Sonar Cloud Azure DevOps Authentication with Service Principal

I am interested to know whether there are initiatives to integrate the Azure service principal/managed identity authentication mechanism instead of PAT tokens for Sonar Cloud projects.

The same question was asked around 2022, but Azure DevOps had no support for this back then.

Just recently, Microsoft announced that this feature has been implemented and is the recommended way of authentication (Use service principals & managed identities - Azure DevOps | Microsoft Learn).

2 Likes

Hello Mehrdad,

Thank you for your insight.

We are aware of the Microsoft recommendation to use Azure Service Principals instead of Azure Personal Access Tokens. It is something we would like to implement not only for Azure but also for the other DevOps if the functionality is available. However, this is not yet part of the roadmap. We will update our roadmap page accordingly once this is planned. Thank you.

1 Like

Is there any update on this functionality and the roadmap? As a customer waiting for this, it is hard to understand that this seems to have such a low priority on your roadmap. 🤐

1 Like

It’s a bit unfortunate that such an important feature doesn’t get the attention needed. PATs are not the safest option and are tied to personal accounts. A big security risk.

1 Like

Exactly. That’s why we are working hard to change all our connections from PATs to modern and safe ways of authentication like SPNs and MIs. And preparing for the big MFA changes.

It’s been a while and this issue is still pending implementation. Is there any progress on this?
@Ilham

All - Please vote here https://portal.productboard.com/sonarsource/1-sonarqube-cloud/tabs/1-under-consideration

Under “Integration” there is a feature associated with this. We should keep voting for this to get enough attention and hopefully implemented soon.

Hello,

We understand your need to have the most up-to-date secure features in the product. Therefore, this change is being considered as part of our roadmap for next year.

However, we cannot commit to an exact timeline yet due to the large number of overlapping priorities. We receive a large number of requests daily.

If you can vote for this portal card, it would be great.

Thank you.

As Microsoft announced that they will enforce MFA for all Entra ID accounts in early 2025, PATs will no longer work as an authentication method for those whose Azure DevOps is connected to an Entra ID directory service. It is important to switch to a supported authentication method other than PATs.

https://azure.microsoft.com/en-us/blog/announcing-mandatory-multi-factor-authentication-for-azure-sign-in/

@Ilham: Please note that starting early 2025, PATs will no longer work for Azure DevOps instances connected to Microsoft Entra (almost all instances) since new security measures are going to be in effect. So, I assume as a result of this, our Sonar Cloud integration will not even work anymore.
https://azure.microsoft.com/en-us/blog/announcing-mandatory-multi-factor-authentication-for-azure-sign-in/

Hey @tohebmt and @msoltani

No doubt that we should eventually move to a better authentication mechanism for the integration. It should be noted that it’s not a small undertaking.

That being said, reading this article (linked in the blog post you shared), I don’t think that Azure DevOps PATs are going to be affected. Am I missing something? It’s not in the listed applications.

Considering Azure DevOps just revamped PATs in July 2024, I have a hard time thinking they’re going away.

@Colin: I don’t see any particular direct connection in this, but I am not sure whether, if I generate a PAT token, I still need to use MFA to authenticate after Microsoft applies their enhanced security measures, since our Azure DevOps users are sourced from Entra ID. Not sure if this has an indirect implication.