I am interested to know whether there are initiatives to integrate the Azure service principal/managed identity authentication mechanism instead of PAT tokens for SonarCloud projects.
The same question was asked around 2022, but Azure DevOps had no support for this back then.
We are aware of the Microsoft recommendation to use Azure Service Principals instead of Azure Personal Access Tokens. It is something we would like to implement not only for Azure but also for the other DevOps if the functionality is available. However, this is not yet part of the roadmap. We will update our roadmap page accordingly once this is planned. Thank you.
Is there any update on this functionality and the roadmap? As a customer waiting for this, it is hard to understand that this seems to have such a low priority on your roadmap.
It’s a bit unfortunate that such an important feature doesn’t get the attention needed. PATs are not the safest option and are tied to personal accounts. A big security risk.
Exactly. That’s why we are working hard to change all our connections from PATs to modern and safe ways of authentication like SPNs and MIs. And preparing for the big MFA changes.
Under “Integration” there is a feature associated with this. We should keep voting for this so that it gets enough attention and is hopefully implemented soon.
We understand your need to have the most up-to-date secure features in the product. Therefore, this change is being considered as part of our roadmap for next year.
However, we cannot commit to an exact timeline yet due to the large number of overlapping priorities. We receive a large number of requests daily.
As Microsoft announced that they will enforce MFA for all Entra ID accounts in early 2025, PATs will no longer work as an authentication method for those whose Azure DevOps is connected to an Entra ID directory service. It is important to switch to another supported authentication method than PATs.
No doubt that we should eventually move to a better authentication mechanism for the integration. It should be noted that it’s not a small undertaking.
That being said, reading this article (linked in the blog post you shared), I don’t think that Azure DevOps PATs are going to be affected. Am I missing something? It’s not in the listed applications.
Considering Azure DevOps just revamped PATs in July 2024, I have a hard time thinking they’re going away.
@Colin: I don’t see any particular direct connection in this, but I am not sure whether, if I generate a PAT token, I still need to use MFA to authenticate after Microsoft applies their enhanced security measures, since our Azure DevOps users are sourced from Entra ID. Not sure if this has an indirect implication.