Azure DevOps Connection
Azent connects to Azure DevOps through a dedicated bot user and a Personal Access Token (PAT). This page covers how to set up both correctly.
Create a bot user
We strongly recommend creating a dedicated user account for Azent rather than using a personal account. This makes it clear which changes were made by the agent and allows you to manage permissions separately.
- Create a new user in Microsoft Entra ID (Azure AD) for the bot (e.g. "Azent Bot")
- Add the bot user to your Azure DevOps organization with Basic access level
- Add the bot user to the Project Administrators group in each project where it should operate
Why Project Administrator: Azent registers webhook subscriptions in each enabled project so it can react to @mentions and pull request events. Creating service hook subscriptions in Azure DevOps requires Project Administrator membership — a regular Contributor cannot register them.
Create a Personal Access Token
Sign in to Azure DevOps as the bot user and open User settings → Personal access tokens → New Token. Give it a name, pick an expiry, and select the scopes below.
| Scope | Why it's needed |
|---|---|
| Code (Read & Write) | Clone repositories, create branches, push commits, manage pull requests |
| Pull request threads (Read & Write) | Read and write pull request discussion threads when reviewing PRs and addressing feedback |
| Work Items (Read & Write) | Read work item details, add comments, update fields, create child items |
| Build (Read & Execute) | Trigger and monitor validation pipelines |
| Graph (Read) | Resolve group memberships to enforce the allowed group policy |
| Project and Team (Read) | List available projects and repositories |
| Wiki (Read & Write) | Create and edit wiki pages (if using the wiki editing feature) |
Tip: For simplicity, you can grant Full access to the PAT. If your security policy requires scoped tokens, use the list above as a minimum.
Webhooks
When you enable a project in the Dashboard, Azent automatically registers the necessary service hook subscriptions in Azure DevOps. No manual configuration is needed.
Allowed group
By default, only users in the Azure DevOps Contributors group can trigger Azent. This prevents unauthorized users from consuming agent hours. You can change this group in the workspace configuration settings.