MicrosoftDocs
diff --git a/‎articles/sre-agent/ado-connector.md‎
Lines changed: 117 additions & 0 deletions b/‎articles/sre-agent/ado-connector.md‎
Lines changed: 117 additions & 0 deletions
diff --git a/‎articles/sre-agent/agent-hooks.md‎
Lines changed: 40 additions & 32 deletions b/‎articles/sre-agent/agent-hooks.md‎
Lines changed: 40 additions & 32 deletions
@@ -0,0 +1,117 @@
+---
+title: Azure DevOps connector in Azure SRE Agent
+description: Connect Azure DevOps for source code analysis, work item management, and wiki knowledge with OAuth or managed identity authentication.
+ms.topic: conceptual
+ms.service: azure-sre-agent
+ms.date: 03/16/2026
+author: craigshoemaker
+ms.author: cshoe
+ms.ai-usage: ai-assisted
+#customer intent: As an SRE, I want to understand Azure DevOps connector capabilities so that I can decide which connector type and authentication method to use for my team's needs.
+---
+
+# Azure DevOps connector in Azure SRE Agent
+
+Connect Azure DevOps so your agent can search your code, create work items, and index your wiki as a knowledge source.
+
+> [!TIP]
+> **Quick overview**
+>
+> - Two connector types: **Azure DevOps OAuth** for live code and work items, **Documentation connector** for wiki knowledge.
+> - OAuth supports **User account** (Microsoft Entra ID) and **Managed identity** authentication.
+> - A single connector covers your entire Azure DevOps organization, including all projects and repos.
+> - Wiki content is indexed for semantic search and autosyncs every 24 hours.
+
+## Two connector types
+
+Azure DevOps has two connector types because they serve different purposes.
+
+| Connector | What it does | Auth options |
+|---|---|---|
+| **Azure DevOps OAuth** | Live source code access, work items, pipelines, semantic code search | User account (OAuth) or Managed identity |
+| **Documentation connector** | Indexes wiki pages and docs into a searchable knowledge base | Managed identity or PAT |
+
+You can use both together. Use the OAuth connector for live code investigations and the documentation connector for wiki-based knowledge.
+
+## Azure DevOps OAuth connector
+
+The OAuth connector gives your agent live access to source code, work items, and pipelines across your entire Azure DevOps organization.
+
+### Authentication types
+
+Choose the authentication method that fits your team's needs.
+
+| Method | How it works | Best for |
+|---|---|---|
+| **User account** | Sign in with your Microsoft Entra ID account. The agent accesses Azure DevOps through your permissions. Tokens refresh automatically. | The interactive setup is recommended for most users |
+| **Managed identity** | Use the agent's managed identity to authenticate. Supports Federated Identity Credentials (FIC) for cross-tenant access. | Automated setup, service accounts, cross-tenant access |
+
+> [!TIP]
+> **OAuth tokens refresh automatically**
+>
+> Azure DevOps OAuth tokens expire after approximately one hour, but your agent refreshes them automatically before expiration using a 5-minute buffer. Each refresh generates a new refresh token, creating a self-sustaining renewal chain. Your connector stays connected through multihour investigations with no manual reauthentication required.
+>
+> **When you need to reauthenticate:** if the refresh token expires (lifetime varies by Microsoft Entra ID policy), if an admin revokes the app authorization, or if you set up your connector before version 26.2.247.0 (one reauthentication enables autorefresh going forward).
+
+### What the agent can do
+
+The OAuth connector gives your agent the following capabilities.
+
+**Source code analysis:**
+
+- Search code across all repos in your organization by using the Azure DevOps Search API.
+- Read file contents by path and branch.
+- Correlate Azure resource errors with source code locations (with confidence scoring).
+- Perform semantic code searches to find code related to an incident by using natural language.
+
+**Work item management:**
+
+- Create work items (Task, Bug, Epic, Feature) with area path, iteration, priority, and severity.
+- Link work items to Azure resources for traceability.
+
+**Repository mapping:**
+
+- Find and link Azure Repos to Azure resources.
+- Identify infrastructure-as-code files (Bicep, Terraform, ARM templates) in linked repos.
+
+## Documentation connector (wiki knowledge)
+
+Index your Azure DevOps wiki pages so your agent can search them during investigations. When your agent encounters an issue, it searches your indexed wiki for relevant troubleshooting guides, architecture docs, and runbooks.
+
+### How it works
+
+The documentation connector processes your wiki content through the following steps:
+
+1. **Crawls** all pages from your specified Azure DevOps wiki URL (or a specific subsection).
+1. **Chunks and embeds** document content into a vector search index.
+1. **Semantic search** - during investigations, your agent finds relevant passages and cites the original wiki page.
+1. **Auto-syncs every 24 hours** to pick up wiki updates.
+
+### Supported content
+
+The documentation connector supports the following content types:
+
+- Wiki pages (Azure DevOps Wiki format)
+- Git repository files including 15 supported formats: `.md`, `.txt`, `.rst`, `.adoc`, `.asciidoc`, `.wiki`, `.textile`, `.org`, `.htm`, `.html`, `.json`, `.yaml`, `.yml`, `.xml`, `.csv`
+- Scoped indexing that points to a subpage to index only a specific section of your wiki
+
+## Get started
+
+Use the following resources to set up your Azure DevOps connector.
+
+| Resource | What you learn |
+|---|---|
+| [Connect source code](connect-source-code.md) | Step-by-step guide for connecting GitHub and Azure DevOps repositories |
+| [Set up an Azure DevOps connector](azure-devops-connector.md) | Detailed Azure DevOps connector tutorial |
+
+## Next step
+
+> [!div class="nextstepaction"]
+> [Set up an Azure DevOps connector](azure-devops-connector.md)
+
+## Related content
+
+- [Root cause analysis](root-cause-analysis.md): How source code context improves investigation accuracy.
+- [Memory and knowledge](memory.md): How indexed knowledge integrates with your agent's persistent memory.
+- [Upload knowledge documents](upload-knowledge-document.md): Upload documents directly instead of connecting a wiki.
+- [Connectors](connectors.md): Overview of all connector types.
@@ -3,7 +3,7 @@ title: Agent Hooks in Azure SRE Agent
 description: Intercept and control agent behavior with custom scripts or LLM-based validation that runs before or after specific agent actions.
 ms.topic: concept-article
 ms.service: azure-sre-agent
-ms.date: 03/09/2026
+ms.date: 03/18/2026
 author: craigshoemaker
 ms.author: cshoe
 ms.ai-usage: ai-assisted
@@ -13,7 +13,7 @@ ms.custom: hooks, agent hooks, stop hook, post tool use, validation, audit, poli
 
