MicrosoftDocs
diff --git a/‎articles/sre-agent/azure-devops-connector.md‎
Lines changed: 59 additions & 37 deletions b/‎articles/sre-agent/azure-devops-connector.md‎
Lines changed: 59 additions & 37 deletions
diff --git a/‎articles/sre-agent/connectors.md‎
Lines changed: 18 additions & 18 deletions b/‎articles/sre-agent/connectors.md‎
Lines changed: 18 additions & 18 deletions
@@ -1,18 +1,18 @@
 ---
 title: "Tutorial: Set Up an Azure DevOps Connector in Azure SRE Agent"
-description: Connect your agent to Azure DevOps for repository access, work item management, and wiki documentation.
+description: Connect your agent to Azure DevOps for repository access, work item management, and wiki documentation using OAuth or PAT authentication.
 ms.topic: tutorial
 ms.service: azure-sre-agent
-ms.date: 03/09/2026
+ms.date: 03/18/2026
 author: craigshoemaker
 ms.author: cshoe
 ms.ai-usage: ai-assisted
-ms.custom: azure devops, connector, repositories, work items, setup, tutorial
+ms.custom: azure devops, connector, repositories, work items, setup, tutorial, oauth, pat
 #customer intent: As an SRE, I want to connect my agent to Azure DevOps so that it can access repositories, wikis, and documentation during investigations.
 ---
 
 # Tutorial: Set up an Azure DevOps connector in Azure SRE Agent
-In this tutorial, you connect your agent to Azure DevOps so it can access repositories, wikis, and documentation across your organization. When you finish this tutorial, your agent has authenticated access to an Azure DevOps organization and can read repositories, create work items, and correlate code changes with incidents.
+In this tutorial, you connect your agent to Azure DevOps so it can access repositories, wikis, and documentation during investigations. Choose OAuth for automatic token management or PAT for service account scenarios. When you finish this tutorial, your agent has authenticated access to an Azure DevOps organization and can read repositories, create work items, and correlate code changes with incidents.
 
 **Estimated time**: 5 minutes
 
@@ -49,7 +49,7 @@ The connectors list shows any existing connectors for your agent.
 Select the Azure DevOps OAuth connector type from the wizard.
 
 1. Select **Add connector** in the toolbar.
-1. In the **Add a connector** wizard, select **Azure DevOps OAuth connector**.
+1. In **Add a connector**, select **Azure DevOps OAuth connector**.
 1. Select **Next**.
 
 :::image type="content" source="media/azure-devops-connector/oauth-connector-picker-all.png" alt-text="Screenshot of the connector picker showing Azure DevOps OAuth connector option." lightbox="media/azure-devops-connector/oauth-connector-picker-all.png":::
@@ -91,34 +91,31 @@ The organization name must:
 
 Choose how your agent authenticates to Azure DevOps:
 
-| Method | When to use |
-|--------|-------------|
-| **User account** | Quick setup for individual users. Sign in with your Microsoft Entra ID account. |
-| **Managed identity** | Production agents that need persistent, unattended access. |
+| Method | Best for | Token lifecycle |
+|--------|----------|----------------|
+| **User account** | Quick setup with your Microsoft Entra ID identity | Auto refreshes with no manual renewal |
+| **Managed identity** | Unattended production agents | Managed by Azure. There is no expiration. |
 
 > [!TIP]
-> Use PAT authentication through the **Documentation connector** (Azure DevOps). For more information, see the [alternative PAT path](#alternative-set-up-with-pat-authentication) section later in this article, or [learn more about connectors](connectors.md).
+> OAuth uses your Microsoft Entra ID session so you never manage tokens manually. Tokens refresh automatically in the background. Choose PAT only when you need a service account connection or CI/CD pipeline integration. See the [alternative PAT path](#alternative-set-up-with-pat-authentication) section later in this article.
 
 ## Sign in with user account (OAuth)
 
 If you select **User account**, complete OAuth authentication by using your Microsoft Entra ID credentials.
 
 1. Select **Sign in to Azure DevOps**.
-1. Complete the Microsoft Entra ID authentication in the dialog.
+1. An **Authorize Azure DevOps** consent dialog appears, listing the permissions your agent needs:
+   - Read and write access to repositories and projects
+   - Act on behalf of the signed-in user
+1. Select **Authorize** to grant access.
 1. On success, you see **Connected to Azure DevOps** with a green checkmark.
 
-> [!WARNING]
-> If the authentication dialog doesn't appear, check that your browser isn't blocking popups from `sre.azure.com`.
-
-If authentication fails, a dialog shows **Authentication Failed** with details. Check that:
-
-- Your Microsoft Entra ID account has access to the specified organization.
-- Your account has the `vso.code` (Code.Read) scope.
+**Checkpoint:** The **Connected to Azure DevOps** card appears with a green checkmark. If you see an error instead, check that your Microsoft Entra ID account has access to the specified organization.
 
