Azure DevOps
Visualize Azure DevOps projects, teams, and users, and monitor changes through queries and alerts.
- Installation
- Authorization
- Data Model
- Types
- Release Notes
Installation
To install this integration, you will need to configure settings both within Azure DevOps and on JupiterOne. Before enabling in JupiterOne, ensure that you have completed the setup within Azure DevOps.
Configuration on Azure DevOps
The Azure DevOps integration uses a read-only, personal access token to ingest data from the Azure DevOps platform.
You must have the necessary permissions to generate a personal access token in Azure DevOps.
You will need to generate your Personal Access Token (PAT), and grant the following permissions for the PAT:
- Project and Team :
read - Work Items:
read - Build:
read - Environment:
read & manage - User Profile:
read - Code:
read - Graph:
read - Identity:
read - Advanced Security:
read
With your PAT created, and the credentials at hand, proceed to JupiterOne for the remaining setup.
Configuration in JupiterOne
To install the Azure DevOps integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select Azure DevOps. Click New Instance to begin configuring the integration.
Creating an Azure DevOps instance requires the following:
-
The Account Name used to identify the AirWatch account in JupiterOne. Ingested entities will have this value stored in
tag.AccountNamewhen theAccountNametoggle is enabled. -
Description to assist in identifying the integration instance, if desired.
-
Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as
DISABLEDand manually execute the integration. -
Your Azure DevOps URL (example: "https://dev.azure.com/jupiterone") and your Personal Access Token generated for use with JupiterOne.
Click Create once all values are provided to finalize the integration.
Next steps
Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.
Entities
The following entities are created:
| Resources | Entity _type | Entity _class |
|---|---|---|
| ADO Project | azure_devops_project | Project |
| ADO Team | azure_devops_team | UserGroup |
| ADO User | azure_devops_user | User |
| ADO WorkItem | azure_devops_work_item | Record |
| AuditStream | azure_devops_audit_stream | Logs |
| Azure Devops Account | azure_devops_account | Account |
| Azure DevOps Alerts | azure_devops_alert_finding | Finding |
| AzureBuildSettings | azure_devops_build_settings | Configuration |
| AzureDevOps | azure_devops | Service |
| AzureDevOpsPipeline | azure_devops_pipeline | Workflow |
| AzureDevOpsPullRequest | azure_devops_pr | PR |
| Environments | azure_devops_environment | Configuration |
| RepoAdvancedSecuritySettings | azure_devops_repo_advanced_security_settings | Configuration |
| Repository | azure_devops_repo | CodeRepo |
| ServiceEndpoint | azure_devops_service_endpoint | AccessKey |
Relationships
The following relationships are created:
Source Entity _type | Relationship _class | Target Entity _type |
|---|---|---|
azure_devops | SCANS | azure_devops_project |
azure_devops_account | HAS | azure_devops_project |
azure_devops_account | HAS | azure_devops_user |
azure_devops_account | HAS | azure_devops_team |
azure_devops_account | OWNS | azure_devops_repo |
azure_devops_account | HAS | azure_devops |
azure_devops_account | HAS | azure_devops_audit_stream |
azure_devops_project | HAS | azure_devops_team |
azure_devops_project | HAS | azure_devops_work_item |
azure_devops_project | USES | azure_devops_repo |
azure_devops_project | HAS | azure_devops_pipeline |
azure_devops_project | HAS | azure_devops_environment |
azure_devops_project | HAS | azure_devops_build_settings |
azure_devops_project | HAS | azure_devops_service_endpoint |
azure_devops_repo | HAS | azure_devops_pr |
azure_devops_repo | HAS | azure_devops_alert_finding |
azure_devops_repo | HAS | azure_devops_repo_advanced_security_settings |
azure_devops_team | HAS | azure_devops_user |
azure_devops_user | MANAGES | azure_devops_account |
azure_devops_user | CREATED | azure_devops_work_item |
azure_devops_user | ASSIGNED | azure_devops_work_item |
azure_devops_user | OPENED | azure_devops_pr |
azure_devops_user | REVIEWED | azure_devops_pr |
azure_devops_user | APPROVED | azure_devops_pr |
Mapped Relationships
The following mapped relationships are created:
Source Entity _type | Relationship _class | Target Entity _type | Direction |
|---|---|---|---|
azure_devops_project | USES | github_repo | FORWARD |
azure_devops_project | USES | bitbucket_repo | FORWARD |
Azure Devops Audit Stream
azure_devops_audit_stream inherits from Logs
| Property | Type | Description | Specifications |
|---|---|---|---|
azureWorkspaceId | string | null | Azure Monitor / Log Analytics workspace id. | |
blobStorageUrl | string | null | Azure Blob Storage URL when consumerType is AzureBlobStorage. | |
consumerType * | string | Destination type for the stream — Splunk, AzureMonitorLogs, AzureEventGrid, AzureBlobStorage, Sentinel, SumoLogic, Custom, etc. | |
eventGridTopicHostname | string | null | Azure Event Grid topic hostname when consumerType is AzureEventGrid. | |
isEnabled * | boolean | True when the stream status is "enabled". | |
isSecretConfigured * | boolean | True when the stream has a secret/access-token credential configured (the secret itself is never persisted). | |
