No code decoration possible for onprem Azure DevOps

Hi there,

We are also using SonarCloud for our on-premise Azure DevOps instance.
Unfortunately the code decoration and quality gate feedback isn’t working over here.

I know that we got this working 1,5/2 years ago. But now it isn’t.

Do we have to configure something in our firewall to allow SonarCloud to do the decorations?
We have created new DevOps security keys, but that does not resolve the issue.

(The same approach works ok for our cloud based Azure DevOps environment)

The error it keeps providing is “Pull request decoration failed because the security token specified in the settings does not have sufficient rights. Please check the permissions of this token”.

The unique ID of our background task is: AXALRMKCw5VZ7qzJ7oaN

Hi @Edwin,

The connection with SonarCloud is ok, so this is definitely not an issue with a firewall / proxy.

As the message speaks for itself, it sounds like your PAT doesn’t have sufficient privilege.
With which scope did you generate it?
Did you update it on SonarCloud’s side?
Have you generated it on the correct Azure DevOps instance?


Hi @mickaelcaro,

The working connection is outgoing. I think the firewall may have an issue with the incoming requests from SonarCloud to the on-premise environment.

We have used the read/write scope, as suggested in the configuration panel, but we have also tested full rights. We updated it on the correct instances.

Do you happen to know if the SonarCloud decoration to an on-premise Azure DevOps server instance is supported?


My bad for this side of the communication, you are right.

Sounds like your infrastructure doesn’t accept connections from SonarCloud; here is the error:

HTTP 401 Unauthorized ( The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator.

We don’t have public IPs to whitelist, only the domain. Can you check what you can do with that?


Hi @mickaelcaro I think the domain should be enough. What should be the exact domain we have to check on? :wink:

Please note however that we don’t support that kind of scenario, so we cannot guarantee that it’ll still work in the future.