Azure DevOps

Overview

Arnica’s Azure DevOps application accesses customers' selected environments to extract the necessary data and take remediation actions.

Ensure service account continuity

Create a dedicated application user

To avoid token revocation when the impersonated user leaves the organization, it is highly recommended to create a standard application user dedicated to this integration.

According to Microsoft’s authentication guidance, Arnica’s Azure DevOps application shall be authorized via OAuth2 only.

While it is good practice to log in to services such as Azure DevOps via a Service Principal, Microsoft does not support this for Azure DevOps OAuth2 authorization at this point. An interactive user is therefore required to authorize the access via the Authorization Code Flow.

Prerequisites

Control access in Azure DevOps

To configure the permissions of the Application User, follow the steps below for each Azure DevOps organization:

  1. Click on Organization Settings at the bottom left side of the main Azure DevOps page.

  2. Navigate to the Users page and click on Add Users.

  3. Find your Application User, select a Basic access level, and click on Add.

  4. Navigate to the Permissions menu on the left side of the page and click on Users.

  5. Find the Application User and click on it.

  6. Navigate to the "Member of" tab and add the user to Project Collection Service Accounts.

The permissions above are required for Arnica to provide accurate context and enable real-time security scanning capabilities.
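To confirm that an Application User ended up with exactly the access described above (Basic access level, membership in Project Collection Service Accounts, and nothing more), here is an added Python check that is not part of Arnica's documentation. It assumes the three Azure DevOps REST responses named in the docstring (user entitlements, Graph memberships, Graph groups) and uses constructed sample payloads so it runs offline.

```python
REQUIRED_GROUP = "Project Collection Service Accounts"
# Every organization user is placed in Valid Users automatically, so it is not "extra".
IMPLICIT_GROUPS = {REQUIRED_GROUP, "Project Collection Valid Users"}
BASIC_LICENSE = "express"  # accountLicenseType value Azure DevOps reports for "Basic"


def audit_application_user(entitlement: dict, memberships: list, groups: list) -> dict:
    """Return findings for one user (API endpoints below are assumptions).

    entitlement: one item from GET vsaex.dev.azure.com/{org}/_apis/userentitlements
    memberships: GET vssps.dev.azure.com/{org}/_apis/graph/memberships/{user}?direction=up
    groups:      GET vssps.dev.azure.com/{org}/_apis/graph/groups
    """
    name_by_descriptor = {g["descriptor"]: g["displayName"] for g in groups}
    member_of = sorted(
        name_by_descriptor.get(m["containerDescriptor"], m["containerDescriptor"])
        for m in memberships
    )
    license_type = entitlement.get("accessLevel", {}).get("accountLicenseType")
    return {
        "basic_access": license_type == BASIC_LICENSE,
        "in_service_accounts_group": REQUIRED_GROUP in member_of,
        # Any group beyond the documented requirement is a least-privilege finding.
        "extra_groups": [g for g in member_of if g not in IMPLICIT_GROUPS],
    }


# Constructed sample payloads: an Application User added with Basic access and placed
# in Project Collection Service Accounts, plus one surplus administrators membership.
SAMPLE_ENTITLEMENT = {
    "user": {"principalName": "arnica-app@example.com", "descriptor": "aad.user1"},
    "accessLevel": {"accountLicenseType": "express", "licenseDisplayName": "Basic"},
}
SAMPLE_GROUPS = [
    {"descriptor": "vssgp.svc", "displayName": "Project Collection Service Accounts"},
    {"descriptor": "vssgp.admin", "displayName": "Project Collection Administrators"},
    {"descriptor": "vssgp.valid", "displayName": "Project Collection Valid Users"},
]
SAMPLE_MEMBERSHIPS = [
    {"memberDescriptor": "aad.user1", "containerDescriptor": "vssgp.svc"},
    {"memberDescriptor": "aad.user1", "containerDescriptor": "vssgp.admin"},
    {"memberDescriptor": "aad.user1", "containerDescriptor": "vssgp.valid"},
]

if __name__ == "__main__":
    for key, value in audit_application_user(
        SAMPLE_ENTITLEMENT, SAMPLE_MEMBERSHIPS, SAMPLE_GROUPS
    ).items():
        print(f"{key}: {value}")
```

Against a live organization, feed the same function the JSON returned by the three calls named in the docstring; a non-empty extra_groups list means the user holds more than the setup above requires.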

Enable 3rd party application access

  1. Click on Organization Settings at the bottom left side of the main Azure DevOps page.

  2. Go to the Policies page and, under the Application Connection Policies category, validate that Third-party application via OAuth is enabled.
