## Azure DevOps integration Azure DevOps provides services for source control, work tracking, builds and releases, test plans, and package management. Integrating Azure DevOps with Frontegg allows your application to access projects, repositories, pipelines, work items, and pull requests on behalf of your users through Microsoft Entra ID OAuth 2.0. Prerequisites - A Microsoft Entra ID tenant with permission to register applications (typically through the Azure portal) - An Azure DevOps organization linked to the user's Entra tenant Use Microsoft Entra ID OAuth, not legacy Azure DevOps OAuth Microsoft retired the legacy Azure DevOps OAuth platform (`app.vssps.visualstudio.com`) and stopped accepting new registrations. New apps must register through **Microsoft Entra ID → App registrations** in the Azure portal, as described below. ### Connect Azure DevOps #### Step 1: Open the Azure portal Sign in to the [Azure portal](https://portal.azure.com) with an account that can register applications in your Microsoft Entra ID tenant. Use the top search bar to find **Microsoft Entra ID** and open it. ![Azure portal home](/assets/azure-devops-1.fe348b00ed9ca5b3eefe8ffb993b86a6ed7b70d28b8bc53c554290383544612f.1ce25488.png) #### Step 2: Open app registrations In the Microsoft Entra ID menu, select **App registrations**, then click **+ New registration** at the top of the page. ![Azure App registrations](/assets/azure-devops-2.dea2a323326bb0d3e7e926d5a50188177ce8a700f6e6b1ef3cbfe4ec720899c8.1ce25488.png) #### Step 3: Register the application Fill in the **Register an application** form: - **Name** — Enter a descriptive name (for example, `Frontegg Integration`) - **Supported account types** — Select **Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)** and then choose **Allow all tenants** so users from any Entra tenant can connect - **Redirect URI** — Choose **Web** as the platform and enter your Frontegg redirect URL: `https://YOUR_MCP_GATEWAY_URL/integration-callback` Click **Register** to create the application. ![Register Azure DevOps application](/assets/azure-devops-3.1a7e86ccf56f7b3d998ba8de39c3358d4c3a856840e852d219a28e6b89b644b2.1ce25488.png) #### Step 4: Copy the Application (client) ID After registration, the application **Overview** page opens. Copy the **Application (client) ID** — this is the Client ID you will paste into the Frontegg portal. ![Azure DevOps Application client ID](/assets/azure-devops-4.98b93db184efe0c79168e4ebe68bc9d0eaa9c4f2cf67c0517aa2258e842fb151.1ce25488.png) #### Step 5: Add Azure DevOps API permissions In the application's left sidebar, open **API permissions** and click **+ Add a permission**. In the **Microsoft APIs** tab, choose **Azure DevOps**. ![Azure DevOps API picker](/assets/azure-devops-5.e0b706eed88dfca3c9a9821b2d4962b66fd30a06d74c99f91cbc4b5162f3ab03.1ce25488.png) #### Step 6: Select the user_impersonation scope Choose **Delegated permissions**, then expand **Other permissions** and select **user_impersonation**. This grants the application access to Azure DevOps REST APIs on behalf of the signed-in user. Click **Add permissions**. Granular vs. user_impersonation The Azure DevOps API tile also exposes granular `vso.*` scopes (for example, `vso.code`, `vso.work`, `vso.build`). The `user_impersonation` permission is the Microsoft-recommended option for new Entra ID OAuth apps and lets the integration request the specific granular scopes it needs at sign-in time. ![Select user_impersonation permission](/assets/azure-devops-6.59704799c3b6c6d9d904d3094c0ef0e09dca541e43d8ac6b3a4fcb5bbf64a9b3.1ce25488.png) #### Step 7: Verify configured permissions The configured permissions list now shows **Azure DevOps → user_impersonation** alongside the default **Microsoft Graph → User.Read** permission. ![Configured permissions](/assets/azure-devops-7.ad87e9e1f636cde6343d481ef01796e6ec10d6b493ee63043aa919f92011e0dc.1ce25488.png) #### Step 8: Open Certificates & secrets In the application's left sidebar, open **Certificates & secrets**. Make sure the **Client secrets** tab is selected and click **+ New client secret**. ![Certificates and secrets](/assets/azure-devops-8.8a8ac3c1f4b93b3de73e3282e6ef6de437f4982b690f9c77a5d2c2868b6e74ed.1ce25488.png) #### Step 9: Create the client secret Enter a description (for example, `Frontegg Integration`) and choose an expiration period. Click **Add** to create the secret. ![Add client secret](/assets/azure-devops-9.d257986fa3ed305fb7b6dce1041d62e3441d07092e208632fa85c4f57b5d002c.1ce25488.png) #### Step 10: Copy the client secret value Immediately copy the **Value** column of the new secret using the copy icon — this value is shown only once and cannot be retrieved later. Store it securely and paste it into the Frontegg portal as the Client Secret. Copy the secret immediately The client secret value is hidden as soon as you leave this page. If you lose it, you must delete the secret and create a new one. ![Client secret value](/assets/azure-devops-10.53b9a799190cce95b889efa2eaad5cde6700f4a52c3be1dd16ab6f90957e862d.1ce25488.png) #### Step 11: Find your Azure DevOps organization slug Open [Azure DevOps](https://dev.azure.com) and select your organization. Open **Organization settings** → **Overview** — the organization slug is shown next to the **Name** field and in the URL `https://dev.azure.com/{organization}/`. For example, in `https://dev.azure.com/mycompany/`, the organization slug is `mycompany`. ![Azure DevOps organization](/assets/azure-devops-11.3d53a7e17f7cc3b3bf651042352948db377b36f2bb5087b8fe99a299aa9cd32a.1ce25488.png) ### Configure the Frontegg portal Once you have obtained your **Application (client) ID**, **client secret value**, and **Azure DevOps organization slug** from the steps above, enter them in the integration configuration page of the Frontegg portal: 1. Open the **Frontegg portal** and navigate to [ENVIRONMENT] → Integrations → Azure DevOps. 2. Enter the **Application (client) ID** as the Client ID and the **client secret value** as the Client Secret in the corresponding fields. 3. Enter your Azure DevOps organization slug in the **Azure DevOps organization** field (for example, `mycompany`). 4. Select the required **scopes**. 5. Click **Save**. Keep your credentials secure Never share or commit your client secret to version control. ### Additional resources - [Azure DevOps REST API reference](https://learn.microsoft.com/rest/api/azure/devops/) - [Microsoft Entra ID OAuth for Azure DevOps](https://learn.microsoft.com/azure/devops/integrate/get-started/authentication/entra-oauth) - [Register an application with the Microsoft identity platform](https://learn.microsoft.com/entra/identity-platform/quickstart-register-app) - [How to get your Redirect URL](/agen-for-work/connectors/redirect-url)