Skip to content

Azure DevOps

The Azure DevOps Integration provides SailPoint Entro with continuous, read-only visibility into repositories, pipelines, and projects across your Azure DevOps organization. It enables automatic detection of exposed secrets, misconfigured credentials, and high-risk tokens within source code and CI/CD environments.

Management → Accounts & Integrations → Add New Account (top right) → Azure DevOps

Purpose

Azure DevOps often contains sensitive data embedded in:

  • Pipeline variables and YAML definitions

  • Repository code and configuration files

  • Build scripts and deployment manifests

SailPoint Entro scans these components securely to identify and alert on exposed secrets before they can be exploited.

Supported Resources

Once connected, SailPoint Entro analyzes:

  • Repositories (including all active branches and commits)

  • Pipelines and build definitions

  • Service connections and automation tokens

  • Variable groups and project configurations

Architecture

+-------------------+          +-----------------------+
|   Entro Console   |          |    Azure DevOps API   |
|  (Control Plane)  | <------> |   (Projects/Users)    |
+-------------------+          +-----------------------+
          ^                                ^
          |          +-----------+         |
          +--------> | Entra ID  | <-------+
                     | (App Reg) |
                     +-----------+

SailPoint Entro communicates with Azure DevOps using OAuth 2.0 bearer tokens generated via the Microsoft Identity Platform.

Security Model

  • All communication occurs via HTTPS/TLS 1.2+
  • SailPoint Entro performs no write or modification actions
  • Client secret can be revoked anytime via the SailPoint Entro application in Entra ID

Integration Flow

  1. Add SailPoint Entro Application to Azure DevOps Org

    Add the integrated SailPoint Entro application (Service Principal) to the Azure DevOps organization and assign the relevant projects and groups.

  2. Submit Application Details to SailPoint Entro

    Provide the SailPoint Entro application details and client secret.

  3. SailPoint Entro validates access

    SailPoint Entro validates the client secret and the permitted scopes.

  4. Scanning begins

    SailPoint Entro begins scanning connected repositories, pipelines, and configurations.

  5. Findings in SailPoint Entro Console

    Findings appear in the SailPoint Entro Console with metadata and remediation guidance.