Official Microsoft Azure DevOps MCP server for querying work items, pull requests, repositories, pipelines, wikis, test plans, and project metadata through remote HTTP or local stdio transports.
Start with read-only mode for investigation. The remote server supports the `X-MCP-Readonly: true` header, and the local server supports domain filtering so agents only load the Azure DevOps areas they need., Azure DevOps write-capable tools can create or update work items, pull requests, pull request comments, branches, wiki pages, test plans, test suites, test cases, and pipeline runs. Keep manual approval on any operation that changes project state., Treat Azure DevOps PATs, Microsoft Entra tokens, Azure CLI sessions, and MCP configuration as sensitive credentials. Do not paste tokens into prompts, commit them to repositories, or share them in issue/PR threads., Use toolsets, domains, project defaults, and team defaults to keep the MCP surface narrow. Loading every repo, work item, wiki, pipeline, and test plan tool can confuse the model and expose more context than the task needs., The remote MCP server is in public preview. Preview behavior, available tools, supported clients, and authentication requirements can change before general availability.
Privacy notes
Tool results can expose organization names, project names, teams, iteration data, capacity information, work item titles and fields, comments, attachments, pull request discussions, repository file content, branch names, commit metadata, pipeline logs, build artifacts, wiki pages, test plans, and search results., Work item comments, PR threads, pipeline logs, wiki pages, and attachments often contain customer data, production incident details, credentials, internal URLs, unreleased roadmap information, employee names, or security findings., MCP client logs, AI transcripts, generated code comments, local terminal history, and downstream ticket summaries can retain Azure DevOps content outside the original Azure DevOps audit, permission, and retention model., Microsoft Entra authentication exposes the user's organizational identity to the MCP client and constrains access to the authenticated user's Azure DevOps permissions.
Author
Microsoft
Submitted by
oktofeesh1
Claim status
unclaimed
Last verified
2026-06-03
Decision playbook
Review trust signals before you adopt
Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.
Compare context
Selected
0
Current score
78
Baseline
—
Delta
No baseline selected
No major trust-signal divergence detected in the current selection.
Source and provenance checks
Complete
Confirm ownership and provenance before trusting install instructions.
Source link availableRequired
Open the canonical repository and verify ownership.
Done
Source provenance statusRequired
Marked as source-backed.
Done
Metadata reviewed
Registry metadata indicates a reviewed listing.
Done
Safety and privacy checks
Complete
Validate risk disclosures before installation or API wiring.
Safety notes presentRequired
Review the listed safety guidance before running commands.
Done
Privacy notes presentRequired
Review data handling notes before connecting accounts or secrets.
Done
Trust level risk gateRequired
Trust level does not block evaluation.
Done
Package and install checks
Needs review
Check package metadata and artifact integrity signals.
Install payload available
Install or copy payload is available for review.
Done
Package verification flag
No package verification flag provided.
Pending
Checksum metadata
No checksum provided for downloaded artifact.
Pending
Compare-driven decision checks
Needs review
Use compare context to validate trade-offs before adoption.
Compare tray has multiple entries
Add at least one more entry to compare trust differences.
5 safety and 4 privacy notes across 4 risk areas. Review closely: credentials & tokens, permissions & scopes, network access.
4 areas
SafetyNetwork accessStart with read-only mode for investigation. The remote server supports the `X-MCP-Readonly: true` header, and the local server supports domain filtering so agents only load the Azure DevOps areas they need.
SafetyNetwork accessAzure DevOps write-capable tools can create or update work items, pull requests, pull request comments, branches, wiki pages, test plans, test suites, test cases, and pipeline runs. Keep manual approval on any operation that changes project state.
SafetyCredentials & tokensTreat Azure DevOps PATs, Microsoft Entra tokens, Azure CLI sessions, and MCP configuration as sensitive credentials. Do not paste tokens into prompts, commit them to repositories, or share them in issue/PR threads.
