# Setting up Azure DevOps integration at global level

For the integration of an Azure DevOps Services organization or an Azure DevOps Server collection with SonarQube Community Build, you must:

* Create a configuration record in SonarQube Community Build. This record stores the Personal Access Token (PAT) of the technical account used by SonarQube Community Build to connect to Azure DevOps. This is necessary for importing Azure DevOps repositories and reporting the quality gate status.
* Install an Azure DevOps Extension for SonarQube Community Build on the CI/CD host to integrate with Azure Pipelines.

<figure><img src="broken-reference" alt="Installing Azure DevOps Extension for SonarQube Server on the CI/CD host"><figcaption></figcaption></figure>

## Prerequisites <a href="#prerequisites" id="prerequisites"></a>

See [sonarqube-extension-for-azure-devops](https://docs.sonarsource.com/sonarqube-community-build/analyzing-source-code/scanners/sonarqube-extension-for-azure-devops "mention") for more information.

The SonarQube Community Build base URL must be properly set, otherwise, integration features will not work correctly. See [server-base-url](https://docs.sonarsource.com/sonarqube-community-build/instance-administration/server-base-url "mention") for more information.

## Preparing the integration <a href="#preparing" id="preparing"></a>

SonarQube Community Build uses an Azure DevOps user account to import Azure DevOps repositories to SonarQube Community Build and report the quality gate status to Azure DevOps. You must provide a [Personal Access Token](https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=tfs-2017\&tabs=preview-page) (PAT) from this account.

{% hint style="warning" %}
Be aware of the following PAT failure points:

* Azure PATs require an expiration date. Check the [Microsoft documentation](https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops\&tabs=Windows#create-a-pat) for details when creating your PAT.
* Azure requires that a user log in every 30 days, or it automatically stops a PAT; this action may cause your related pipeline to fail. Here is [an Azure Q\&A](https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops\&tabs=Windows#q-why-did-my-pat-stop-working) on this topic.
  {% endhint %}

<details>

<summary>Creating a technical user account</summary>

We highly recommend that you use a dedicated technical user account in Azure DevOps to manage the integration with SonarQube.

* Do not set the technical user’s account with a **Stakeholder** access type. Use the **Basic** access type instead. (Users with the **Stakeholder** access type can have problems finding their repos when trying to Analyze projects.)
* We recommend that you add the account to the **Contributors** security group.

See the Azure documentation for more information [about access levels](https://learn.microsoft.com/en-us/azure/devops/organizations/security/access-levels?view=azure-devops).

</details>

<details>

<summary>Generating your Azure PAT</summary>

1\. Log in to Azure DevOps with the technical user account created before.

2\. Go to your Azure DevOps organization **User settings** > **Personal access tokens** and select **+ New token**.

<div align="left"><figure><img src="https://1580440648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbqrfLGeD0Y9vE5l9Le42%2Fuploads%2FuVO4bmDM90wBeWKHQXpG%2Fazure-devops-create-new-personal-access-token-for-sonarqube.png?alt=media&#x26;token=5ca745c3-3274-42bc-9fe6-825f22dc4337" alt="The Personal access tokens page found in Azure DevOps." width="563"><figcaption></figcaption></figure></div>

3\. On the next page, under **Scopes**, make sure that you specify at least the scope **Code** > **Read & write**.

<div align="left"><figure><img src="https://1580440648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbqrfLGeD0Y9vE5l9Le42%2Fuploads%2Fgit-blob-89adf765eb08e213279ffab36cf0706c8862740d%2Fazure-devops-scope-of-global-personal-access-token-for-sonarqube.png?alt=media" alt="The Create a new personal access token modal found in Azure DevOps." width="375"><figcaption></figcaption></figure></div>

4\. Click **Create** to generate the token.

5\. When the personal access token is displayed, copy it (you will have to paste it to SonarQube’s configuration record as described below).

6\. If necessary, encrypt this token, see [encrypting-settings](https://docs.sonarsource.com/sonarqube-community-build/instance-administration/security/encrypting-settings "mention") for more details.

</details>

## Creating the global configuration record in SonarQube Community Build <a href="#creating-config-record" id="creating-config-record"></a>

You need the global System Administration permission to perform this procedure.

In SonarQube Community Build, a global configuration record stores the parameters necessary to connect to your Azure DevOps Server collection or Azure DevOps Services organization\*.\*

To create the Azure DevOps configuration record in SonarQube:

1. Go to **Administration** > **Configuration** > **General Settings** > **DevOps Platform Integrations**.
2. Select the **Azure DevOps** tab.
3. Select the **Create configuration** button. The **Create a configuration** dialog opens.
4. Specify the settings as described below.

| **Field**             | **Description**                                                                                                                                                                                                                                                                                     |
| --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Azure DevOps URL      | <p>• If you are using Azure DevOps Server: the full Azure DevOps collection URL. For example, <https://ado.your-company.com/DefaultCollection>.</p><p>• If you are using Azure DevOps Services: the full Azure DevOps organization URL. For example, <https://dev.azure.com/your_organization>.</p> |
| Personal Access Token | Personal access token generated in **Generating your Azure PAT** above (or its encrypted value).                                                                                                                                                                                                    |

## Installing the Azure DevOps Extension for SonarQube <a href="#installing-extension" id="installing-extension"></a>

See the [sonarqube-extension-for-azure-devops](https://docs.sonarsource.com/sonarqube-community-build/analyzing-source-code/scanners/sonarqube-extension-for-azure-devops "mention") page.

## Related pages <a href="#related-pages" id="related-pages"></a>

* [azure-pipelines-integration-overview](https://docs.sonarsource.com/sonarqube-community-build/devops-platform-integration/azure-devops-integration/azure-pipelines-integration-overview "mention")
* [creating-your-project](https://docs.sonarsource.com/sonarqube-community-build/devops-platform-integration/azure-devops-integration/creating-your-project "mention")
* [project-integation](https://docs.sonarsource.com/sonarqube-community-build/devops-platform-integration/azure-devops-integration/project-integation "mention") at the project level
* [introduction](https://docs.sonarsource.com/sonarqube-community-build/devops-platform-integration/azure-devops-integration/adding-analysis-to-pipeline/introduction "mention") to adding analysis to your Azure build pipeline
* [troubleshooting-analysis](https://docs.sonarsource.com/sonarqube-community-build/devops-platform-integration/azure-devops-integration/troubleshooting-analysis "mention")