 # Agent hooks in Azure SRE Agent
 
-Hooks are custom checkpoints that intercept and control agent behavior at key moments. Use hooks to enforce quality gates on agent responses, audit and control tool usage, block dangerous operations with policy enforcement, and prevent early task completion by validating agent output.
+Hooks are custom checkpoints that intercept and control agent behavior at key moments. Use hooks to enforce quality gates on agent responses, audit and control tool usage, block dangerous operations by enforcing policies, and prevent early task completion by validating agent output.
 
 <!-- > [!VIDEO https://www.youtube.com/embed/VIDEO_ID]
 >
@@ -44,7 +44,18 @@ Two hook events are currently supported:
 | Event | Triggers when | What you can do |
 |---|---|---|
 | **Stop** | Agent is about to return a final response | Validate completeness, reject and force the agent to continue |
-| **PostToolUse** | A tool finishes executing successfully | Audit usage, block results, inject additional context |
+| **PostToolUse** | A tool finishes executing successfully | Audit usage, block results, inject extra context |
+
+### Two levels of hooks
+
+Hooks operate at two levels:
+
+| Level | Where to configure | Scope |
+|-------|--------------------|-------|
+| **Agent level** | **Builder → Hooks** in the portal | Applies to the entire agent including all threads and all custom agents |
+| **Custom agent level** | **Agent Canvas → Custom agent → Manage Hooks**, or via the REST API v2 | Applies only when that specific custom agent runs |
+
+Both levels can coexist. If an agent-level hook and a custom-agent-level hook both match the same event, **both run**. The agent-level hooks fire first.
 
 ### Execution types
 
@@ -55,11 +66,11 @@ You can implement hooks by using either an LLM or a shell script:
 | **Prompt** | An LLM evaluates your prompt and returns a JSON decision | Nuanced validation ("Is this response complete?") |
 | **Command** | A bash or Python script runs in a sandboxed environment | Deterministic checks, policy enforcement, auditing |
 
-**Prompt hooks** are powerful for subjective evaluation, such as checking if a response addresses all user concerns or verifying that an investigation was thorough enough. They use the `$ARGUMENTS` placeholder to receive the full hook context. If `$ARGUMENTS` isn't present in the prompt, the context is appended automatically. Prompt hooks also receive `ReadFile` and `GrepSearch` tools when a conversation transcript is available, which lets the LLM reason about the full conversation history.
+**Prompt hooks** are powerful for subjective evaluation, such as checking if a response addresses all user concerns or verifying that an investigation was thorough enough. They use the `$ARGUMENTS` placeholder to receive the full hook context. If `$ARGUMENTS` isn't present in the prompt, the context is appended automatically. When a conversation transcript is available, prompt hooks also receive `ReadFile` and `GrepSearch` tools, which let the LLM reason about the full conversation history.
 
 **Command hooks** are better for deterministic checks, such as validating that a response contains required markers, blocking dangerous commands, or logging tool usage to an external system.
 
-## What makes this different
+## What makes this approach different
 
 The following table compares agent behavior with and without hooks.
 
