✨ Software.com is now Antenna. Read more →
Skip to Content
IntegrationsGitAzure DevOps

Azure DevOps

Our Azure DevOps integration collects metadata about your organization’s activity across repositories, pull requests, and deployments. We never read, transmit, or store source code. Sensitive data, such as branch names and pull request titles, are always encrypted.

Permissions

We request only the necessary permissions to analyze Git metadata. Below is a description of the scopes requested when connecting to Azure DevOps:

  • Build: Read access to build artifacts, including build results
  • Code: Read access to source code and metadata about commits, changesets, branches, and other version control artifacts
  • Code (status): Ability to read and write commit and pull request status
  • Member Entitlement Manager: Read access to users
  • Project and Team: Read access to projects and teams
  • Release: Read access to release artifacts

You can learn more about scopes for Azure DevOps in Microsoft’s documentation .

Connecting Azure DevOps

There are two primary methods to connect your Azure DevOps organization.

Important

You must be an Entra admin or able to install Microsoft Entra enterprise applications. If you do not have permissions, you may need to request approval before you can install our application. You must have access to a “Service Account” dedicated to installing Azure DevOps apps (if preferred over using a personal account).

Option 1: Connect Using a Personal Account

This method is the simplest and fastest way to get started. It uses the personal credentials of an existing user in Azure DevOps to establish the connection.

The user who connects should have “Project Collection Administrator” or “Organization Owner” permissions in order to provide access to all the repositories in your organization.

A disadvantage of this approach is that the connection is linked to an individual’s account. If that user leaves the company or their permissions are changed, the integration will break and must be re-established by another owner.

Create an account

Sign up for an Antenna account .

Connect to Azure DevOps

If you have not yet connected a Git provider, you can connect to Azure DevOps by clicking the Azure DevOps icon on the Connect Git page. You can also navigate to Settings, then Connected Apps to view available integrations.

Sign in and authorize

Sign in to Azure DevOps using your personal Azure DevOps account. Authorize Antenna to access your Azure DevOps organization. Once authorized, we will start backfilling your historical data.

Option 2: Connect as a “Service Account”

This method involves creating a dedicated user account in your Azure DevOps organization (e.g., svc-software-com@yourcompany.com ) solely for this integration.

In this setup, the integration is not tied to an individual person, so it will not break due to personnel changes; however, it will consume an extra paid user license in Azure DevOps.

Create a new user account

Create a new user account in your Microsoft Entra ID or Active Directory that is connected to your Azure DevOps organization.

  • Add the user to your Azure DevOps organization:
  • Navigate to Organization Settings > Users and click Add users.
  • Add the new service account user (e.g., svc-software-com@yourcompany.com ).
  • Set the Access level to “Basic”. This will consume one license.

Grant Administrator permissions

Navigate to Organization Settings > Permissions.

  • Select the Project Collection Service Accounts group.
  • Click the Members tab, then Add, and add the new service account user to this group.

Connect in the Antenna app

Complete the same steps as in Option #1, but use the credentials of this newly created service account to establish the connection when connecting ADO.

Option 3: Connect as a Service Account Without Project Collection Access

Some organizations prefer not to grant the broad permissions that come with the Project Collection Service Accounts group. In that case, you can instead give the service account explicit access to only the projects and repositories you want to analyze.

This approach follows the principle of least privilege — the service account can only read the specific projects you choose, rather than having organization-wide visibility. The tradeoff is that you must manually grant access for each project.

Important

Without Basic access (or higher) and explicit repository permissions, a service account may only be able to see users and groups but not repositories. Project membership alone is not enough — Stakeholder access cannot read private project repos.

Create a service account with Basic access

Follow the same steps as in Option #2 to create a new user account, but set the Access level to “Basic” (this will consume one license). Do not add the account to the Project Collection Service Accounts group.

Add the service account to each project

Navigate to the Project Settings of each Azure DevOps project you want to analyze. Under General > Teams or Permissions, add the service account as a member of the project.

Grant repository Read access

For each project, grant the service account read access to repositories. You can do this in one of two ways:

  • Via a group: Add the service account to the project’s Readers or Contributors group, which includes repository read permissions by default.
  • Explicitly: Navigate to Project Settings > Repositories > Security > All repositories and grant the service account Read access directly.

Grant pipeline and release access (optional)

If you want deployment metrics (e.g., release frequency, lead time to deploy), ensure the service account also has read access to Pipelines, Builds, and Releases for each project.

Connect in the Antenna app

Complete the same steps as in Option #1, but use the credentials of this service account to establish the connection.

Steps to Approve a Request (Entra Admin) in Azure AD

Note

Once approved, the user who initially tried to connect Azure DevOps can repeat the same steps in Option #1 or Option #2 to connect Azure DevOps to Antenna.

If your organization requires Admin approval to install Enterprise Apps into Azure AD, follow these instructions to approve the application.

  1. Sign in to the Azure Portal  with your Azure AD administrator credentials. You will need to have at least a Cloud Application Administrator role to review and act on these requests.
  2. Navigate to Azure Active Directory in the left-hand navigation pane.
  3. In the left-hand navigation pane, go to Identity > Applications > Enterprise applications.
  4. Under the Activity section, select Admin consent requests.
  5. Select the Antenna application from the list of pending requests.
  6. Go to the Review permissions and consent tab.
  7. Click Grant Admin Consent to approve the request.

Once approved, all users who requested the app will be notified, and the application will be available for use by all users in the tenant unless you have configured it to require user assignment.

Last updated on