Disables the policy that automatically grants all enterprise members access to every project in the organization.
Prevents users from requesting access to the organization, eliminating an unmanaged onboarding channel.
Restricts user invitations to organization administrators only, preventing project or team admins from adding external users without governance.
Restricts Azure DevOps access to a defined set of trusted IP ranges via Microsoft Entra Conditional Access, preventing sign-ins from arbitrary networks.
Verifies that membership in Project Collection Administrators and other privileged groups is limited to users with a current, documented business need.
Verifies the Project Collection Administrators group has no more than 6 members, applying least-privilege to the most powerful role in the organization.
Verifies the Project Collection Administrators group has at least 2 members so there is a backup (break-glass) administrator.
Flags non-person / service accounts in PCA so they can be replaced with workload identities (managed identity, service principal, workload identity federation) scoped to least privilege.
Confirms that privileged actions are performed from dedicated ALT / SC-ALT administrator accounts rather than from day-to-day user accounts.
Reviews membership of the Project Collection Service Accounts group, which carries PCA-equivalent permissions and should be tightly controlled.
Self-hosted agent hosts must be enrolled in a patch-management program so OS and runtime CVEs are remediated on a defined cadence.
Self-hosted agent VMs should be based on a CIS-benchmarked or otherwise hardened image, with unused services disabled and EDR / host firewall in place.
Disables automatic provisioning of agent pools into every project so pools are intentionally granted only to projects that need them.
Confirms protected resources (service connections, environments, variable groups, secure files, agent pools) are not granted blanket access to every YAML pipeline.
Confirms self-hosted agents are configured to auto-update so security patches and protocol changes are picked up promptly.
Detects user-defined agent capability values that look like secrets (tokens, passwords) and would be exposed in plain text to every job that runs on the agent.
Azure DevOps retains audit events for only 90 days. Streaming them to external storage (Log Analytics, Splunk, Event Grid) preserves the evidence required for incident response and compliance.
Confirms audit log streaming to a SIEM (Splunk, Azure Monitor, Event Grid, etc.) is configured so security events are retained beyond the 90-day in-product window.
Alert rules should fire on sensitive audit events (PCA changes, policy changes, new service connections, broad-scope PAT creation, extension installs) and route to an on-call channel.
Confirms the organization is backed by Microsoft Entra ID (Azure AD) so user identities and policies are centrally governed and lifecycle-managed.
Detects users from external (non-AAD) identity providers, such as personal Microsoft accounts, that may not be subject to organizational identity controls.
Detects projects with Public visibility, which makes work items and source code accessible without authentication.
Flags Microsoft Entra B2B guest users (identified by #EXT# in the email) for review to confirm each one has a documented business justification.
Confirms that Microsoft Entra Conditional Access policy validation is enabled so MFA, location, and device controls are enforced on Azure DevOps sign-ins.
Disables the organization-wide setting that allows pipeline status badges to be retrieved without authentication, hiding pipeline names and run outcomes from anonymous users.
Detects sensitive values (passwords, keys, tokens, connection strings) stored as regular pipeline variables instead of secret variables or Key Vault references.
Every build pipeline should run a SAST tool (CodeQL / GHAzDO, SonarQube, Checkmarx, Semgrep, etc.) and fail on new high/critical findings.
Certificates, keystores and signing keys belong in the pipeline Secure Files library with pipeline-scoped permissions, not in the repo or in plain pipeline variables.
Identifies build pipelines that have not run in 90+ days and should be removed or archived to reduce maintenance and attack surface.
Prevents pipeline variables from being overridden at queue time unless explicitly allowed, reducing the risk of parameter-injection attacks via run parameters.
Flags pipeline variables that accept URL values and are marked settable-at-queue-time — a common SSRF and exfiltration vector.
Flags pipelines that build from external repositories (GitHub, Bitbucket, etc.) so the connections can be reviewed for least-privilege.
Per-pipeline check ensuring the job authorization scope is set to "current project" rather than the whole project collection.
Confirms PR validation does not expose pipeline secrets to forked pull-request builds — a common supply-chain attack vector.
