Connecting Azure DevOps
Azure DevOps integration enables AWS DevOps Agent to access repositories and pipeline execution history in your Azure DevOps organization. The agent can correlate code changes and deployments with operational incidents to help identify potential root causes.
This integration follows a two-step process: register Azure DevOps at the AWS account level, then associate specific projects with individual Agent Spaces.
Prerequisites
Before connecting Azure DevOps, ensure you have:
Access to the AWS DevOps Agent console
An Azure DevOps organization with at least one project containing a repository and pipeline history
Permissions to add users to your Azure DevOps organization
For Admin Consent method: an account with permission to perform admin consent in Microsoft Entra ID
For App Registration method: an Entra application with permissions to configure federated identity credentials, and Outbound Identity Federation enabled in your AWS account
Registering Azure DevOps via Admin Consent
The Admin Consent method uses a consent-based flow with the AWS DevOps Agent managed application.
Step 1: Start the registration
Sign in to the AWS Management Console and navigate to the AWS DevOps Agent console
Go to the Capability Providers page
Locate the Azure DevOps section and click Register
Enter your Azure DevOps organization name when prompted
Step 2: Complete Admin Consent
Click to proceed. You are redirected to the Microsoft Entra admin consent page
Sign in with a user principal account that has permission to perform admin consent
Review and grant consent for the AWS DevOps Agent application
Step 3: Complete user authorization
After admin consent, you are prompted for user authorization to verify your identity as a member of the authorized tenant
Sign in with an account belonging to the same Azure tenant
After authorization, you are redirected back to the AWS DevOps Agent console with a success status
Step 4: Grant access in Azure DevOps
See Granting access in Azure DevOps below. Search for AWS DevOps Agent when adding users.
Registering Azure DevOps via App Registration
App Registration is shared between Azure Resources and Azure DevOps. If you have already completed App Registration for Azure Resources, you can skip to Granting access in Azure DevOps.
Step 1: Start the Azure DevOps App Registration
In the AWS DevOps Agent console, go to the Capability Providers page
Locate the Azure Cloud section and click Register
Select the App Registration method
Step 2: Create and configure your Entra application
Follow the instructions displayed in the console to:
Enable Outbound Identity Federation in your AWS account (in the IAM console, go to Account settings → Outbound Identity Federation)
Create an Entra application in your Microsoft Entra ID, or use an existing one
Configure federated identity credentials on the application
Step 3: Provide registration details
Fill in the registration form with:
Tenant ID – Your Azure tenant identifier
Tenant Name – A display name for the tenant
Client ID – The application (client) ID of the Entra application
Audience – The audience identifier for the federated credential
Step 4: Create the IAM role
An IAM role is created automatically when you submit the registration through the console. The role permits AWS DevOps Agent to assume credentials and invoke sts:GetWebIdentityToken.
Step 5: Complete the registration
Confirm the configuration in the AWS DevOps Agent console
Click Submit to complete the registration
Step 6: Grant access in Azure DevOps
See Granting access in Azure DevOps below. Search for the Entra application you created during App Registration when adding users.
Granting access in Azure DevOps
After registration, grant the application access to your Azure DevOps organization. This step is the same for both the Admin Consent and App Registration methods.
In Azure DevOps, go to Organization Settings > Users > Add Users
Search for the application (either AWS DevOps Agent for Admin Consent, or your own Entra application for App Registration)
Set the access level to Basic
Under Add to projects, select the projects you want the agent to access
Under Azure DevOps Groups, select Project Readers
Click Add to complete
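One way to confirm that the grant made in the steps above stayed at Basic access and Project Readers on only the intended projects. This is an added example, not part of the AWS documentation. The record shape and field names are assumptions modelled on an Azure DevOps entitlement export, and the project names are constructed.

```python
# Constructed sample modelled on an Azure DevOps entitlement record; the field
# names (accessLevel, projectEntitlements, groupType) are assumptions to adapt.
SAMPLE_ENTITLEMENTS = [
    {
        "displayName": "AWS DevOps Agent",
        "accessLevel": {"accountLicenseType": "express"},  # assumed value for Basic
        "projectEntitlements": [
            {"projectRef": {"name": "payments"}, "group": {"groupType": "projectReader"}},
            {"projectRef": {"name": "platform"}, "group": {"groupType": "projectContributor"}},
            {"projectRef": {"name": "sandbox"}, "group": {"groupType": "projectReader"}},
        ],
    },
]


def audit_agent_access(entitlements, identity_name, approved_projects):
    """Return findings where the agent identity differs from the documented grant."""
    matches = [e for e in entitlements if e.get("displayName") == identity_name]
    if not matches:
        return [f"{identity_name}: no entitlement found"]
    findings = []
    for ent in matches:
        license_type = ent.get("accessLevel", {}).get("accountLicenseType")
        if license_type != "express":
            findings.append(f"access level is {license_type!r}, expected Basic")
        seen = set()
        for pe in ent.get("projectEntitlements", []):
            project = pe.get("projectRef", {}).get("name")
            group = pe.get("group", {}).get("groupType")
            seen.add(project)
            if project not in approved_projects:
                findings.append(f"{project}: project not approved for the agent")
            if group != "projectReader":
                findings.append(f"{project}: group is {group!r}, expected Project Readers")
        # Approved projects the agent cannot read yet (registration incomplete).
        for missing in sorted(set(approved_projects) - seen):
            findings.append(f"{missing}: approved project not granted")
    return findings


if __name__ == "__main__":
    for line in audit_agent_access(SAMPLE_ENTITLEMENTS, "AWS DevOps Agent",
                                   {"payments", "platform"}):
        print(line)
```

An empty result means the identity matches the documented grant; each finding names the project or setting to correct in Organization Settings.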
Associating a project with an Agent Space
After registering Azure DevOps at the account level, associate specific projects with your Agent Spaces:
In the AWS DevOps Agent console, select your Agent Space
Go to the Capabilities tab
In the Pipelines section, click Add
Select Azure DevOps from the list of available providers
Select the project from the dropdown of available projects
Click Add to complete the association
Managing Azure DevOps connections
Viewing connected projects – In the Capabilities tab, the Pipelines section lists all connected Azure DevOps projects.
Removing a project – To disconnect a project from an Agent Space, select it in the Pipelines section and click Remove.
Removing the registration – To remove the Azure DevOps registration entirely, go to the Capability Providers page and delete the registration. All Agent Space associations must be removed first.