 > [!TIP]
-> Select **Sign in with different account** to re-authenticate by using a different Microsoft Entra ID identity.
+> Select **Sign in with different account** to reauthenticate by using a different Microsoft Entra ID identity.
 
-## Use Managed identity (alternative)
+## Use managed identity (alternative)
 
 If you select **Managed identity**, configure the identity your agent uses for unattended authentication.
 
@@ -140,7 +137,7 @@ Confirm the connector details and create the connector.
    - **Name**: your chosen name
    - **Organization**: your Azure DevOps organization
    - **Type**: Azure DevOps OAuth
-1. Select **Add** to create the connector.
+1. Select **Add connector** to create the connector.
 
 Your connector now appears in the connectors list with a **Connected** status indicator.
 
@@ -161,7 +158,7 @@ Show me recent commits in the payment-service repository.
 ```
 
 > [!NOTE]
-> If your agent returns repository information, your connector is working. If you see a "Token lacks Code.Read permission" error, re-authenticate and ensure your account has the `vso.code` scope.
+> If your agent returns repository information, your connector is working. If you see a "Token lacks `Code.Read` permission" error, reauthenticate and ensure your account has the `vso.code` scope.
 
 ## Alternative: Set up with PAT authentication
 
@@ -172,9 +169,9 @@ If your team uses Personal Access Tokens (PATs) instead of OAuth, use the **Docu
 1. Enter a **Name** and your **Azure DevOps URL** (repository or wiki URL).
 1. Under **Authentication method**, select **Personal Access Token (PAT)**.
 1. Enter your Azure DevOps PAT in the secure input field.
-1. Select **Next** to review, then select **Add**.
+1. Select **Next** to review, and then select **Add**.
 
-Your PAT is stored securely and can't be retrieved after saving. The connector tests connectivity before saving. If the PAT lacks the required `vso.code` scope, the connector creation fails with a clear error message.
+Your PAT is stored securely and you can't retrieve it after saving. The connector tests connectivity before saving. If the PAT lacks the required `vso.code` scope, the connector creation fails with a clear error message.
 
 The following URL formats are accepted:
 
@@ -183,31 +180,56 @@ The following URL formats are accepted:
 - Wiki URLs: `https://dev.azure.com/{org}/{project}/_wiki/wikis/{wiki}`
 
 > [!TIP]
-> Use PAT authentication when your organization already manages Azure DevOps PATs, when you need a service account connection without user-specific OAuth, or when integrating with CI/CD pipelines.
+> Use PAT authentication when your organization already manages Azure DevOps PATs, when you need a service account connection without user-specific OAuth, or when you're integrating with CI/CD pipelines.
 
-## Troubleshooting
+## Edit or remove a connector
 
-Use the following information to resolve common errors when setting up an Azure DevOps connector.
+You can modify or delete existing connectors from the connectors list.
 
-### "Azure DevOps access token not configured. Please authenticate."
+### Edit
 
-No OAuth token exists for this connector. Edit the connector and sign in again.
+1. In the connectors list, select the **⋮** (more actions) menu on the connector row.
+1. Select **Edit connector**.
+1. The edit dialog opens with your current settings. Modify the organization, reauthenticate, or change the managed identity.
+1. Select **Save**.
 
-### "Token lacks Code.Read permission"
+### Delete
 
-Your token doesn't have the `vso.code` scope required to access repositories. Sign in again by using an account that has Code.Read permissions in the organization.
+To remove a single connector:
 
-### "Organization not configured for this connector"
+1. Select **⋮** on the connector row, and then select **Delete connector**.
+1. Confirm the deletion.
 
-The organization name is missing from the connector configuration. Delete and re-create the connector with the correct organization name.
+To remove multiple connectors at once:
 
-### "A connector for this organization already exists"
+1. Select connectors by using the checkboxes in the grid.
+1. Select **Remove** in the toolbar.
+1. Confirm in the deletion dialog.
 
-You already have an Azure DevOps OAuth connector for this organization. Each organization can only have one connector. Edit the existing connector or delete it first.
+## Troubleshooting
 
-### "A connector with this name already exists"
+Use the following information to resolve common errors when setting up an Azure DevOps connector.
 
-Another connector (of any type) already uses this name. Choose a different name for your Azure DevOps connector.
+| Issue | Solution |
+|-------|----------|
+| "Authorize Azure DevOps" dialog doesn't appear | Refresh the page and try again. If your Microsoft Entra ID session expired, sign in again at the portal. |
+| "Invalid or expired token" | Your Microsoft Entra ID session expired. Refresh the portal page to get a new session, then try signing in again. |
+| "Azure DevOps access token not configured. Please authenticate." | No OAuth token exists for this connector. Edit the connector and sign in again. |
+| "Token lacks `Code.Read` permission" | Re-authenticate with an account that has `Code.Read` permissions in the organization. |
+| "Organization not configured for this connector" | Organization name is missing. Delete and re-create the connector with the correct organization name. |
+| "A connector for this organization already exists" | Each organization can only have one connector. Edit the existing one or delete it first. |
+| "A connector with this name already exists" | Another connector already uses this name. Choose a different name. |
+| Sign-in button is disabled | Enter your organization name first. The button enables once the **Organization** field is filled. |
+
+## Summary
+
+In this tutorial, you learned how to:
+
+- Add an Azure DevOps connector by using OAuth or managed identity authentication
+- Understand the difference between OAuth (autorefreshing) and PAT (manually managed) authentication
+- Verify that your agent can access your Azure DevOps repositories
+- Set up PAT authentication through the documentation connector
+- Set up multiple connectors for different organizations
 