Any Copilot-related extension must be from an approved publisher (e.g. GitHub) and aligned with the organization's AI / data-handling policy.
Ensures multi-stage YAML environments labelled production have an approvals check configured so deployments cannot proceed unattended.
Confirms each production environment requires at least two distinct approvers (or a group), preventing a single account from rubber-stamping a deployment.
Confirms each production environment has a Branch control check that restricts deployments to a protected production branch, preventing unintended deployments from feature branches.
Reviews installed Marketplace extensions to confirm each comes from a trusted or verified publisher and is still needed.
All shared and installed non-built-in extensions should come from trusted publishers and be subject to a documented intake/approval workflow.
The Manage Extensions permission should be limited to a small, trusted group (typically Project Collection Administrators).
Reviews pending Marketplace extension install requests so unknown or risky extensions are not approved by default.
Ensures broad groups (Contributors, Readers, Project Valid Users) only have Reader access on Azure Artifacts feeds so packages cannot be modified by anyone.
Verifies that package upload (Contributor/Collaborator) permissions on feeds are restricted to specific service accounts or build identities.
Restricts who can create Azure Artifacts feeds to a small, named group so feed sprawl and unmanaged package sources are avoided.
Advisory: flags feeds with active upstream sources. Upstreams are usually required; the real mitigation against dependency-confusion is to publish every internal package name to the feed at least once (save-to-feed) so the local copy always wins over public registries.
@your-scope/...).Disables third-party application access via OAuth so unsanctioned apps cannot obtain delegated access to Azure DevOps on a user's behalf.
Disables SSH authentication for Git so users authenticate with managed credentials over HTTPS rather than long-lived SSH keys.
Flags individual PATs that hold all-scopes / full-access permissions instead of the minimum scopes needed for the task.
Flags Personal Access Tokens with expirations longer than the recommended 90 days.
Identifies PATs that will expire within 7 days so they can be rotated proactively before automation breaks.
Flags PATs granted highly sensitive scopes (security_manage, entitlements, project_manage) that should be performed by a service principal or managed identity instead.
Enforces a maximum lifespan on Personal Access Tokens at the organization level, limiting the value of a leaked token.
Requires Personal Access Tokens to be created with specific scopes rather than full access, enforcing least privilege.
Blocks creation of full-scope (global) Personal Access Tokens at the organization level so tokens must target specific scopes.
The "Create repository" permission should be granted only to trusted groups (e.g. Project Administrators) so repos are created through a governed intake process.
No broader group (Contributors, Project Valid Users, Project Collection Build Service Accounts, etc.) should hold elevated allow bits at the project-default Build ACL. The scanner reads the Build security namespace and FAILs the control when any broad group has Edit, Delete, Administer, Override check-in, or other mutating permission allowed at the project root.
No broader group should hold elevated allow bits at the project-default Release ACL. The scanner reads the ReleaseManagement security namespace and FAILs when any broad group has Edit, Delete, Manage approvers, or Administer allowed at the project root.
Service connections carry credentials to cloud subscriptions, container registries, and other sensitive systems. Broader groups (Contributors, Project Collection Build Service) should not hold User, Creator, or Administrator at the project-default. The scanner reads the ServiceEndpoints namespace at endpoints/{projectId}.
Agent pools execute pipeline tasks with whatever credentials the agent process holds. Broader groups should not hold Use, Manage, or Administer on a pool. This control currently surfaces as NOT CHECKED — per-pool ACL enumeration against the DistributedTask namespace is tracked for Phase 2b.
Variable groups frequently hold secrets (or are linked to Key Vault). Broader groups should not hold Administrator or User at the project-default Library ACL. The scanner reads the Library namespace at Library/{projectId}.
No broader group should hold elevated allow bits at the project-default Git ACL. The scanner reads the Git Repositories namespace at repoV2/{projectId} and flags any broad group granted Administer, Manage permissions, Force push, Remove others' locks, Edit policies, or Manage notes.
