Azure DevOps Blog
DevOps, Git, and Agile updates from the team building Azure DevOps
Latest posts
Axios npm Supply Chain Compromise – Guidance for Azure Pipelines Customers
On March 31, 2026, malicious versions of the widely used JavaScript HTTP client library Axios were briefly published to the npm registry as part of a supply chain attack. The affected versions — 1.14.1 and 0.30.4 — included a hidden malicious dependency that executed during installation and connected to attacker-controlled command-and-control (C2) infrastructure to retrieve a second-stage payload. Because modern development workflows frequently rely on automated dependency resolution during CI/CD builds, environments such as developer workstations and build agents—including those used in Azure Pipelines...
Optimizing Git policy management at scale
With just a single improvement in the REST API of Azure DevOps, we achieved a massive reduction in CPU usage and execution time when managing Git policies: 2x less CPU and 10-15x faster execution! This change is already available to all users of Azure DevOps, and it's time to share a bit more detail: the background, what the change is, and how it helped us improve the performance. You may find this article useful if you maintain automation that manages Git policy configurations in Azure Repos using REST API. Git policy governance at a big enterprise Git policies are crucial for maintaining high quality of cod...
Public Preview: Actual Result for Manual Tests in Azure Test Plans
We're excited to announce the public preview of the highly anticipated Actual Result (AR) feature for manual testing in Azure Test Plans! This feature has been one of the top requests of the community, and we're thrilled to make it available for you. Why use the Actual Result feature? Manual testing is a critical part of many teams' processes. The new feature via the Actual Result field enables you to record precise outcomes for each test step, improving traceability, audit readiness, and collaboration across your teams. Key Functionalities Getting Started To try out the Actual Result field: ...
Azure DevOps MCP Server April Update
This update brings a set of improvements and changes across both local and remote Azure DevOps MCP Servers. Here’s a summary of what’s changed. Query work items with WIQL We’ve introduced a new tool that enables users to construct and run work item WIQL queries. For our remote MCP, to ensure reliability and performance, access to this tool is currently limited to users with the Insiders feature enabled. Learn more. As we gather usage telemetry and validate query performance, we plan to make it broadly available. Remote MCP Server Annotations MCP Annotations are metadata tags that help LLMs understand how ...
One-click security scanning and org-wide alert triage come to Advanced Security
We're shipping two major capabilities that change how security teams enable and act on application security in Azure DevOps: CodeQL default setup makes it possible to enable code scanning across your organization without configuring a single pipeline, and a new combined alerts experience in Security Overview gives security administrators a single place to search, filter, and coordinate remediation across every repository. In tandem with dependency scanning default setup and automatic secret scanning, scanning is now the default, and delegating work is built-in to the product with security campaigns powered by th...
April Patches for Azure DevOps Server
We are releasing patches for our self‑hosted product, Azure DevOps Server. We strongly recommend that all customers remain on the latest, most secure version to ensure optimal protection and reliability. The latest release of Azure DevOps Server is available from the download page. This patch applies to the most recent version, Azure DevOps Server, and includes the following updates: ⬇️Azure DevOps Server Patch Download ✅Verifying Installation To verify that the patch is installed, run the following command on the Azure DevOps Server machine using the patch installer you downloaded: Replace with t...
Improving the Markdown Editor for Work Items
We introduced the Markdown editor in July 2025 to bring Markdown support to large text fields in work items. Since then, we’ve received valuable customer feedback highlighting challenges with the editing experience, particularly when switching in and out of edit mode. Many users found the current interaction model confusing and, at times, disruptive. For example, entering edit mode through actions like double clicking could feel unexpected and interrupt the flow when simply trying to read or review content. What’s changing To address this, we’ve improved the usability of the Markdown editor by introducing a cl...
Remote MCP Server preview in Microsoft Foundry
Earlier this week we release the public preview for our Azure DevOps MCP Server. Today we are excited to let you know that the Azure DevOps MCP Server is now available to use in Microsoft Foundry. For those who are new to Foundry, Microsoft Foundry is a unified platform for building and managing AI powered applications and agents at scale. It brings together model access, orchestration, evaluation, and deployment into a single environment. It is used to develop intelligent solutions such as copilots and automated workflows, connect AI to real world tools and services, and move projects from experimentation to s...
Authentication Tokens Are Not a Data Contract
Authentication tokens exist to answer one question: is this caller authorized to do this? They are not intended to be a stable data interface, a schema you can depend on, or an input into application logic. If your application decodes tokens and reads claims from them, this is an important heads-up. Token Claims Were Never Guaranteed Although tokens may appear readable today, that was never a promise. We have never publicly documented token contents, and as a result, we have always reserved the right to change token claims at any point, for any reason. Claims may change, become optional, be renamed, be remov...
