
Copilot code reviews, GitHub Copilot autofix, and Apple Silicon for macOS pipeline agents

This sprint we are releasing new features in preview that are designed to enhance code quality, security, and build capabilities. Copilot-powered code reviews for Azure Repos (limited public preview) bring AI-assisted insights directly into pull requests, helping teams identify issues and improve code more efficiently. GitHub Copilot Autofix for code scanning (limited public preview) further strengthens security by automatically suggesting fixes for detected vulnerabilities. In addition, Apple Silicon (ARM64) support for macOS pipeline agents (pay-as-you-go preview) expands build options, enabling native macOS workloads with improved performance and flexibility. These preview features provide an opportunity to explore the next generation of developer productivity and platform support in Azure DevOps.

Check out the release notes for details.

GitHub Advanced Security for Azure DevOps

Azure Boards

Azure Pipelines

Azure Repos

GitHub Advanced Security for Azure DevOps

GitHub Copilot Autofix for code scanning (limited public preview)

GitHub Copilot Autofix is now available in limited public preview for GitHub Advanced Security for Azure DevOps. Copilot Autofix analyzes CodeQL code scanning alerts and suggests targeted code fixes, automatically creating a pull request with a fix. Developers can review the suggested fix and merge the pull request, reducing the time spent remediating security vulnerabilities.

Copilot Autofix for code scanning in GitHub Advanced Security for Azure DevOps

Organizations interested in participating can sign up for the preview and, once approved, enable Copilot Autofix for their organization and repositories.

For more information, see Copilot Autofix for code scanning (preview).

CodeQL default setup rollout completed

The public preview rollout of CodeQL default setup for code scanning is now complete and available to all GitHub Advanced Security for Azure DevOps customers. By using CodeQL default setup, you can enable code scanning for your repositories without any manual pipeline configuration. Once enabled, CodeQL automatically scans your code by using Azure Pipelines and surfaces security vulnerabilities in your repository alerts.

To get started, see Configure code scanning.

Advanced Security status checks for pull requests (general availability)

Advanced Security status checks for pull requests are now generally available. Use the configurable AdvancedSecurity/NewHighAndCritical and AdvancedSecurity/AllHighAndCritical branch policies to block pull request completion when high or critical severity alerts are detected, helping your team prevent new vulnerabilities from reaching protected branches.

For more information, see Configure status checks as branch policies.

Build identity access to view alerts is being removed

Building on the change first introduced in Sprint 269: Build identity access restricted for Advanced Security APIs, we are completing the removal of the build identity service's permission to view Advanced Security alerts. This change rolls out starting July 1, 2026 and finishes July 15, 2026.

After the rollout completes, you can't use build service accounts to view alerts for pipeline gating. If your pipelines rely on the build service account to read alerts and gate builds, move to Advanced Security status checks, which give your team a native way to block pull request completion when new high or critical severity alerts are detected.

For next steps, see Configure status checks as branch policies. For more background on this change, see Build identities can access Advanced Security read alerts again.

Azure Boards

Coding agent model selection option

Different models can produce different results when using the Copilot coding agent with work items, particularly when using custom instructions or custom agents.

You can now choose which model the coding agent uses when creating a pull request from a work item, giving you more control over what works best for your team and codebase.

Coding agent model selection option in Azure Boards

Azure Pipelines

Finer-grained comment requirement for running PR validation runs from GitHub repositories

To help protect your pipelines against unauthorized use, you can require comments from team members or contributors before pull request validation runs begin.

Before this sprint, the comment requirement applied to pull requests from both within the same repository and from forks. If you wanted to require team-member comments only for pull requests from forks, that wasn't possible.

Starting this sprint, you can configure comment requirements independently per pull request source. In the following example, comments are required only for pull requests that originate from repository forks.

Image showing build pull requests from forks of repository.

Access Azure DevOps with Microsoft Entra authentication

You can now use the new Azure DevOps service connection to access Azure DevOps with a Microsoft Entra workload identity (service principal or managed identity) instead of personal access tokens (PATs) or session tokens.

Using Azure DevOps service connections helps improve pipeline security in several ways:

  • Least privilege: Use scoped service connection permissions instead of broad shared build service account permissions
  • PAT-free authentication: Eliminate the need to create, store, and rotate personal access tokens
  • No persistent secrets: Use Microsoft Entra federated credentials instead of passwords
  • Audit trail: Authentication attempts are logged in Azure DevOps audit logs

Configuring an Azure DevOps service connection

To create the Azure DevOps service connection, you first need to add a service principal or managed identity as a user to the organization and assign it permissions.

To create the service connection, choose Azure DevOps (Preview):

Screenshot that shows new service connection type.

and select the service principal or managed identity you just created as the identity used:

Screenshot that shows service connection configuration.

Assign the identity the permissions it needs in the organization. To do this, follow the View access in the current organization link and, for example, add the identity to the Readers group of the current project.

Screenshot that shows service connection details.

Using the new Azure DevOps service connection

To check out a repository from a different organization:

resources:
  repositories:
  - repository: external-repo
    type: git
    endpoint: my-azdo-connection
    name: 'external-project/external-repo'
    ref: 'refs/heads/main'

steps:
- checkout: self
- checkout: external-repo

To reference a YAML template from a different organization:

resources:
  repositories:
    - repository: templates
      type: git
      endpoint: my-azdo-connection
      name: 'external-project/external-repo'
      ref: "refs/heads/main"
      
steps:
- template: azdosc-template.yml@templates

To access an artifacts feed using one of the authentication tasks:

- task: NuGetAuthenticate@1
  inputs:
    nuGetServiceConnections: 'my-azdo-connection'

- task: DotNetCoreCLI@2
  inputs:
    command: 'restore'
    projects: '**/*.csproj'

Using the new Azure DevOps service connection in a script

The new AzureCLI@3 task can be used to access Azure DevOps with Entra authentication in a number of ways. In all cases, you configure the service connection by setting connectionType: 'azureDevOps' and assigning azureDevOpsServiceConnection to an Azure DevOps service connection you created:

- task: AzureCLI@3
  inputs:
    connectionType: 'azureDevOps'
    azureDevOpsServiceConnection: 'my-azdo-connection'

This creates an Entra ID authenticated session with the Azure DevOps CLI:

- task: AzureCLI@3
  displayName: Secret-less
  inputs:
    connectionType: 'azureDevOps'
    azureDevOpsServiceConnection: 'my-azdo-connection'
    scriptType: 'pscore'
    scriptLocation: 'inlineScript'
    inlineScript: |
      az devops configure -l

      az devops project list --query "value[].{Name:name, Id:id}" `
                            -o table

      az pipelines pool list --query "[].{Id:id, Name:name}" `
                            -o table

      az rest --method get `
              --url "https://status.dev.azure.com/_apis/status/health?api-version=7.1-preview.1" `
              --resource 499b84ac-1321-427f-aa17-267ca6975798 `
              --query "sort_by(services[?id=='Pipelines'].geographies | [], &name)" `
              -o table

If you do need a token, for example because an existing script uses a PAT or System.AccessToken inline, you can obtain an Entra access token that can be used to access Azure DevOps:

- task: AzureCLI@3
  displayName: Use Entra access token
  inputs:
    connectionType: 'azureDevOps'
    azureDevOpsServiceConnection: 'my-azdo-connection'
    scriptType: 'pscore'
    scriptLocation: 'inlineScript'
    inlineScript: |
      # Get access token for Azure DevOps
      $token = az account get-access-token --resource "499b84ac-1321-427f-aa17-267ca6975798" `
                                           --query "accessToken" `
                                           --output tsv
      
      # Use token in REST API call
      $headers = @{
        Authorization = "Bearer $token"
        "Content-Type" = "application/json"
      }
      
      $body = @{
        name = "Test Build"
      } | ConvertTo-Json
      
      Invoke-RestMethod -Uri "$(System.CollectionUri)$(System.TeamProject)/_apis/build/definitions?api-version=7.1" `
                        -Method POST `
                        -Headers $headers `
                        -Body $body
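
The following added example (not part of the release notes or of Microsoft's tooling) is a small Python scanner that finds pipeline steps still relying on a PAT or System.AccessToken, which are the cases this section and the build identity change described earlier ask you to migrate. The regex rules, the advsec.dev.azure.com alert endpoint host, and the sample pipeline (contoso, MyPat) are assumptions made for illustration.

```python
import re

# Added example: rule patterns and the alert-API host are illustrative assumptions.
STEP = re.compile(r"^\s*-\s+(task|script|bash|pwsh|powershell)\s*:\s*(.*)$")
RULES = {
    "build-identity-token": re.compile(r"\$\(System\.AccessToken\)|SYSTEM_ACCESSTOKEN", re.I),
    "pat": re.compile(r"AZURE_DEVOPS_EXT_PAT|Authorization\W+Basic\b", re.I),
    "alert-read": re.compile(r"advsec\.dev\.azure\.com|/_apis/alert/", re.I),
    "entra-connection": re.compile(r"connectionType:\s*['\"]?azureDevOps", re.I),
}

def scan_pipeline(yaml_text):
    """Group rule hits per step; return steps that still use a PAT or build token."""
    steps, current = [], None
    for lineno, line in enumerate(yaml_text.splitlines(), 1):
        m = STEP.match(line)
        if m:  # a new step starts here; tasks are labelled by name, scripts by kind
            label = m.group(2).strip(" '\"") if m.group(1) == "task" else m.group(1)
            current = {"line": lineno, "step": label, "rules": set()}
            steps.append(current)
        if current is None or line.lstrip().startswith("#"):
            continue  # before the first step, or a comment line
        current["rules"] |= {n for n, rx in RULES.items() if rx.search(line)}
    findings = []
    for s in steps:
        if s["rules"] & {"build-identity-token", "pat"}:
            gate = {"build-identity-token", "alert-read"} <= s["rules"]  # alert gating via build token
            s["action"] = ("replace with Advanced Security status checks" if gate
                           else "move to an Azure DevOps service connection")
            findings.append(s)
    return findings

# Constructed sample pipeline; organization, project and variable names are made up.
SAMPLE = r'''
steps:
- pwsh: |
    $h = @{ Authorization = "Bearer $(System.AccessToken)" }
    $u = "https://advsec.dev.azure.com/contoso/app/_apis/alert/repositories/app/alerts"
    if ((Invoke-RestMethod -Uri $u -Headers $h).count -gt 0) { exit 1 }
- bash: az devops project list
  env:
    AZURE_DEVOPS_EXT_PAT: $(MyPat)
- task: AzureCLI@3
  inputs:
    connectionType: 'azureDevOps'
'''

for f in scan_pipeline(SAMPLE):
    print(f"line {f['line']} [{f['step']}] {sorted(f['rules'])}: {f['action']}")
```

The scan is line-based and does not parse YAML, so treat its output as a list of steps to review by hand rather than a complete inventory.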

More information

For more information on how to configure the Azure DevOps service connection, see the documentation.

Apple Silicon for macOS pipeline agents (pay-as-you-go preview)

We are making Apple Silicon macOS agents available in Azure Pipelines as a public preview. Starting with Apple Silicon, we will bring some of the same sizes available in GitHub Actions over to Azure Pipelines.

| Operating system | Hardware specification | Image | YAML VM image label | Pool |
|---|---|---|---|---|
| macOS 26 | Standard | macOS 26 arm64 | macos-26-arm64 | GitHub-hosted Agents |
| macOS 26 | XLarge | macOS 26 arm64 XL | macos-26-arm64-xl | GitHub-hosted Agents |

These agents use Pay-as-you-Go pricing with a per-minute rate tied to the size of the agent; see pricing.

To use the new agents, enable GitHub-hosted agents in billing settings:

Screenshot that shows how to enable pay-as-you-go pricing.

This will provision the new GitHub-hosted Agents pool used for Pay-as-you-Go agents.

Using Apple Silicon images

Once provisioned, you can use the Apple Silicon macos-26-arm64 image like this:

pool:
  name: 'GitHub-hosted Agents'
  vmImage: 'macos-26-arm64'
steps:
- bash: |
    echo Hello from macOS Tahoe arm64
    uname -a
    sw_vers

And for the even more powerful macos-26-arm64-xl image like this:

pool:
  name: 'GitHub-hosted Agents'
  vmImage: 'macos-26-arm64-xl'
steps:
- bash: |
    echo Hello from XL macOS Tahoe arm64
    uname -a
    hostinfo | grep memory

Monitoring per-minute usage

Pay-as-you-Go agents are charged per minute. To monitor the number of minutes used, the updated analytics tab of the GitHub-hosted Agents pool lets you view the number of minutes used per project, filter on image, and drill down on Agent SKU and pipeline:

Screenshot that shows how to use the analytics tab.

In Azure Cost Management you can track minutes used and break down the usage by Azure DevOps organization and project:

Screenshot that shows how to monitor pay-as-you-go cost.

You can leverage Azure Cost Management support for budgets and alerts to forecast and monitor your spend.

More information

For more information on how to enable Apple Silicon agents and agent specifications, review the GitHub-hosted agents documentation.

Azure Repos

Copilot code reviews for Azure Repos (limited public preview)

GitHub Copilot can now review pull requests directly in Azure Repos. When a pull request is ready for review, developers can request a Copilot review to analyze proposed changes and identify potential bugs, code quality issues, and maintainability concerns.

Feedback is provided directly in the pull request, helping teams catch issues earlier and improve code quality before merging.

Requesting a Copilot code review in Azure Repos

This feature is available through a limited public preview. Organizations interested in participating can sign up for the preview and, once approved, enable Copilot Code Reviews for their organization and repositories.

Enable commit comparison in branch compare page

You can now search for and select commits by SHA directly from the version picker on the branch compare page.

Previously, comparing commits required manually constructing a URL. With the new Commits tab in the version picker, commit-to-commit and branch-to-commit comparisons are available directly in the UI.

Commit comparison in branch compare page

Next steps

Note

These features will roll out over the next two to three weeks. Head over to Azure DevOps and take a look.

How to provide feedback

We would love to hear what you think about these features. Use the help menu to report a problem or provide a suggestion.

Make a suggestion

You can also get advice and your questions answered by the community on Stack Overflow.