Connect an ADO Repository with Managed Identity
An Azure DevOps repository connection authenticated with managed identity - no PATs to create or rotate. Your agent uses its own Azure identity to access ADO repos for code-aware investigations. Includes optional FIC setup for cross-tenant access.
Prerequisites
- An agent created in the Azure SRE Agent portal in Running state
- A managed identity enabled on your agent (system-assigned or user-assigned)
- An Azure DevOps organization with at least one repository
- SRE Agent Administrator role on the agent
- For cross-tenant (FIC): A multi-tenant app registration in the agent's tenant with a federated identity credential trusting the agent's managed identity
Step 1: Grant the managed identity access to your ADO organization
Before connecting from the agent portal, your managed identity must have access to the Azure DevOps organization.
- Go to your Azure DevOps organization settings and select your organization
- Navigate to Organization settings -> Users
- Click Add users
- Search for your agent's managed identity by its service principal name or object ID
- Set the access level to Basic (or higher)
- Add the identity to projects with Code (Read) permissions on the target repositories
Without project-level read permission, the agent will not be able to detect repositories in the Knowledge tab. Ensure you grant both project-level AND repository-level access.
Checkpoint: The managed identity appears in the ADO Users list with a Basic access level.
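A quick way to confirm Step 1 actually took effect before touching the portal is to walk organization -> projects -> repositories with the identity's own token. The script below is an added example, not part of the Azure SRE Agent or Azure DevOps tooling. It assumes a bearer token for the Azure DevOps resource is supplied in the ADO_TOKEN environment variable (for the managed identity: `az login --identity`, then `az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798`, the well-known Azure DevOps resource ID) and that the organization serves REST API version 7.1. A 401/403 on the project list means the identity is not accepted as an organization user; a project missing from the list, or an empty repository list, points at the missing project- or repository-level read permission the note above warns about.

```python
"""Check what an identity can see in an Azure DevOps organization.

Added example, not SRE Agent or ADO code. Assumes ADO_TOKEN holds a bearer
token for the Azure DevOps resource and the org serves REST API 7.1.
"""
import json
import os
import sys
import urllib.error
import urllib.request
from urllib.parse import quote, urlparse

ADO_API_VERSION = "7.1"


def org_from_url(url: str) -> str:
    """Return the organization name: the segment after dev.azure.com/
    (or the subdomain of a legacy *.visualstudio.com URL)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host == "dev.azure.com":
        segments = [s for s in parsed.path.split("/") if s]
        if not segments:
            raise ValueError(f"no organization segment in {url}")
        return segments[0]
    if host.endswith(".visualstudio.com"):
        return host[: -len(".visualstudio.com")]
    raise ValueError(f"not an Azure DevOps URL: {url}")


def repos_by_project(projects_doc: dict, repo_docs: dict) -> dict:
    """Pure summary step: map each visible project to the sorted repo names
    the identity can list there. projects_doc is the body of
    GET _apis/projects; repo_docs maps project name to the body of
    GET {project}/_apis/git/repositories, or None when that call failed."""
    summary = {}
    for project in projects_doc.get("value", []):
        name = project["name"]
        doc = repo_docs.get(name)
        summary[name] = sorted(r["name"] for r in doc.get("value", [])) if doc else []
    return summary


def ado_get(org: str, path: str, token: str):
    """GET one ADO REST resource; return (HTTP status, parsed body or None)."""
    url = f"https://dev.azure.com/{org}/{path}?api-version={ADO_API_VERSION}"
    request = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"}
    )
    try:
        with urllib.request.urlopen(request, timeout=30) as response:
            return response.status, json.load(response)
    except urllib.error.HTTPError as err:
        return err.code, None


def check_access(org: str, token: str) -> dict:
    """Walk org -> projects -> repos and return {project: [repo, ...]}."""
    status, projects = ado_get(org, "_apis/projects", token)
    if projects is None:
        raise PermissionError(
            f"project list returned HTTP {status}: identity is not accepted "
            f"as a user of organization '{org}' (see Step 1)"
        )
    repo_docs = {}
    for project in projects.get("value", []):
        name = project["name"]
        # Project names may contain spaces, so quote them in the path.
        _, doc = ado_get(org, f"{quote(name)}/_apis/git/repositories", token)
        repo_docs[name] = doc
    return repos_by_project(projects, repo_docs)


if __name__ == "__main__":
    # Usage: ADO_TOKEN=<token> python check_ado_access.py https://dev.azure.com/<org>
    token = os.environ.get("ADO_TOKEN")
    if not token or len(sys.argv) != 2:
        sys.exit("usage: ADO_TOKEN=<token> check_ado_access.py <ADO org URL>")
    for project, repos in check_access(org_from_url(sys.argv[1]), token).items():
        print(f"{project}: {', '.join(repos) or '(no repositories visible)'}")
```

Run it under the managed identity on the agent host (or with any token you want to audit) and compare the output with the repositories you expect to see in the Knowledge tab; a project that is visible but lists no repositories is the case where organization-level access was granted but repository-level read was not.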
Step 2: Navigate to Knowledge sources
- Open your agent in the Azure SRE Agent portal
- In the left sidebar, expand Builder
- Select Knowledge sources
Checkpoint: The Knowledge Sources page loads showing any existing repository connections.
Step 3: Open the Add Repository dialog
- Click Add repository
Checkpoint: The Add repositories dialog opens showing platform selection cards (GitHub, Azure DevOps).
Step 4: Select Azure DevOps with Managed Identity
- Click the Azure DevOps platform card
- Under Choose sign in methods, select Managed Identity
Checkpoint: The managed identity configuration form appears with an organization field and identity dropdown.
Step 5: Configure the managed identity connection
- Enter your Azure DevOps Organization name - the part after dev.azure.com/ in your ADO URL
- From the managed identity dropdown, select your identity:
  - System assigned - uses the agent's built-in identity
  - User assigned - select a specific identity attached to the agent
- Click Connect
Checkpoint: The button changes to Connected with a checkmark, confirming the managed identity is configured.
If the dropdown is empty, your agent may not have a managed identity enabled. Click the Add identity link below the dropdown to open the Azure portal Identity blade for your agent resource.
Step 6 (optional): Enable Federated Identity Credentials for cross-tenant access
FIC is the recommended pattern when the agent's tenant differs from the ADO organization's tenant. See the Cross-Tenant ADO Access tutorial for the end-to-end multi-tenant app + service principal + FIC walkthrough.
If your ADO organization is in a different Azure AD tenant than your agent:
- Check Use managed identity as federated identity credential
- Enter the Federated Client ID - the application (client) ID of the multi-tenant app registration (created in the agent's tenant)
- Enter the Federated Tenant ID - the directory (tenant) ID where that app registration lives (the agent's tenant)
- Click Connect
Prerequisites for FIC (complete these before Step 6):
- Create a multi-tenant app registration in the agent's tenant
- Add a federated identity credential on that app registration:
  - Issuer: Your agent's managed identity issuer URL (https://login.microsoftonline.com/<AGENT_TENANT_ID>/v2.0)
  - Subject identifier: Your MI's Object (principal) ID
  - Audience: api://AzureADTokenExchange
- Materialize a service principal for that app in the target (ADO) tenant (az ad sp create --id <app-client-id> after az login --tenant <ADO-tenant-id>)
- Grant that service principal access to the ADO organization, project, and repo (see Cross-Tenant ADO Access tutorial for detailed steps)
Checkpoint: The FIC configuration saves successfully and the button shows Connected.
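The federated identity credential is the piece most often wrong when the cross-tenant exchange fails, so it is worth generating it from the three values Step 6 depends on and re-checking the app registration against them. The script below is an added example, not part of the Azure SRE Agent docs or tooling. It builds the parameters document in the shape `az ad app federated-credential create --id <app-client-id> --parameters <file>` accepts, compares what `az ad app federated-credential list --id <app-client-id>` returns against the expected issuer, subject and audience, and applies the "both or neither" rule for the two connector fields from the Troubleshooting table. The tenant and object IDs in `__main__` are constructed placeholders.

```python
"""Build and verify the federated identity credential behind Step 6.

Added example, not SRE Agent or az CLI code. Dict shapes follow the
az ad app federated-credential create/list parameter and output format.
"""
import json
import re

AUDIENCE = "api://AzureADTokenExchange"
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def issuer_for(agent_tenant_id: str) -> str:
    """Issuer of tokens minted for a managed identity in the agent's tenant."""
    return f"https://login.microsoftonline.com/{agent_tenant_id}/v2.0"


def build_fic(agent_tenant_id: str, mi_object_id: str, name: str = "sre-agent-mi") -> dict:
    """Parameters document for creating the credential on the multi-tenant app."""
    for label, value in (("agent tenant ID", agent_tenant_id), ("MI object ID", mi_object_id)):
        if not GUID.match(value):
            raise ValueError(f"{label} is not a GUID: {value!r}")
    return {
        "name": name,
        "issuer": issuer_for(agent_tenant_id),
        "subject": mi_object_id,
        "audiences": [AUDIENCE],
    }


def fic_problems(existing: list, agent_tenant_id: str, mi_object_id: str) -> list:
    """Compare the app's existing credentials with what Step 6 needs.
    Returns [] when one credential matches exactly, otherwise one line per
    mismatching credential (the 'FIC token exchange fails' troubleshooting row)."""
    want = build_fic(agent_tenant_id, mi_object_id)
    problems = []
    for cred in existing:
        issues = []
        if cred.get("issuer") != want["issuer"]:
            issues.append(f"issuer {cred.get('issuer')!r} != {want['issuer']!r}")
        if cred.get("subject") != want["subject"]:
            issues.append(f"subject {cred.get('subject')!r} is not the MI object ID")
        if AUDIENCE not in cred.get("audiences", []):
            issues.append(f"audiences {cred.get('audiences')!r} lack {AUDIENCE}")
        if not issues:
            return []
        problems.append(f"{cred.get('name', '?')}: " + "; ".join(issues))
    return problems or ["no federated identity credential configured on the app registration"]


def connector_field_problems(federated_client_id: str, federated_tenant_id: str) -> list:
    """The form rule from the troubleshooting table: both IDs or neither."""
    if not federated_client_id and not federated_tenant_id:
        return []
    problems = []
    if not federated_client_id:
        problems.append("Federated Client ID is required when Federated Tenant ID is set")
    elif not GUID.match(federated_client_id):
        problems.append("Federated Client ID is not a GUID")
    if not federated_tenant_id:
        problems.append("Federated Tenant ID is required when Federated Client ID is set")
    elif not GUID.match(federated_tenant_id):
        problems.append("Federated Tenant ID is not a GUID")
    return problems


if __name__ == "__main__":
    # Constructed placeholder IDs; replace with your agent tenant and MI object ID.
    tenant = "11111111-1111-1111-1111-111111111111"
    mi_oid = "22222222-2222-2222-2222-222222222222"
    # Save this output to a file and pass it to
    # az ad app federated-credential create --id <app-client-id> --parameters <file>
    print(json.dumps(build_fic(tenant, mi_oid), indent=2))
```

Feed the JSON array from `az ad app federated-credential list --id <app-client-id>` (run against the agent's tenant, where the app registration lives) into `fic_problems` together with the tenant and MI object ID; an empty result means the credential matches, and anything else names exactly which of issuer, subject or audience differs.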
Step 7: Advance to repository selection
- Click Next to proceed to the repository selection step
Checkpoint: The dialog advances to show a project picker and repository grid.
Step 8: Select a project and add repositories
- From the Azure DevOps Project dropdown, select the project containing your repositories
- Click Add to add a repository row
- From the Repository dropdown, select a repository from the project (repositories are sorted alphabetically)
- Enter a Display name for the repository
- Optionally enter a Description
- Repeat for additional repositories
- Click Save
Checkpoint: Selected repositories appear in the Knowledge Sources page.
Troubleshooting
| Problem | Cause | Fix |
|---|---|---|
| Identity dropdown is empty | Agent has no managed identity enabled | Enable a system-assigned identity or attach a user-assigned identity in the Azure portal |
| Connect button fails | Organization name is missing | Enter the ADO organization name before connecting |
| Repos don't load after connecting | MI doesn't have access to the ADO organization | Add the MI service principal as a user in ADO Organization Settings -> Users |
| No repositories found in project picker | MI has org-level access but missing project-level genericRead | Grant project-level read permissions to the service principal |
| FIC connection fails | FederatedClientId and FederatedTenantId not both provided | Both fields are required when using FIC - provide both or neither |
| FIC token exchange fails | Federated credential not configured on the agent-tenant app registration | Verify the multi-tenant app registration in the agent's tenant has a federated identity credential with the correct issuer and subject |
What you learned
- How to grant a managed identity access to an Azure DevOps organization
- How to connect ADO repositories using managed identity instead of PATs
- The difference between system assigned and user assigned identities
- How to configure FIC for cross-tenant repository access
Related
- Cross-Tenant ADO Access - Full FIC tutorial for cross-tenant connector setup
- ADO Connector - When to use MI vs OAuth vs PAT
- Connect knowledge sources - How connected repositories power investigations
- Set up Azure DevOps connector - Connect ADO work items and wikis
Next steps
- Set up another connector
- Create a scheduled task to automate recurring queries
- Run your first investigation using connected data