Drata

Connecting Azure Repos (DevOps) to Drata allows for the automated tests and evidence collection to prove to auditors that your company follows its software development lifecycle procedures.

Ensure you are signed into Microsoft 365 already or you will be prompted to do so upon connection from Drata. You must also have an Azure DevOps Admin account with Read access to the organization and projects.

Note that Azure-created Service Accounts may show up in Drata with this integration, if Microsoft 365 is your Identity Provider.

- There are a few service accounts that are generated by Microsoft Repos to support specific operations. These user accounts are added at the organization or collection level.
 - "Agent Pool Service", which is responsible for performing Azure DevOps read/write operations and updating work items when GitHub objects are updated.
 - "PipelinesSDK" which is similar to the build service identities but supports locking down permissions separately.This identity is granted read-only permissions to pipeline resources and the one-time ability to approve policy requests.
 - Read more here: <a href="https://docs.microsoft.com/en-us/azure/devops/organizations/security/permissions?view=azure-devops&amp;tabs=preview-page#user-accounts" target="_blank" rel="nofollow noopener noreferrer">Permissions, security groups, and service accounts reference - Azure DevOps</a>

In order for Test 87 - MFA on Version Control System to pass, both of the following must be true:

1. Microsoft 365 must be your connected IdP
2. You must be enforcing MFA on Microsoft 365 via Conditional Access Policies or Security Defaults

- Ensure you are signed into Microsoft 365 already or you will be prompted to do so upon connection from Drata. You must also have an Azure DevOps Admin account with Read access to the organization and projects.
- Note that Azure-created Service Accounts may show up in Drata with this integration, if Microsoft 365 is your Identity Provider.
 - There are a few service accounts that are generated by Microsoft Repos to support specific operations. These user accounts are added at the organization or collection level.
 - "Agent Pool Service", which is responsible for performing Azure DevOps read/write operations and updating work items when GitHub objects are updated.
 - "PipelinesSDK" which is similar to the build service identities but supports locking down permissions separately.This identity is granted read-only permissions to pipeline resources and the one-time ability to approve policy requests.
 - Read more here: <a href="https://docs.microsoft.com/en-us/azure/devops/organizations/security/permissions?view=azure-devops&amp;tabs=preview-page#user-accounts" target="_blank" rel="nofollow noopener noreferrer">Permissions, security groups, and service accounts reference - Azure DevOps</a>
- In order for Test 87 - MFA on Version Control System to pass, both of the following must be true:
 1. Microsoft 365 must be your connected IdP
 2. You must be enforcing MFA on Microsoft 365 via Conditional Access Policies or Security Defaults

Follow these instructions to connect Azure Repos (DevOps) to Drata:

1. Select "Connections'' on the side navigation menu.

2. Select the 'Available connections' tab and then search for 'Azure Repos (DevOps)' to select the connect button for the Azure Repos (DevOps) integration.

The slide-out panel will provide step-by-step instructions (see below).

Upon initial connection, Drata will sync your Azure DevOps Repos users onto the <a href="https://help.drata.com/en/articles/4673981-manage-connected-version-control-accounts">Managed Accounts page</a>. There can be delays from the Microsoft API in syncing all users, so please wait a few minutes before verifying all user accounts have synced. In addition, please ensure you have toggled the setting for "Third-party application access via OAuth" to ON under Organization Settings -&gt; Policies.

BEFORE DIVING IN

HERE'S HOW

MANAGED VERSION CONTROL ACCOUNTS