Quickstart: Connect your Azure DevOps Environment to Microsoft Defender for Cloud

This quickstart shows you how to connect your Azure DevOps organizations on the Environment settings page in Microsoft Defender for Cloud. This page provides a simple onboarding experience to autodiscover your Azure DevOps repositories.

By connecting your Azure DevOps organizations to Defender for Cloud, you extend the security capabilities of Defender for Cloud to your Azure DevOps resources. These features include:

  • Foundational Cloud Security Posture Management (CSPM) features: You can assess your Azure DevOps security posture through Azure DevOps-specific security recommendations. You can also learn about all the recommendations for DevOps resources.

  • Defender CSPM features: Defender CSPM customers receive code to cloud contextualized attack paths, risk assessments, and insights to identify the most critical weaknesses that attackers can use to breach their environment. Connecting your Azure DevOps repositories allows you to contextualize DevOps security findings with your cloud workloads and identify the origin and developer for timely remediation. For more information, learn how to identify and analyze risks across your environment.

API calls that Defender for Cloud performs count against the Azure DevOps global consumption limit. For more information, see the common questions about DevOps security in Defender for Cloud.


To complete this quickstart, you need:

  • An Azure account with Defender for Cloud onboarded. If you don't already have an Azure account, create one for free.


Aspect Details
Release state: General Availability.
Pricing: For pricing, see the Defender for Cloud pricing page.
Required permissions: Account Administrator with permissions to sign in to the Azure portal.
Contributor to create a connector on the Azure subscription.
Project Collection Administrator on the Azure DevOps Organization.
Basic or Basic + Test Plans Access Level on the Azure DevOps Organization.
Make sure you have BOTH Project Collection Administrator permissions and Basic Access Level for all Azure DevOps organizations you wish to onboard. Stakeholder Access Level is not sufficient.
Third-party application access via OAuth, which must be set to On on the Azure DevOps Organization. Learn more about OAuth and how to enable it in your organizations.
Regions and availability: Refer to the support and prerequisites section for region support and feature availability.
Clouds: Commercial
National (Azure Government, Microsoft Azure operated by 21Vianet)


Security Reader role can be applied on the Resource Group/Azure DevOps connector scope to avoid setting highly privileged permissions on a Subscription level for read access of DevOps security posture assessments.

Connect your Azure DevOps organization


After connecting Azure DevOps to Defender for Cloud, the Microsoft Defender for DevOps Container Mapping extension will be automatically shared and installed on all connected Azure DevOps organizations. This extension allows Defender for Cloud to extract metadata from pipelines, such as a container's digest ID and name. This metadata is used to connect DevOps entities with their related cloud resources. Learn more about container mapping.

To connect your Azure DevOps organization to Defender for Cloud by using a native connector:

  1. Sign in to the Azure portal.

  2. Go to Microsoft Defender for Cloud > Environment settings.

  3. Select Add environment.

  4. Select Azure DevOps.

    Screenshot that shows selections for adding Azure DevOps as a connector.

  5. Enter a name, subscription, resource group, and region.

    The subscription is the location where Microsoft Defender for Cloud creates and stores the Azure DevOps connection.

  6. Select Next: select plans. Configure the Defender CSPM plan status for your Azure DevOps connector. Learn more about Defender CSPM and see Support and prerequisites for premium DevOps security features.

    Screenshot that shows plan selection for DevOps connectors.

  7. Select Next: Configure access.

  8. Select Authorize. Ensure you're authorizing the correct Azure Tenant using the drop-down menu in Azure DevOps and by verifying you're in the correct Azure Tenant in Defender for Cloud.

  9. In the popup dialog, read the list of permission requests, and then select Accept.

    Screenshot that shows the button for accepting permissions.

  10. For Organizations, select one of the following options:

    • Select all existing organizations to auto-discover all projects and repositories in organizations you're currently a Project Collection Administrator in.
    • Select all existing and future organizations to auto-discover all projects and repositories in all current and future organizations you're a Project Collection Administrator in.


    Third-party application access via OAuth must be set to On on for each Azure DevOps Organization. Learn more about OAuth and how to enable it in your organizations.

    Since Azure DevOps repositories are onboarded at no extra cost, autodiscover is applied across the organization to ensure Defender for Cloud can comprehensively assess the security posture and respond to security threats across your entire DevOps ecosystem. Organizations can later be manually added and removed through Microsoft Defender for Cloud > Environment settings.

  11. Select Next: Review and generate.

  12. Review the information, and then select Create.


To ensure proper functionality of advanced DevOps posture capabilities in Defender for Cloud, only one instance of an Azure DevOps organization can be onboarded to the Azure Tenant you're creating a connector in.

The DevOps security blade shows your onboarded repositories grouped by Organization. The Recommendations blade shows all security assessments related to Azure DevOps repositories.

Next steps