Integrating Azure Boards (DevOps) with Drata automates compliance checks and evidence collection, helping auditors verify that your company follows its vulnerability management policies and procedures.
BEFORE DIVING IN
Ensure you are signed in to Microsoft 365. If not, you will be prompted to sign in when connecting Drata to Azure Boards (DevOps).
To establish the connection, your access level in Azure Boards (DevOps) must be Admin.
How to Connect
In Drata, select Connections from the side navigation menu.
Go to the Available Connections tab, search for Azure Boards (DevOps), and select Connect.
Follow the instructions in the connection drawer.
To use "Security" as the security label in Azure Boards (DevOps) to categorize tickets as security issues, enter Security in the Security Label field within the connection drawer.
To create Azure Boards Work Items through Drata, enable Write Access.
Create a Ticket in Azure DevOps Boards
Note: In Azure DevOps Boards, tickets are called Work Items, while in Drata, they are referred to as Tickets.
You can create a ticket from the Controls, Monitoring, or Risk Management pages in Drata.
Steps to Create a Ticket in Azure DevOps Boards from Drata:
Navigate to the Ticket Management section in the Controls, Monitor, or Risk Management drawers.
If multiple ticketing providers are connected, select Azure DevOps Boards.
Choose an organization and a project within that organization.
Select a ticket type.
Fill in all required fields and select Create.
Important Notes
Drata does not support custom fields when creating Azure DevOps Boards Work Items.
If a Work Item requires custom fields, a 400 error will occur.
To prevent this error:
Use one of Azure DevOps' default project process flows (Scrum, CMMI, Agile, Basic).
If using a custom process, ensure custom fields remain optional.
View and Manage Tickets in Drata
When a ticket is created for a Control, Test, or Risk, it appears in the corresponding drawer, with the most recent ticket displayed at the top.
Viewing Tickets
A maximum of three ‘In Progress’ tickets appear in the drawer.
To view all the tickets, select View all tasks to open a modal.
Ticket Categories
Tickets are categorized into two standardized statuses:
In Progress: Tickets that are not marked as "complete" in your Azure Boards (DevOps) instance.
Done: Tickets that are in a completed state in Azure Boards (such as Closed, Done).
Only tickets created in Drata for a specific Control, Test, or Risk will appear in Drata. Work Items created directly in Azure Boards (DevOps) will not be pulled into Drata for ticket management.
Ticket Details
Each ticket includes the following details:
Ticket Title and Description
Creation and Updated dates
Name of the person who created the item
Name of the Azure DevOps ticket assignee.
The assignee does not need to be an Information Security Lead or Admin in Drata.
Ticket Status
This is reported by Azure Boards (DevOps).
The status is determined by the "section" where the ticket is located in Azure DevOps Boards.
Update a Ticket
To update a ticket, select Manage ticket, and you'll be taken to Azure Boards (DevOps).
Download Ticket Information
To download ticket details, select the Download icon. A ZIP file will be generated, containing:
A PDF with ticket details.
Any attachments linked to the Work Item.
Unlink and Remove a Ticket
Note: Once you remove a ticket, it cannot be re-linked.
To unlink a ticket from a Control, Test, or Risk, select the trash icon. This removes the ticket from Drata but does not delete it in Azure DevOps.
What the Connection Tests
Drata scans all tickets in a project except the following:
Excluded Ticket Types:
Code Review Request
Code Review Response
Epic
Feature
Feedback Request
Feedback Response
Shared Step
Test Case
Test Plan
Test Suite
Shared Parameter
Excluded Ticket States:
Closed
Removed
Resolved
This means that custom tickets you create are also scanned.
For every valid ticket, we check for the provided security tag.
If there is no tag, we ignore the ticket.
If there is a security tag and an owner is assigned, we ignore the ticket.
If there is no one assigned, the ticket will be added to the list of failed items for the Security Issues are Prioritized test.
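The rules above, written out as a local pre-check you can run over work items exported from the Azure DevOps REST API to see which ones would land on the failed list. This is an added example, not Drata's code: the System.* names are Azure DevOps field reference names, while the result labels, the wi() helper, the sample items, and whole-tag case-insensitive matching are assumptions.

```python
EXCLUDED_TYPES = {
    "Code Review Request", "Code Review Response", "Epic", "Feature",
    "Feedback Request", "Feedback Response", "Shared Step", "Test Case",
    "Test Plan", "Test Suite", "Shared Parameter",
}
EXCLUDED_STATES = {"Closed", "Removed", "Resolved"}

def has_tag(fields, label):
    # System.Tags arrives as one semicolon-separated string.
    # Assumption: whole-tag, case-insensitive comparison.
    tags = {t.strip().lower() for t in (fields.get("System.Tags") or "").split(";")}
    return label.strip().lower() in tags

def is_assigned(fields):
    # Unassigned items omit System.AssignedTo; else identity object or string.
    who = fields.get("System.AssignedTo")
    if isinstance(who, dict):
        who = who.get("uniqueName") or who.get("displayName")
    return bool(who and str(who).strip())

def classify(item, label="Security"):
    f = item["fields"]
    if f.get("System.WorkItemType") in EXCLUDED_TYPES:
        return "excluded-type"
    if f.get("System.State") in EXCLUDED_STATES:
        return "excluded-state"
    if not has_tag(f, label):
        return "ignored-no-tag"
    return "ignored-assigned" if is_assigned(f) else "failed"

def wi(id_, wtype, state, tags, assignee=None):  # builds a constructed sample item
    f = {"System.WorkItemType": wtype, "System.State": state, "System.Tags": tags}
    if assignee:
        f["System.AssignedTo"] = {"uniqueName": assignee}
    return {"id": id_, "fields": f}

SAMPLE = [  # constructed work items, not real data
    wi(101, "Bug", "Active", "Security; backend"),
    wi(102, "Bug", "Active", "Security", "dev@example.com"),
    wi(103, "Epic", "New", "Security"),
    wi(104, "Task", "Resolved", "Security"),
    wi(105, "Task", "Active", "backend"),
    wi(106, "Vulnerability", "New", "infra; security"),  # custom type is still scanned
]

def failing_ids(items, label="Security"):
    return [i["id"] for i in items if classify(i, label) == "failed"]

print(failing_ids(SAMPLE))
```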