SafetyGeneralUse toolsets, domains, project defaults, and team defaults to keep the MCP surface narrow. Loading every repo, work item, wiki, pipeline, and test plan tool can confuse the model and expose more context than the task needs.
SafetyNetwork accessThe remote MCP server is in public preview. Preview behavior, available tools, supported clients, and authentication requirements can change before general availability.
PrivacyNetwork accessTool results can expose organization names, project names, teams, iteration data, capacity information, work item titles and fields, comments, attachments, pull request discussions, repository file content, branch names, commit metadata, pipeline logs, build artifacts, wiki pages, test plans, and search results.
PrivacyCredentials & tokensWork item comments, PR threads, pipeline logs, wiki pages, and attachments often contain customer data, production incident details, credentials, internal URLs, unreleased roadmap information, employee names, or security findings.
PrivacyPermissions & scopesMCP client logs, AI transcripts, generated code comments, local terminal history, and downstream ticket summaries can retain Azure DevOps content outside the original Azure DevOps audit, permission, and retention model.
PrivacyPermissions & scopesMicrosoft Entra authentication exposes the user's organizational identity to the MCP client and constrains access to the authenticated user's Azure DevOps permissions.
Safety notes
Start with read-only mode for investigation. The remote server supports the `X-MCP-Readonly: true` header, and the local server supports domain filtering so agents only load the Azure DevOps areas they need.
Azure DevOps write-capable tools can create or update work items, pull requests, pull request comments, branches, wiki pages, test plans, test suites, test cases, and pipeline runs. Keep manual approval on any operation that changes project state.
Treat Azure DevOps PATs, Microsoft Entra tokens, Azure CLI sessions, and MCP configuration as sensitive credentials. Do not paste tokens into prompts, commit them to repositories, or share them in issue/PR threads.
Use toolsets, domains, project defaults, and team defaults to keep the MCP surface narrow. Loading every repo, work item, wiki, pipeline, and test plan tool can confuse the model and expose more context than the task needs.
The remote MCP server is in public preview. Preview behavior, available tools, supported clients, and authentication requirements can change before general availability.
Privacy notes
Tool results can expose organization names, project names, teams, iteration data, capacity information, work item titles and fields, comments, attachments, pull request discussions, repository file content, branch names, commit metadata, pipeline logs, build artifacts, wiki pages, test plans, and search results.
Work item comments, PR threads, pipeline logs, wiki pages, and attachments often contain customer data, production incident details, credentials, internal URLs, unreleased roadmap information, employee names, or security findings.
MCP client logs, AI transcripts, generated code comments, local terminal history, and downstream ticket summaries can retain Azure DevOps content outside the original Azure DevOps audit, permission, and retention model.
Microsoft Entra authentication exposes the user's organizational identity to the MCP client and constrains access to the authenticated user's Azure DevOps permissions.
Prerequisites
Azure DevOps organization and project membership for the resources Claude should access
Microsoft Entra ID connected Azure DevOps organization for the remote MCP server
Visual Studio Code or Visual Studio for the Microsoft-supported remote MCP preview path
Node.js 20 or later and npx for the optional local `@azure-devops/mcp` stdio server
Azure DevOps permissions, PAT, Microsoft Entra authentication, or Azure CLI authentication appropriate to the chosen transport
Team policy for which work items, repositories, pipelines, wikis, and test plans may be exposed to AI-assisted workflows
The Azure DevOps MCP Server brings Azure DevOps context into AI-assisted
development workflows. It gives agents structured access to project metadata,
work items, repositories, pull requests, branches, files, pipeline runs, build
logs, artifacts, wikis, test plans, and search results so a task can start from
the actual Azure DevOps source of truth rather than a copied ticket or stale
summary.
Microsoft now recommends the Azure DevOps-hosted remote MCP server for
supported clients. The remote server uses streamable HTTP at
https://mcp.dev.azure.com/{organization}, authenticates with Microsoft Entra
ID, and can be narrowed with toolset and read-only headers. The local
@azure-devops/mcp package remains useful for Claude Code, Cursor, Codex, and
other stdio-oriented clients while remote OAuth client support continues to
roll out.
