diff --git a/baton/azure-devops.mdx b/baton/azure-devops.mdx
index 77f9af1..06ec39d 100644
--- a/baton/azure-devops.mdx
+++ b/baton/azure-devops.mdx
@@ -58,11 +58,18 @@ You can authenticate the Azure DevOps connector by registering a web app and sig
   Finally, click **API permissions** and select **Azure DevOps**.
   </Step>
   <Step>
-  Give the app the following permissions:
-    - user\_impersonation (Azure DevOps only allows delegated permissions)
+  Give the app the following permissions based on your needs:
+
+    **For sync-only (read) access:**
+    - user\_impersonation (required - Azure DevOps only allows delegated permissions)
+    - vso.profile
+    - vso.graph
+
+    **For full provisioning (read/write) access:**
+    - user\_impersonation (required - Azure DevOps only allows delegated permissions)
+    - vso.profile
     - vso.graph\_manage
     - vso.memberentitlementmanagement\_write
-    - vso.profile
   </Step>
   <Step>
   Click **Add permissions**.