Azure DevOps Remote MCP Server (public preview)
When we released the local Azure DevOps MCP Server, it gave customers a way to connect Azure DevOps data with tools like Visual Studio and Visual Studio Code through GitHub Copilot Chat. The next step was to make this experience easier to get started with and to enable it for services that support only remote MCP servers. The Remote MCP Server is a hosted version of the Azure DevOps MCP Server that uses streamable HTTP transport. It supports the same core scenarios as the local server but removes the need for additional setup and installation. The Remote Azure DevOps MCP Server preview is available now. We are ...
March Patches for Azure DevOps Server
We are releasing patches for our self‑hosted product, Azure DevOps Server. We strongly recommend that all customers stay on the latest, most secure version of Azure DevOps Server. The latest release, Azure DevOps Server, is available from the download page. This patch addresses an issue introduced in the original Azure DevOps Server release that, under certain conditions, could cause group memberships to become deactivated. Who should install this patch This patch applies to customers who installed Azure DevOps Server prior to the March 13, 2026 re‑published release. If you previously applied the mitigation de...
Temporary rollback: build identities can access Advanced Security: read alerts again
If you use build service identities like to call Advanced Security APIs, the Advanced Security permission changes in Sprint 269 broke that. We restricted API access for build identities as a security improvement but failed to provide an early notice for customers that relied upon this for various automations. We're rolling it back temporarily. The restriction will be re-enforced on May 15, 2026. What you should do Action is required. The recommended path is a service principal with Advanced Security: Read alerts permissions for your Advanced Security-enabled repositories. Scope it narrowly, and if the service...
Updates to Team Calendar extension
We are excited to release a new update to the Team Calendar extension. This update includes a series of visual refinements across the extension, introducing a more consistent design language, smoother transitions when expanding and collapsing sections, improved contrast for better readability, an updated color palette aligned with Azure DevOps, and clearer, more consistent icons throughout the experience. Side Panel UI Improvements The side panel has received a complete visual overhaul with a modern, clean design that better integrates with Azure DevOps. Enhanced Summary View The Calendar Summary panel has...
TFVC Remove Existing Obsolete Policies ASAP
In April 2025, we announced the deprecation schedule for legacy TFVC check-in policies. This change was required due to limitations in how those policies were previously implemented and stored. The old policies have been marked as obsolete, and you can replace them by selecting the equivalent updated policy. We are currently in Phase II of this transition. During this phase, you can still replace obsolete policies through Team Explorer. When attempting to check in, you’ll also see a notification indicating that your configuration is out of compliance and still using obsolete policies. The final phase of this ...
Condensed views on Kanban and Sprint boards
One of the challenges teams face when working with large boards or displaying multiple fields on work item cards is limited screen space. This became even more noticeable with the rollout of the New Boards hub, which introduced additional spacing and padding for improved readability. While this enhances clarity, it can also reduce the number of cards visible at once. For example, if a work item contains a dozen or more tags and several custom fields, a single card can easily consume a significant portion of your vertical space. In Delivery Plans, we addressed this challenge with the condensed view option, where ...
February Patches for Azure DevOps Server
We are releasing patches for our self‑hosted product, Azure DevOps Server. We strongly recommend that all customers stay on the latest, most secure version of Azure DevOps Server. The latest release, Azure DevOps Server, is available from the download page. To make it easier to find and apply the latest patches, we are sharing patch details in the table below. Each entry includes the Azure DevOps Server version, a direct download link for the patch, and a link to the corresponding release notes with additional details. ⬇️Azure DevOps Server Patch Download ✅Verifying Installation To verify that the patch is ...
Azure Boards integration with GitHub Copilot includes custom agent support
We recently released the GitHub Copilot Coding Agent for Azure Boards to all customers. If you’re not already familiar with it, we recommend taking a few minutes to read this blog post for an overview and details. One of the top requests from customers using the GitHub Copilot Coding Agent for Azure Boards has been the ability to select and use custom agents defined at the GitHub repository or organization level. In this update, we’re excited to share that support for custom agents is on the way. 🤷♀️ What are custom agents? Custom agents in GitHub Copilot are tailored versions of the Copilot coding agent that...
Azure Boards additional field filters (private preview)
We’re introducing a limited private preview that allows you to add additional fields as filters on backlog and Kanban boards. This long-requested feature helps teams tailor their views, focus on the work that matters most, and provide feedback as we iterate toward general availability.
What’s new with Azure Repos?
We thought it was a good time to check in and highlight some of the work happening in Azure Repos. In this post, we’ve covered several recent improvements, along with a preview of features that are coming soon. To stay up to date, be sure to visit the Azure DevOps Roadmap. These changes have either already been released or are currently rolling out. Be sure to check the sprint release notes for full details. Breaking Change: Disabling Obsolete TFVC Check-In Policies Back in April 2025, we shared changes to how TFVC check-in policies are stored. These updates affect TFVC projects using policies such as Build (r...
The New Test Run Hub is Going Generally Available!
