Service Account for Azure DevOps

What is a Service Account?

A service account is a dedicated user account (not tied to a specific person) used by CodeAnt AI to interact with your Azure DevOps organization. CodeAnt AI will use this account to:
  • Post automated comments on pull requests
  • Create and manage code review threads
  • Access repository code for analysis
  • Fetch build and work item data for metrics
Using a service account instead of a personal account ensures:
  • CodeAnt AI operations continue even when team members leave
  • Clear audit trail of automated actions
  • Separation between human and bot activities
  • Better security and access control

Creating the Service Account

Follow these steps to create and configure a service account for CodeAnt AI:

1. Add User to Azure DevOps

  • Navigate to Organization Settings
    • Go to dev.azure.com
    • Select your organization
    • Click Organization Settings (bottom left) > Users
  • Add New User
    • Click + Add users
    • Enter a dedicated email address (e.g., codeantai-bot@yourcompany.com or svc-codeantai@yourcompany.com)
    • Access level: Select Basic (required for code access and PR comments)
    • Click Add to send invitation
Note: If you don’t have a separate email, you can create an Azure AD user account first, then add that account to Azure DevOps.

2. Create Personal Access Token (PAT)

  • Sign in as the Service Account
    • Log in to Azure DevOps using the service account credentials
    • Click on User Settings (top right corner) > Personal Access Tokens
  • Generate New Token
    • Click + New Token
    • Configuration:
      • Name: CodeAnt AI
      • Organization: All accessible organizations (or select a specific organization)
      • Expiration: Custom defined - Select maximum duration (365 days recommended)
      • Scopes:
        • Code: Read & Write - For repository scanning and code analysis
        • Pull Request Threads: Read & Write - For posting PR comments and reviews
        • Build: Read - For DORA metrics (optional)
        • Work Items: Read - For DORA metrics (optional)
  • Save the Token
    • Click Create
    • Important: Copy the generated token immediately - it won’t be shown again
    • Store it securely (you’ll need it for CodeAnt AI configuration)

3. Grant Repository Access

  • Navigate to Project Settings
    • Go to your project > Project Settings > Repositories
    • Select the repository (or click Security for all repositories)
  • Add Service Account Permissions
    • Find the service account user in the list
    • Grant the following permissions:
      • Read: Allow
      • Contribute: Allow (needed for posting comments)
      • Contribute to pull requests: Allow
      • Create and manage threads: Allow
These permissions allow CodeAnt AI to read code and post review comments on pull requests.

Best Practices

Security Recommendations

  • Use a Descriptive Name
    • Name the account clearly (e.g., CodeAnt AI Bot, codeantai-service)
    • This makes it easy to identify automated actions in audit logs
  • Limit Permissions
    • Only grant the minimum required scopes in the PAT
    • Avoid using “Full Access” tokens
    • Don’t grant permissions the service doesn’t need
  • Token Management
    • Store the PAT securely (never commit to code or share publicly)
    • Set calendar reminders to rotate tokens before expiration
    • When rotating tokens, create and test the new token before revoking the old one
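
The scope and rotation recommendations above can be checked mechanically. The following is an added example, not part of CodeAnt AI's or Microsoft's documentation: it audits an exported list of PAT records against the scopes from step 2 and flags tokens that are full-access, over-scoped, expired, or due for rotation. The scope identifiers (`vso.*`, `app_token`), the record fields (`patTokens`, `displayName`, `scope`, `validTo`) and the sample data are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone

# Assumption: scope identifiers matching the UI scopes listed in step 2.
REQUIRED = {"vso.code_write", "vso.threads_full"}  # Code R/W, PR Threads R/W
OPTIONAL = {"vso.build", "vso.work"}               # Build Read, Work Items Read
FULL_ACCESS = "app_token"                          # assumed scope of a "Full access" PAT

def audit_pat(pat, now, warn_days=30):
    """Return findings for one PAT record; an empty list means it matches the guidance."""
    findings = []
    scopes = set(pat.get("scope", "").split())
    if FULL_ACCESS in scopes:
        findings.append("full-access token")
    else:
        extra = scopes - REQUIRED - OPTIONAL
        missing = REQUIRED - scopes
        if extra:
            findings.append("extra scopes: " + ", ".join(sorted(extra)))
        if missing:
            findings.append("missing scopes: " + ", ".join(sorted(missing)))
    # Keep only the seconds-precision prefix so fractional seconds and "Z" parse everywhere.
    valid_to = datetime.strptime(pat["validTo"][:19], "%Y-%m-%dT%H:%M:%S")
    valid_to = valid_to.replace(tzinfo=timezone.utc)
    days_left = (valid_to - now).days
    if valid_to <= now:
        findings.append("expired")
    elif days_left <= warn_days:
        findings.append(f"rotate soon: expires in {days_left} days")
    return findings

def audit_all(doc, now):
    """Map each token's display name to its findings."""
    return {p["displayName"]: audit_pat(p, now) for p in doc["patTokens"]}

# Constructed sample records (not real tokens); field names are assumed.
SAMPLE = json.loads("""{"patTokens": [
  {"displayName": "CodeAnt AI", "validTo": "2026-01-15T00:00:00.00Z",
   "scope": "vso.code_write vso.threads_full vso.build vso.work"},
  {"displayName": "CodeAnt AI (old)", "validTo": "2025-02-10T00:00:00.00Z",
   "scope": "app_token"},
  {"displayName": "CodeAnt AI (test)", "validTo": "2025-01-01T00:00:00.00Z",
   "scope": "vso.code_write vso.packaging"}
]}""")

if __name__ == "__main__":
    now = datetime(2025, 1, 20, tzinfo=timezone.utc)  # fixed date for reproducible output
    for name, findings in audit_all(SAMPLE, now).items():
        print(f"{name}: {findings or ['ok']}")
```
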

Maintenance

  • Token Rotation
    • Rotate tokens at least annually
    • Update the token in CodeAnt AI settings after rotation
    • Test the integration after token updates
  • Access Reviews
    • Periodically review the service account’s permissions
    • Remove access to archived or unused projects
    • Ensure only necessary repositories are accessible

Next Steps

After creating your service account: