Skip to main content

Set up the Azure DevOps MCP server

The Azure DevOps MCP server gives AI agents access to work items, boards, repositories, pull requests, pipelines, wikis, test plans, search, and advanced security across your Azure DevOps organization. This guide covers configuring either Microsoft Entra OAuth or a personal access token, then adding the server from the MintMCP store.

Prerequisites

Set up Azure DevOps

Azure DevOps is pre-listed as a recommended server in the MintMCP MCP store. Pick an authentication method below — each path first sets up credentials in Azure DevOps, then installs and configures the connector in MintMCP.

Each domain maps to a group of Azure DevOps tools, enabled through the optional ADO_DOMAINS variable:

DomainWhat it covers
coreProjects, teams, and members
workBoards and sprints
work-itemsWork item creation and management
searchCode and work item search
test-plansTest plans and suites
repositoriesRepositories and branches
wikiWikis and pages
pipelinesBuilds and releases
advanced-securitySecurity alerts and advisories

Per-user OAuth authenticates each team member with their own Microsoft Entra identity. The Azure DevOps organization must be connected to the same Entra tenant — verify this under Azure DevOps > Organization settings > Microsoft Entra.

Register a Microsoft Entra app

  1. Go to portal.azure.com > Microsoft Entra ID > App registrations.

    Azure portal Default Directory blade with Microsoft Entra ID highlighted in the left sidebar and App registrations selected under Manage
  2. Click New registration.

    Azure portal App registrations page with the New registration button highlighted in the top toolbar
  3. Enter a name — for example, MintMCP Azure DevOps.

  4. Under Redirect URI, select Web and enter https://app.mintmcp.com/oauth/callback.

    Register an application form with Name set to MintMCP Azure DevOps, Single tenant account type, and a Web redirect URI of https://app.mintmcp.com/oauth/callback
  5. Click Register.

  6. Go to API permissions > Add a permission.

    MintMCP Azure DevOps API permissions page with API permissions selected in the sidebar and the Add a permission button below Configured permissions
  7. Select Azure DevOps, then Delegated permissions, then user_impersonation.

  8. Click Add permissions.

    Request API permissions panel for Azure DevOps with Delegated permissions selected, user_impersonation checked, and the Add permissions button at the bottom
  9. Back on the API permissions page, click Grant admin consent for [your organization] and confirm.

    API permissions page with the Grant admin consent for Default Directory button and the grant admin consent confirmation dialog showing Yes and No
  10. Copy the Application (client) ID and Directory (tenant) ID from the Overview tab.

    App registration Overview tab showing the Essentials panel with Application (client) ID and Directory (tenant) ID
  11. Go to Certificates & secrets > Client secrets > New client secret.

    Certificates & secrets page with the Client secrets tab selected and the New client secret button
  12. Enter a description and expiry, then click Add.

    Add a client secret panel with a Description and Expires field and the Add button
  13. Copy the Value immediately — it is not shown again.

    Client secrets table showing a secret with its Value column and copy button

Add and configure the connector in MintMCP

  1. In MintMCP, go to MCP store > Manage store.

  2. Find Azure DevOps in the recommended servers list and click Install.

  3. On the connector's configuration screen, set its environment variables:

    • ADO_ORGANIZATION — your Azure DevOps organization name.
    • ADO_DOMAINS (optional) — a space-separated list of the tool domains above. Omit it to enable all domains.
  4. Go to MCP store > Your registry and click the Azure DevOps connector.

  5. Click Hosted Connector > Edit.

  6. Scroll to Authentication, select Hosted OAuth and enter:

    FieldValue
    Authorization URLhttps://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize
    Token URLhttps://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
    Client IDApplication (client) ID from the app registration
    Client SecretClient secret Value from the app registration
    Scopes499b84ac-1321-427f-aa17-267ca6975798/.default offline_access
    Token response to env mappingsAdd row and map access_token to ADO_MCP_AUTH_TOKEN

    Replace <tenant-id> in both URLs with the Directory (tenant) ID you copied when registering the Entra app.

  7. Click Save.

When users first connect to the Azure DevOps MCP server through MintMCP, they are redirected to Microsoft to sign in with their Entra account.

Troubleshooting

  • AADSTS90013 — The <tenant-id> placeholder was not replaced in the Authorization URL or Token URL. Paste the real Directory (tenant) ID GUID into both fields.
  • AADSTS650052 — The Azure DevOps service principal is missing from your Entra tenant. Run az ad sp create --id 499b84ac-1321-427f-aa17-267ca6975798 in the Azure CLI, then reconnect your Azure DevOps organization to the tenant under Organization settings > Microsoft Entra.
  • 401 after a successful token — The Azure DevOps organization is not Entra-backed. A working PAT does not mean the org is connected to Entra. Check under Organization settings > Microsoft Entra and link the org to your tenant.

Security considerations

  • ADO_ORGANIZATION is shared across all users on this connector. Credentials are per-user, so each team member acts under their own Azure DevOps identity.
  • OAuth ties each call to an individual Entra identity, giving you a clearer audit trail than a shared PAT.
  • Keep PAT scopes minimal — grant only what the tool domains you enabled actually require.

Next steps