Jump to: Prerequisites | Permissions | Setup | Repository Permissions | Connect App | Verification
Prerequisites
| Requirement | Details |
|---|---|
| Azure DevOps Organization | An active ADO Services organization (dev.azure.com/{org}) |
| Microsoft Entra ID Tenant | Your ADO organization must be connected to an Entra ID tenant |
| Admin Permissions | Project Collection Administrator or Organization Owner role in ADO, plus User Administrator or Global Administrator in Entra ID |
| Target Repositories | A list of the specific repositories (and branches) you intend to expose to Blitzy |
| Basic Access License | At least one available Basic license seat for the service user |
Permissions
Blitzy requires the following Azure DevOps permissions, scoped to the minimum level needed.| Permission | Access Level | Purpose |
|---|---|---|
| Code (Read) | Read | Analyze your repositories and read source files |
| Code (Write) | Read & Write | Create branches and push generated code |
| Pull Request Threads | Read & Write | Create and manage pull requests |
| Project and Team | Read | List available projects and repositories |
| Work Items | Read | Reference work items in pull requests and branches |
| Build | Read | Monitor CI pipeline status on pull requests |
The Blitzy Azure AD app requests broad permission scopes during installation. However, actual access is controlled entirely by the “Blitzy Service Access” custom security group you configure in ADO. The app can only perform actions that this group explicitly allows - regardless of what the OAuth consent screen lists.
Permission mapping reference
Permission mapping reference
| Operation | Required Permission | ADO Security Namespace |
|---|---|---|
| Clone repository | Git Repositories: Read | GitRepositories |
| Create branch | Git Repositories: CreateBranch | GitRepositories |
| Push commits | Git Repositories: Contribute | GitRepositories |
| Create pull request | Git Repositories: PullRequestContribute | GitRepositories |
| Read work items | Work Items: Read | WorkItemTracking |
| View build results | Build: Read | Build |
Permission quick reference by level
Permission quick reference by level
| Level | Scope | Permission | Setting |
|---|---|---|---|
| Organization | User Access | Access Level | Basic |
| Project | Security Group | Group | Blitzy Service Access (custom) |
| All Repos (default) | Git repositories | All permissions | Deny |
| Specific Repos | Individual repo | Read, Contribute | Allow |
| Protected Branches | e.g., main | Contribute | Deny |
| Working Branches | e.g., develop | Contribute | Allow |
Create the Service Identity User
Create a dedicated user account in Microsoft Entra ID for the Blitzy integration. This is a non-interactive account - it does not represent a real person.Navigate to Entra ID User Management
Sign in to the Microsoft Entra admin center at
https://entra.microsoft.com. Expand Identity, then select Users > All users. Click + New user > Create new user.Configure the service user properties
In the Basics tab, fill in the following fields:
Under Properties (optional), set the Department to “Service Accounts” and the Job title to “Third-Party Integration - Blitzy” for easy identification.
| Field | Value |
|---|---|
| User principal name | [email protected] (use your organization’s domain) |
| Display name | Blitzy Service Account |
| Password | Auto-generate or set a strong password. Store securely. |
| Account enabled | Yes (checked) |
Ensure that this service account password does not expire (or is updated regularly before expiry per your organizational policy).
Add the Service User to Azure DevOps
Open organization user settings
Sign in to your Azure DevOps organization at
https://dev.azure.com/{YourOrganization}. Click Organization settings (gear icon at the bottom-left), then Users under General.Add the service user
Click Add users. In the Users or Service Principals field, enter
[email protected] and select the account when it appears.Set access level
Set Access level to Basic. Basic is required for Code/Repos access - Stakeholder access does not include source control permissions for private projects.
Select projects
Under Add to projects, select only the project(s) that contain the repositories Blitzy needs to access. Do not select all projects.
Create a Custom Security Group
To enforce the principle of least privilege, create a custom security group that grants Blitzy only the specific permissions needed.Create the group
Navigate to Project settings > Permissions. Click + New Group. Set the name to
Blitzy Service Access and description to Custom security group for Blitzy third-party vendor. Add [email protected] as a member. Click Create.Remove the service user from Contributors
On the Permissions page, click the Contributors group, then the Members tab. Locate
[email protected] and click Remove.After this step, the service user’s only project-level membership is the custom “Blitzy Service Access” group. All repository and branch permissions are configured through this group.
Configure Repository-Level Permissions
Restrict Blitzy to specific repositories by denying access at the top level, then explicitly allowing access on individual repos.Deny Access to All Repositories (Default)
- Navigate to Project settings > Repos > Repositories.
- Click the top-level Git repositories node.
- Click the Security tab.
- Click + Add and find the “Blitzy Service Access” group.
- Set all permissions to Deny. Click Save changes.
Allow Access on Specific Repositories
For each repository Blitzy should access, explicitly override the Deny with Allow.- Click the specific repository (e.g., “frontend-app”).
- Click the Security tab, then find or add the “Blitzy Service Access” group.
- Set permissions:
| Permission | Setting |
|---|---|
| Read | Allow |
| Contribute | Allow |
| Force push | Deny |
- Click Save changes. Repeat for each additional repository.