isSumoConfigured * | boolean | True when the stream targets Sumo Logic. The collector URL itself encodes the token in its path and is therefore treated as a secret; only the hostname is persisted via sumoLogicCollectorHost. | |
isWebhookConfigured * | boolean | True when the stream targets a custom webhook. Webhook URLs frequently carry an access token in the path or query string and are therefore treated as secrets; only the hostname is persisted via webhookHost. | |
sentinelWorkspaceId | string | null | Microsoft Sentinel workspace id. | |
splunkUrl | string | null | Splunk HTTP event collector URL when consumerType is Splunk. | |
statusReason | string | null | Reason populated when the stream is disabled by the system (e.g. invalid credentials). | |
sumoLogicCollectorHost | string | null | Hostname of the Sumo Logic HTTP collector when consumerType is SumoLogic. The full URL embeds the collector token in its path and is intentionally not persisted. | |
webhookHost | string | null | Hostname of the custom webhook when consumerType is Custom. The full URL frequently embeds an auth token in the path or query string and is intentionally not persisted. |
Azure Devops Repo Advanced Security Settings
azure_devops_repo_advanced_security_settings inherits from Configuration
| Property | Type | Description | Specifications |
|---|---|---|---|
codeSecurityChangedById | string | null | Identity UUID of the actor who last toggled code-security. | |
codeSecurityEnablementLastChangedOn | number | null | Epoch milliseconds when the code-security enablement state was last changed. | |
isAdvancedSecurityEnabled | boolean | null | Whether GitHub Advanced Security is enabled on the repository (parent flag). | |
isAutofixEnabled | boolean | null | Whether auto-fix for code-scanning findings is enabled on the repository. | |
isCodeQlEnabled | boolean | null | Whether CodeQL static analysis is enabled on the repository. | |
isCodeSecurityEnabled | boolean | null | Whether GitHub Advanced Security code security (CodeQL, dependency scanning) is enabled on the repository. | |
isDependencyScanningInjectionEnabled | boolean | null | Whether dependency-scanning injection is enabled on the repository. | |
isPushBlockingOnSecretDetected | boolean | null | Whether pushes containing detected secrets are blocked on the repository. | |
isSecretProtectionEnabled | boolean | null | Whether GitHub Advanced Security secret protection is enabled on the repository. | |
projectId * | string | Azure DevOps project id that owns the repository the settings describe. | |
repositoryId * | string | Azure DevOps repository id the settings entity describes. | |
secretProtectionChangedById | string | null | Identity UUID of the actor who last toggled secret-protection. | |
secretProtectionEnablementLastChangedOn | number | null | Epoch milliseconds when the secret-protection enablement state was last changed. |
Azure Devops Service Endpoint
azure_devops_service_endpoint inherits from AccessKey
| Property | Type | Description | Specifications |
|---|---|---|---|
authScheme * | string | Authorization scheme — e.g. UsernamePassword, Token, OAuth2, ServicePrincipal, WorkloadIdentityFederation, ManagedServiceIdentity, Certificate, None. | |
authUsername | string | null | Username carried by the endpoint when the authorization scheme uses a username/secret pair. | |
azureEnvironment | string | null | Azure environment (e.g. AzureCloud, AzureUSGovernment) for the endpoint. | |
azureTenantId | string | null | Azure AD tenant id used by the endpoint when the scheme is Azure-flavored. | |
createdById | string | null | Identity UUID of the user that created the endpoint. | |
createdByUniqueName | string | null | Unique name (UPN/email) of the user that created the endpoint. | |
creationMode | string | null | Creation mode (Manual or Automatic) — security-relevant for service-principal endpoints. | |
endpointType * | string | Provider type for the service endpoint (e.g. azurerm, github, dockerregistry, kubernetes, sonarqube). | |
isReady | boolean | null | True when the endpoint has been initialized and is healthy. | |
isShared * | boolean | True when the service endpoint is shared with other projects in the same organization. | |
ownerScope | string | null | Owner scope of the endpoint (e.g. Library or agentcloud). Renamed to avoid clobbering the inherited owner property. | |
registryType | string | null | Registry type label (used when endpointType is dockerregistry). | |
registryUrl | string | null | Registry URL (used when endpointType is dockerregistry). | |
scopeLevel | string | null | Scope level for the endpoint (e.g. Subscription, ManagementGroup). | |
servicePrincipalId | string | null | Service principal id used by the endpoint when the scheme is ServicePrincipal. | |
sharedProjectIds | array | null | IDs of additional projects the endpoint is shared with (preserves audit fidelity for projects not ingested). | |
statusMessage | string | null | Operation status message when the endpoint is failed or pending. | |
subscriptionId | string | null | Azure subscription id targeted by the endpoint (azurerm). | |
subscriptionName | string | null | Azure subscription display name targeted by the endpoint (azurerm). | |
targetUrl | string | null | Remote endpoint URL the service connection targets. |
Release Notes
- 2025-07-31 — Azure DevOps repository entities now carry the CodeRepo entity class in addition to Repository, enabling cross-integration code repository queries.