Delivering high-quality software requires clarity, speed, and collaboration. That’s why we introduced the New Test Run Hub in Azure Test Plans. A modern, streamlined experience designed to make test execution and analysis fast and intuitive. And we’re excited to announce that this experience is moving to General Availability (GA) for the Azure DevOps Services throughout January 2026. Why the New Test Run Hub? The new hub centralizes test execution for both manual and automated runs, giving teams: Your Feedback Matters Based on your feedback, we’ve made several improvements ahead of General Availabi...
Work item linking for Advanced Security alerts now available
Security vulnerabilities don't fix themselves. Someone needs to track them, prioritize them, and actually ship the fix. If you've ever tried to manage security alerts alongside your regular sprint work, though, you know the friction: you're looking at an alert in one tab, switching to your backlog in another, trying to remember which vulnerability you were supposed to file a bug for. We shipped work item linking for GitHub Advanced Security for Azure DevOps alerts to fix this. It's now generally available and it does exactly what it sounds like: you can link work items in Boards directly to security alerts. Note...
Azure Boards integration with GitHub Copilot
A few months ago we introduced the Azure Boards integration with GitHub Copilot in private preview. The goal was simple: allow teams to take a work item from Azure Boards and send it directly to GitHub Copilot so the coding agent could begin working on it, track progress, and generate a pull request. We are happy to announce that this integration is now being rolled out as generally available 🎉. Customers who participated in the preview helped us validate the experience, find issues, and shape improvements. GA includes the same workflow introduced in preview, along with new capabilities based on customer feedbac...
Retirement of Global Personal Access Tokens in Azure DevOps
In the new year, we’ll be retiring the Global Personal Access Token (PAT) type in the Azure DevOps Services product. No changes will be made to global PATs in the Azure DevOps Server product. Global PATs allow users to authenticate across all accessible organizations. While this can feel convenient, a single credential with broad reach creates a concentrated security risk — especially as a user’s access footprint grows. This level of privilege becomes an attractive target for bad actors, making global tokens unsuitable for today’s security‑conscious environments. Setting clear boundaries around high‑impact cr...
Updated: Announcing Azure DevOps Server General Availability
Update March 13, 2026: We have released a patch that resolves the issue introduced in the original Azure DevOps Server release that, under certain conditions, could cause group memberships to become deactivated. Who should install Azure DevOps Server Patch 2 Who does not need this patch Update March 13, 2026: Azure DevOps Server Issue Resolved and Release Re‑Published We’re happy to share that the previously identified issue affecting Azure DevOps Server has been resolved, and the corrected release is now available. You can now proceed with new installations or upgrades using the previously published ...
Azure DevOps and GitHub Repositories — Next Steps in the Path to Agentic AI
In May, we talked about the evolution of GitHub Copilot from a coding assistant into an AI powered peer programmer. Since then, GitHub has taken a major step forward - becoming an open platform for agentic development, where Agent HQ enables developers to orchestrate any agent, anytime, anywhere. Agent HQ provides observability, governance, and security controls for agents, so organizations can manage access, audit usage, and enforce policies. Meanwhile, the new GitHub Code Quality (in public preview) provides in-context findings, maintainability scores, and one-click fixes—helping teams ensure their code is heal...
November Patches for Azure DevOps Server
Today we are releasing patches that impact our self-hosted product, Azure DevOps Server. We strongly encourage and recommend that all customers use the latest, most secure release of Azure DevOps Server. You can download the latest version of the product, Azure DevOps Server 2022.2 from the Azure DevOps Server download page. Azure DevOps Server 2022.2 Patch 7 Release notes If you have Azure DevOps Server 2022.2, you should install Azure DevOps Server 2022.2 Patch 7 to have the most secure and updated product experience. With this patch we are fixing the following: Verifying Installation Run , is the...
Azure Developer CLI: Azure Container Apps Dev-to-Prod Deployment with Layered Infrastructure
This post walks through how to implement "build once, deploy everywhere" patterns using Azure Container Apps with the new and layered infrastructure features in Azure Developer CLI v1.20.0. You'll learn how to deploy the same containerized application across multiple environments with proper separation of concerns. This is the third installment in our Azure Developer CLI series, building on our previous explorations: - Azure App Service and GitHub Actions - Azure DevOps Pipelines Build once, deploy everywhere The challenge we're solving If you've worked with containers in production, you've probably run into...
Upcoming Updates for Azure Pipelines Agents Images
To ensure our hosted agents in Azure Pipelines are operating in the most secure and up-to-date environments, we continuously update the supported images and phase out older ones. In October 2024, we announced support for Ubuntu-24.04. Soon, we plan to update the ubuntu-latest image to map to Ubuntu-24.04. Additionally, MacOS 15 Sequoia and Windows 2025 images will be generally available later this year. Alongside these new releases, we will deprecate older images like Ubuntu-20.04 and Windows Server 2019. Please refer to the following subsections for detailed updates on individual images. Ubuntu Ubuntu 24.04 ...
