Azure DevOps user synchronization

Basic info:

  • ALM used: Azure DevOps
  • CI system used: Azure DevOps

What is the recommended and supported way how to work with SonarCloud and Azure DevOps in terms of users? Is there a way how to synchronize it? If not built in sonarCloud, then somehow via API?

Context: we have about 300 users (with basic licence) in Azure DevOps. We would like to integrate SonarCloud to our pull requests for about 50+ repositories we develop in. It’s OK to have only read access to all projects in SonarCloud and to give consent to access profile etc. when the user is accessing SonarCloud for the first time. But what is not OK is to do some manual action after each of the user wants to see our project, e.g. manually adding him/her only after he/she open the SonarCloud for the first time. In our SonarCloud server this was solved via SAML/oAuth authentication with our AzureAD (via AAD app). I understand SonarCloud have a different setup, but how can we do it in most convenient way, ideally fully automatically…

maybe important to say but we are not looking for only one time import (which would ofc help us a lot too!) but for a continuous, automatic process. That is, in the future, when a user gains access to our Azure DevOps (based on group assignment = fully automatic as well) he/she is imported/can access our SonarCloud project as well when he/she clicks on the PR on some issue.

Anyone? @mickaelcaro can you help pretty please?

Hi @jvilimek and welcome to our community :slight_smile:

manually adding him/her only after he/she open the SonarCloud for the first time.

Unfortunately, I can’t see any workaround for that today.
The topic you bring here is already ongoing internally already. This is something we hope to move forward with during the coming year.

BTW, when you say

In our SonarCloud server this was solved via SAML/oAuth authentication with our AzureAD (via AAD app).

You mean with your SonarQube sever right?

Thanks.
Kind regards,
Christophe

Thanks @Christophe_Havard, Yes indeed, when tlaking about SAML/oAuth I have meant our SonarQube installation.

So currently we are really forced to ask the user to sign in and manually assign them in the project settings? :frowning: thats a big manual overhead…

What happens, in case the user has lost access to the Azure Devops account. Is the account in the SonarCloud preserved? Can he/she somehow gain access to it and be able to see our projects even the Azure DevOps account is disabled? If yes, we would need to also prepare manual process to remove these accounts from SonarCloud…

I guess this is a blocker for us :frowning:

What happens, in case the user has lost access to the Azure Devops account. Is the account in the SonarCloud preserved?

Yes, currently there is no synchronization between Azure DevOps and SonarCloud regarding users.

You use AAD w/ your Azure DevOps right?

Thanks.
Kind regards,
Christophe

Yes. AAD.

does it change anything?

Hello?

@jvilimek hey sorry about the late reply, I missed the notification .
It doesn’t change anything unfortunately. I asked the question out of curiosity only.
The plugin for SonarQube that you talk about is the following one ? GitHub - hkamel/sonar-auth-aad: Azure Active Directory Authentication for SonarQube

The plugin? Not sure, I guess so. But I can not imagine using this in multi-tenant sonarcloud environment :frowning:

One idea I had though: how about at least automatically “bind” users while registration to respective organization account? Let’s say user will be registered with xxx@oriflame.com azure devops account… we would have some setting specified in our administration e.g. “authorize domain: oriflame.com” so the user automatically gain membership in our organization? WDYT?

@jvilimek I think it’s a really good idea :slight_smile:
We have this MMF already registered on our side (that might need some refresh) that is saying something similar. The pain I understand is the necessity to register users one by one and assign them one by one to each project.

Feel free to vote and/or comment the given MMF, your contribution is always useful for us :slight_smile:
You will be able to follow the progress on this. Currently, we have no ETA for that.

Thanks!
Kind regards,
Christophe