Skip to content

Azure Pipelines OAuth Tokens

Service Name: Azure DevOps

Service Description: Azure DevOps is a Microsoft product that provides version control, reporting, requirements management, project management, automated builds, testing, and release management capabilities. Azure Pipelines is a cloud service that automatically builds and tests code projects and makes them available to other users.

Service Address: https://dev.azure.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the organization level through Azure DevOps IP address restrictions.

Secret Access Scope: Grants access to Azure DevOps resources including repositories, build pipelines, release pipelines, and other Azure DevOps services based on the permissions assigned to the token.

Secret Revokement URL: https://dev.azure.com/[organization]/_usersSettings/tokens

Secret Example: 52nu7xgkqvlryz4fz6ccwxoapfhsdf3c3wmv3sx2p4i4yzrrzwwq

Suspicious Activity Investigation Instructions:

  • Review Azure DevOps audit logs for unusual activity or access patterns
  • Check for unauthorized pipeline runs or modifications to existing pipelines
  • Monitor for unexpected code commits or repository access
  • Review any changes to build or release definitions
  • Check for unusual API calls made using the token
  • Verify if the token was used from unexpected IP addresses or locations

Mitigation Instructions:

  • Navigate to the Azure DevOps portal (dev.azure.com).
  • Go to User Settings (upper-right corner) > Personal access tokens.
  • Locate the compromised token in the list.
  • Select Revoke next to the token.
  • Create a new token with appropriate scopes if needed.
  • Review and update any applications or services that were using the revoked token.
  • Consider implementing shorter token lifetimes for future tokens
  • Enable conditional access policies if available in your Azure AD tenant
  • Review permissions assigned to service connections and adjust if necessary