Modernizing Authentication for Legacy Visual Studio Clients
As part of our ongoing commitment to security and modernization, we’re updating outdated authentication mechanisms used by older versions of clients reliant on our older Visual Studio client libraries. For full details on all known impacted clients, refer to the official announcement we made in April 2024: End of Support for Microsoft products reliant on older Azure DevOps and Visual Studio authentication. In order to minimize disruption due to removing these legacy tokens, over the past few months, we’ve worked on seamlessly transitioning these legacy tokens to Entra-backed authentication when possible. This c...
Azure DevOps local MCP Server is generally available
Today we are excited to take our local MCP Server for Azure DevOps out of preview 🥳. Since the initial preview announcement, we've worked closely with early adopters and the community to incorporate feature suggestions and feedback. We’ve improved login and authorization, added and refined tooling, and introduced domains so users can scope active tools to stay under client limits. 🤷♂️ What is an MCP Server? A local MCP Server (Model Context Provider) is a tool that sits between your AI assistant (like GitHub Copilot) and your Azure DevOps organization. Its job is to inject rich, real-time context such as work ...
Announcing the new Azure DevOps Server RC Release
We’re excited to announce the release candidate (RC) of Azure DevOps Server, bringing new features previously available in our hosted version. You can download Azure DevOps Server RC today. A direct upgrade to Azure DevOps Server RC is supported from any version of Team Foundation Server, including Team Foundation Server 2015 and newer. Note: October 14, 2025, is the date for the end of Extended Support for Team Foundation Server 2015. This means that it will no longer receive security updates or technical support. We strongly recommend that customers upgrade to the latest versions of Azure DevOps as they ar...
Azure Boards integration with GitHub Copilot (Private Preview)
As of October 16, 2025, we are no longer accepting organization signups for the private preview. Our focus is now on completing the feature and preparing it for general availability in the coming weeks. Several months ago, GitHub introduced the public preview of its Copilot coding agent, a powerful new capability that allows you to assign GitHub Issues directly to Copilot. From there, the agent works independently in the background, much like a human developer, to complete the task. Copilot evaluates the request based on the information you provide, whether from the issue description or a chat message, then ...
New Test Run Hub in Azure Test Plans
Delivering high-quality software is a necessity and that’s why Azure Test Plans has introduced the all-new Test Run Hub, an enabler for teams who want to take control of their testing process and drive continuous improvement. What Makes the Test Run Hub a Must-Have? The Test Run Hub is designed to help teams track test progress, analyze results, and maintain quality across every development cycle. Whether you’re running manual or automated tests, the new test run hub brings clarity and efficiency to your quality assurance workflow. Key Benefits Real-Time Visibility: Instantly monitor test progress and quali...
Azure Developer CLI: From Dev to Prod with Azure DevOps Pipelines
Building on our previous post about implementing dev-to-prod promotion with GitHub Actions, this follow-up demonstrates the same "build once, deploy everywhere" pattern using Azure DevOps Pipelines. You'll learn how to leverage Azure DevOps YAML pipelines with Azure Developer CLI (azd). This approach ensures consistent, reliable deployments across environments. Environment-Specific Infrastructure The infrastructure approach is identical to our previous GitHub Actions implementation. It uses conditional Bicep deployment with a single parameter. This drives environment-specific resource configuration. The same B...
Azure DevOps OAuth Client Secrets Now Shown Only Once
We’re making an important change to how Azure DevOps displays OAuth client secrets to align with industry best practices and improve our overall security posture. Starting September, newly generated client secrets will be shown only once at the time of creation. After that, they will no longer be retrievable via the UI or API. This update helps reduce the risk of accidental exposure and encourages secure storage practices, such as saving secrets in Azure Key Vault or other secure vaults. These changes will go into effect for all apps by September 2, 2025. We will also be retiring the Get Registration Secret ...
Hunting Living Secrets: Secret Validity Checks Arrive in GitHub Advanced Security for Azure DevOps
If you’ve ever waded through a swamp of secret scanning alerts wondering, “Which of these are actually dangerous right now?” — this enhancement is for you. Secret validity checks in GitHub Advanced Security for Azure DevOps (and the standalone Secret Protection experience) add a high‑signal field to each alert: (still usable), or (couldn’t be verified). Instead of treating every alert like a five‑alarm fire, you can now fast‑path the truly risky stuff and spend less time chasing ghosts. TL;DR Why This Matters Traditional secret scanning: Found something → raise alert → you investigate → sometimes...
Real-Time Security with Continuous Access Evaluation (CAE) comes to Azure DevOps
Update (April 17, 2026): Continuous Access Evaluation (CAE) rollouts are in progress. It is now available to some customers, and will be rolled out to all customers by May 2026. We’re thrilled to announce that Continuous Access Evaluation (CAE) is now supported on Azure DevOps, bringing a new level of near real-time security enforcement to your development workflows. What Is CAE? Continuous Access Evaluation (CAE) is a feature from Microsoft Entra ID that enables near real-time enforcement of Conditional Access policies. Traditionally, Microsoft Entra access tokens in Azure DevOps are valid for up to an ho...