Secure files store signing certs, kubeconfigs, and other high-value artifacts. The scanner reads the Library namespace at Library/{projectId} (shared with variable groups) and flags any broad group with Administrator or User at the project-default.
Pipeline environments gate deployments to production targets. Broader groups should not hold User, Creator, or Administrator on any environment. This control currently surfaces as NOT CHECKED — per-environment ACL enumeration is tracked for Phase 2b.
Restricts the build pipeline job authorization token to resources within the current project, preventing lateral movement across the organization if a pipeline is compromised.
Restricts the classic release pipeline job authorization token to the current project, containing the blast radius of a compromised release.
Requires YAML pipelines to explicitly declare the repositories they need, blocking implicit access to other repos in the organization.
Pipeline decorators and other auto-injected tasks run in every pipeline. They must come from a trusted source, be pinned to a known version, and be required by policy.
Ensures the project visibility is set to Private so source code, work items, and pipeline data are not exposed to anonymous internet users.
Verifies that Project Administrators membership is limited to users with a current, documented business need, ideally via a Microsoft Entra group.
Verifies each Project Administrators group has 6 or fewer members, following least-privilege for project-level admin rights.
Verifies each Project Administrators group has at least 2 members so the project has a backup administrator.
Reviews the size of the Build Administrators group to ensure it has not grown unboundedly through historical assignments.
Detects guest (external) identities assigned to administrator groups — a high-risk pattern that should generally be avoided.
Flags members of administrator groups who have not signed in recently — privileged accounts must be actively used and monitored.
Deployments to production environments should pass an artifact-evaluation check (signed artifact, expected build pipeline, etc.) before the gate releases.
Confirms repositories have secret scanning or credential scanning (GHAzDO push protection, CredScan, CodeQL) configured to catch leaked secrets before they are committed.
Enforces a repository policy that requires commits to come from an approved author email domain, blocking spoofed identities in Git history.
Identifies projects with no recent builds or commits (180+ days) that may no longer be needed.
Project-level check that anonymous access to pipeline status badges is disabled.
Identifies classic release pipelines that have not run in 90+ days and may be candidates for retirement.
Ensures classic release pipelines require human approval before deploying to production-like stages, providing a control gate against unauthorized changes.
Production environments should be guarded by a Branch control check that allows deployments only from the protected main branch.
Flags classic release pipeline variables that can be overridden at release creation time, which is a parameter-injection risk.
Per-pipeline check ensuring each classic release pipeline's job authorization scope is set to "Current project" rather than the whole project collection — the release-side equivalent of BUILD-11.
Identifies repositories with no commits in 180+ days that may be candidates for archival.
Per-repo equivalent of PROJ-14. Confirms a credential / secret push-protection policy is actually enabled on each repo's default branch (rather than just existing somewhere in the project).
Per-repo equivalent of PROJ-15. Confirms the "Commit author email validation" branch policy is actually enabled on each repo's default branch.
Verifies Azure service connections authenticate using certificates or Workload Identity Federation rather than long-lived service principal secrets.
Checks that Azure Resource Manager service connections are scoped to a Resource Group rather than an entire Subscription or Management Group.
Service connections must be reviewed on a recurring cadence so unused / stale connections are disabled or removed.
Flags legacy Azure Classic service connections that should be replaced with Azure Resource Manager (ARM) connections using modern authentication.
Promotes Workload Identity Federation (OIDC) or certificates over service principal client secrets on Azure service connections.
Verifies that service connections are not shared across multiple projects, limiting blast radius if one project is compromised.
Identifies user accounts that have not signed in for 90+ days and should be removed to reduce attack surface and license costs.
Detects Azure DevOps users whose underlying Microsoft Entra accounts have been deleted or disabled but who remain provisioned in Azure DevOps.
Identifies guest (B2B) accounts inactive for 90+ days that no longer need access and should be deprovisioned.
Verifies that variable groups containing secrets are scoped to specific pipelines rather than shared with every pipeline in the project.
Recommends linking pipeline variable groups to Azure Key Vault rather than storing secret values directly in Azure DevOps.