Features
Remote HTTP endpoint at https://mcp.dev.azure.com/{organization} for the
public preview hosted server.
Local stdio server through npx -y @azure-devops/mcp.
Core organization, project, and team discovery.
Work item lookup, batch retrieval, comments, revisions, backlog data, saved
query results, and full-text work item search.
List my Azure DevOps work items in PROJECT_NAME and group them by priority, blocked status, and next action.
Inspect a pull request
Find pull requests in PROJECT_NAME that require my review, summarize the active comment threads, and do not post any comments.
Debug a failed pipeline
Get the latest failed pipeline run for PROJECT_NAME, summarize the failed stage and relevant logs, and link related commits or work items.
Read a wiki runbook
Search Azure DevOps wiki pages for the deployment rollback runbook and summarize the exact steps without changing the wiki.
Source notes
Microsoft Learn documents the remote Azure DevOps MCP Server as a public
preview hosted service using streamable HTTP transport at
https://mcp.dev.azure.com/{organization}.
The remote setup guide says the hosted server avoids local installation,
authenticates with Microsoft Entra ID, and provides access to work items,
pull requests, pipelines, and more.
Microsoft documents toolset filtering with X-MCP-Toolsets, read-only
filtering with X-MCP-Readonly, individual tool selection with
X-MCP-Tools, and insiders features with X-MCP-Insiders.
The available remote toolsets include repos, wit, pipelines, wiki,
work, and testplan, with read-only and write-capable tools called out in
the Microsoft Learn reference.
The official GitHub repository recommends the remote MCP server going forward
while continuing to support the local @azure-devops/mcp stdio package for
clients and scenarios that need it.
npm metadata identifies @azure-devops/mcp as Microsoft's MCP server for
interacting with Azure DevOps and points to the microsoft/azure-devops-mcp
repository under the MIT license.
Duplicate check
Checked current content/mcp/, content/tools/, guides, skills, agents, open
pull requests, and repository-wide content for Azure DevOps,
azure-devops-mcp, microsoft/azure-devops-mcp, @azure-devops/mcp,
mcp.dev.azure.com, ado-remote-mcp, work item, pull request tools,
Microsoft Entra, pipelines, and issue tracker MCP. Existing Jira MCP
content covers Atlassian Jira and Confluence, while this entry covers
Microsoft Azure DevOps work items, repos, PRs, pipelines, wiki, and test plans.
Existing Microsoft AutoGen content is an agent framework entry, not an Azure
DevOps MCP server. No dedicated Azure DevOps MCP entry, Azure DevOps source URL
duplicate, or open duplicate PR was found.
Disclosure
Editorial listing. No paid placement or affiliate link is used.
Show that Azure DevOps MCP Server for Claude is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.
[](https://heyclau.de/entry/mcp/azure-devops-mcp-server)
How it compares
Azure DevOps MCP Server for Claude side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
Official Microsoft Azure DevOps MCP server for querying work items, pull requests, repositories, pipelines, wikis, test plans, and project metadata through remote HTTP or local stdio transports.
Official Microsoft Azure MCP server that connects Claude and other MCP clients to Azure subscriptions, resource groups, storage, databases, Key Vault, Monitor, App Service, AKS, AI Search, Cosmos DB, RBAC, pricing, and other Azure services through local stdio or self-hosted HTTP transports.
Official Plane MCP server for connecting Claude to Plane projects, work items, cycles, modules, initiatives, comments, links, work logs, pages, and workspace metadata.
Argo Project Labs MCP server for connecting Claude to Argo CD applications, clusters, managed resources, workload logs, events, sync operations, and resource actions through stdio or HTTP stream transports.
✓Start with read-only mode for investigation. The remote server supports the `X-MCP-Readonly: true` header, and the local server supports domain filtering so agents only load the Azure DevOps areas they need.
Azure DevOps write-capable tools can create or update work items, pull requests, pull request comments, branches, wiki pages, test plans, test suites, test cases, and pipeline runs. Keep manual approval on any operation that changes project state.