Automate your open-source dependency scanning with Advanced Security
Any experiences that require additional setup is cumbersome, especially when there are multiple people needed. In GitHub Advanced Security for Azure DevOps, we're working to make it easier to enable features and scale out enablement across your enterprise. You can now automatically inject the dependency scanning task into any pipeline run targeting your default branch. This is a quick way to ensure that your production code (and any code being merged into your production branch) are evaluated for open-source dependency vulnerabilities. Enabling one-click dependency scanning for your repository You'll need to h...
From Manual Testing to AI-Generated Automation: Our Azure DevOps MCP + Playwright Success Story
In today’s fast-paced software development cycles, manual testing often becomes a significant bottleneck. Our team was facing a growing backlog of test cases that required repetitive manual execution—running the entire test suite every sprint. This consumed valuable time that could be better spent on exploratory testing and higher-value tasks. We set out to solve this by leveraging Azure DevOps’ new MCP server integration with GitHub Copilot to automatically generate and run end-to-end tests using Playwright. This powerful combination has transformed our testing process: By automating our testing pipelin...
Azure Developer CLI: From Dev to Prod with One Click
This post walks through how to implement a "build once, deploy everywhere" pattern using Azure Developer CLI (azd) that provisions environment-specific infrastructure and promotes applications from dev to prod with the same build artifacts. You'll learn how to use conditional Bicep deployment, environment variable injection, package preservation across environments, and automated CI/CD promotion from development to production. Environment-Specific Infrastructure When deploying applications across environments, different requirements emerge: Rather than maintaining separate infrastructure templates or complex...
July Patches for Azure DevOps Server
Today we are releasing patches that impact our self-hosted product, Azure DevOps Server. We strongly encourage and recommend that all customers use the latest, most secure release of Azure DevOps Server. You can download the latest version of the product, Azure DevOps Server 2022.2 from the Azure DevOps Server download page. Azure DevOps Server 2020.1.2 Patch 17 Release notes If you have Azure DevOps Server 2020.1.2, you should install Azure DevOps Server 2020.1.2 Patch 17 to have the most secure and updated product experience. With this patch we are fixing a null reference exception in the multi-repo trigge...
Markdown Support Arrives for Work Items
After several months in private preview and many bug fixes along the way, we’re excited to announce that Markdown support in large text fields is now generally available! 🎉 🦄 How it works By default, all existing and new work items will continue using the HTML editor for large text fields. However, you now have the option to opt-in and use the Markdown editor for individual work items and fields. Existing work items Open the work item and click into a large text field (e.g., Description). The field will initially appear as an HTML editor, but you’ll now see an option to convert it to Markdown. We perform a...
Removing Azure Resource Manager reliance on Azure DevOps sign-ins
Azure DevOps will no longer depend on the Azure Resource Manager (ARM) resource (https://management.azure.com) when you sign in or refresh Microsoft Entra access tokens. Previously, Azure DevOps required the ARM audience during sign-in and token refresh flows. This requirement meant administrators had to allow all Azure DevOps users to satisfy ARM-based Conditional Access policies to maintain access to ADO. Tokens for Azure DevOps no longer require the ARM audience. As a result, you can manage Azure DevOps access more effectively by creating Azure DevOps-specific Conditional Access policy instead of relying on t...
Azure DevOps MCP Server, Public Preview
A few weeks ago at BUILD, we announced the upcoming Azure DevOps MCP Server: 👉 Azure DevOps with GitHub Repositories – Your path to Agentic AI Today, we’re excited to share that the local Azure DevOps MCP Server is now available in public preview. This lets GitHub Copilot in Visual Studio and Visual Studio Code access and interact with your Azure DevOps environment, including work items, pull requests, test plans, builds, releases, and wiki pages. 🤷♂️ What is an MCP Server? A local MCP Server (Model Context Provider) is a tool that sits between your AI assistant (like GitHub Copilot) and your Azure DevOps or...
June Patches for Azure DevOps Server
Update October 14: These issues we encountered with patching Azure DevOps Server 2022.2 have now been fully resolved. We appreciate your patience and understanding during this time. We will resume our regular patching cycle starting in November. Update July 25: We are currently investigating an issue with Patch 6 for Azure DevOps Server 2022.2. Our team is actively working to identify the root cause and implement a resolution as quickly as possible. We will continue to provide updates and details in this blog as they become available. Thank you for your patience and understanding. Today we are releasing patches...
