Connect Azure DevOps environments to Defender for Cloud

This page provides a simple onboarding experience to connect Azure DevOps environments to Microsoft Defender for Cloud, and automatically discover Azure DevOps repositories.

By connecting your Azure DevOps environments to Defender for Cloud, you extend the security capabilities of Defender for Cloud to your Azure DevOps resources and improve security posture. Learn more.

Prerequisites

To complete this quickstart, you need:

Availability

Aspect Details
Release state: General Availability.
Pricing: For pricing, see the Defender for Cloud pricing page.
Required permissions:
    • Account Administrator with permissions to sign in to the Azure portal.
    • Contributor to create a connector on the Azure subscription.
    • Project Collection Administrator on the Azure DevOps Organization.
    • Basic or Basic + Test Plans Access Level on the Azure DevOps Organization.
      Make sure you have BOTH Project Collection Administrator permissions and Basic Access Level for all Azure DevOps organizations you wish to onboard. Stakeholder Access Level is not sufficient.
    • Third-party application access via OAuth, which must be set to On on the Azure DevOps Organization. Learn more about OAuth and how to enable it in your organizations.
Regions and availability: Refer to the support and prerequisites section for region support and feature availability.
Clouds:
    • Commercial
    • National (Azure Government, Microsoft Azure operated by 21Vianet)

Note

Security Reader role can be applied on the Resource Group/Azure DevOps connector scope to avoid setting highly privileged permissions on a Subscription level for read access of DevOps security posture assessments.
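
The scoping described in the note above, as an added example that is not part of the original page: shell functions that build the resource group or connector scope and assign Security Reader there with the Azure CLI, refusing anything wider than a resource group. The resource-type path `Microsoft.Security/securityConnectors`, the function names, and the `AZ` dry-run override are assumptions of this example, and all IDs and names are placeholders you supply.

```shell
#!/bin/sh
# Added example: assign Security Reader at resource group or connector scope.
# Usage (placeholders): grant_security_reader <principal> \
#     "$(connector_scope <subscription-id> <resource-group> <connector-name>)"

AZ="${AZ:-az}"   # set AZ=echo to print the command instead of running it

is_guid() {
  case "$1" in *[!0-9a-fA-F-]*) return 1 ;; esac   # rejects newlines too
  printf '%s' "$1" |
    grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Resource group scope. The name check is stricter than Azure's own naming
# rules so that no character can alter the structure of the scope path.
rg_scope() {   # <subscription-id> <resource-group>
  is_guid "$1" || { echo "invalid subscription id" >&2; return 1; }
  case "$2" in
    ''|*[!A-Za-z0-9_.-]*) echo "invalid resource group" >&2; return 1 ;;
  esac
  printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
}

# Connector scope: one securityConnectors resource inside that group.
connector_scope() {   # <subscription-id> <resource-group> <connector-name>
  base=$(rg_scope "$1" "$2") || return 1
  case "$3" in
    ''|*[!A-Za-z0-9_.-]*) echo "invalid connector name" >&2; return 1 ;;
  esac
  printf '%s/providers/Microsoft.Security/securityConnectors/%s' "$base" "$3"
}

# True when the scope is wider than a resource group (subscription,
# management group, root). Unrecognised forms also count as broad.
is_broad_scope() {
  case "$1" in
    /subscriptions/*/resourceGroups/?*) return 1 ;;
    *) return 0 ;;
  esac
}

grant_security_reader() {   # <principal> <scope>
  if is_broad_scope "$2"; then
    echo "refusing scope wider than a resource group: $2" >&2
    return 1
  fi
  $AZ role assignment create --assignee "$1" --role "Security Reader" --scope "$2"
}
```
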

Connect your Azure DevOps organization

Note

After connecting Azure DevOps to Defender for Cloud, the Microsoft Defender for DevOps Container Mapping extension will be automatically shared and installed on all connected Azure DevOps organizations. This extension allows Defender for Cloud to extract metadata from pipelines, such as a container's digest ID and name. This metadata is used to connect DevOps entities with their related cloud resources. Learn more about container mapping.

To connect your Azure DevOps organization to Defender for Cloud by using a native connector:

  1. Sign in to the Azure portal.

  2. Go to Microsoft Defender for Cloud > Environment settings.

  3. Select Add environment.

  4. Select Azure DevOps.

    Screenshot that shows selections for adding Azure DevOps as a connector.

  5. Enter a name, subscription, resource group, and region.

    The subscription is the location where Microsoft Defender for Cloud creates and stores the Azure DevOps connection.

  6. Select Next: Configure access.

  7. Select Authorize. Ensure you're authorizing the correct Azure Tenant using the drop-down menu in Azure DevOps and by verifying you're in the correct Azure Tenant in Defender for Cloud.

  8. In the popup dialog, read the list of permission requests, and then select Accept.

    Screenshot that shows the button for accepting permissions.

  9. For Organizations, select one of the following options:

    • Select all existing organizations to auto-discover all projects and repositories in organizations you're currently a Project Collection Administrator in.
    • Select all existing and future organizations to auto-discover all projects and repositories in all current and future organizations you're a Project Collection Administrator in.

    Note

    Third-party application access via OAuth must be set to On for each Azure DevOps Organization. Learn more about OAuth and how to enable it in your organizations.

    Since Azure DevOps repositories are onboarded at no extra cost, autodiscover is applied across the organization to ensure Defender for Cloud can comprehensively assess the security posture and respond to security threats across your entire DevOps ecosystem. Organizations can later be manually added and removed through Microsoft Defender for Cloud > Environment settings.

  10. Select Next: Review and generate.

  11. Review the information, and then select Create.

Note

To ensure proper functionality of advanced DevOps posture capabilities in Defender for Cloud, only one instance of an Azure DevOps organization can be onboarded to the Azure Tenant you're creating a connector in.

Upon successful onboarding, DevOps resources (e.g., repositories, builds) will be present within the Inventory and DevOps security pages. It might take up to 8 hours for resources to appear. Security scanning recommendations might require an additional step to configure your pipelines. Refresh intervals for security findings vary by recommendation and details can be found on the Recommendations page.
