Azure DevOps and SonarCloud token management

Hey there.

Happy to read a thread where someone wants to manage fewer tokens rather than more in the name of security. :smiley:

We have an old Community Guide about Microsoft’s guidance for sharing connections across projects in an organization.

I would hope that almost 2 years on, this is available to all users. I would suggest looking at the Microsoft documentation linked and seeing what’s available in your context.

In fact, it’s an oddity that you can set this at the project-level at all (this is not how it works for any other DevOps Platform that SonarCloud integrates with). We’d actually rather that users not use this at all and instead have a single token configured under the organization-level Administration > Organization settings > Azure DevOps connectivity management.

I’ll refer to this documentation on Getting Started with Azure DevOps (that I’m actually really thrilled exists, as I’m only seeing it for the first time today).

Location of Personal Access Tokens in SonarCloud

When you set up your connection to Azure DevOps as described here, your Azure DevOps organization is bound to SonarCloud and the PAT from the Azure organization is registered at the SonarCloud organization level (not at the SonarCloud project level). If you later need to update the value of this token you can find it under Your Organization > Administration > Organization Settings > Azure DevOps connectivity management.

If you earlier set up an Azure DevOps project manually (not creating a bound organization) you may have registered the PAT at the SonarCloud project level (not the organization level) by filling the field under Your Organization > Your Project > Administration > General Settings > Integration with Azure DevOps Services.

Entering the PAT at the organization vs the project level in SonarCloud can lead to differing behavior. We recommend that you follow the tutorial to create a bound organization and make sure that the PAT is entered only at the organization level, not at the project level. The project-level field should be left blank.

I hope this helps.