# Azure DevOps

**Note:** Azure DevOps integrations require a Pro plan. If you haven't upgraded yet, please upgrade your plan [here](https://solidityscan.com/billing).

This guide explains how to prepare your Azure DevOps environment so SolidityScan can scan your repositories.

***

## Prerequisites

Before connecting SolidityScan to Azure DevOps, complete the steps below in order.

***

## Step 1 - Create User in Microsoft Entra (Azure AD)

Create a dedicated service user for SolidityScan integration.

1. Open **Microsoft Entra Admin Center**: <https://entra.microsoft.com>
2. Navigate to: **Users** → **New user** → **Create new user**
3. Create a dedicated user, for example: `solidityscan@yourcompany.onmicrosoft.com`

**IMPORTANT:** The account used to connect Azure DevOps must be an **Entra (Azure AD) work user**, not a personal Microsoft account.

Also ensure:

* **User type** = **Member** (not Guest)
* This user will later appear inside Azure DevOps automatically once invited

***

## Step 2 - Add User to Azure DevOps Organization

Add the Entra user into your Azure DevOps organization.

1. Open your Azure DevOps organization: `https://dev.azure.com/YOUR_ORG`
2. Navigate to: **Organization Settings** → **Users** → **Add users**
3. Add the Entra user you created.

**CRITICAL:** **Access Level** must be **Basic**.

When adding the user, use these settings:

| Setting      | Required Value       |
| ------------ | -------------------- |
| User Type    | Member               |
| Access Level | **Basic** (required) |

Do **not** select **Stakeholder** - this access level will cause integration failures.

***

## Step 3 - Give Project Access

Grant the service user access to the specific project.

1. Navigate to: **Project Settings** → **Permissions** → **Contributors** group
2. Click: **Members** → **Add** → Add the user

This grants project-level access to the SolidityScan service user.

***

## Step 4 - Give Repository Permissions

**VERY IMPORTANT:** This step is commonly missed and will cause scan failures even when OAuth is working.

1. Navigate to: **Project Settings** → **Repositories** → **Your Repository** → **Security**
2. Search for and add the user: `solidityscan@yourcompany.onmicrosoft.com`
3. Set the following permissions to **Allow**:

| Permission                     | Required |
| ------------------------------ | -------- |
| Read                           | Allow    |
| Contribute                     | Allow    |
| Read & execute                 | Allow    |
| View project-level information | Allow    |

**Minimum requirement:** Repo **Read** access must be allowed. Without repo permission, OAuth works but repo APIs return **401 Unauthorized**.

***

## Step 5 - Allow Third-Party OAuth Apps

1. Navigate to: **Organization Settings** → **Policies**
2. Enable: **Allow third-party application access via OAuth**

This allows SolidityScan to authenticate and access Azure DevOps on behalf of the connected user.

***

## Step 6 - Connect Azure DevOps in SolidityScan

In the SolidityScan application:

1. Log in to SolidityScan
2. Go to **Integrations**
3. Click **Connect Azure DevOps**
4. Log in using the Entra user created in Step 1
5. Accept the required permissions

***

## Step 7 - Final One-Time Authorization

After connecting, open your Azure DevOps organization at least once in a browser:

`https://dev.azure.com/YOUR_ORG`

This completes the OAuth authorization flow.

***

## Where Will the User Appear?

After setup, the service user exists in two places:

| Location                  | Purpose                       |
| ------------------------- | ----------------------------- |
| Microsoft Entra           | Identity and login account    |
| Azure DevOps Organization | Repository and project access |

Both are required for a successful integration.

***

## Common Errors and Causes

| Error                      | Cause                                     |
| -------------------------- | ----------------------------------------- |
| 401 Unauthorized           | Access level is not set to Basic          |
| Repository not visible     | User not added to repository security     |
| Repository list empty      | User was added as Guest instead of Member |
| OAuth works but scan fails | Repository permission not configured      |

***

## Final Checklist

Before connecting SolidityScan, confirm all of the following:

* [ ] Entra user created as a work account (not personal Microsoft account)
* [ ] User added to Azure DevOps Organization
* [ ] Access Level set to **Basic**
* [ ] User added to **Contributors** group in Project Settings
* [ ] User added to **Repository Security** with **Read** permission


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://apidoc.solidityscan.com/solidityscan-security-api/integrations/azure-devops.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.