Platform: AZURE

| Category | Criteria Name | Supported | Notes | Caveats |
|---|---|---|---|---|
| Authentication & Authorization | API Key Management | True | Personal Access Tokens (PATs) can be generated with specific scopes and expiration dates. | PATs need to be managed securely. |
| Authentication & Authorization | IAM Integration | True | Azure DevOps is integrated with Azure Active Directory for identity and access management. | |
| Authentication & Authorization | MFA | True | MFA can be enforced for users through Azure AD Conditional Access policies. | Enforced through Azure AD. |
| Authentication & Authorization | Service Account Support | True | Service principals and Personal Access Tokens (PATs) can be used for programmatic access. | |
| Authentication & Authorization | Standard Protocols | True | Azure DevOps uses OAuth 2.0 for authentication. | |
| Compliance & Certifications | Compliance Documentation | True | Compliance documentation is available through the Azure Trust Center. | |
| Compliance & Certifications | Industry Certifications | True | Azure DevOps is compliant with numerous industry standards. | |
| Data Loss Prevention (DLP) | Data Masking/Redaction | True | Azure Pipelines automatically masks secrets in logs. | For secrets in logs. |
| Data Loss Prevention (DLP) | Sensitive Data Scanning | True | Tools can be integrated into Azure Pipelines to scan for secrets and sensitive data in source code. | Available in Azure Pipelines. |
| Data Residency & Sovereignty | Cross-Region Data Transfer Controls | False | While the primary data location is selected by the customer, some data may be transferred to other regions for operational purposes. | Data may be transferred to other regions for service delivery. |
| Data Residency & Sovereignty | Data Location Transparency | True | The region of the DevOps organization is visible in the organization settings. | |
| Data Residency & Sovereignty | Region Selection | True | Customers can choose the Azure region where their DevOps organization will be hosted. | |
| Encryption | Encryption at Rest | True | Data at rest in Azure DevOps is encrypted by default. | |
| Encryption | Encryption in Transit | True | All traffic to Azure DevOps is encrypted using TLS. | |
| Logging & Monitoring | Access Logging | True | Audit logs include information about user access. | |
| Logging & Monitoring | Audit Logging | True | Auditing is available for Azure DevOps organizations, tracking changes and access. | |
| Logging & Monitoring | Log Retention | True | Log retention policies can be configured for audit logs streamed to a Log Analytics workspace. | Configurable for audit logs. |
| Logging & Monitoring | Monitoring & Alerting | True | Azure DevOps provides service health monitoring and can send notifications for events. | |
| Network Security | API Gateway Integration | False | Azure DevOps is not typically fronted by an API gateway. | Not applicable. |
| Network Security | DDoS Protection | True | Azure provides DDoS protection for the underlying infrastructure. | Inherited from the Azure platform. |
| Network Security | Firewall Rules | True | IP-based access restrictions can be configured through Azure AD Conditional Access policies. | Through Azure AD Conditional Access. |
| Network Security | Private Access | False | Azure DevOps is accessed over the public internet. There is no private access option. | Azure DevOps is a public cloud service. |
| Secure Development Lifecycle (SDL) | API Design Principles | True | The Azure DevOps REST API follows Microsoft's SDL. | Applies to the Azure DevOps API. |
| Secure Development Lifecycle (SDL) | Code Review & Testing | True | Azure Repos provides features for pull requests and code reviews. Azure Pipelines enables automated testing. | Core feature of the service. |
| Vulnerability Management & Patching | Security Updates | True | Microsoft is responsible for patching the Azure DevOps service. | Microsoft manages the service. |
| Vulnerability Management & Patching | Vulnerability Scanning | True | Microsoft performs vulnerability scanning of the Azure platform. | Microsoft manages the service. |