Treat Azure DevOps PATs, Microsoft Entra tokens, Azure CLI sessions, and MCP configuration as sensitive credentials. Do not paste tokens into prompts, commit them to repositories, or share them in issue/PR threads.
Use toolsets, domains, project defaults, and team defaults to keep the MCP surface narrow. Loading every repo, work item, wiki, pipeline, and test plan tool can confuse the model and expose more context than the task needs.
The remote MCP server is in public preview. Preview behavior, available tools, supported clients, and authentication requirements can change before general availability.
✓Start in read-only mode and narrow the exposed namespaces or individual tools before enabling broader Azure access. Microsoft documents read-only mode, namespace filters, single-tool mode, and learn mode as controls for reducing the active MCP surface.
Azure MCP tools can inspect and manage real cloud resources. Depending on the tool and RBAC role, actions can create, update, delete, deploy, restart, query, or reconfigure resources and can incur cloud spend.
Keep human approval on destructive, cost-bearing, deployment, RBAC, Key Vault, database, storage, messaging, and production-environment actions. Do not disable user confirmation for high-risk or sensitive-data commands unless the automation environment is tightly controlled.
The server authenticates with Azure credentials available to the local machine or hosted environment. Limit the credential chain with `AZURE_TOKEN_CREDENTIALS`, managed identities, service principals, and least-privilege Azure RBAC where practical.
For self-hosted HTTP deployments, configure Entra ID inbound authentication, outbound authentication strategy, network exposure, logging, and per-user versus server-identity audit requirements before sharing the endpoint.
Docker setup uses Azure credential environment variables such as `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, and `AZURE_CLIENT_SECRET`; protect those values and never commit the env file.
Microsoft documents telemetry environment variables for the server. Review `AZURE_MCP_COLLECT_TELEMETRY` and `AZURE_MCP_COLLECT_TELEMETRY_MICROSOFT` before using the server in sensitive environments.
This is the Azure services MCP server. It is distinct from the Azure DevOps MCP server, which focuses on work items, repositories, pull requests, pipelines, wikis, and test plans.
✓Plane MCP exposes 100+ tools across projects, work items, cycles, modules, initiatives, intake, labels, states, comments, links, work logs, pages, workspaces, and users.
Many tools can create, update, delete, archive, unarchive, transfer, or otherwise change Plane workspace state.
Remote OAuth and PAT transports grant read and write scopes, so configure the narrowest workspace access and review actions before execution.
Stdio transport requires PLANE_API_KEY and PLANE_WORKSPACE_SLUG; protect API keys and rotate them if they are exposed.
The server uses structured logging middleware with payloads enabled in source, so review logging behavior before sending sensitive issue data through the server.
✓Argo CD MCP can inspect clusters, applications, resource trees, managed resources, workload logs, and resource events.
By default all tools are available; setting MCP_READ_ONLY to true disables create_application, update_application, delete_application, sync_application, and run_resource_action.
sync_application can apply changes to Kubernetes resources and may prune resources depending on options.
delete_application can remove Argo CD applications and may cascade deletion to child resources depending on options.
run_resource_action can trigger actions on resources managed by an application.
Disabling TLS certificate validation with NODE_TLS_REJECT_UNAUTHORIZED weakens transport security and should be limited to reviewed development contexts.
Privacy notes
✓Tool results can expose organization names, project names, teams, iteration data, capacity information, work item titles and fields, comments, attachments, pull request discussions, repository file content, branch names, commit metadata, pipeline logs, build artifacts, wiki pages, test plans, and search results.
Work item comments, PR threads, pipeline logs, wiki pages, and attachments often contain customer data, production incident details, credentials, internal URLs, unreleased roadmap information, employee names, or security findings.
MCP client logs, AI transcripts, generated code comments, local terminal history, and downstream ticket summaries can retain Azure DevOps content outside the original Azure DevOps audit, permission, and retention model.
Microsoft Entra authentication exposes the user's organizational identity to the MCP client and constrains access to the authenticated user's Azure DevOps permissions.
✓Tool results can expose tenant IDs, subscription IDs, resource groups, resource names, tags, deployment outputs, Azure Monitor logs, metrics, pricing data, quotas, RBAC assignments, policy data, app settings, database metadata, storage account and blob metadata, and service-specific configuration.
Key Vault, App Configuration, Storage, database, Service Bus, Event Hubs, Communication Services, and deployment tools may expose secrets, connection strings, keys, certificates, message contents, sample records, or customer data when the authenticated identity has permission.
Microsoft documents user confirmation for tools that handle sensitive data, including Key Vault secrets, connection strings, passwords, certificate private keys, and other confidential values. Treat those prompts as a required guardrail rather than friction.
MCP client logs, AI transcripts, local terminal history, hosted server logs, prompt traces, generated runbooks, and downstream tickets can retain Azure resource inventory and returned data outside Azure's original access and retention boundaries.
Remote HTTP deployments require Entra ID bearer tokens on inbound requests and a configured outbound Azure authentication strategy. Choose On-Behalf-Of when per-user RBAC and audit trails matter, and managed identity only when the shared-server identity model is acceptable.
Read-only mode reduces mutation risk, but it does not make returned Azure metadata or data safe to share with untrusted models, logs, chats, or third-party tools.
✓Plane workspaces can contain roadmap plans, bug reports, customer requests, comments, assignees, estimates, links, work logs, labels, and internal operational metadata.
Tool calls and logs can expose workspace slugs, project identifiers, work item IDs, titles, descriptions, comments, links, activity history, and user details to the MCP client and model provider.
PLANE_API_KEY, PLANE_ACCESS_TOKEN, PAT values, OAuth client secrets, workspace slugs, and self-hosted Plane URLs should stay out of prompts, issues, logs, screenshots, and committed files.
Claude-generated updates may notify teammates or alter shared planning state, so review visible changes before applying them.
✓Argo CD application specs, cluster names, repository URLs, revisions, namespaces, Kubernetes manifests, resource events, and workload logs can reveal secrets, internal topology, deployment history, incident details, or customer data.
ARGOCD_BASE_URL, ARGOCD_API_TOKEN, stateless HTTP request headers, cluster names, namespace names, and application names should stay out of prompts, issues, logs, screenshots, and committed files.
Workload logs and resource events may include credentials, tokens, environment variables, error traces, or production incident context.
HTTP transport should be authenticated and network-restricted so Argo CD tools are not reachable by untrusted clients.
Prerequisites
Azure DevOps organization and project membership for the resources Claude should access
Microsoft Entra ID connected Azure DevOps organization for the remote MCP server
Visual Studio Code or Visual Studio for the Microsoft-supported remote MCP preview path
Node.js 20 or later and npx for the optional local `@azure-devops/mcp` stdio server
Azure subscription, tenant, and RBAC permissions for the resources Claude should inspect or manage.
MCP-capable client that can run local stdio servers or connect to a self-hosted HTTP MCP endpoint.
Azure authentication through Azure CLI, Azure PowerShell, Visual Studio, Visual Studio Code, Azure Developer CLI, browser login, service principal environment variables, workload identity, or managed identity.
Node.js 20 LTS or later and `npx` for the `@azure/mcp` package, or `uvx` for `msmcp-azure`, or .NET 10 Preview 6 or later for `Azure.Mcp`.
Python 3.10 or newer available through uvx for local stdio usage.
Plane workspace slug and API key for stdio transport.
Plane OAuth or Personal Access Token setup when using hosted remote HTTP transport.
Clear project and workspace scope for what Claude may read or modify.
Node.js 18 or newer.
Argo CD instance with API access.
Argo CD API token scoped to the minimum applications, projects, clusters, and actions Claude should use.
Read-only mode enabled unless the workflow explicitly needs application or resource mutations.
Install
claude mcp add azure-devops -- npx -y @azure-devops/mcp YOUR_AZURE_DEVOPS_ORG