Admin: Azure DevOps Integration
This guide explains how Azure DevOps integration works in AZExecute, what administrators must configure at tenant level, and how application owners connect individual applications to DevOps service connections for automated secret updates.
How It Works
Azure DevOps integration has two layers:
1. Tenant-level enablement in System Settings controls whether Azure DevOps options are available in application configuration.
2. Per-application configuration binds one application to one DevOps organization, one project, and one service connection.
During secret rotation, the platform updates credentials on the configured DevOps service connection for that application.
Tenant-Level Settings (System → Azure DevOps)
DevOps Integration
Master toggle that enables Azure DevOps integration capabilities in the application configuration experience.
Use ServicePrincipal for connections
Controls the tenant configuration mode together with PAT validation rules in admin settings.
Azure DevOps Personal Access Token
Required by validation when Use ServicePrincipal for connections is disabled. The value is stored encrypted in tenant settings.
Include Home Tenant Organizations
When users sign in as guest users, this option includes organizations from their home tenant in the organization picker.
Per-Application Configuration Flow
Application owners configure DevOps integration in the application secret settings dialog.
1. Enable Azure DevOps Integration on the application.
2. Select Organization (grouped by tenant where available).
3. Select Project.
4. Pass permission checks (Project/Endpoint/Project Collection Administrators).
5. Select a supported Service Connection.
6. Save application settings.
Supported Service Connection Types
The selector allows only service connection types that the current credential refresh logic can update.
• azurerm (manual service principal secret)
• dockerregistry with registry type Others
Permissions and Access Requirements
Project and service-connection visibility depends on user membership and consent.
• The user must have consent to access Azure DevOps APIs for the tenant.
• The user must be a member of one of: Endpoint Administrators, Project Administrators, or Project Collection Administrators.
• Without the required membership, project selection is blocked with a warning and service connections are not loaded.
Secret Rotation Behavior
When an application secret is rotated and DevOps integration is enabled for that application, the backend updates the target service connection credential.
• For azurerm, the service principal key parameter is replaced.
• For supported docker registry connections, the password parameter is replaced.
• The operation is logged in the application rotation flow output.
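The supported-type filter and the per-type secret replacement described under Supported Service Connection Types and Secret Rotation Behavior, sketched as an added example (not AZExecute's own code). The field names creationMode, registrytype and authenticationType and the scheme values are assumed to match Azure DevOps service endpoint JSON; the function names and sample endpoints are constructed.

```python
import copy

# Constructed sample endpoints shaped like Azure DevOps service endpoint JSON.
SAMPLES = [
    {"name": "arm-manual", "type": "azurerm", "data": {"creationMode": "Manual"},
     "authorization": {"scheme": "ServicePrincipal", "parameters": {
         "authenticationType": "spnKey", "serviceprincipalkey": None}}},
    {"name": "arm-federated", "type": "azurerm", "data": {"creationMode": "Manual"},
     "authorization": {"scheme": "WorkloadIdentityFederation", "parameters": {}}},
    {"name": "registry-others", "type": "dockerregistry",
     "data": {"registrytype": "Others"},
     "authorization": {"scheme": "UsernamePassword", "parameters": {
         "username": "svc", "password": None}}},
    {"name": "registry-acr", "type": "dockerregistry", "data": {"registrytype": "ACR"},
     "authorization": {"scheme": "ServicePrincipal", "parameters": {}}},
]


def secret_parameter(endpoint):
    """Name of the authorization parameter rotation replaces, or None if unsupported."""
    data = endpoint.get("data") or {}
    auth = endpoint.get("authorization") or {}
    params = auth.get("parameters") or {}
    etype = (endpoint.get("type") or "").lower()
    if etype == "azurerm":
        # Assumed mapping of "manual service principal secret" onto endpoint fields.
        if (auth.get("scheme") == "ServicePrincipal"
                and data.get("creationMode") == "Manual"
                and params.get("authenticationType") != "spnCertificate"):
            return "serviceprincipalkey"
    elif etype == "dockerregistry" and data.get("registrytype") == "Others":
        return "password"
    return None


def rotated_payload(endpoint, new_secret):
    """Copy of the endpoint with only the secret parameter replaced."""
    param = secret_parameter(endpoint)
    if param is None:
        raise ValueError(f"unsupported service connection: {endpoint.get('name')}")
    updated = copy.deepcopy(endpoint)
    updated.setdefault("authorization", {}).setdefault("parameters", {})[param] = new_secret
    return updated


def redact(endpoint):
    """Copy that is safe to write to rotation logs: the secret is masked."""
    safe, param = copy.deepcopy(endpoint), secret_parameter(endpoint)
    if param:
        safe.setdefault("authorization", {}).setdefault("parameters", {})[param] = "***"
    return safe
```

Unsupported connections raise instead of being silently skipped, so a rotation that cannot reach its service connection shows up as a failure rather than leaving a stale credential in place.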
Troubleshooting
No organizations shown
Verify tenant consent for Azure DevOps API access and confirm the signed-in user has access to at least one organization.
Project appears but cannot be selected for service connections
The user likely lacks the required admin group membership in that project. Assign the Endpoint Administrators or Project Administrators role.
Service connection disabled in selector
The connection type is not currently supported for secret credential refresh in this flow.
Validation blocks save when ServicePrincipal mode is off
Provide a PAT in tenant Azure DevOps settings, then save again.
If you encounter any issues or need further assistance, please contact us at info@azexecute.com. Our support team is here to help you.