Required permissions for Azure DevOps user, OAuth app and token

User

The user we use to integrate organizations in Xopero ONE must have the following permissions:

Create new projects: Allow
View instance-level information: Allow
Create process: Allow
Create a workspace: Allow
View build resources: Allow

If you encounter the "Need admin approval" alert during organization integration, it means that the permissions of the user you are using are insufficient for the configuration of your organization/Microsoft Entra tenant.

If the "Do not allow user consent" option in Identity Settings -> Applications -> Enterprise applications is enabled, you have to use a user with "Application Administrator" permissions in the "Identity" section.

OAuth app

The user you use to integrate Azure DevOps with Xopero ONE via OAuth must have an administrator role. Otherwise, you will receive a message about lack of permissions or you will not be able to approve the required permissions (the button will be inactive).

During integration Azure DevOps process via OAuth app (default method), you will be asked to grant the appropriate permissions to the Xopero ONE application:

Wiki (read and write)
Variable Groups (read and create)
Work items (read and write)
Project and team (read, write and manage)
Code (read, write and manage)
Build (read and execute)
Environment (read and manage)
Login and read the profile

We only support accounts that are in organizations (Microsoft Entra ID). Personal accounts are not supported. If you have a private account, use PAT.

Token

You need:

Username (not email address)
Personal Access Token - when generating PAT it is necessary to indicate the value “All accessible organizations” in the Organization field,

If you have more Azure DevOps organizations and you don't want to add all of them to GitProtect. And only assign a specific organization, then use a "service account" (any account created for integration with the GitProtect application). Such a user must have permissions and access only to the organizations and projects that you want to protected.

Permissions:

Build: Read & execute
Code: Read, write, & manage
Environment: Read & manage
Project and Team: Read, write, & manage
Variable Groups: Read & create
Wiki: Read & write
Work Items: Read & create

With minimal privileges, some metadata may not be included during the backup process. Choose the list of necessary permissions, depending on what data you need to protect. Remember that if you grant only read permissions, it will be possible to perform a backup, but to restore them, you will have to generate a new token/password with write permissions.

PreviousProtected Azure DevOps resources / elements / metadata NextAzure DevOps API limitations

Last updated 5 months ago