Quickstart: Connect your Azure DevOps repositories to Microsoft Defender for Cloud

With cloud workloads commonly spanning multiple cloud platforms, cloud security services must do the same. Microsoft Defender for Cloud protects workloads in Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), GitHub, and Azure DevOps (ADO).

To protect your ADO-based resources, you can connect your ADO organizations on the environment settings page in Microsoft Defender for Cloud. This page provides a simple onboarding experience (including auto discovery).

By connecting your Azure DevOps repositories to Defender for Cloud, you'll extend Defender for Cloud's enhanced security features to your ADO resources. These features include:

  • Defender for Cloud's Cloud Security Posture Management (CSPM) features - Assesses your Azure DevOps resources according to ADO-specific security recommendations. You can also learn about all the recommendations for DevOps resources. Resources are assessed for compliance with built-in standards that are specific to DevOps. Defender for Cloud's asset inventory page is a multicloud enabled feature that helps you manage your Azure DevOps resources alongside your Azure resources.

  • Defender for Cloud's Workload Protection features - Extends Defender for Cloud's threat detection capabilities and advanced defenses to your Azure DevOps resources.

API calls performed by Defender for Cloud count against the Azure DevOps Global consumption limit. For more information, see the FAQ section.

Prerequisites

Availability

Aspect Details
Release state: Preview
The Azure Preview Supplemental Terms include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Pricing: For pricing, see the Defender for Cloud pricing page.
Required permissions: - Azure account: with permissions to sign into Azure portal
- Contributor: on the Azure subscription where the connector will be created
- Security Admin Role: in Defender for Cloud
- Organization Administrator: in Azure DevOps
- In Azure DevOps, configure: Third-party applications gain access via OAuth, which must be set to On . Learn more about OAuth
Regions: Central US
Clouds:  Commercial clouds
 National (Azure Government, Azure China 21Vianet)

Connect your Azure DevOps organization

To connect your Azure DevOps organization:

  1. Sign in to the Azure portal.

  2. Navigate to Microsoft Defender for Cloud > Environment Settings.

  3. Select Add environment.

  4. Select Azure DevOps.

    Screenshot that shows you where to navigate to select the DevOps connector.

  5. Enter a name, select a subscription, resource group, and region.

    Note

    The subscription will be the location where Defender for DevOps will create and store the Azure DevOps connection.

  6. Select Next: Select plans.

  7. Select Next: Authorize connection.

  8. Select Authorize.

    Note

    The authorization will automatically login using the session from your browser's tab. After you select Authorize, if you don't see the Azure DevOps organizations you expect to see, check whether you are logged in to Microsoft Defender for Cloud in one browser tab and logged in to Azure DevOps in another browser tab.

  9. In the popup screen, read the list of permission requests, and select Accept.

    Screenshot that shows you the accept button, to accept the permissions.

  10. Select your relevant organization(s) from the drop-down menu.

  11. For projects

    • Select Auto discover projects to discover all projects automatically and apply auto discover to all current and future projects.

      or

    • Select your relevant project(s) from the drop-down menu.

    Note

    If you select your relevant project(s) from the drop down menu, you will also need to select auto discover repositories or select individual repositories.

  12. Select Next: Review and create.

  13. Review the information and select Create.

The Defender for DevOps service automatically discovers the organizations, projects, and repositories you select and analyzes them for any security issues.

When auto-discovery is selected during the onbaording process, it can take up to 4 hours for repositories to appear.

The Inventory page populates with your selected repositories, and the Recommendations page shows any security issues related to a selected repository.

Learn more

FAQ

Do API calls made by Defender for Cloud count against my consumption limit?

Yes, API calls made by Defender for Cloud count against the Azure DevOps Global consumption limit. Defender for Cloud makes calls on-behalf of the user who onboards the connector.

Why is my organization list empty in the UI?

If your organization list is empty in the UI after you onboarded an Azure DevOps connector, you need to ensure that the organization in Azure DevOps is connected to the Azure tenant that has the user who authenticated the connector.

For information on how to correct this issue, check out the DevOps trouble shooting guide.

Next steps

Learn more about Defender for DevOps.

Learn how to configure the MSDO Azure DevOps extension.

Learn how to configure pull request annotations in Defender for Cloud.