 ## Next step
 
 
@@ -3,7 +3,7 @@ title: Connectors in Azure SRE Agent
 description: Extend your agent's capabilities to external data sources, collaboration tools, and custom APIs using connectors.
 ms.topic: conceptual
 ms.service: azure-sre-agent
-ms.date: 03/09/2026
+ms.date: 03/18/2026
 author: craigshoemaker
 ms.author: cshoe
 ms.ai-usage: ai-assisted
@@ -33,12 +33,12 @@ Even with no connectors configured, your agent has built-in capabilities through
 |---|---|
 | **Application Insights** | Query application telemetry, traces, and exceptions |
 | **Log Analytics** | Query Log Analytics workspaces |
-| **Azure Monitor metrics** | List and query metrics, analyze trends and anomalies |
+| **Azure Monitor metrics** | List and query metrics, analyze trends, and anomalies |
 | **Azure Resource Graph** | Discover and query any Azure resource across subscriptions |
 | **Azure Resource Manager / Azure CLI** | Read and modify any Azure resource type |
 | **AKS diagnostics** | Run kubectl commands, diagnose Kubernetes issues |
 
-Azure Resource Graph and ARM operations work with any Azure resource type, including App Services, Container Apps, VMs, networking, storage, and more. If your logs and metrics live in Azure Monitor and Application Insights, your agent can start investigating problems immediately with no connector setup required. Connectors become valuable when you need the agent to reach systems *outside* Azure.
+Azure Resource Graph and Azure Resource Manager operations work with any Azure resource type, including App Services, Container Apps, VMs, networking, storage, and more. If your logs and metrics live in Azure Monitor and Application Insights, your agent can start investigating problems immediately with no connector setup required. Connectors become valuable when you need the agent to reach systems *outside* Azure.
 
 ## What connectors provide
 
@@ -51,7 +51,7 @@ Query logs, metrics, and telemetry stored outside Azure Monitor.
 | Connector | What it provides |
 |---|---|
 | **Database query (Azure Data Explorer)** | Run predefined KQL queries against your Kusto clusters |
-| **Database indexing (Azure Data Explorer)** | Auto-learn your Kusto schema so the agent can generate queries dynamically |
+| **Database indexing (Azure Data Explorer)** | Autolearn your Kusto schema so the agent can generate queries dynamically |
 
 ### Source code and knowledge
 
@@ -79,7 +79,7 @@ Let your agent communicate findings through the channels your team already uses.
 
 By using MCP (Model Context Protocol), you can connect your agent to any system: on-premises databases, cross-cloud applications, proprietary APIs, or third-party platforms like Datadog, Splunk, Grafana, or Jira.
 
-Browse available servers at [Azure MCP Center](https://mcp.azure.com). When adding MCP tools to subagents, you can add all tools from a server at once by using the [wildcard pattern](#add-all-tools-from-an-mcp-server-wildcard).
+Browse available servers at [Azure MCP Center](https://mcp.azure.com). When you add MCP tools to custom agents, use the [wildcard pattern](#add-all-tools-from-an-mcp-server-wildcard) to add all tools from a server at once.
 
 ## MCP connector health monitoring
 
@@ -95,7 +95,7 @@ Your agent continuously monitors the health of every MCP server connection. Each
 | **Initializing** | Connection is being established | Yellow indicator |
 | **Not Available** | No running agent instance is available; status can't be determined | Gray question mark |
 
-Go to **Builder > Connectors** to see all your connectors with their current status.
+Go to **Builder** > **Connectors** to see all your connectors with their current status.
 
 :::image type="content" source="media/connectors/connectors-status-indicators.png" alt-text="Screenshot of connectors list showing status indicators for each MCP server connection.":::
 
@@ -114,9 +114,9 @@ Your agent doesn't just report broken connections. It recovers from them when po
 >
 > If an MCP server goes offline, the connector stays visible in your portal with its error status. It doesn't silently disappear. You can see exactly what went wrong and fix the configuration without re-creating the connector.
 
-### When auto-recovery can't help
+### When autorecovery can't help
 
-The following table describes scenarios where automatic recovery might not resolve the issue.
+The following table describes scenarios where automatic recovery can't resolve the issue.
 
 | Situation | What happens | What to do |
 |---|---|---|
@@ -144,13 +144,13 @@ For connectors that use the agent's **managed identity** (like Azure Data Explor
 
 Once configured, all agent users benefit from connectors automatically. They just ask the agent questions and it uses the available connectors behind the scenes.
 
-## Connectors and subagents
+## Connectors and custom agents
 
-You can assign specific MCP tools to specialized subagents. A database troubleshooting subagent might get Kusto tools, while a deployment subagent gets GitHub access. This approach keeps each subagent focused and prevents overwhelming it with too many tools.
+You can assign specific MCP tools to specialized custom agents. A database troubleshooting custom agent might get Kusto tools, while a deployment custom agent gets GitHub access. This approach keeps each custom agent focused and prevents overwhelming it with too many tools.
 
 ### Add MCP tools individually
 
-In the portal, go to **Builder > Subagent builder**, create or edit a subagent, and select **Choose tools** under Advanced settings. The tool picker displays tools grouped by MCP connection. Select the ones your subagent needs.
+In the portal, go to **Builder** > **Custom agent builder**, create or edit a custom agent, and select **Choose tools** under Advanced settings. The tool picker displays tools grouped by MCP connection. Select the ones your custom agent needs.
 
 In YAML, list each tool by its full name:
 
@@ -165,7 +165,7 @@ mcp_tools:
 
 **Applies to**: version 26.2.9.0 and later
 
-When an MCP server exposes many tools and your subagent needs all of them, use the wildcard pattern instead of listing each tool individually:
+When an MCP server exposes many tools and your custom agent needs all of them, use the wildcard pattern instead of listing each tool individually:
 
