Azure DevOps Blog
DevOps, Git, and Agile updates from the team building Azure DevOps
Latest posts
Enterprise Live Migrations: Moving from Azure DevOps Repo to GitHub with minimal disruption
Over the last several years, we’ve encouraged customers to move their repositories from Azure Repos to GitHub to take advantage of the latest AI-powered and agentic development experiences. For many enterprise teams, however, migrating at scale comes with real constraints. Traditional approaches can require extended downtime - sometimes days - which isn’t acceptable for teams running critical workloads. To address this, we’re introducing Enterprise Live Migrations (ELM), in limited public preview. Migrations begin without locking the Azure DevOps repository, with changes continuously synchronized to GitHub whi...
How Microsoft is migrating repositories to GitHub
For the past decade, Azure DevOps has powered software development at Microsoft, supporting some of our largest repositories and most complex engineering workflows across Azure Repos, Boards, and Pipelines. Software development is being reshaped by AI, and where code lives now have a direct impact on how much value organizations can capture. For teams that want to take full advantage of AI-native development, repository location is becoming a strategic decision. Azure DevOps and GitHub product teams have spent the past few years building the integration, migration, and enterprise-readiness capabilities needed t...
Azure DevOps and GitHub: Journeying into the AI Era
AI is changing how software gets planned, built, and reviewed. As teams adopt agentic development, the platform underneath those workflows matters more. They need tools that bring planning, coding, security, and collaboration together—and can keep pace with how development is evolving. That’s why we’re delivering the newest agentic capabilities on GitHub across planning, coding, code review, and security. For teams driving active development, that often means moving repositories to GitHub to unlock the latest AI-powered workflows, while continuing to use Azure Boards and Pipelines. For teams that need more time ...
May Patches for Azure DevOps Server
We are releasing new patches for our self‑hosted product, Azure DevOps Server. We strongly recommend that all customers stay up to date with the latest, most secure version of Azure DevOps Server. The most recent release, Azure DevOps Server, is available on the download page. The following versions have been patched. For more details on these updates, see the release notes: ⬇️Azure DevOps Server Patch Download ✅Verifying Installation To verify that the patch is installed, run the following command on the Azure DevOps Server machine using the patch installer you downloaded: Replace with the name of the...
Axios npm Supply Chain Compromise – Guidance for Azure Pipelines Customers
On March 31, 2026, malicious versions of the widely used JavaScript HTTP client library Axios were briefly published to the npm registry as part of a supply chain attack. The affected versions — 1.14.1 and 0.30.4 — included a hidden malicious dependency that executed during installation and connected to attacker-controlled command-and-control (C2) infrastructure to retrieve a second-stage payload. Because modern development workflows frequently rely on automated dependency resolution during CI/CD builds, environments such as developer workstations and build agents—including those used in Azure Pipelines...
Optimizing Git policy management at scale
With just a single improvement in the REST API of Azure DevOps, we achieved a massive reduction in CPU usage and execution time when managing Git policies: 2x less CPU and 10-15x faster execution! This change is already available to all users of Azure DevOps, and it's time to share a bit more detail: the background, what the change is, and how it helped us improve the performance. You may find this article useful if you maintain automation that manages Git policy configurations in Azure Repos using REST API. Git policy governance at a big enterprise Git policies are crucial for maintaining high quality of cod...
Public Preview: Actual Result for Manual Tests in Azure Test Plans
We're excited to announce the public preview of the highly anticipated Actual Result (AR) feature for manual testing in Azure Test Plans! This feature has been one of the top requests of the community, and we're thrilled to make it available for you. Why use the Actual Result feature? Manual testing is a critical part of many teams' processes. The new feature via the Actual Result field enables you to record precise outcomes for each test step, improving traceability, audit readiness, and collaboration across your teams. Key Functionalities Getting Started To try out the Actual Result field: ...
Azure DevOps MCP Server April Update
This update brings a set of improvements and changes across both local and remote Azure DevOps MCP Servers. Here’s a summary of what’s changed. Query work items with WIQL We’ve introduced a new tool that enables users to construct and run work item WIQL queries. For our remote MCP, to ensure reliability and performance, access to this tool is currently limited to users with the Insiders feature enabled. Learn more. As we gather usage telemetry and validate query performance, we plan to make it broadly available. Remote MCP Server Annotations MCP Annotations are metadata tags that help LLMs understand how ...
One-click security scanning and org-wide alert triage come to Advanced Security
We're shipping two major capabilities that change how security teams enable and act on application security in Azure DevOps: CodeQL default setup makes it possible to enable code scanning across your organization without configuring a single pipeline, and a new combined alerts experience in Security Overview gives security administrators a single place to search, filter, and coordinate remediation across every repository. In tandem with dependency scanning default setup and automatic secret scanning, scanning is now the default, and delegating work is built-in to the product with security campaigns powered by th...
