Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Important
This feature of Azure SRE Agent is currently in preview. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Connect repositories hosted on GitHub Enterprise Cloud (<TENANT>.ghe.com) or github.com to your Azure SRE Agent by using a BYO (Bring Your Own) GitHub App. The agent mints short-lived installation tokens from your app's private key, which is stored in Azure Key Vault and never copied.
Note
BYO GitHub App works for both github.com and *.ghe.com hosts. For github.com with OAuth or PAT, see Set up GitHub connector.
When to use BYO GitHub App authentication
Use BYO App when:
- Your organization requires app-based authentication and key custody controls.
- You're connecting
*.ghe.comrepositories (required because OAuth and PAT aren't available for GHE hosts). - You want installation-token based access rather than user tokens.
Prerequisites
| Requirement | Details |
|---|---|
| Azure SRE Agent | An agent in Running state with Administrator or Standard User role |
| GitHub App | A GitHub App created on your target host (github.com or <TENANT>.ghe.com) |
| GitHub admin access | Org or repository admin access to create, install, or verify GitHub App scope |
| Azure Key Vault | A vault where you can store the GitHub App's private key |
| Managed identity | Ability to assign Key Vault Secrets User role to the agent's managed identity |
Create a GitHub app
If you already have a GitHub App with the right permissions, skip to Store the private key in Azure Key Vault.
- Go to your GitHub host:
github.com: Go to your org > Settings > Developer settings > GitHub Apps > New GitHub App<TENANT>.ghe.com: Same path on your GHE instance
- Fill in the app details:
- GitHub App name: for example,
sre-agent-reader - Homepage URL:
https://sre.azure.com - Webhook: Uncheck Active (the agent doesn't use webhooks)
- GitHub App name: for example,
- Under Permissions, set:
- Repository permissions > Contents: Read-only (required)
- Repository permissions > Metadata: Read-only (auto-selected)
- Optionally add Issues and Pull requests read access
- Under Where can this GitHub App be installed?, select Only on this account.
- Select Create GitHub App.
- Note the Client ID shown on the app settings page.
Install the GitHub app
- On the GitHub App settings page, select Install App in the left sidebar.
- Select your organization.
- Select All repositories or select specific repos.
- Select Install.
Generate a GitHub app private key
- On the GitHub App settings page, scroll to Private keys.
- Select Generate a private key.
- A
.pemfile downloads. This file is the RSA private key the agent uses to authenticate.
Caution
Keep the PEM safe. You upload it to Key Vault in the next step. Don't commit it to a repository, and don't share it.
Store the private key in Azure Key Vault
- Open the Azure portal and go to your Key Vault.
- Go to Secrets > Generate/Import.
- Set Name (for example,
sre-agent-github-app-key) and paste the full PEM content as the Value (including-----BEGIN RSA PRIVATE KEY-----and-----END RSA PRIVATE KEY-----headers). - Select Create.
- Open the secret, select the current version, and copy the Secret Identifier URI:
https://myvault.vault.azure.net/secrets/my-github-app-key/<VERSION>
Tip
Versioned vs. unversioned URI: You can use the versioned URI (with /<VERSION> suffix) to pin to a specific key version, or omit the version to always use the latest. Use the unversioned URI so that when you rotate the key, the agent automatically picks up the new version without updating the URI.
Grant Key Vault access to agent identity
- In the Azure portal, open Key Vault > Access control (IAM).
- Assign Key Vault Secrets User to the agent managed identity.
- Wait for role assignment to take effect.
Configure BYO app in code access
- Open your agent in the portal.
- Go to Builder > Code Access.
- Select Add repositories.
- Choose GitHub and enter the host:
github.comfor public GitHub<TENANT>.ghe.comfor Enterprise Cloud
- Continue to Authenticate.
- Select Bring your own GitHub App.
- Enter:
- Client ID
- Private key secret URI (Key Vault)
- Optional Key Vault identity (or keep system-assigned)
- Select Connect.
The wizard validates your credentials. When successful, you see Connected as GitHub App with a green checkmark.
Note
When you enter a *.ghe.com domain as the host, the wizard automatically selects Bring your own GitHub App. OAuth and PAT aren't available for GHE hosts.
Add repositories and verify the connection
- Select repositories and save.
- Confirm the Code Access card shows the connected host and auth type
GitHubApp. - Test in chat:
Get me recent issues from owner/repo.
Per-app managed identity for multiple GitHub apps
By default, the agent uses its system-assigned managed identity to read the private key from Key Vault. If you manage multiple GitHub Apps (for example, one per GHE instance), you can assign a different user-assigned managed identity to each app. This approach provides security isolation because each identity only has access to its own Key Vault secret.
Select the identity in the Key Vault identity dropdown during the configure step.
Multi-host support for GitHub connections
You can connect multiple GitHub hosts to the same agent. Each host has independent authentication:
github.com→ OAuth, PAT, or BYO Appcontoso.ghe.com→ BYO Appengineering.ghe.com→ BYO App (with a different GitHub App)
Disconnecting one host doesn't affect others.
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
| Auth validation fails | Wrong Client ID or wrong host | Verify app was created on the same host entered in Code Access. |
| Secret read fails | Missing Key Vault RBAC or access policy | Grant Key Vault Secrets User to agent identity. |
| Repo shows Failed in Code Access | Missing app permissions or install scope | Verify Metadata: Read + Contents: Read and installation scope. |
| Chat issues work but Code Access fails | Endpoint/path checks differ | Re-run connection test and verify metadata permission. |