Security and permissions
BranchDeploy is designed to make an existing Azure DevOps deployment workflow easier to trigger, not to bypass your existing controls. The free Azure DevOps extension workflow queues your configured Azure Pipeline as the current Azure DevOps user. If a user cannot queue the pipeline manually, BranchDeploy cannot queue it for them.
Summary
| Area | Free extension workflow | Pro cloud / Teams / MCP |
|---|---|---|
| Account required | No BranchDeploy account required | BranchDeploy account / licence required |
| Pipeline queueing | Current Azure DevOps user | Depends on configured Pro / Teams connection |
| Secrets | None for core workflow | Teams PAT encrypted at rest; MCP API keys generated per account |
| Audit log | Not included | 90-day deployment audit log |
| Environments | 1 | Unlimited |
| Projects | 1 | Unlimited |
Free extension workflow
The core BranchDeploy feature is a Visual Studio Marketplace extension that adds a deploy action to Azure Boards work items. This workflow:
- Requires no BranchDeploy account.
- Does not require a BranchDeploy-hosted backend to function.
- Queues your configured Azure Pipeline as the currently authenticated Azure DevOps user.
- Does not store credentials, tokens, or pipeline outputs.
- Reads Development links from the work item (linked Azure Repos branches and pull requests).
A project admin must configure BranchDeploy in Project Settings → BranchDeploy before any deployments can be queued. Unconfigured projects cannot deploy.
Pro cloud, Teams, and MCP features
Pro features extend BranchDeploy beyond the core extension and involve a BranchDeploy-hosted backend, account, and licence. Pro features include:
- Unlimited projects and environments.
- Multi-candidate branch picker.
- 90-day deployment audit log stored in the BranchDeploy backend.
- Microsoft Teams bot (requires a BranchDeploy account and Azure DevOps connection).
- AI assistant integration via MCP (requires a BranchDeploy account and generated API key).
Azure DevOps permissions
BranchDeploy does not grant, elevate, or bypass Azure DevOps permissions. It queues pipelines as the authenticated user in the context of the extension.
For a user to deploy with BranchDeploy, they need:
- Queue builds permission on the target pipeline.
- Access to the Azure DevOps project.
- A work item with a linked Azure Repos branch or pull request in the Development section.
Pipeline-level branch filters configured in your YAML or pipeline settings are respected when BranchDeploy queues a run. BranchDeploy cannot override those filters.
Pipeline queueing
BranchDeploy queues your configured Azure Pipeline by calling the Azure DevOps API on behalf of the current user. The pipeline run is created with the resolved branch as the source branch. BranchDeploy passes optional parameters (environment name, work item ID) with configurable parameter names.
BranchDeploy does not modify your pipeline definition, YAML, or repository. It only triggers a run of an existing pipeline.
Branch allowlists
BranchDeploy supports branch allowlists using glob patterns. Allowlists restrict which branches can be deployed to a given environment before the pipeline is queued.
If the resolved branch does not match the configured allowlist patterns, BranchDeploy blocks the deployment and shows an error — the pipeline is never called.
Example patterns:
feature/*
bugfix/*
hotfix/*
release/*
users/*/*
The free tier supports one branch allowlist for the single configured environment. Pro adds per-environment allowlists.
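As an added example (not BranchDeploy's own code), the pre-queue gate described in the Pipeline queueing and Branch allowlists sections above, in JavaScript: the resolved branch is checked against glob allowlist patterns, and only if it matches is an Azure DevOps Runs API request body built with that branch as the source ref. The glob semantics (`*` matches exactly one path segment) and the parameter names `environment` and `workItemId` are assumptions for the example.

```javascript
// Added example (not BranchDeploy's own code): allowlist gate followed by
// building the body for POST .../_apis/pipelines/{id}/runs. The pipeline is
// never called when the branch fails the allowlist check.
// Assumed glob semantics: "*" matches a single path segment (no "/").

// Convert one glob pattern (e.g. "users/*/*") into an anchored RegExp.
function globToRegExp(pattern) {
  const escaped = pattern
    .split("*")
    .map((s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"))
    .join("[^/]+");
  return new RegExp(`^${escaped}$`);
}

// Strip the "refs/heads/" prefix Azure DevOps uses for branch refs.
function shortBranchName(ref) {
  return ref.startsWith("refs/heads/") ? ref.slice("refs/heads/".length) : ref;
}

// True only if the branch matches at least one allowlist pattern.
function isBranchAllowed(branchRef, allowlist) {
  const name = shortBranchName(branchRef);
  return allowlist.some((p) => globToRegExp(p).test(name));
}

// Build the run request body: resolved branch as the source ref, plus the
// optional template parameters. Parameter names are configurable on the
// page; "environment" and "workItemId" are assumed defaults here.
function buildRunRequest(branchRef, environment, workItemId, names = {}) {
  const envName = names.environment || "environment";
  const wiName = names.workItemId || "workItemId";
  const refName = branchRef.startsWith("refs/") ? branchRef : `refs/heads/${branchRef}`;
  return {
    resources: { repositories: { self: { refName } } },
    templateParameters: { [envName]: environment, [wiName]: String(workItemId) },
  };
}

// Gate: throw (so nothing is queued) when the branch is not allowlisted.
function prepareDeploy(branchRef, environment, workItemId, allowlist) {
  if (!isBranchAllowed(branchRef, allowlist)) {
    throw new Error(`Branch ${shortBranchName(branchRef)} is not in the ${environment} allowlist`);
  }
  return buildRunRequest(branchRef, environment, workItemId);
}
```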
Confirmation step
Every deployment through BranchDeploy requires an explicit confirmation step. The user sees:
- The resolved Azure Repos branch or PR source branch.
- The target environment name.
- The work item title and ID.
There is no way to skip or auto-approve the confirmation step. The pipeline is only queued after the user clicks Deploy.
Data handling
Free extension workflow
The free extension reads work item data via the Azure DevOps extension SDK within the browser session. No work item data, branch names, or pipeline information is sent to a BranchDeploy-hosted backend during the core deploy action. The extension operates entirely within your Azure DevOps session.
Pro account and cloud features
When you create a BranchDeploy account to access Pro features, your account data (email address, Azure DevOps organisation name, billing status) is stored in the BranchDeploy backend. The deployment audit log stores a record of each queued pipeline run (work item ID, branch, environment, timestamp, and outcome) for 90 days.
Teams bot credentials
Pro Teams setup may require a personal access token (PAT) to connect BranchDeploy to your Azure DevOps organisation for bot-triggered deployments. PATs are encrypted at rest. You can revoke and replace a PAT from your account settings at any time.
MCP API keys
MCP API keys are generated in your BranchDeploy account and used to authenticate requests from AI assistants (Claude, Cursor, or any MCP-compatible client). Keys are hashed before storage. You can revoke an MCP key from your account at any time.
Audit log
BranchDeploy Pro stores a 90-day deployment audit log in the BranchDeploy backend. Each log entry records:
- The Azure DevOps organisation and project.
- The work item ID.
- The resolved branch.
- The target environment.
- The pipeline run ID returned by Azure DevOps.
- The timestamp of the deployment.
The free tier does not include an audit log.
Frequently asked questions
What permissions does a user need?
The user must have permission to queue the configured pipeline. BranchDeploy queues the pipeline as the current Azure DevOps user and cannot bypass permissions the user does not already have.
Does BranchDeploy bypass Azure DevOps permissions?
No. BranchDeploy queues your existing Azure Pipeline as the current Azure DevOps user and respects existing Azure DevOps permissions. If a user cannot queue the pipeline manually, BranchDeploy cannot queue it for them.
What happens if the pipeline blocks a branch?
Pipeline branch filters are respected by Azure Pipelines when the run is queued. BranchDeploy also supports branch allowlists that block deploys before the pipeline is called if the resolved branch does not match the expected pattern.
What data does the free workflow use?
The free extension workflow reads work item development links, queues the configured pipeline, and returns the run ID. No work item data is sent to a BranchDeploy backend for the core deploy action. No BranchDeploy account is required.
What changes in Pro?
Pro adds cloud features (audit log, Teams bot, MCP) that require a BranchDeploy account and backend. Deployment records are stored in the audit log. Teams bot and MCP use credentials stored by BranchDeploy (PAT encrypted at rest, MCP key hashed).
How are Teams credentials handled?
Pro Teams setup may require a personal access token (PAT) to connect BranchDeploy to your Azure DevOps organisation. PATs are encrypted at rest. You can revoke and replace a PAT from your account settings at any time.
How are MCP API keys handled?
MCP API keys are generated in your BranchDeploy account and used to authenticate AI assistant requests. Keys are hashed before storage. You can revoke an MCP key from your account at any time.
Can an admin restrict allowed branches?
Yes. BranchDeploy supports branch allowlists using glob patterns. The free tier allows one allowlist for the single configured environment. Pro adds per-environment allowlists.