Branch-Level Security and Policies
Configure branch-level security (optional)
Configure branch-level security (optional)
Azure DevOps lets you set permissions on individual branches to control which branches Blitzy can push to, create pull requests against, or read.Open branch security settings:Recommended branching strategy:
- Navigate to Repos > Branches within the target project.
- Locate the branch (e.g., main), click … (More actions) > Branch security.
- In the Branch security panel, click + Add.
- Search for and select the “Blitzy Service Access” group.
- For protected branches like main, set Contribute to Deny. For working branches like develop, set Contribute to Allow.
- Click Save.
Branch permissions override repository-level permissions. If Blitzy has “Contribute = Allow” at the repo level but “Contribute = Deny” on
main, it can push to other branches but not main. This is the desired outcome.| Branch | Read | Contribute (Push) | Create Pull Requests |
|---|---|---|---|
main | Allow | Deny | Allow |
develop | Allow | Allow | Allow |
feature/blitzy-* | Allow | Allow | Allow |
release/* | Allow | Deny | Deny |
Set up branch policies (optional)
Set up branch policies (optional)
Branch policies enforce code review and build validation even if Blitzy has Contribute permissions on a branch.
- Navigate to Project settings > Repos > Repositories > select the target repository.
- Click the Policies tab, then select the branch (e.g.,
main). - Enable the following recommended policies:
- Require a minimum number of reviewers - Set to at least 1 reviewer
- Check for linked work items - Optional but recommended for traceability
- Check for comment resolution - Require all comments resolved before merge
- Build validation - Add a build pipeline that must succeed before PR completion
- Automatically included reviewers - Add your team lead as an auto-reviewer for PRs
- Click Save.
Connect the Blitzy ADO Integration App
Blitzy’s Azure AD app uses OAuth to authenticate. Ensure third-party application access is enabled in your ADO organization settings.Verify OAuth settings
Navigate to Organization settings > Policies (under Security). Locate the Third-party application access via OAuth policy and ensure the toggle is set to On.
Install the Blitzy Azure AD application
Follow the guidance in the Blitzy platform to set up the ADO integration. Use the service identity account
[email protected] to connect.Verification and Testing
After completing the configuration, verify that the setup works correctly and that permissions are properly restricted.| Test | Expected Result |
|---|---|
| Clone allowed repo | Should succeed |
| Clone denied repo | Should fail with 403/TF401019 error |
| Push to allowed branch (develop) | Should succeed |
| Push to protected branch (main) | Should fail with TF402455 error |
Pull request and integration tests
Pull request and integration tests
Test pull request creation:
- Create a pull request from a permitted branch to
main. - Confirm the PR is created successfully.
- Verify that branch policies (required reviewers, build validation) are enforced.
- Log in to the Blitzy platform.
- Create a test project.
- Ensure that this project can only see the allowed repos and branches.
Ongoing Maintenance
- Quarterly reviews - Review Blitzy’s access level, repository permissions, and branch permissions every quarter
- Last access date - Check the Users page in Organization settings to see when the service user last accessed ADO
- Audit logs - Review ADO audit logs regularly (Organization settings > Auditing)
Offboarding Blitzy
Revoke ADO access
Remove the service user from all projects. Delete the “Blitzy Service Access” security group.
Disable the identity
Delete or disable the Entra ID user account (
[email protected]).Remove the app
Uninstall the Blitzy Azure AD app. Contact Blitzy support to remove the ADO integration from the Blitzy platform.
Troubleshooting
Service user not found when adding to ADO
Service user not found when adding to ADO
Ensure the Entra ID tenant is connected to the ADO organization (Org settings > Microsoft Entra). The user must exist in the same tenant.
Clone fails with 401 Unauthorized
Clone fails with 401 Unauthorized
Clone fails with 403 Forbidden
Clone fails with 403 Forbidden
The repository permission is set to Deny. Check if the correct repo has Allow set on Read for the Blitzy group.
Push fails on an allowed branch
Push fails on an allowed branch
Check branch-level security. The Blitzy group may have Contribute = Deny or Not set on that branch.
PR cannot be completed
PR cannot be completed
Branch policies may be blocking. Ensure that reviewers have approved, builds pass, and comments are resolved.
Permission changes not taking effect
Permission changes not taking effect
ADO caches permissions. Wait a few minutes, clear browser cache, or sign out and back in.
Security Checklist
Pre-handoff security verification
Pre-handoff security verification
- Dedicated service identity user created in Entra ID (not a personal account)
- Service user added to ADO with Basic access level
- Custom “Blitzy Service Access” security group created
- Service user removed from default Contributors group
- All repositories set to Deny at the top-level for the custom group
- Only authorized repositories have explicit Allow permissions
- Branch-level security configured: protected branches deny push access (optional)
- Branch policies enabled - required reviewers, build validation (optional)
- Third-party OAuth access enabled in Organization policies (if required)
- Clone, push, and PR tests passed for both allowed and denied repos/branches
- Access review schedule established (quarterly)
- Offboarding procedure documented