Azure DevOps PAT scopes for DevOps
Important: For the pipeline capabilities to work, the owner of the PAT must also hold the "Update build information" permission on the Azure DevOps pipeline. If that permission is missing, contact your Azure DevOps Project Administrator.
Scope access levels are required when using a personal access token (PAT) to access Azure DevOps during setup.
Scope access level settings are based on the capability you have configured. Set the corresponding access level for seamless functionality. For information on creating a PAT, see Personal access token (PAT).
- When onboarding a project, the owner of the PAT must be a member of that project's Project Administrators group.
- When onboarding an organization, the owner of the PAT must be a member of the organization's Project Collection Administrators group.
| Capability | Scope | Access level | Impact |
|---|---|---|---|
| Boards | Work item | Read | Required to discover the boards and receive the work items either through import/polling or real time with a configured webhook. |
| Repos | Code | Read | Required to discover repositories and receive branches, commits, and tags either through import/polling or real time with a configured webhook. |
| Build pipelines | Build | Read & execute | Read is required to discover build pipelines and receive build details. Execute is required to control the pipeline state, for example pause and resume. |
| Release pipelines and gates | Release | Read, write & execute | Read is required to discover release pipelines and receive their details. Write and Execute are required to control pipeline execution during change control steps. |
| Test build and release pipelines | Test management | Read | Required to receive test results for pipeline execution. |
| Service Connections | Service connection | Read, query, and manage | Required to create Service connection automatically which is used to configure ServiceNow tasks like change acceleration, artifact and package registration, etc. |
| Packaging | Packaging | Read | Required to discover the artifact repositories and receive the feeds and packages either through import/polling or real-time with a configured webhook. |
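The table tells you which scopes to grant, but nothing on the Azure DevOps side tells you which one you forgot until a ServiceNow capability silently stops discovering data. The following Python script is an added example (not ServiceNow or Azure DevOps code) that pre-flights a PAT before onboarding: it sends one read-only request per capability using the PAT as HTTP Basic credentials and reports, in the table's own terms, which scope is missing. It checks only the Read half of each scope, because Execute, Write and Manage can only be exercised with side-effecting calls; confirm those in the token's scope list in Azure DevOps. The scope identifiers (`vso.work`, `vso.code`, ...) are the ones Azure DevOps uses; the `api-version` values, the organization and project names, and the sample responses are assumptions constructed for this example. Azure DevOps answers some unauthenticated requests with HTTP 203 and a sign-in page rather than 401, so only a 200 is counted as success.

```python
"""Pre-flight check of the Read half of each PAT scope from the table above.

Added example; not ServiceNow or Azure DevOps code. One read-only request
is sent per capability with the PAT; a non-200 answer is reported as that
capability's scope being missing. Execute, Write and Manage cannot be
probed without side effects and must be checked in the PAT's scope list.
The api-version values below are assumptions for this example.
"""
import base64
import urllib.error
import urllib.request

# capability -> (Azure DevOps scope identifier, access level from the table, read-only probe URL)
PROBES = {
    "Boards": ("vso.work", "Work item: Read",
        "https://dev.azure.com/{org}/{project}/_apis/wit/workitemtypes?api-version=7.1"),
    "Repos": ("vso.code", "Code: Read",
        "https://dev.azure.com/{org}/{project}/_apis/git/repositories?api-version=7.1"),
    "Build pipelines": ("vso.build", "Build: Read & execute",
        "https://dev.azure.com/{org}/{project}/_apis/build/definitions?api-version=7.1"),
    "Release pipelines and gates": ("vso.release", "Release: Read, write & execute",
        "https://vsrm.dev.azure.com/{org}/{project}/_apis/release/definitions?api-version=7.1"),
    "Test": ("vso.test", "Test management: Read",
        "https://dev.azure.com/{org}/{project}/_apis/test/runs?api-version=7.1"),
    "Service connections": ("vso.serviceendpoint", "Service connection: Read, query & manage",
        "https://dev.azure.com/{org}/{project}/_apis/serviceendpoint/endpoints?api-version=7.1-preview.4"),
    "Packaging": ("vso.packaging", "Packaging: Read",
        "https://feeds.dev.azure.com/{org}/_apis/packaging/feeds?api-version=7.1-preview.1"),
}


def pat_auth_header(pat):
    """Azure DevOps accepts a PAT as HTTP Basic auth with an empty user name."""
    token = base64.b64encode(f":{pat}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def http_status(url, headers):
    """Default transport: HTTP status of a GET. Bodies are not needed for the check."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_read_scopes(org, project, pat, get_status=http_status):
    """Probe every capability; return {capability: (scope, ok)}.

    Only HTTP 200 counts as success: a PAT that is rejected may get a 401
    or 403, or a 203 carrying a sign-in page. get_status is injectable so
    the check can run offline against a fake transport.
    """
    headers = pat_auth_header(pat)
    results = {}
    for capability, (scope, _level, template) in PROBES.items():
        url = template.format(org=org, project=project)
        results[capability] = (scope, get_status(url, headers) == 200)
    return results


def missing_scopes(results):
    """Sorted scope identifiers whose read probe failed."""
    return sorted(scope for scope, ok in results.values() if not ok)


def token_rejected_everywhere(results):
    """True when no probe succeeded: an expired/invalid PAT or wrong org, not a scope gap."""
    return all(not ok for _scope, ok in results.values())


def report(results):
    """Human-readable lines, quoting the access level the table asks for."""
    lines = []
    for capability, (scope, ok) in results.items():
        level = PROBES[capability][1]
        lines.append(f"{'OK     ' if ok else 'MISSING'} {capability:<28} {scope:<20} {level}")
    return lines


# Constructed sample transport for an offline run: everything succeeds except
# the release probe, as if the PAT had been issued without the Release scope.
def sample_get_status(url, headers):
    return 401 if "vsrm.dev.azure.com" in url else 200


if __name__ == "__main__":
    res = check_read_scopes("contoso", "WebApp", "dummy-pat", get_status=sample_get_status)
    print("\n".join(report(res)))
    if token_rejected_everywhere(res):
        print("Every probe failed: check the PAT itself (expiry, organization) before its scopes.")
    else:
        print("Missing scopes:", missing_scopes(res) or "none")
```

To run it against a real organization, replace `sample_get_status` with the default `http_status` transport and supply the integration user's PAT; a run where every probe fails points at the token or the organization name rather than at scopes, which is why the all-failed case is reported separately.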
Limitation of Azure DevOps
If you create an Azure tool with a custom-defined access level and later reconfigure it because the integration user's credentials changed, the existing service hooks for the release created and release deployment events are not updated. Instead, two new service hooks are created with the new configuration details. To avoid duplicating these service hooks, create the tool with the full access level. Note that a full-access PAT carries every scope in the organization, so issue it from a dedicated integration account rather than a personal one.