Skip to content

Azure DevOps Onboarding

The Azure DevOps Integration securely connects your Azure DevOps organization with SailPoint Entro to enable continuous scanning of repositories, pipelines, and configurations for exposed secrets. This section describes the setup process, prerequisites, and connection steps.


Integration Prerequisites

Before onboarding, ensure the following:

  • An App Registration created in Entra ID (e.g., "Entro App").

  • The Client ID, Client Secret, and Tenant ID for the application.

  • Organization Administrator rights in Azure DevOps.


To connect Azure DevOps to SailPoint Entro:

  1. Azure DevOps Configuration

    To allow SailPoint Entro to scan your projects, you must add the App Registration as a user within your Azure DevOps organization:

    1. Navigate to Organization SettingsUsers.

    2. Select Add users.

    3. In the Users or Service Principals field, search for and select your Entro App.

    4. Set Access level to Basic.

    5. In the Add to projects field, select all relevant projects you wish SailPoint Entro to monitor.

    6. Set Azure DevOps Groups to Project Readers.

    7. Ensure Send email invites is unchecked (service principals do not require email invites).

    8. Select Add.

  2. Connect to SailPoint Entro

    1. Navigate: Management → Accounts & Integrations → Add New Account (top right) → Azure DevOps.

    2. Fill in the following fields:

      • Environment Nickname: A descriptive name (e.g., ADO-PROD).

      • Tenant ID: Your Microsoft Entra Tenant ID.

      • Client ID: The Application ID of the Entro App.

      • Client Secret: A valid secret generated for the App Registration.

    3. Worker Group (Connector): Choose the appropriate group to run the scans.

    4. Select Create Account.

  3. Validation and Scanning

    Once connected:

    • SailPoint Entro validates the client secret via Entra ID (Application Registration) API

    • Access is confirmed as read-only

    • Scanning begins automatically across repositories and pipelines

    • Findings appear in your SailPoint Entro Console with metadata and severity context

Security Notes

  • All operations occur over HTTPS/TLS 1.2+
  • SailPoint Entro performs read-only operations; no data is modified
  • Client secret can be revoked anytime via the SailPoint Entro application in Entra ID