Setting up Azure DevOps integration at the global level
For the integration of an Azure DevOps Services organization or an Azure DevOps Server collection with SonarQube Community Build, you must:
- Create a configuration record in SonarQube Community Build. This record stores the Personal Access Token (PAT) of the technical account used by SonarQube Community Build to connect to Azure DevOps. This is necessary for importing Azure DevOps repositories and reporting the quality gate status.
- Install an Azure DevOps Extension for SonarQube Community Build on the CI/CD host to integrate with Azure Pipelines.
Prerequisites
See Extension installation requirements.
The SonarQube Community Build base URL must be properly set, otherwise, integration features will not work correctly. See Configuring the SonarQube Community Build base URL.
Preparing the integration
SonarQube Community Build uses an Azure DevOps user account to import Azure DevOps repositories to SonarQube Community Build and report the quality gate status to Azure DevOps. You must provide a Personal Access Token (PAT) from this account.
About the Azure PATs
Be aware of the following PAT failure points:
- Azure PATs require an expiration date. Check the Microsoft documentation for details when creating your PAT.
- Azure requires that a user log in every 30 days, or it automatically kills a PAT; this action may cause your related pipeline to fail. Here is an Azure Q&A on this topic.
Creating a technical user account
We highly recommend that you use a dedicated technical user account in Azure DevOps to manage the integration with SonarQube.
- Do not set the technical user’s account with a Stakeholder access type. Use the Basic access type instead. (Users with the Stakeholder access type can have problems finding their repos when trying to Analyze projects.)
- We recommend that you add the account to the Contributors security group.
See the Azure documentation for more information about access levels.
Generating your Azure PAT
1. Log in to Azure DevOps with the technical user account created before.
2. Go to your Azure DevOps organization User settings > Personal access tokens and select + New token.
3. On the next page, under Scopes, make sure that you specify at least the scope Code > Read & write.
4. Click Create to generate the token.
5. When the personal access token is displayed, copy it (you will have to paste it to SonarQube's configuration record as described below).
6. If necessary, encrypt this token: see Encrypting sensitive settings.
Creating the global configuration record in SonarQube Community Build
You need the global System Administration permission to perform this procedure.
In SonarQube Community Build, a global configuration record stores the parameters necessary to connect to your Azure DevOps Server collection or Azure DevOps Services organization.
To create the Azure DevOps configuration record in SonarQube:
- Go to Administration > Configuration > General Settings > DevOps Platform Integrations.
- Select the Azure DevOps tab.
- Select the Create configuration button. The Create a configuration dialog opens.
- Specify the settings as described below.
| Field | Description |
|---|---|
| Configuration Name | Enterprise and Data Center Edition only. The name used to identify your Azure DevOps configuration at the project level. Use something succinct and easily recognizable. |
| Azure DevOps URL |
|
| Personal Access Token | Personal access token generated in Generating your Azure PAT above (or its encrypted value). |
Installing the Azure DevOps Extension for SonarQube
See Azure DevOps Extension for SonarQube Community Build.
Related pages
Was this page helpful?
© 2008-2025 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.
