Azure DevOps

Overview

Arnica Integrates directly with your Azure DevOps application to help secure the development environment while identifying risks in real time - alerting your team and assisting with remediation actions. Arnica's integration is configurable allowing org-level provisioning or access to specified projects to extract the necessary data and take remediation actions.

Ensure service account continuity

Create a dedicated application user

It is suggested that your integration leverage a dedicated application user for access to ensure proper provisioning and access persistence.

According to Microsoft’s authentication guidance, Arnica’s Azure DevOps application shall be authorized via OAuth2 only.

While it is a good practice to login via Service Principal to services such as Azure DevOps, this functionality is not supported by Microsoft at this point. An interactive user is required in this case to authorize the access via the Authorization Code Flow.

Prerequisites

Control access in Azure DevOps

To configure the permissions of the Application User, follow the steps below for each Azure DevOps organization:

  1. Click on Organization Settings at the bottom left side of the main Azure DevOps page.

  2. Navigate to Users page and click on Add Users.

  3. Find your Application User, select a Basic access level, and click on Add.

  4. Navigate to the Security menu on the left side of the page, and click on Permissions, then click on the Users tab.

  5. Locate the Application User created in step 3, and click on it.

  6. Navigate to the tab "Member of" and add the user to Project Collection Service Accounts.

The permissions above are required for Arnica to provide accurate context and enable real-time security scanning capabilities.

Enable 3rd party application access

  1. Click on Organization Settings at the bottom left side of the main Azure DevOps page.

  2. Navigate to the Security menu on the left side of the page, and click on Policies.

  3. Under Application connection policies, Enable Third-party application via OAuth.

Perform the Integration

  1. Head back to Arnica's Integrations page.

  2. Locate Azure DevOps and click Connect.

  3. You will then be redirected to a consent page, Click Accept:

Azure DevOps Consent Page

  1. You will then be redirected to Arnica

  2. If the integration was successful, you should see the Azure DevOps integration under the Existing Integrations section:

PreviousSCM IntegrationsNextBitbucket Cloud

Last updated

Was this helpful?