# Service Account

> Set up a service account for CodeAnt AI integration with Azure DevOps

# Service Account for Azure DevOps

## What is a Service Account?

A service account is a dedicated user account (not tied to a specific person) used by CodeAnt AI to interact with your Azure DevOps organization. CodeAnt AI will use this account to:

* Post automated comments on pull requests
* Create and manage code review threads
* Access repository code for analysis
* Fetch build and work item data for metrics

Using a service account instead of a personal account ensures:

* CodeAnt AI operations continue even when team members leave
* Clear audit trail of automated actions
* Separation between human and bot activities
* Better security and access control

## Creating the Service Account

Follow these steps to create and configure a service account for CodeAnt AI:

### 1. Add User to Azure DevOps

* **Navigate to Organization Settings**
  * Go to [dev.azure.com](https://dev.azure.com)
  * Select your organization
  * Click **Organization Settings** (bottom left) > **Users**

* **Add New User**
  * Click **+ Add users**
  * Enter a dedicated email address (e.g., `codeantai-bot@yourcompany.com` or `svc-codeantai@yourcompany.com`)
  * **Access level:** Select **Basic** (required for code access and PR comments)
  * Click **Add** to send the invitation

> **Note:** If you don't have a separate email, you can create an Azure AD user account first, then add that account to Azure DevOps.

### 2. Create Personal Access Token (PAT)

* **Sign in as the Service Account**
  * Log in to Azure DevOps using the service account credentials
  * Click on **User Settings** (top right corner) > **Personal Access Tokens**
  * <img src="https://mintcdn.com/codeantai/cPAPWnajTUNzakyT/images/pull_request/azure_devops/pat_menu.png?fit=max&auto=format&n=cPAPWnajTUNzakyT&q=85&s=eb17c5372d4ba689a9da3ee3f66c88e9" alt="PAT Menu" width="3420" height="2040" data-path="images/pull_request/azure_devops/pat_menu.png" />

* **Generate New Token**
  * Click **+ New Token**
  * **Configuration:**
    * **Name:** CodeAnt AI
    * **Organization:** All accessible organizations (or select a specific organization)
    * **Expiration:** Custom defined - Select maximum duration (365 days recommended)
    * **Scopes:**
      * **Code:** Read & Write - For repository scanning and code analysis
      * **Pull Request Threads:** Read & Write - For posting PR comments and reviews
      * **Build:** Read - For DORA metrics (optional)
      * **Work Items:** Read - For DORA metrics (optional)

* **Save the Token**
  * Click **Create**
  * **Important:** Copy the generated token immediately - it won't be shown again
  * Store it securely (you'll need it for CodeAnt AI configuration)

### 3. Grant Repository Access

* **Navigate to Project Settings**
  * Go to your project > **Project Settings** > **Repositories**
  * Select the repository (or click **Security** for all repositories)

* **Add Service Account Permissions**
  * Find the service account user in the list
  * Grant the following permissions:
    * **Read:** Allow
    * **Contribute:** Allow (needed for posting comments)
    * **Contribute to pull requests:** Allow
    * **Create and manage threads:** Allow

> These permissions allow CodeAnt AI to read code and post review comments on pull requests.

## Best Practices

### Security Recommendations

* **Use a Descriptive Name**
  * Name the account clearly (e.g., `CodeAnt AI Bot`, `codeantai-service`)
  * This makes it easy to identify automated actions in audit logs

* **Limit Permissions**
  * Only grant the minimum required scopes in the PAT
  * Avoid using "Full Access" tokens
  * Don't grant permissions the service doesn't need

* **Token Management**
  * Store the PAT securely (never commit it to code or share it publicly)
  * Set calendar reminders to rotate tokens before expiration
  * When rotating tokens, create and test the new token before revoking the old one

### Maintenance

* **Token Rotation**
  * Rotate tokens at least annually
  * Update the token in CodeAnt AI settings after rotation
  * Test the integration after token updates

* **Access Reviews**
  * Periodically review the service account's permissions
  * Remove access to archived or unused projects
  * Ensure only necessary repositories are accessible
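
The scope limits and rotation schedule above can be checked mechanically against PAT metadata. The following is an added example, not CodeAnt AI or Microsoft code. It assumes records shaped like the Azure DevOps PAT lifecycle API response (`displayName`, `scope`, `validTo`) and an assumed mapping from this guide's scope labels to scope identifiers; the sample records are constructed.

```python
from datetime import datetime, timezone

# Assumed mapping from the scope labels in this guide to Azure DevOps scope identifiers.
REQUIRED = {"vso.code_write", "vso.threads_full"}  # Code R/W, Pull Request Threads R/W
OPTIONAL = {"vso.build", "vso.work"}               # Build Read, Work Items Read (DORA metrics)
FULL_ACCESS = "app_token"                          # scope value of a "Full access" PAT


def audit_pat(record, now, warn_days=30):
    """Return a list of findings for one PAT metadata record (empty list = ok)."""
    findings = []
    scopes = set(record.get("scope", "").split())
    if FULL_ACCESS in scopes:
        findings.append("full-access token: recreate with scoped permissions")
    else:
        missing = REQUIRED - scopes
        extra = scopes - REQUIRED - OPTIONAL
        if missing:
            findings.append("missing required scopes: " + ", ".join(sorted(missing)))
        if extra:
            findings.append("scopes beyond the guide's list: " + ", ".join(sorted(extra)))
    # validTo is an ISO 8601 UTC timestamp; normalise the trailing "Z" for fromisoformat.
    valid_to = datetime.fromisoformat(record["validTo"].replace("Z", "+00:00"))
    days_left = (valid_to - now).days
    if days_left < 0:
        findings.append("expired")
    elif days_left <= warn_days:
        findings.append(f"expires in {days_left} days: rotate now")
    return findings


# Constructed sample records and a fixed "now" so the output is reproducible.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"displayName": "CodeAnt AI", "validTo": "2026-01-15T00:00:00Z",
     "scope": "vso.code_write vso.threads_full vso.build vso.work"},
    {"displayName": "CodeAnt AI (old)", "validTo": "2025-06-10T00:00:00Z",
     "scope": "app_token"},
    {"displayName": "CodeAnt AI (test)", "validTo": "2025-05-01T00:00:00Z",
     "scope": "vso.code_write vso.packaging"},
]

def audit_all(records, now):
    """Map each token's display name to its findings."""
    return {r["displayName"]: audit_pat(r, now) for r in records}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE, NOW).items():
        print(name, "->", findings or ["ok"])
```
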

## Next Steps

After creating your service account:

* Use the PAT in [Control Center Configuration](control_center.mdx)
* Set up [Pull Request Review](pull_request.mdx) with service hooks
* Monitor the service account's activity in the first few PRs to ensure proper operation
