Azure DevOps

Supported on Enterprise plans.

Available via the Web app.

Site admins can sync Git repositories hosted on Azure DevOps with Sourcegraph so that users can search and navigate the repositories.

To connect Azure DevOps to Sourcegraph, create a personal access token from your user settings page by following the below steps:

  1. Navigate to the Personal Access Tokens page from the user settings.

Visit the Personal Access Tokens page

  1. Click on New Token.

Click on New Token

  1. Under the Organization menu, select All accessible organizations to allow access to all organizations. This is required to be able to perform connection checks from the code host page and to sync repositories from multiple organizations. Alternatively, site admins may also create a unique user that has access to only the selective organizations that they would like to sync with Sourcegraph. However the token being created must have access to All accessible organizations as shown below.

Select All accessible organizations

  1. Select the following scopes:

    • Code (Read)
    • Project and Team
    • User Profile

Next, configure the code host connection by following the next steps:

  1. Go to Site admin > Manage code hosts > Add repositories.

  2. Select Azure DevOps.

  3. Provide a configuration for the Azure DevOps code host connection. Here is an example configuration:

    JSON
    {
  "url": "https://dev.azure.com/",
  "username": "<admin username>",
  "token": "<admin token>",
  "projects": ["org1/project1"],
  "orgs": ["org2"]
}

  4. Select Add repositories.

Repository syncing

Currently, all repositories belonging to the configured organizations/projects will be synced.

In addition, you may exclude one or more repositories by setting the exclude field in the code host connection.

HTTPS cloning

Sourcegraph clones repositories from Azure DevOps via HTTP(S), using the username and token required fields you provide in the configuration.

Configuration

Azure DevOps connections support the following configuration options, which are specified in the JSON editor in the site admin "Manage code hosts" area.

admin/code_hosts/azuredevops.schema.json

JSON
{
	// A flag to enforce Azure DevOps repository access permissions
	"enforcePermissions": false,
 
	// A list of repositories to never mirror from Azure DevOps Services.
	"exclude": null,
	// Other example values:
	// - [
	//     {
	//       "name": "myorg/myproject/myrepo"
	//     }
	//   ]
	// - [
	//     {
	//       "name": "myorg/myproject/myrepo"
	//     },
	//     {
	//       "name": "myorg/myproject/myotherrepo"
	//     },
	//     {
	//       "pattern": "^topsecretproject/.*"
	//     }
	//   ]
 
	// The type of Git URLs to use for cloning and fetching Git repositories.
	//
	// If "http", Sourcegraph will access repositories using Git URLs of the form http(s)://dev.azure.com/myrepo.git.
	//
	// If "ssh", Sourcegraph will access repositories using Git URLs of the form [email protected]:v3/myrepo. See the documentation for how to provide SSH private keys and known_hosts: https://sourcegraph.com/docs/admin/repo/auth#repositories-that-need-http-s-or-ssh-authentication.
	"gitURLType": "http",
 
	// An array of organization names identifying Azure DevOps organizations whose repositories should be mirrored on Sourcegraph.
	"orgs": null,
	// Other example values:
	// - ["name"]
	// - [
	//     "kubernetes",
	//     "golang",
	//     "facebook"
	//   ]
 
	// An array of projects "org/project" strings specifying which Azure DevOps projects' repositories should be mirrored on Sourcegraph.
	"projects": null,
	// Other example values:
	// - ["org/project"]
 
	// The Personal Access Token associated with the Azure DevOps username used for authentication.
	"token": null,
 
	// URL for Azure DevOps Services, set to https://dev.azure.com.
	"url": null,
	// Other example values:
	// - "https://dev.azure.com"
 
	// A username for authentication with the Azure DevOps code host.
	"username": null
}

Configuration Notes

Token Requirements

  • Personal Access Token must have All accessible organizations scope to support connection checks and multi-organization syncing
  • Required scopes: Code (Read), Project and Team, User Profile
  • Consider creating a dedicated service account with minimal required permissions for production deployments

Organization Access

Azure DevOps connections support both organization-level and project-level syncing:

  • Use "orgs": ["org1", "org2"] to sync all repositories from specific organizations
  • Use "projects": ["org1/project1", "org2/project2"] for granular project-level control
  • Both options can be combined in a single configuration

Repository Exclusion

The exclude configuration supports both exact name matching and pattern-based exclusion:

  • Exact match: {"name": "myorg/myproject/myrepo"}
  • Pattern match: {"pattern": "^topsecretproject/.*"}

