From dee58c87125b190761119342b095a3f85e3e37ba Mon Sep 17 00:00:00 2001 From: plalleman Date: Wed, 4 Feb 2026 10:40:51 -0800 Subject: [PATCH] docs(azure-devops): Clarify OAuth permissions for sync vs provisioning Update Step 9 in OAuth setup to distinguish between sync-only and provisioning permission requirements, following principle of least privilege. Closes CXH-1082 Co-Authored-By: Claude Opus 4.5 --- baton/azure-devops.mdx | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/baton/azure-devops.mdx b/baton/azure-devops.mdx index 77f9af1..06ec39d 100644 --- a/baton/azure-devops.mdx +++ b/baton/azure-devops.mdx @@ -58,11 +58,18 @@ You can authenticate the Azure DevOps connector by registering a web app and sig Finally, click **API permissions** and select **Azure DevOps**. - Give the app the following permissions: - - user\_impersonation (Azure DevOps only allows delegated permissions) + Give the app the following permissions based on your needs: + + **For sync-only (read) access:** + - user\_impersonation (required - Azure DevOps only allows delegated permissions) + - vso.profile + - vso.graph + + **For full provisioning (read/write) access:** + - user\_impersonation (required - Azure DevOps only allows delegated permissions) + - vso.profile - vso.graph\_manage - vso.memberentitlementmanagement\_write - - vso.profile Click **Add permissions**.
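Review bot: In the new "For sync-only (read) access" list, user\_impersonation is still marked as required next to vso.profile and vso.graph, and the step does not say what the narrower scopes restrict once user\_impersonation is granted as well. Since the commit message cites least privilege, add a sentence stating what user\_impersonation covers and why both lists need it; the parenthetical "(required - Azure DevOps only allows delegated permissions)" explains the permission type, not the requirement. Also confirm whether sync reads member entitlements: vso.memberentitlementmanagement\_write appears only in the provisioning list and the sync-only list has no read counterpart, so if sync does read them, the step should name the scope it relies on.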