Big Cranium Logo White.png
TrainingHelp Center
Find the insights and best practices about our product.
General
FAQs
System & Network Requirements
Getting Started
My AI Dashboard Overview
Release Notes
2026.4.2 Release Notes
2026.4.1 Release Notes
2026.3.1 Release Notes
2026.2.2 Release Notes
2026.2.1 Release Notes
2026.1.1 Release Notes
2025.12.1 Release Notes
2025.11.1 Release Notes
2025.10.3 Release Notes
2025.10.1 Release Notes
2025.9.1 Release Notes
2025.8.1 Release Notes
2025.7.1 Release Notes
2025.4.1 Release Notes
2025.3.1 Release Notes
2025.1.1 Release Notes
2024.12.1 Release Notes
AI Manager
My AI Systems
My AI Systems Overview
AI System Details Overview
Adding a New AI System
Self-Attesting to a Compliance Framework
Compliance Scoring
Compliance Agent [Beta]
My AI Supply Chain
Supply Chain Overview
Managing Outgoing AI Card Requests
Responding to an AI Card Request
Publishing an AI Card Without a Request
My Vendors Overview
Artifacts
Bill of Materials
Bill of Materials Overview
Creating a Bill of Materials with CodeSensor
Self-Attest to a Bill of Materials
AgentSensor Overview
Technology Search Overview
Document Library
Document Library Overview
Vulnerability Management
Arena Shield
Arena Shield Overview
Shield YAML Implementation Guide
Arena
AI Arena Overview
Vulnerability Assessment
Vulnerability Management
Vulnerability Assessment Overview
Accessing a Vulnerability Assessment
Adversarial Inputs Detector
Vulnerabilities Overview
Settings
User Manager Overview
Detect AI
Integrations
Accessing a Private VCS
Registering SSH for CodeSensor
Integrating Bitbucket with Cranium
Integrating GitHub with Cranium
Integrating GitLab with Cranium
Integrating Azure DevOps with Cranium
Continuous Monitoring Overview
VCS Service Rate Limits
CloudSensor
CloudSensor Overview
Public API
Public API Overview
Authentication & Generating Credentials
Pagination & Incremental Sync
Rate Limits & Error Handling
Endpoint Reference
Bills of Materials
Technology Vulnerabilities
Arena Models
Arena Model Vulnerabilities
Home
Settings
Integrations
Integrating Azure De...
Integrating Azure DevOps with Cranium

This guide explains how to connect your Azure DevOps repositories to Cranium for Detect AI and CodeSensor scans. For general information about VCS integrations, see Accessing a Private VCS.

About Azure DevOps Integration

Azure DevOps is Microsoft's cloud-based platform for version control, project management, and CI/CD. All Azure DevOps organizations are hosted on Microsoft's infrastructure and accessed through dev.azure.com with organization-specific URLs. Unlike some other VCS platforms, Azure DevOps uses a standardized structure where organizations are identified by their name in the URL path rather than by custom domains.

Requirements

To integrate Azure DevOps with Cranium, you need:

  • Your Azure DevOps organization name
  • A Personal Access Token with the following permissions:
    • Code (Read) - vso.code
    • Project and Team (Read) - vso.project

Integration Steps

  1. Navigate to Settings > Integrations in the Cranium navigation drawer
  2. Click the blue Add New VCS Integration button
  3. In the integration dialog, provide:
    1. Name: A descriptive name for this integration (e.g., "Production Azure DevOps")
    2. Description: Optional notes about this integration's purpose
    3. Service: Select "Azure DevOps" from the dropdown
    4. Base URL: Enter your Azure DevOps organization URL in the format https://dev.azure.com/{organization} where {organization} is your organization name
  5. Paste your Personal Access Token into the Personal Access Token field
  6. Click Save

Creating an Azure DevOps Personal Access Token

  1. Log in to Azure DevOps at dev.azure.com
  2. Click your profile icon in the top right corner
  3. Select Personal access tokens
  4. Click + New Token
  5. In the Create a new personal access token dialog:
    1. Name: Enter a descriptive name (e.g., "Cranium Integration")
    2. Organization: Select the organization you want to connect to Cranium
    3. Expiration: Set an appropriate expiration date (custom expiration recommended)
    4. Scopes: Select Custom defined
  7. Expand the scopes and select:
    1. Code: Read
    2. Project and Team: Read
  9. Click Create
  10. Copy the generated token immediately (you won't be able to see it again)

Understanding Azure DevOps Organization URLs

Azure DevOps uses a specific URL structure: https://dev.azure.com/{organization}

The organization name is a unique identifier for your Azure DevOps organization. You can find it by:

  1. Logging in to Azure DevOps
  2. Looking at your browser's address bar
  3. The organization name appears after dev.azure.com/ in the URL

Example: If your URL is https://dev.azure.com/contoso, your organization name is contoso, and your Base URL would be https://dev.azure.com/contoso.

The Base URL must include the organization name because Azure DevOps API endpoints are organization-specific. Unlike platforms with custom domains (like GitHub Enterprise Server), Azure DevOps standardizes all organizations under dev.azure.com, using the organization name as part of the path to route requests correctly.

Project Filtering

You can optionally filter the integration to specific Azure DevOps projects. This is useful when you want to limit Cranium's access to particular projects within your organization.

To add project filters:

  1. In the integration form, look for the Projects section
  2. Click Add Project
  3. Enter the project name exactly as it appears in Azure DevOps

Permissions Explained

Code (Read) - vso.code: This permission allows Cranium to read source code repositories, browse files, and access repository metadata. It's essential for scanning your code for AI components and vulnerabilities.

Project and Team (Read) - vso.project: This permission allows Cranium to list projects within your organization and read project metadata. Without this permission, Cranium cannot discover which projects exist or navigate your organizational structure.

Troubleshooting

  • Integration fails to save
    • Verify your Base URL follows the format https://dev.azure.com/{organization} with your actual organization name. Ensure your Personal Access Token has both required permissions.
  • Detect AI cannot access repositories
    • Ensure your Personal Access Token has the Code (Read) permission and that the token's organization matches the organization in your Base URL. For project-filtered integrations, verify project names are entered exactly as they appear in Azure DevOps (names are case-sensitive).
  • Token expired
    • Personal Access Tokens expire based on the expiration date you set during creation. Generate a new token and update the integration by editing it through the three-dot menu on the integration record.
  • Cannot find projects
    • Ensure your Personal Access Token has the Project and Team (Read) permission. Verify that the organization specified in your Base URL is correct and matches the organization selected when you created the token.
  • Wrong organization URL
    • Azure DevOps URLs must use the dev.azure.com/{organization} format. If your organization uses Azure DevOps Server (on-premises), contact your Customer Success Manager as this requires different configuration.
Did this answer your question?
Related Articles
Accessing a Private VCS
Bill of Materials Overview
Creating a Bill of Materials with CodeSensor
VCS Service Rate Limits