Restricting PAT Creation in Azure DevOps Is Now in Preview
As organizations continue to strengthen their security posture, restricting usage of personal access tokens (PATs) has become a critical area of focus. With the latest public preview of the Restrict personal access token creation policy in Azure DevOps, Project Collection Administrators (PCAs) now have another powerful tool to reduce unnecessary PAT usage and enforce tighter controls across their organizations. 🗣️ This has been one of our most requested features -- we're excited to finally deliver it. Why This Matters PATs are a convenient way for users to authenticate with Azure DevOps, but they also pose...
GitHub Secret Protection and GitHub Code Security for Azure DevOps
Following the changes to GitHub Advanced Security on GitHub, we're launching the standalone security products of GitHub Secret Protection and GitHub Code Security for Azure DevOps today. You can bring the protection of Advanced Security to your enterprise with the flexibility to enable the right level of protection for your repositories. GitHub Secret Protection for Azure DevOps Secret Protection is available for $19 per active committer per month, which provides features including: GitHub Code Security for Azure DevOps Code Security is available for $30 per active committer per month, which provides f...
Azure DevOps with GitHub Repositories – Your path to Agentic AI
GitHub Copilot has evolved beyond a coding assistant in the IDE into an agentic teammate – providing actionable feedback on pull requests, fixing bugs and implementing new features, creating pull requests and responding to feedback, and much more. These new capabilities will transform every aspect of the software development lifecycle, as we are already seeing on our own teams within Microsoft and GitHub. Copilot’s agentic capabilities are most powerful when your code lives in GitHub, and that’s why we’ve been working hard to make the experience of using GitHub, Copilot, and Azure DevOps seamless. Now is the tim...
One Pipeline to Rule Them All: Ensuring CodeQL Scanning Results and Dependency Scanning Results Go to the Intended Repository
"One Ring to rule them all, One Ring to find them, One Ring to bring them all, and in the darkness bind them." – J.R.R. Tolkien, The Lord of the Rings In the world of code scanning and dependency scanning, your pipeline is the One Ring—a single definition that can orchestrate scans across multiple repositories. However, much like the One Ring, if misused, it can lead to chaos: publishing results to the unintended repository. Fear not, brave developer! This guide will show you how to wield your pipeline wisely so that CodeQL scanning results and Dependency Scanning results are always published to the inten...
Introducing Azure DevOps ID Token Refresh and Terraform Task Version 5
We are excited to share some recent updates that improve the experience of using Workload identity federation (OpenID Connect) with Azure DevOps and Terraform on Microsoft Azure. Many working parts have come together to make this possible and we'll share those here. We are also very pleased to announce version 5 of the Microsoft DevLabs Terraform Task, which supports ID Token refresh by default. What is ID Token Refresh? Workload identity federation requires an ID Token issued from the identity provider, in our case Azure DevOps. This ID Token has a short lifespan of ~5 minutes by design. It is immediately ex...
Spring Cleaning: A CTA for Azure DevOps OAuth Apps with expired or long-living secrets
Today, we officially closed the doors on any new Azure DevOps OAuth app registrations. As we prepare for the end-of-life for Azure DevOps OAuth apps in 2026, we'll begin outreach to engage existing app owners and support them through the migration process to use the Microsoft Identity platform instead for future app development with Azure DevOps. This platform, used across Microsoft teams, can access the same Azure DevOps REST APIs, with the added benefit of ongoing regular investment and additional security controls available to company admins. We've collected a list of helpful resources from Microsoft Entra do...
Azure Boards + GitHub: Recent Updates
Over the past several months, we’ve delivered a series of improvements to the Azure Boards + GitHub integration. Whether you're tracking code, managing pull requests, or connecting pipelines, these updates aim to simplify and strengthen the link between your work items and your GitHub activity. Here’s a recap of everything we’ve released (or are just about to release): 🔗 Smarter Link Management for Branches, PRs, and Commits We’ve made it easier than ever to keep your work items automatically updated as your development progresses: These changes reduce the need for manual linking and help keep your work...
April Patches for Azure DevOps Server and Team Foundation Server
Today we are releasing patches that impact our self-hosted product, Azure DevOps Server, as well as Team Foundation Server 2018.3.2. We strongly encourage and recommend that all customers use the latest, most secure release of Azure DevOps Server. You can download the latest version of the product, Azure DevOps Server 2022.2 from the Azure DevOps Server download page. Previously, the Azure DevOps Agent used the Edgio CDN with endpoint . As part of Edgio's retirement, the domain is being decommissioned. To ensure continued availability, we have migrated to an Akamai-backed CDN with a new endpoint . This patch in...
Boards Integration with GitHub Enterprise Cloud and Data Residency (Public Preview)
Back in January, we launched a private preview of our Boards integration with GitHub Enterprise Cloud with data residency. If you're unfamiliar with GitHub's data residency option and what it means for your organization, you can learn more in the original announcement. Since the private preview launch, we’ve gathered valuable feedback from early adopters, and today, we’re excited to open up the experience to a wider audience with a public preview. How it works We’ve introduced a new option that allows you to connect an Azure Boards project to your GitHub Enterprise Cloud organization with data residency. Af...
