Skip to content

Azure DevOps

Personal Access Token

Service Name: Azure DevOps

Service Description: Azure DevOps is a Microsoft product that provides version control, reporting, requirements management, project management, automated builds, testing and release management capabilities. It covers the entire application lifecycle and enables DevOps capabilities.

Service Address: https://dev.azure.com/

Validation Type: API Auth, NHI Enriched

IP Allow list: IP restrictions can be configured at the organization level through Azure DevOps security policies.

Secret Access Scope: Grants programmatic access to Azure DevOps resources and services based on the scopes defined during token creation (repositories, builds, work items, etc.).

Secret Revokement URL: https://dev.azure.com/{organization}/_usersSettings/tokens

Secret Example: 52nu7knpz6qbjtmdvxzogjtdwfmwbzrxgenwk3lf4tdenxad5xzq

Suspicious Activity Investigation Instructions:

  • Review Azure DevOps audit logs for unusual API calls or resource access.
  • Check for unauthorized repository clones, code changes, or pipeline executions.
  • Monitor for unexpected project modifications or permission changes.
  • Review access patterns and geographic locations of token usage.
  • Check for unusual build or release pipeline modifications.

Mitigation Instructions:

  • Navigate to Azure DevOps and go to your user profile (top right corner).
  • Select "Personal access tokens" from the user settings menu.
  • Find the compromised token in the list.
  • Click on the "Revoke" button next to the token.
  • Create a new token with appropriate scopes if needed.
  • Review all repositories for unauthorized changes.
  • Check pipeline configurations for unauthorized modifications.
  • Review organization security policies and consider implementing IP restrictions.
  • Consider enabling additional security features like conditional access policies if using Azure AD.