Azure DevOps Reconnaissance
for Security Pros
Web-based, token-driven enumeration to uncover misconfigurations, secrets, and privilege escalation paths in Azure DevOps. Built for red teams, auditors, and defenders.
Start Recon
Join our Discord

Why AzDevRecon?

When to use
You have a Personal Access Token (PAT) or Azure DevOps Access Token, but no portal access. AzDevRecon lets you enumerate, audit, and extract data from Azure DevOps just like a red teamer directly from the web.
Why use it
AzDevRecon is built for offensive security professionals, red teamers, and penetration testers. It helps you uncover misconfigurations, exposed secrets, and privilege escalation paths by leveraging token-based authentication for deep reconnaissance and data extraction.
Token-Based Enumeration
Extract insights using Azure DevOps Access Tokens or PATs (including those with aud=499b84ac-1321-427f-aa17-267ca6975798, e.g., Managed Identity).
Project & Repository Discovery
Identify accessible projects and repositories, even without portal access. Map your attack surface fast.
Pipeline & Build Enumeration
Analyze Azure Pipelines and builds for security flaws, misconfigurations, and privilege escalation vectors.
User & Permission Analysis
Map users, roles, permissions, and escalation paths. Uncover hidden risks and excessive privileges.
Secrets & Credential Hunting
Detect hardcoded secrets, exposed tokens, and credentials across repos, pipelines, and variable groups.
Web-Based UI
No installs, no agents. Enumerate and audit Azure DevOps from any browser efficient, fast, and intuitive.

Getting an Azure DevOps Access Token

To use AzDevRecon, you need an Azure DevOps access token for the resource value 499b84ac-1321-427f-aa17-267ca6975798.
Here are several ways to get this token:
PowerShell (Get-AzAccessToken)
If you have the Azure PowerShell module installed and are logged in:
PS> Get-AzAccessToken -ResourceUrl "499b84ac-1321-427f-aa17-267ca6975798"
This command will return an access token you can use with AzDevRecon.
Azure CLI (az account get-access-token)
If you have the Azure CLI installed and are logged in:
$ az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798
This will output a JSON object containing the access token. Copy the accessToken value for use in AzDevRecon.
Managed Identity (Azure VM)
If you are running on an Azure VM with a managed identity assigned:
$ curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=499b84ac-1321-427f-aa17-267ca6975798' -H 'Metadata: true'
The response will include an access_token you can use with AzDevRecon.
Managed Identity (App Service / Function / Container)
If you are running in Azure App Service, Azure Functions, or a container with managed identity:
Note: IDENTITY_ENDPOINT and IDENTITY_HEADER are available as environment variables in your App Service, Function, or container environment.
Linux/Standard Metadata Endpoint:
curl "$IDENTITY_ENDPOINT?resource=499b84ac-1321-427f-aa17-267ca6975798&api-version=2019-08-01" -H "X-IDENTITY-HEADER: $IDENTITY_HEADER"
App Service/Windows (Environment Variables):
curl "%IDENTITY_ENDPOINT%?resource=499b84ac-1321-427f-aa17-267ca6975798&api-version=2019-08-01" -H X-IDENTITY-HEADER:%IDENTITY_HEADER% > token
The response will include an access_token you can use with AzDevRecon.
For App Service, use the IDENTITY_ENDPOINT and IDENTITY_HEADER environment variables provided by the platform.
Tip: Make sure you are authenticated to the correct Azure account and subscription before running these commands. For managed identities, ensure the identity has the right permissions in Azure DevOps.

Connect with Me

Let's connect for security research, DevOps, and more!

🚀 Early Release – Your Feedback Matters!

This is an early release of AzDevRecon, and I would love to hear your recommendations and feedback.
Let me know what features you’d like to see next, or how I can make this tool more useful for you.
Join my Discord community to chat, discuss ideas, and help shape the future of AzDevRecon!
Join our Discord