CDN Domain URL change for Agents in Pipelines
Introduction We have announced the retirement of Edgio CDN for Azure DevOps and are transitioning to a solution served by Akamai and Azure Front Door CDNs. This change affects Azure DevOps Pipelines customers. This article provides guidance for the Azure DevOps Pipelines customers to check if they are impacted by this change in CDN and the changes required if impacted. Impacted Azure DevOps Service and Azure DevOps Server Customers should complete the suggested changes by May 1, 2025 and May 15, 2025 respectively. As of June 11, 2025, the old domain URL (https://vstsagentpackage.azureedge.net) is inactive. Impa...
TFVC Policies Storage Updates
TFVC Check-In Policies TFVC projects can have check-in policies such as Build (Require last build was successful), Work Item (Require associated work item), Changeset comments policy (Require users to add comment to their check-in), etc. We are changing the way we store these policies on the server. This change will slightly affect TFVC users since they would need to initiate migration process from their side. Phase I – User opt-in (Complete) This is a phase in progress. We provided means for users to start their migration process. Migration from obsolete policies to active ones should be done by the project...
Important Update: Server Name Indication (SNI) Now Mandatory for Azure DevOps Services
Earlier this year, we announced an upgrade to our network infrastructure and the new IP addresses you need to allow list in your firewall - Update to Azure DevOps Allowed IP addresses - Azure DevOps Blog. This is our second blog post to inform you that starting from April 23rd, 2025, we will be requiring Server Name Indication (SNI) on all incoming HTTPS connections to Azure DevOps Services. SNI is an extension to the TLS protocol that allows clients to specify the hostname they are connecting to. All modern browsers and client software support SNI and use it by default, ensuring a seamless transition for most ...
New Overlapping Secrets on Azure DevOps OAuth
As you may have read, Azure DevOps OAuth apps are due for deprecation in 2026. All developers are encouraged to migrate their applications to use Microsoft Entra ID OAuth, which can access all Azure DevOps APIs and has the added benefit of enhanced security features and long-term investment. Although we are nearing Azure DevOps OAuth’s end-of-life, we remain committed to providing very critical security enhancements on Azure DevOps integration methods as they remain available. To this end, we’re introducing a new feature designed to improve security on existing apps and streamline the oft-disruptive secret rotat...
Introducing Java, JS and Python support in Test Plans
Update - December 1, 2025 The feature is Generally Available. Support for additional languages in Test Plans We are excited to announce new capabilities in Azure Test Plans that will enhance your testing workflows. With this latest release, we are introducing the ability to associate automated tests written in Java/JUnit (Maven and Gradle), JS (Jest) and Python (PyTest) with test cases and then run those tests with the new Azure Test Plan task. This is an addition to the ability to associate tests written in the majority of the .NET supported frameworks, which was until now only supported via Visual Studio Co...
Markdown for large text fields (private preview)
📢 As of April 15th, we are no longer accepting private preview requests. We have enough participants signed up to provide feedback. Keep an eye on the Azure DevOps release notes for the general availability announcement. Adding Markdown capabilities to the work item is a long-standing request. We introduced Markdown for comments in early 2024, but due to the rollout of the New Boards Hub, we put the feature on hold. Today, we’re excited to announce a private preview for Markdown support in large text fields! 🎉 🦄 How it works By default, all existing and new work items will continue using the HTML editor f...
March Patches for Azure DevOps Server
Today we are releasing patches that impact our self-hosted product, Azure DevOps Server. We strongly encourage and recommend that all customers use the latest, most secure release of Azure DevOps Server. You can download the latest version of the product, Azure DevOps Server 2022.2 from the Azure DevOps Server download page. The following versions of the product has been patched. Azure DevOps Server 2022.2 Patch 4 If you have Azure DevOps Server 2022.2, you should install Azure DevOps Server 2022.2 Patch 4 to have the most secure product experience. Check out the Release notes for details. Note: Azur...
New Boards Hub Update
We've reached a major milestone in the rollout of New Boards Hub this week by making it the default experience for all organizations and users. While many users can still temporarily switch back if they encounter a blocking issue, our telemetry shows that 97% of users are staying on New Boards without reverting. This is a significant step forward! Maintaining two versions of Boards is not a sustainable long-term solution, and our goal is to transition all customers to New Boards permanently. To that end, we’ve already disabled Old Boards for over 50% of organizations, and we’ll continue this process over the n...
Azure DevOps Basic usage included with GitHub Enterprise
Many customers want to use both GitHub and Azure DevOps together. Until now, unless you purchased Visual Studio subscriptions with GitHub Enterprise, you had to pay separately for both products. With the Sprint 252 release, Azure DevOps Basic usage rights are included with GitHub Enterprise Cloud. Your users access this benefit automatically when they login to Azure DevOps using Microsoft Entra. Their access level will change to “GitHub Enterprise” and just like a Visual Studio subscriber, there are no Azure DevOps charges for these users. We’ll be adding support for GitHub Enterprise Cloud with Data Residenc...
