Microsoft Azure DevOps Services

Azure DevOps Services supports your security, privacy and compliance needs.

Protect your projects, code, and data in the cloud

Azure DevOps Services is Microsoft’s cloud-hosted set of tools for planning, developing, and managing software projects. Based on the capabilities of Team Foundation Server (TFS) with additional cloud services, Azure DevOps manages your source code, work items, builds, tests, and much more. Behind the scenes, Azure DevOps uses the Microsoft Azure Platform as a Service (PaaS) infrastructure and many Azure services, including Azure SQL databases, to deliver a reliable, globally available service for your development projects.

With Azure DevOps, developing in the cloud doesn’t mean putting your projects at risk. Azure DevOps can use Azure Active Directory to securely authenticate users and control access to your team’s critical resources. You can manage permissions for your Azure DevOps account by adding Azure Active Directory groups to it, and set access levels to determine the features that your team members can use.

Azure DevOps uses Azure Active Directory or Microsoft accounts for identity management and to authenticate users. Azure AD simplifies authentication by providing identity as a service while giving you control to manage user identities and credentials and ensure that only authorized users access the resources they need.

Azure AD performs authentication, authorization, and access control, and supports industry-standard protocols. It supports multi-factor authentication and single sign-on across cloud services. With Azure Multi-Factor Authentication, you can require users to verify their sign-in via mobile app, phone call, or text message. You can use built-in groups in Azure DevOps, and set up your own groups to control access to team projects and collections. You can grant or restrict access with DevOps permissions, work item tracking permissions, and team admin roles and permissions.

Azure DevOps encrypts data in transit between the user and the service, as well as all connections to Azure Storage and SQL databases, to preserve data integrity. Azure DevOps enables Transparent Data Encryption (TDE) on the SQL databases it uses to protect against the threat of malicious activity by performing real-time encryption of the database, associated backups, and transaction log files at rest.

Azure DevOps uses Azure Storage as the primary repository for service metadata and customer data. It uses Azure Blob (binary large object) storage and Azure SQL data storage, depending on the type of data and the storage and retrieval needs. Data is encrypted in transit with HTTPS/SSL and at rest with TDE. Activities are logged, and real-time alerts detect intrusion. Access to customer data is restricted to the level of least privilege. Administrators can manage access to resources by granting or restricting permissions on user identities or groups. Data redundancy and point-in-time backups protect against data loss.

Azure DevOps is hosted in Azure datacenters and uses the Azure PaaS offering for much of its infrastructure. PaaS automatically provides regular updates for known security vulnerabilities. By using Azure AD, your IT department can manage its end-user access policy, including password complexity, refreshes, and expiration, when users leave your organization.

Azure DevOps uses many of the core Azure services, including Compute, Storage, Networking, SQL Database, Identity and Access Management Services, and Service Bus. Azure has a distributed denial-of-service (DDoS) defense system that helps prevent attacks against our service. It uses standard detection and mitigation techniques such as SYN cookies, rate limiting, and connection limits. The system is designed to withstand attacks not only from the outside but also from within Azure. When Azure DevOps hosts virtual machines in Azure using its Infrastructure as a Service (IaaS) offering—such as for hosted pipelines in the Build and Release service—those images include the latest security patches available from Windows Update.

Threat management

To ensure that activities within the service are legitimate, and to detect breaches or attempted breaches, Azure DevOps uses the Azure infrastructure and security mechanisms. Azure DevOps live site management processes focus on service health and customer experience, and minimize the time required to detect, respond to, and mitigate disruptive issues. Microsoft conducts regular security-focused penetration testing of Azure DevOps, using the same techniques and mechanisms as real malicious attackers, to identify real-world vulnerabilities, configuration errors, or other security gaps.

Physical security

Azure DevOps is deployed on Azure in Microsoft datacenters, which are protected by layers of defense-in-depth security that include perimeter fencing, video cameras, security personnel, secure entrances, and real-time communications networks, continuing through every area of the facility to each physical server unit.
