Azure Pipelines OAuth Tokens
Service Name: Azure DevOps
Service Description: Azure DevOps is a Microsoft product that provides version control, reporting, requirements management, project management, automated builds, testing, and release management capabilities. Azure Pipelines is a cloud service that automatically builds and tests code projects and makes them available to other users.
Service Address: https://dev.azure.com/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the organization level through Azure DevOps IP address restrictions.
Secret Access Scope: Grants access to Azure DevOps resources including repositories, build pipelines, release pipelines, and other Azure DevOps services based on the permissions assigned to the token.
Secret Revokement URL: https://dev.azure.com/[organization]/_usersSettings/tokens
Secret Example: 52nu7xgkqvlryz4fz6ccwxoapfhsdf3c3wmv3sx2p4i4yzrrzwwq
Suspicious Activity Investigation Instructions:
- Review Azure DevOps audit logs for unusual activity or access patterns
- Check for unauthorized pipeline runs or modifications to existing pipelines
- Monitor for unexpected code commits or repository access
- Review any changes to build or release definitions
- Check for unusual API calls made using the token
- Verify if the token was used from unexpected IP addresses or locations
Mitigation Instructions:
- Navigate to the Azure DevOps portal (dev.azure.com).
- Go to User Settings (upper-right corner) > Personal access tokens.
- Locate the compromised token in the list.
- Select Revoke next to the token.
- Create a new token with appropriate scopes if needed.
- Review and update any applications or services that were using the revoked token.
- Consider implementing shorter token lifetimes for future tokens
- Enable conditional access policies if available in your Azure AD tenant
- Review permissions assigned to service connections and adjust if necessary