Security Considerations

Access Control

  • Permissions Enforcement: Set "enforcePermissions": true to sync user-level access controls from Azure DevOps
  • OAuth Configuration: Required for permission syncing - users must authenticate with Azure DevOps OAuth
  • Third-party OAuth: Must be enabled in Azure DevOps organization settings under Security → Policies

Credential Management

  • Store Personal Access Tokens securely using Sourcegraph's secret management
  • Regularly rotate tokens according to your organization's security policies
  • Use dedicated service accounts rather than personal user accounts for production

Network Security

  • Ensure HTTPS-only communication by using "gitURLType": "http" with HTTPS URLs
  • For SSH access, properly manage SSH keys and known_hosts configuration
  • Configure firewall rules to allow Sourcegraph access to Azure DevOPS endpoints

Common Examples

Basic Organization Sync

JSON
{
  "url": "https://dev.azure.com/",
  "username": "service-account",
  "token": "your-personal-access-token",
  "orgs": ["your-organization"],
  "gitURLType": "http"
}

Multi-Project Configuration

JSON
{
  "url": "https://dev.azure.com/",
  "username": "service-account", 
  "token": "your-personal-access-token",
  "projects": [
    "org1/frontend-project",
    "org1/backend-project",
    "org2/shared-libraries"
  ],
  "exclude": [
    {"name": "org1/legacy-project"},
    {"pattern": "^.*/archived-.*"}
  ]
}

SSH Configuration

JSON
{
  "url": "https://dev.azure.com/",
  "username": "service-account",
  "token": "your-personal-access-token",
  "orgs": ["your-organization"],
  "gitURLType": "ssh"
}

Permissions-Enabled Setup

JSON
{
  "url": "https://dev.azure.com/",
  "username": "service-account",
  "token": "your-personal-access-token",
  "orgs": ["your-organization"],
  "enforcePermissions": true
}

Best Practices

Performance Optimization

  • Selective Syncing: Use projects instead of orgs when you only need specific repositories
  • Exclude Patterns: Use exclusion patterns to avoid syncing unnecessary repositories like archived projects
  • Rate Limit Awareness: Sourcegraph automatically handles Azure DevOps rate limits, but consider the impact on large organizations

Maintenance

  • Regular Token Rotation: Implement a process for rotating Personal Access Tokens
  • Monitor Sync Status: Regularly check repository sync status in the Site Admin interface
  • Permission Sync Monitoring: For permission-enabled setups, monitor user permission sync completion

Troubleshooting

  • Connection Issues: Verify token permissions and organization access settings
  • Missing Repositories: Check exclude patterns and ensure the token has access to all target organizations/projects
  • Permission Problems: Verify OAuth is properly configured and Third-party application access is enabled

Webhooks

Please consult this page in order to configure webhooks.

Permissions syncing

User-level permissions syncing is supported for Azure DevOps code host connections. Here is the list of prerequisites:

  1. Configure Azure DevOps as an OAuth provider by consulting this page

  2. Next verify that users can now sign up / login to your Sourcegraph instance with your Azure DevOps OAuth provider

  3. Set the following in your Azure DevOps code host connection:

    JSON
    {
  // ...
  "enforcePermissions": true
}

  4. For each Azure DevOps organization that is part of the orgs or projects list in the code host configuration, enable Third-party application access via OAuth from Organization settings > Security > Policies

Enable Third-party application access via OAuth

NOTE: We do not support preemptive permissions syncing at this point. Once a user signs up / logins to Sourcegraph with their Azure DevOps account, Sourcegraph uses the authenticated access_token to calculate permissions by listing the organizations and projects that the user has access to. As a result, immediately after signing up user level permissions may not be 100% up to date. Users are advised to wait for an initial permissions sync to complete, whose status they may check from the Permissions tab under their account settings page. Alternatively they may also trigger a permissions sync for their account from the same page.

Since permissions are already enforced by setting enforcePermission in the code host configuration, even though user permissions may not have synced completely, users will not have access to any repositories that they cannot access on Azure DevOps. As the user permissions sync progresses and eventually completes, they will be able to access the complete set of repositories on Sourcegraph that they can already access on Azure DevOps.

Rate limits

When Sourcegraph hits a rate limit imposed by Azure DevOps, Sourcegraph waits the appropriate amount of time specified by the code host before retrying the request. You can read more about how Azure DevOps imposes rate limits here.