# Required permissions

#### Required permissions for Azure DevOps and Azure DevOps Server specify the access levels Xopero ONE needs to securely back up and restore your data.

***

## Permissions for Azure DevOps

### <mark style="background-color:blue;">User access levels</mark>

The account used for integration must have an appropriate access level assigned within **Azure DevOps**:

* **Basic**.
* **Visual Studio Subscriber** — professional or enterprise tier.
* **GitHub Enterprise** — similar to basic.
* **Stakeholder** (not recommended) — this level has limited access and cannot properly protect repositories.

{% hint style="warning" %}
**Xopero ONE** can only protect projects that the integrated user account has explicit access to.
{% endhint %}

### <mark style="background-color:blue;">OAuth integration</mark>

{% hint style="danger" %}
**Xopero** supports only organizational accounts (**Microsoft Entra ID**) — **personal accounts are not supported**. For personal accounts, use a PAT instead.
{% endhint %}

To integrate **Azure DevOps** with **Xopero ONE** using **OAuth**, make sure the account has an administrator role. Otherwise, you may encounter permission errors or find that the approval button is inactive.

When integrating **Azure DevOps** via **OAuth**, the following scopes are required:

* [x] Build: <mark style="color:$success;">**read and execute**</mark> (vso.build\_execute)
* [x] Code: <mark style="color:$success;">**read, write and manage**</mark> (vso.code\_manage)
* [x] Environment: <mark style="color:$success;">**read and manage**</mark> (vso.environment\_manage)
* [x] Projects and Teams: <mark style="color:$success;">**read, write and manage**</mark> (vso.project\_manage)
* [x] Variable Groups: <mark style="color:$success;">**read and create**</mark> (vso.variablegroups\_write)
* [x] Wiki: <mark style="color:$success;">**read and write**</mark> (vso.wiki\_write)
* [x] Work Items: <mark style="color:$success;">**read and write**</mark> (vso.work\_write)
* [x] Packaging: <mark style="color:$success;">**read, write and manage**</mark> (vso.packaging\_manage)
* [x] Artifacts: user\_impersonation
* [x] Login and read the profile

### <mark style="background-color:blue;">Installation permissions for OAuth</mark>

The ability to authorize the **Xopero ONE** **OAuth** application depends on your organization's **User consent settings** within **Azure DevOps**. The following options are available:

<table><thead><tr><th width="242">Consent policy</th><th width="500">Authorization requirement</th></tr></thead><tbody><tr><td>Allow user consent for apps from verified publishers, for selected permissions</td><td>Any user can authorize the app, provided that all requested permissions are classified as low impact by your administrator.</td></tr><tr><td>Do not allow user consent</td><td>Only users with the <strong>Application Administrator</strong> or <strong>Global Administrator</strong> role can authorize the integration.</td></tr><tr><td>Let Microsoft manage your consent settings (Recommended)</td><td>Authorization is subject to <strong>Microsoft's</strong> current security guidelines. While this currently allows for <strong>Xopero ONE</strong> integration, availability may change based on <strong>Microsoft's</strong> evolving policies.</td></tr></tbody></table>

<figure><img src="/files/d5nKrQ7PoGlE8hFg1vZz" alt=""><figcaption></figcaption></figure>

### <mark style="background-color:blue;">Personal Access Token (PAT) integration</mark>

#### Prerequisites:

* [x] **Organization** — when generating the PAT, you **must enable** the **All accessible organizations** value in the **Organization** field.

#### Required scopes:

* [x] Build: <mark style="color:$success;">**read and execute**</mark>
* [x] Code: <mark style="color:$success;">**read, write and manage**</mark>
* [x] Environment: <mark style="color:$success;">**read and manage**</mark>
* [x] Project and Team: <mark style="color:$success;">**read, write and manage**</mark>
* [x] Variable Groups: <mark style="color:$success;">**read and create**</mark>
* [x] Wiki: <mark style="color:$success;">**read and write**</mark>
* [x] Work Items: <mark style="color:$success;">**read and write**</mark>
* [x] Packaging: <mark style="color:$success;">**read, write and manage**</mark>

{% hint style="danger" %}
When performing a backup with minimal permissions, some metadata might be excluded. To ensure complete protection, select the permissions based on your data protection needs. Note that with read-only permissions, backups can be made, **but restoring requires a new token or password with write access**.
{% endhint %}
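
A pre-flight check for the note above, as an added example that is not Xopero or Microsoft code: it compares a token's granted `vso.*` scopes with the identifiers from the OAuth scope list on this page and flags families that are missing, read-only, or broader than requested. The suffix ranking in `LEVEL_RANK`, the function names and the sample scope string are assumptions made for illustration.

```python
import re

# vso.* identifiers copied from the OAuth scope list on this page.
REQUIRED_SCOPES = (
    "vso.build_execute", "vso.code_manage", "vso.environment_manage",
    "vso.project_manage", "vso.variablegroups_write", "vso.wiki_write",
    "vso.work_write", "vso.packaging_manage",
)
# ASSUMPTION (not from the page): a higher-ranked suffix includes lower ones.
LEVEL_RANK = {"": 0, "read": 0, "write": 1, "execute": 1, "manage": 2, "full": 3}
_SCOPE_RE = re.compile(r"^vso\.([a-z]+)(?:_([a-z]+))?$")

def parse_scope(scope):
    """Return (family, rank) for a vso.* scope, or None if not recognised."""
    m = _SCOPE_RE.match(scope)
    if not m or (m.group(2) or "") not in LEVEL_RANK:
        return None
    return m.group(1), LEVEL_RANK[m.group(2) or ""]

def audit_scopes(granted):
    """Compare a space-separated scope string with REQUIRED_SCOPES.

    Rank 0 where a higher level is listed is reported as read_only."""
    best, unknown = {}, []
    for scope in granted.split():
        parsed = parse_scope(scope)
        if parsed is None:
            unknown.append(scope)  # e.g. user_impersonation: not ranked here
            continue
        family, rank = parsed
        best[family] = max(rank, best.get(family, -1))
    report = {}
    for required in REQUIRED_SCOPES:
        family, need = parse_scope(required)
        have = best.pop(family, None)
        if have is None:
            report[family] = "missing"
        elif have < need:
            report[family] = "read_only" if have == 0 else "insufficient"
        else:
            report[family] = "ok" if have == need else "excess"
    return report, sorted(best), unknown  # leftovers: families never requested

def restore_ready(report):
    """True when every required family is granted at the listed level or above."""
    return all(status in ("ok", "excess") for status in report.values())

# Constructed sample: read-only Code, over-broad Work Items, one unrequested family.
SAMPLE = ("vso.build_execute vso.code vso.environment_manage vso.project_manage "
          "vso.variablegroups_write vso.wiki_write vso.work_full "
          "vso.packaging_manage vso.graph user_impersonation")
```

A `read_only` result corresponds to the case in the note: backups can be made, but restoring requires a new token with write access.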

### <mark style="background-color:blue;">Granular permission settings</mark>

To ensure both backup and restore operations succeed, the following permissions are required:

1. **Organization level:**
   1. **General:**
      1. Create new projects (restore)
   2. **Boards:**
      1. Create process (restore)
      2. Edit process (restore)
2. **Project level:**
   1. **General:**
      1. View project-level information (backup)
3. **Repositories level:**
   1. Create branch (restore)
   2. Create repository (restore)
   3. Read (backup)

***

## Permissions for Azure DevOps Server

### <mark style="background-color:blue;">Personal Access Token (PAT) integration</mark>

For on-premises installations, use the personal access token (PAT) method.

#### Prerequisites:

* [x] **Organization** — when generating the PAT, you **must enable** the **All accessible organizations** value in the **Organization** field.

#### Required scopes:

* [x] Build: <mark style="color:$success;">**read and execute**</mark>
* [x] Code: <mark style="color:$success;">**read, write and manage**</mark>
* [x] Environment: <mark style="color:$success;">**read and manage**</mark>
* [x] Project and Team: <mark style="color:$success;">**read, write and manage**</mark>
* [x] Variable Groups: <mark style="color:$success;">**read and create**</mark>
* [x] Wiki: <mark style="color:$success;">**read and write**</mark>
* [x] Work Items: <mark style="color:$success;">**read and write**</mark>
* [x] Packaging: <mark style="color:$success;">**read, write and manage**</mark>

{% hint style="danger" %}
When performing a backup with minimal permissions, some metadata might be excluded. To ensure complete protection, select the permissions based on your data protection needs. Note that with read-only permissions, backups can be made, but **restoring requires a new token or password with write access**.
{% endhint %}