GitHub Copilot for Azure DevOps users
Azure DevOps customers frequently ask us when GitHub Copilot will be available to them. What many don’t realize is that GitHub Copilot for Business is already accessible to all customers, including those using Azure DevOps. Even better, much of its powerful functionality is integrated into tools you already use, like Visual Studio and VS Code. In this post, we’ll share resources to help you get started with GitHub Copilot as an Azure DevOps customer and highlight some of the great features available in your IDE. 👟 Getting Started Getting started with GitHub Copilot is simple and opens the door to a more efficie...
February Patches for Azure DevOps Server
Update 2/24: We re-released Patch 3 for Azure DevOps Server 2022.2. If you have previously installed the earlier versions of this patch, please update it using the provided link. This re-release addresses an issue causing YAML pipelines to fail. Further details on the issue can be found in the Developer Community. Update 2/13: We have re-released Patch 3 for Azure DevOps Server 2022.2 to fix the YAML pipelines failing issue reported in the Developer Community. You can use the link provided in this blog post to download the patch for the first time as well as fixing the issue if you have previously installed Patc...
Full web support for conditional access policies across Azure DevOps and partner web properties
We’re happy to announce that we’ve made significant progress in updating our web authentication stack on Azure DevOps services and partner web properties to utilize Microsoft Entra tokens to handle web sessions. By replacing our previous cookies with Entra tokens, we’ve deepened the integration we have with Microsoft Entra ID on our web experience. This change allows us to continuously evaluate identity compliance with Entra policies on an hourly basis (the duration of an Entra token). Previously, we could only regularly evaluate IP-fencing policies (at a much less frequent cadence than every hour) with our old...
Update to Azure DevOps Allowed IP addresses
We are excited to announce some important upgrades to our networking infrastructure that will enhance the performance and reliability of our service. As part of these infrastructure upgrades, we are introducing new IP addresses that you will need to allow list in your firewall configurations. What’s Changing And Why? We are transitioning from the current set of network edge devices supporting Azure DevOps to new, better-performing network edge devices by May 2025. As part of this transition, we have added new IP addresses to the current published allow list - Allowed address lists and network connections - Azur...
Upcoming support lifecycle milestones for older on-premises products
Multiple versions of our on-premises product will reach the end of support on October 14, 2025. Customers are encouraged to start planning and deploying upgrades now to ensure that installed products remain supported and secure, and to take advantage of new capabilities offered in successor products. The latest version of our on-premises product is Azure DevOps Server 2022.2. October 14, 2025, is the date for the end of Extended Support for Team Foundation Server 2015 - meaning it will no longer receive security updates or technical support. Upon end of support, there will be no new updates, free or paid assiste...
Changes to provisioning Azure DevOps projects using the Azure DevOps Demo Generator
The Azure DevOps Demo Generator is a tool that allows you to create projects in your Azure DevOps organization, complete with pre-filled sample content. This includes source code, work items, iterations, service connections, and build and release pipelines, all based on a template you select. Starting February 28, 2025, we are eliminating the need for us to authenticate on your behalf. This update will give you greater control over creating new projects and ensure a more secure process. Instead of the previous authentication process, you will run the ADOGenerator project as a console application or executable (....
Reducing personal access token (PAT) usage across Azure DevOps
In the new year, we’ll be making moves towards strengthening Microsoft and our customers' security posture in regards to the usage and creation of personal access tokens (PATs). If you’ve been following this blog, you may have noticed we’ve been distancing away from PATs as the recommended authentication method for Azure DevOps APIs by offering more restrictive policies and secure alternatives. PATs can be an enticing vector for unauthorized access, especially when insecurely stored, over-scoped, or set for long durations. There exist scenarios where PATs remain the primary form of authentication within Azure D...
Important: Switching CDN providers
The current content delivery network (CDN) provider Edgio, used by Azure DevOps is retiring. We're urgently transitioning to a solution served by Akamai and Azure Front Door CDNs to maintain the responsiveness of our services. What this means for you For most of you, this transition will be seamless. To ensure that you can continue to access Azure DevOps without any interruptions, use the following Powershell commands to validate that your current firewall settings allow connectivity to the new CDN providers: If your network includes firewalls that could affect access to the new CDNs, we recommend adding ...
New Boards Hub Rollout Expectations
Although the process may seem slow, we are steadily progressing toward rolling out the New Boards Hub to all customers. Our plan is to deprecate the old Boards experience for all Azure DevOps service users by the end Q1 2025. The rollout is advancing on two fronts. First, we are setting the New Boards Hub as the default experience. Second, for customers who already have the New Boards Hub enabled as the default, we are transitioning groups to exclusively use the New Boards Hub. Removing the option to revert to the old Boards experience. Currently, 60% of customers have the New Boards Hub set as their default ex...