Azure DevOps Onboarding
The Azure DevOps Integration securely connects your Azure DevOps organization with SailPoint Entro to enable continuous scanning of repositories, pipelines, and configurations for exposed secrets. This section describes the setup process, prerequisites, and connection steps.
Integration Prerequisites
Before onboarding, ensure the following:
-
An App Registration created in Entra ID (e.g., "Entro App").
-
The Client ID, Client Secret, and Tenant ID for the application.
-
Organization Administrator rights in Azure DevOps.
To connect Azure DevOps to SailPoint Entro:
-
Azure DevOps Configuration
To allow SailPoint Entro to scan your projects, you must add the App Registration as a user within your Azure DevOps organization:
-
Navigate to Organization Settings → Users.
-
Select Add users.
-
In the Users or Service Principals field, search for and select your Entro App.
-
Set Access level to
Basic. -
In the Add to projects field, select all relevant projects you wish SailPoint Entro to monitor.
-
Set Azure DevOps Groups to
Project Readers. -
Ensure Send email invites is unchecked (service principals do not require email invites).
-
Select Add.
-
-
Connect to SailPoint Entro
-
Navigate: Management → Accounts & Integrations → Add New Account (top right) → Azure DevOps.
-
Fill in the following fields:
-
Environment Nickname: A descriptive name (e.g.,
ADO-PROD). -
Tenant ID: Your Microsoft Entra Tenant ID.
-
Client ID: The Application ID of the Entro App.
-
Client Secret: A valid secret generated for the App Registration.
-
-
Worker Group (Connector): Choose the appropriate group to run the scans.
-
Select Create Account.
-
-
Validation and Scanning
Once connected:
-
SailPoint Entro validates the client secret via Entra ID (Application Registration) API
-
Access is confirmed as read-only
-
Scanning begins automatically across repositories and pipelines
-
Findings appear in your SailPoint Entro Console with metadata and severity context
-
Security Notes
- All operations occur over HTTPS/TLS 1.2+
- SailPoint Entro performs read-only operations; no data is modified
- Client secret can be revoked anytime via the SailPoint Entro application in Entra ID