Use Terraform for Azure DevOps to collect evidence from your Azure DevOps organization, including repository configurations, pipeline definitions, user access, project settings, and team memberships.

With our Terraform for Azure DevOps integration, you can collect evidence of your development environment controls directly from Azure DevOps. Terraform integrations are a flexible, low-code solution that allow you to customize what evidence is collected from your cloud systems. Read more about our Terraform integrations.

Important note: You do not need to use Terraform in your existing tech stack in order to use Terraform for Azure DevOps to collect evidence.

There are many different types of evidence that you can collect from Azure DevOps. The flexibility of this integration is limited only by what is available from Terraform in terms of data sources supported by the Azure DevOps provider.

Here is a short, non-exhaustive list of some of the possible evidence you may collect from this integration:

Follow the instructions on this page to get started collecting evidence from Azure DevOps using Terraform.

This integration authenticates using a Microsoft Entra service principal. To configure it, you (or someone in your organization) will need sufficient Azure and Azure DevOps permissions to create an app registration and grant it access to your Azure DevOps organization.

Navigate to the Azure Portal and go to Microsoft Entra ID, then select App registrations and click New registration:

Note the Application (client) ID and Directory (tenant) ID — you'll need both when configuring the integration in Strike Graph.

In your newly created app registration:

The app registration needs to be authorized against your Azure DevOps organization. Navigate to your Azure DevOps organization and go to Organization Settings → Users:

Note: The service principal needs sufficient read permissions within Azure DevOps for the data sources you intend to use. For most evidence collection, read-only project access is sufficient.

Navigate to the Integration Manager in Strike Graph and open the Terraform - Azure DevOps integration.

Note: If you do not see this integration listed, it may not be available for your organization or role yet — reach out to support or your Customer Success Manager to request access.

You can create multiple Azure DevOps connections as needed to manage different organizations or permission scopes. Everyone with access to your Strike Graph organization will be able to use any configured connections during evidence collection.

Once you have configured a Terraform for Azure DevOps integration, you can begin using it to collect evidence of your Azure DevOps resources.

Start by navigating in Strike Graph to the item that you want to collect evidence for. You can choose to attach evidence directly for one-time evidence collection, or configure automated collection (recommended).

Click on either Attach Directly or Automated Collection, and then select the desired Terraform for Azure DevOps integration from the list of available integrations. If you have configured multiple connections, make sure you select the one with the right permissions for the evidence you plan to collect.

Terraform integrations allow you to use a few lines of code to define what data you would like to collect as evidence. These are called "data blocks" and more information about data blocks and local values can be found on the Terraform overview page.

With Terraform for Azure DevOps, you can collect evidence of development environment controls from supported data sources. A list of supported data sources is at the bottom of this page, as well as on the Terraform Azure DevOps provider page.

Step 1: Define the data block. Data blocks are extensible, but follow a typical pattern:

Step 2: Define the local values used for the execution. This follows a typical pattern derived from the data block: data.data_source.temp_name (sometimes followed by a key if a filter argument is desirable).

After you have defined the data block and local values, click Attach to execute the data collection. This may take a few minutes as we set up the data pipeline to collect the attachment.

Once the collection is finished, the attachment modal will close and you can see the collected data has been added to the evidence. You can confirm what was collected by clicking on the attachment to view the data.

It is highly recommended that you configure your evidence collection with automated collection. With Automated Collection, Strike Graph can recollect evidence attachments from Azure DevOps a few days before expiration so that your evidence remains in an effective audit-ready state.

To configure your evidence with Automated Collection, follow the steps above after clicking on the Automated Collection button found on the evidence item detail pages. Additional information about Automated Collection is available here.

You can remove the integration at any time. Please note that removing an integration does not delete any files that were attached using that integration. Removing an integration will also disrupt automated collection.

To remove:

Note: You may have access to remove integrations for other users on your team.

If you are fully removing access between Strike Graph and your Azure DevOps organization, you may also wish to:

Before making these changes, verify that you are not using the same credentials for other purposes.

For additional Terraform integration troubleshooting tips, click here.

Terraform integrations will return an error if we were unable to execute the collection request. The errors returned will differ depending on which step of the collection failed.

This error indicates that Strike Graph could not authenticate using the credentials provided. Check the following:

This error means authentication succeeded but the subsequent call to your Azure DevOps organization was rejected. Check the following: