Documentation 9 min read Updated July 10, 2026

How to create Azure DevOps work items for expiring Azure App Registration credentials

Every team running apps on Microsoft Entra ID knows the story. A client secret or certificate quietly reaches its expiry date, the app stops authenticating, and suddenly it's an incident — even though a warning email went out weeks earlier. The email wasn't wrong. It was just an email: unowned, unscheduled, easy to archive, invisible in the place where your team actually plans its work.

Monitoring tells you something needs to happen. It doesn't make anyone own it. Token Watch's Azure DevOps integration closes that gap: instead of only telling you about an expiring credential, it creates a work item for it in your Azure DevOps project — on your board, in your backlog, with your tags and an assignee if you want one. Credential rotation stops being an inbox item and becomes a planned, visible, owned piece of work like everything else your team ships.

Each work item names the app registration and the credential, shows the expiry date and status, and deep-links straight to the app's Certificates & secrets blade in the Azure portal — the exact place where the rotation happens. No secret values are ever sent: work items carry only metadata.

Integration overview

Microsoft Entra ID / Azure AD App Registrations
  -> Token Watch (nightly sync)
  -> Azure DevOps project
  -> Work item on your board (one per expiring credential)

Token Watch reads credential metadata through Microsoft Graph after admin consent. Every night, when a tracked secret or certificate crosses your expiring threshold (or is already expired) and doesn't have a work item yet, Token Watch creates one in the Azure DevOps project you chose. Quiet nights create nothing.

The lifecycle of a credential work item

  1. Created. Exactly one work item per credential — never one per night, never duplicates.
  2. Worked. The item lives on your board like any other. Your team rotates the credential on its own schedule, in its own workflow.
  3. Resolved — automatically. Rotation isn't finished until the old credential is deleted in Microsoft Entra. When Token Watch sees the credential gone, it posts a resolution comment on the work item and closes it. Deleting the credential is closing the ticket.
  4. Kept honest. If someone closes the work item while the credential still exists and is still expiring, Token Watch posts a one-time comment recommending the credential be deleted in Entra once the rotation is verified. Closed tickets shouldn't hide live risk — this is the difference between inbox-zero and actually rotated.
The integration never touches work items it didn't create. If you delete one of its work items in Azure DevOps, that's respected — it won't be recreated.

How access works — no tokens, no stored secrets

Token Watch doesn't ask for a personal access token, and there is no secret to paste or rotate on our side. It signs in to Azure DevOps as the Token Watch enterprise application that already exists in your Microsoft Entra tenant from the admin consent you granted at sign-up — the same identity it uses to read your app registrations.

You grant it access the same way you'd add any teammate: add it as a user of your Azure DevOps organization and give it access to one project. You can see it, scope it, and revoke it at any time from Azure DevOps — entirely on your side. Connecting and disconnecting the integration is recorded in the Token Watch audit log.

Prerequisites

  • A Token Watch account on the Team plan, signed in as a user with monitoring management access.
  • An Azure DevOps organization connected to the same Microsoft Entra tenant you use with Token Watch.
  • Permission to add users to that Azure DevOps organization (or an admin who can do it for you).
  • The Azure DevOps project where the work items should live.

Setup takes about five minutes, and nothing is saved until the final step succeeds — you can abandon the wizard at any point with no residue.

Step-by-step setup

  1. In Token Watch, go to Monitoring and press Connect on the Azure DevOps row.
  2. Paste the URL of the target project, e.g. https://dev.azure.com/myorg/MyProject. Token Watch reads the organization and project out of the URL and confirms what it parsed.
  3. Grant access in Azure DevOps — the only step on the Azure DevOps side. In your organization's Users settings (the wizard links you straight there):
    • Choose Add users and search for Token Watch — the enterprise application from your Entra tenant appears like a regular user.
    • Give it at least Basic access.
    • Add it to the target project's Contributors group.
  4. Back in the wizard, press Test connection. Token Watch verifies it can reach the project and loads the project's work item types.
  5. Choose how work items look:
    • Work item type — pick from the project's own types (Issue, Task, Bug, User Story…).
    • Tags — optional, comma-separated, up to 10; handy for board filters and queries (e.g. token-watch, security).
    • Assignee — optional email of an organization member, validated live; leave empty for unassigned work items.
  6. Press Create a test work item. Token Watch creates one real work item using exactly the settings you chose — so a mistyped assignee or an unsuitable type surfaces right now, not silently at night. Only when this succeeds is the connection saved. The test item is safe to delete.
If the Token Watch application isn't findable in the Add users dialog, your Azure DevOps organization isn't connected to your Entra tenant. Connect it first: Azure DevOps → Organization settings → Microsoft Entra.

What happens next

  • First real work items appear overnight. The sync runs nightly, shortly after midnight UTC — connecting in the afternoon and seeing nothing until the next morning is expected.
  • You control when items appear. The expiring threshold on the Monitoring page — the same one that drives email and webhook reports — decides how many days before expiry a credential becomes a work item.
  • One item per credential. However long a credential stays expiring, it keeps its single work item until it's resolved.
  • The Azure DevOps settings page re-checks the connection every time you open it and flags it as Unreachable if the project can no longer be reached.

Managing the connection later

  • Change type, tags or assignee any time — applies to work items created from that night on; existing items are untouched.
  • Reconfigure to point at a different project. The current connection keeps working until the new setup is finalized. Items in the old project keep their history but are no longer updated; credentials that are still expiring get fresh work items in the new project.
  • Disconnect to stop the integration. Existing work items stay in Azure DevOps. If you reconnect later, only credentials that are still expiring get new work items.

Troubleshooting

  • Test connection fails: almost always the access step — Token Watch wasn't added to the organization, the access level is below Basic, it isn't in the project's Contributors group, or the organization is tied to a different Entra tenant.
  • Assignee not accepted: the email doesn't match a member of the Azure DevOps organization.
  • Settings page shows Unreachable: access was revoked or the project was removed — re-grant access or reconfigure.
  • No work items the first day: expected — the first sync runs the following night. Also check that the relevant credentials are tracked and within your expiring threshold.

Where it fits

The integration is a delivery channel alongside Token Watch's email reports and webhooks — use any combination. Keep Slack or Teams for visibility, and let the board carry the ownership. It's available on the Team plan.

FAQ

Not on its own — Azure DevOps has no view into Microsoft Entra credential expiry. Token Watch bridges the two: it monitors your App Registrations and creates a work item in your Azure DevOps project for each expiring or expired credential.

No. Token Watch signs in as its enterprise application in your Entra tenant — the identity you already consented to. You add it to your Azure DevOps organization like a regular user and can scope or revoke its access at any time. There is no token to create, store, or rotate.

No — exactly one work item per credential. However long the credential stays expiring, it keeps its single work item until the credential is deleted in Entra, at which point Token Watch closes the item automatically.

Token Watch posts a one-time comment on the closed item recommending the old credential be deleted in Entra once the rotation is verified. It never reopens or edits your items beyond that — but it won't let a closed ticket silently hide a live risk.

Any regular type your project defines — Issue, Task, Bug, User Story, and so on. The wizard loads the list from your project; special-purpose types like Test Case aren't offered. You can also add up to 10 tags and an assignee.

Never — and it can't. Microsoft Graph does not return secret values or certificate private keys, so work items carry only metadata: credential names, expiry dates, status, and a deep link to the app's Certificates & secrets blade in the Azure portal.

Back to all guides

Top