@@ -83,21 +94,15 @@ Hooks don't replace run mode safety controls - they complement them. Run modes c
 
 ## Configure hooks
 
-Hooks require the **v2 YAML format** (`api_version: azuresre.ai/v2`, `kind: ExtendedAgent`). Define hooks under `spec.hooks` in the agent configuration.
+The easiest way to create hooks is through the portal UI:
 
-> [!WARNING]
-> The portal's Subagent builder YAML tab displays agent configuration in **v1 format only**. It doesn't show or support editing hooks. To configure hooks, use the **REST API v2** endpoint:
->
-> ```
-> PUT /api/v2/extendedAgent/agents/{agentName}
-> Content-Type: application/json
-> ```
->
-> Hooks configured through the API are active even though they don't appear in the portal YAML view. You can verify hooks are working by testing the agent in the portal's **Test playground**.
->
-> :::image type="content" source="media/agent-hooks/hooks-portal-v1-limitation.png" alt-text="Screenshot of the portal YAML tab showing v1 format without hooks." lightbox="media/agent-hooks/hooks-portal-v1-limitation.png":::
+1. **Agent-level hooks:** Go to **Builder** → **Hooks** → select **Create hook**.
+2. **Custom-agent-level hooks:** Go to **Agent Canvas** → select a custom agent → **Manage Hooks**.
+
+> [!TIP]
+> You can also configure hooks through **REST API v2** by using `PUT /api/v2/extendedAgent/agents/{agentName}`. The YAML format in the following section shows the full configuration schema. To learn more, see the [API tutorial](tutorial-agent-hooks.md).
 >
-> The portal YAML tab displays v1 format. Hooks aren't visible here but are active on the server.
+> The **Agent Canvas YAML** tab displays v1 format and doesn't show hooks. Use the **Hooks** page under **Builder** to view and manage hooks.
 
 The following example shows a complete hook configuration:
 
@@ -168,7 +173,7 @@ Command hooks can also use exit codes instead of JSON output:
 |---|---|
 | `0` with no output | Allow (no objection) |
 | `0` with JSON | Parse JSON for decision |
-| `2` | Always block — stderr becomes the reason |
+| `2` | Always block. stderr becomes the reason |
 | Other | Uses `failMode` setting (`allow` or `block`) |
 
 > [!CAUTION]
@@ -252,7 +257,7 @@ The following limits apply to agent hooks.
 
 ## Example: Audit all tool usage
 
-The following PostToolUse hook logs every tool call and injects an audit context message:
+The following PostToolUse hook logs every tool call and adds an audit context message:
 
 ```yaml
 hooks:
@@ -279,7 +284,7 @@ hooks:
         print(json.dumps(output))
 ```
 
-The `additionalContext` field is injected as a user message into the conversation, giving the agent visibility into the audit trail.
+The `additionalContext` field is added as a user message into the conversation, giving the agent visibility into the audit trail.
 
 ## Example: Require a completion marker
 
@@ -308,25 +313,28 @@ hooks:
 
 Follow these guidelines when you configure agent hooks:
 
-1. **Always provide a reason when rejecting** — Rejections without reasons are treated as approvals.
-1. **Use appropriate timeouts** — Long-running hooks slow down agent execution.
-1. **Handle errors gracefully** — Use `failMode: allow` unless strict enforcement is required.
-1. **Be specific with matchers** — Overly broad PostToolUse matchers can cause performance problems.
-1. **Test hooks thoroughly** — Hooks that always reject can cause loops (mitigated by `maxRejections`).
-1. **Log to stderr** — Use stderr for debugging output. Stdout is parsed as the hook result.
+1. **Always provide a reason when rejecting**.  Treat rejections without reasons as approvals.
+1. **Use appropriate timeouts**: Long-running hooks slow down agent execution.
+1. **Handle errors gracefully**: Use `failMode: allow` unless strict enforcement is required.
+1. **Be specific with matchers**: Overly broad PostToolUse matchers can cause performance problems.
+1. **Test hooks thoroughly**: Hooks that always reject can cause loops (mitigated by `maxRejections`).
+1. **Log to stderr**: Use stderr for debugging output. The system parses stdout as the hook result.
 
 ## Try it yourself
 
 The following screenshot shows a Stop hook in action. The agent initially responds with just "4", but the hook rejects the response because the completion marker is missing. The agent then continues and adds the marker.
 
 :::image type="content" source="media/agent-hooks/hooks-stop-hook-working.png" alt-text="Screenshot showing a Stop hook in action where the agent response is decorated with a completion marker after hook rejection." lightbox="media/agent-hooks/hooks-stop-hook-working.png":::
 
-## Next step
+## Get started
 
-> [!div class="nextstepaction"]
-> [Tutorial: Configure agent hooks](./tutorial-agent-hooks.md)
+| Resource | What you'll learn |
+|----------|-------------------|
+| [Configure agent hooks (API)](tutorial-agent-hooks.md) | Set up hooks by using REST API v2 and YAML |
 
 ## Related content
 
-- [Run modes](./run-modes.md)
-- [Python code execution](python-code-execution.md)
+| Capability | How it relates |
+|------------|----------------|
+| [Run modes](run-modes.md) | Hooks complement run mode safety controls. Modes control *what* runs, hooks control *how well* it runs. |
+| [Python tools](python-code-execution.md) | Create custom tools that hooks can audit and validate. |