuardian

To complete the connection, visit the StackGuardian platform and follow these steps:

  1. Go to the Connectors tab in the StackGuardian Orchestrator.
  2. Click on Version Control Providers > Connect with VCS Provider.
  3. Click on Connect to Azure DevOps.
  4. Enter a Connector Name.
  5. Select Personal Access Token as the Access Type.
  6. In the Azure DevOps Personal Access Token field, paste the Access Token created earlier.
  7. Click Create to finalize the configuration of the Connector.

Figure: Personal Access Token connector creation (Azure DevOps connector configuration in StackGuardian showing the Personal Access Token authentication method with connector name and token input fields)