April Patches for Azure DevOps Server
We are releasing patches for our self‑hosted product, Azure DevOps Server. We strongly recommend that all customers remain on the latest, most secure version to ensure optimal protection and reliability. The latest release of Azure DevOps Server is available from the download page. This patch applies to the most recent version, Azure DevOps Server, and includes the following updates: ⬇️Azure DevOps Server Patch Download ✅Verifying Installation To verify that the patch is installed, run the following command on the Azure DevOps Server machine using the patch installer you downloaded: Replace with t...
Improving the Markdown Editor for Work Items
We introduced the Markdown editor in July 2025 to bring Markdown support to large text fields in work items. Since then, we’ve received valuable customer feedback highlighting challenges with the editing experience, particularly when switching in and out of edit mode. Many users found the current interaction model confusing and, at times, disruptive. For example, entering edit mode through actions like double clicking could feel unexpected and interrupt the flow when simply trying to read or review content. What’s changing To address this, we’ve improved the usability of the Markdown editor by introducing a cl...
Remote MCP Server preview in Microsoft Foundry
Earlier this week we release the public preview for our Azure DevOps MCP Server. Today we are excited to let you know that the Azure DevOps MCP Server is now available to use in Microsoft Foundry. For those who are new to Foundry, Microsoft Foundry is a unified platform for building and managing AI powered applications and agents at scale. It brings together model access, orchestration, evaluation, and deployment into a single environment. It is used to develop intelligent solutions such as copilots and automated workflows, connect AI to real world tools and services, and move projects from experimentation to s...
Authentication Tokens Are Not a Data Contract
Authentication tokens exist to answer one question: is this caller authorized to do this? They are not intended to be a stable data interface, a schema you can depend on, or an input into application logic. If your application decodes tokens and reads claims from them, this is an important heads-up. Token Claims Were Never Guaranteed Although tokens may appear readable today, that was never a promise. We have never publicly documented token contents, and as a result, we have always reserved the right to change token claims at any point, for any reason. Claims may change, become optional, be renamed, be remov...
Azure DevOps Remote MCP Server (public preview)
When we released the local Azure DevOps MCP Server, it gave customers a way to connect Azure DevOps data with tools like Visual Studio and Visual Studio Code through GitHub Copilot Chat. The next step was to make this experience easier to get started with and to enable it for services that support only remote MCP servers. The Remote MCP Server is a hosted version of the Azure DevOps MCP Server that uses streamable HTTP transport. It supports the same core scenarios as the local server but removes the need for additional setup and installation. The Remote Azure DevOps MCP Server preview is available now. We are ...
March Patches for Azure DevOps Server
We are releasing patches for our self‑hosted product, Azure DevOps Server. We strongly recommend that all customers stay on the latest, most secure version of Azure DevOps Server. The latest release, Azure DevOps Server, is available from the download page. This patch addresses an issue introduced in the original Azure DevOps Server release that, under certain conditions, could cause group memberships to become deactivated. Who should install this patch This patch applies to customers who installed Azure DevOps Server prior to the March 13, 2026 re‑published release. If you previously applied the mitigation de...
Temporary rollback: build identities can access Advanced Security: read alerts again
If you use build service identities like to call Advanced Security APIs, the Advanced Security permission changes in Sprint 269 broke that. We restricted API access for build identities as a security improvement but failed to provide an early notice for customers that relied upon this for various automations. We're rolling it back temporarily. The restriction will be re-enforced on May 15, 2026. What you should do Action is required. The recommended path is a service principal with Advanced Security: Read alerts permissions for your Advanced Security-enabled repositories. Scope it narrowly, and if the service...
Updates to Team Calendar extension
We are excited to release a new update to the Team Calendar extension. This update includes a series of visual refinements across the extension, introducing a more consistent design language, smoother transitions when expanding and collapsing sections, improved contrast for better readability, an updated color palette aligned with Azure DevOps, and clearer, more consistent icons throughout the experience. Side Panel UI Improvements The side panel has received a complete visual overhaul with a modern, clean design that better integrates with Azure DevOps. Enhanced Summary View The Calendar Summary panel has...
TFVC Remove Existing Obsolete Policies ASAP
In April 2025, we announced the deprecation schedule for legacy TFVC check-in policies. This change was required due to limitations in how those policies were previously implemented and stored. The old policies have been marked as obsolete, and you can replace them by selecting the equivalent updated policy. We are currently in Phase II of this transition. During this phase, you can still replace obsolete policies through Team Explorer. When attempting to check in, you’ll also see a notification indicating that your configuration is out of compliance and still using obsolete policies. The final phase of this ...