Quickstart: Connect your Azure DevOps repositories to Microsoft Defender for Cloud

Cloud workloads commonly span multiple cloud platforms. Cloud security services must do the same. Microsoft Defender for Cloud helps protect workloads in Azure, Amazon Web Services, Google Cloud Platform, GitHub, and Azure DevOps.

In this quickstart, you connect your Azure DevOps organizations on the Environment settings page in Microsoft Defender for Cloud. This page provides a simple onboarding experience (including auto-discovery).

By connecting your Azure DevOps repositories to Defender for Cloud, you extend the security features of Defender for Cloud to your Azure DevOps resources. These features include:

  • Microsoft Defender Cloud Security Posture Management features: You can assess your Azure DevOps resources for compliance with Azure DevOps-specific security recommendations. You can also learn about all the recommendations for DevOps resources. The Defender for Cloud asset inventory page is a multicloud-enabled feature that helps you manage your Azure DevOps resources alongside your Azure resources.

  • Workload protection features: You can extend the threat detection capabilities and advanced defenses in Defender for Cloud to your Azure DevOps resources.

API calls that Defender for Cloud performs count against the Azure DevOps global consumption limit. For more information, see the common questions about Microsoft Defender for DevOps.

Prerequisites

To complete this quickstart, you need:

Availability

Aspect: Details

Release state: Preview. The Azure Preview Supplemental Terms include legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability.

Pricing: For pricing, see the Defender for Cloud pricing page.

Required permissions:

  • Account Administrator with permissions to sign in to the Azure portal.

  • Contributor on the Azure subscription where the connector will be created.

  • Security Admin in Defender for Cloud.

  • Organization Administrator in Azure DevOps.

  • Basic or Basic + Test Plans Access Level in Azure DevOps. Third-party applications gain access via OAuth, which must be set to On. Learn more about OAuth.

Regions: Central US, West Europe, Australia East

Clouds:

  • Commercial

  • National (Azure Government, Microsoft Azure operated by 21Vianet)
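
The Azure-side rows of this table can be checked before you start onboarding. The following is an added example, not part of the original quickstart or Microsoft's tooling: it assumes its input is the JSON printed by `az role assignment list --assignee <user> --scope /subscriptions/<id> --include-inherited`, and the function names `preflight` and `covers_subscription` are hypothetical. The Azure DevOps prerequisites (Organization Administrator, access level, OAuth) are not covered.

```python
import json

# Values taken from the Availability table on this page.
REQUIRED_ROLES = {"Contributor", "Security Admin"}
SUPPORTED_REGIONS = {"centralus", "westeurope", "australiaeast"}
MG_PREFIX = "/providers/microsoft.management/managementgroups/"


def covers_subscription(scope: str, subscription_id: str) -> bool:
    """True if a role assignment at `scope` applies to the whole subscription."""
    s = scope.rstrip("/").lower()
    if s == f"/subscriptions/{subscription_id.lower()}":
        return True
    # Root and management-group scopes are inherited by the subscription
    # (assumption: the list was queried with --include-inherited).
    return scope == "/" or s.startswith(MG_PREFIX)


def preflight(assignments_json: str, subscription_id: str, region: str) -> list[str]:
    """Return the unmet Azure-side prerequisites; an empty list means ready."""
    problems = []
    held = {
        a["roleDefinitionName"]
        for a in json.loads(assignments_json)
        if covers_subscription(a.get("scope", ""), subscription_id)
    }
    for role in sorted(REQUIRED_ROLES - held):
        problems.append(f"missing role at subscription scope: {role}")
    # Accept either display names ("West Europe") or region IDs ("westeurope").
    if region.replace(" ", "").lower() not in SUPPORTED_REGIONS:
        problems.append(f"unsupported connector region: {region}")
    return problems


# Constructed sample input: Security Admin on the subscription, but
# Contributor only on one resource group, which does not satisfy the table.
SUB = "00000000-0000-0000-0000-000000000000"
SAMPLE = json.dumps([
    {"roleDefinitionName": "Security Admin", "scope": f"/subscriptions/{SUB}"},
    {"roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUB}/resourceGroups/rg-devops"},
])

if __name__ == "__main__":
    for line in preflight(SAMPLE, SUB, "East US") or ["all Azure-side checks passed"]:
        print(line)
```

A Contributor assignment that is scoped only to a resource group is reported as missing, because the table asks for Contributor on the subscription itself.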

Connect your Azure DevOps organization

To connect your Azure DevOps organization to Defender for Cloud by using a native connector:

  1. Sign in to the Azure portal.

  2. Go to Microsoft Defender for Cloud > Environment settings.

  3. Select Add environment.

  4. Select Azure DevOps.

    Screenshot that shows selections for adding Azure DevOps as a connector.

  5. Enter a name, subscription, resource group, and region.

    The subscription is the location where Microsoft Defender for DevOps creates and stores the Azure DevOps connection.

  6. Select Next: Select plans.

  7. Select Next: Authorize connection.

  8. Select Authorize.

    The authorization automatically signs in by using the session from your browser's tab. After you select Authorize, if you don't see the Azure DevOps organizations that you expect, check whether you're signed in to Microsoft Defender for Cloud on one browser tab and signed in to Azure DevOps on another browser tab.

  9. In the popup dialog, read the list of permission requests, and then select Accept.

    Screenshot that shows the button for accepting permissions.

  10. Select your relevant organizations from the drop-down menu.

  11. For projects, do one of the following:

    • Select Auto discover projects to discover all projects automatically and apply auto-discovery to all current and future projects.

    • Select your relevant projects from the drop-down menu. Then, select Auto-discover repositories or select individual repositories.

  12. Select Next: Review and create.

  13. Review the information, and then select Create.

The Defender for DevOps service automatically discovers the organizations, projects, and repositories that you selected and analyzes them for any security problems.

When you select auto-discovery during the onboarding process, repositories can take up to 4 hours to appear.

The Inventory page shows your selected repositories. The Recommendations page shows any security problems related to a selected repository.

Next steps