 ```yaml
 mcp_tools:
@@ -191,17 +191,17 @@ The following table compares individual tool selection and the wildcard approach
 
 | Approach | When to use |
 |---|---|
-| **Individual tools** | You want precise control over which tools a subagent can access |
+| **Individual tools** | You want precise control over which tools a custom agent can access |
 | **Wildcard (`connection-id/*`)** | You trust the MCP server and want all its tools, including any added later |
 | **Mixed** | You want all tools from one server, plus specific tools from another |
 
-**Why use the wildcard?** When an MCP server adds new tools, the wildcard picks them up automatically without reconfiguring your subagent. Individual tool selection gives you precise control. The wildcard gives you automatic coverage.
+**Why use the wildcard?** When an MCP server adds new tools, the wildcard picks them up automatically without reconfiguring your custom agent. Individual tool selection gives you precise control. The wildcard gives you automatic coverage.
 
 ### When MCP tools aren't ready yet
 
-If an MCP server isn't ready when your agent starts, the agent can't access tools from that server. Your agent handles this condition gracefully. The agent defers subagents with unresolved wildcards or missing tools and automatically loads them once the agent establishes the MCP connection. You don't need to take any manual action.
+If an MCP server isn't ready when your agent starts, your agent can't access tools from that server. Your agent handles this condition gracefully. It defers custom agents with unresolved wildcards or missing tools and automatically loads them once your agent establishes the MCP connection. You don't need to take any manual action.
 
-For more information, see [Subagents](sub-agents.md).
+For more information, see [Custom Agents](sub-agents.md).
 
 ## Next step
 
@@ -211,6 +211,6 @@ For more information, see [Subagents](sub-agents.md).
 ## Related content
 
 - [Incident platforms](incident-platforms.md): Learn how your agent receives and responds to incidents automatically.
-- [Connect source code](./connect-source-code.md): Set up GitHub or Azure DevOps connectors.
-- [Subagents](sub-agents.md): Create specialized agents with focused connector access.
+- [Connect source code](connect-source-code.md): Set up GitHub or Azure DevOps connectors.
+- [Custom Agents](sub-agents.md): Create specialized agents with focused connector access.
 - [Permissions](permissions.md): Configure Azure resource access for your agent.