
To integrate Microsoft Defender for Cloud with Azure DevOps (AzDO1) so that secrets exposed in pipelines are detected, you must connect the two platforms using Microsoft's built-in integration flow. That flow lets Defender for Cloud scan repositories and pipelines for vulnerabilities and for sensitive data such as credentials committed to source or embedded in pipeline definitions.
Here is the correct configuration process:
Step 1: In Defender for Cloud – Add an environment In the Defender for Cloud portal, open Environment settings and add an environment that represents your Azure DevOps organization.
This step creates the connector between Defender for Cloud and the DevOps service, allowing it to discover and monitor repositories, build pipelines, and artifacts.
During this step you sign in and authorize your Azure DevOps organization (AzDO1) so that Defender for Cloud can read scan results from your pipelines; the account used must have sufficient rights in the organization for the authorization to succeed.
This setup enables Defender for DevOps (surfaced in the portal as DevOps security), a capability within Defender for Cloud, to report exposed secrets, insecure dependencies, and misconfigurations found in pipeline runs.
Step 2: In AzDO1 – Install an extension Next, within Azure DevOps (AzDO1), install the Microsoft Security DevOps extension from the Azure DevOps Marketplace (this is the scanner extension Defender for Cloud relies on).
This extension adds a pipeline task that runs Microsoft's scanning tools inside the Azure DevOps pipeline and enables scanning for:
Hardcoded secrets in source files and YAML pipeline definitions,
Vulnerability findings in open-source dependencies, and
Infrastructure-as-code misconfigurations (for example, ARM, Terraform).
Once the task is added to a pipeline and the organization is connected (Step 1), scan results flow to Defender for Cloud, and any detected secret exposure or security issue is surfaced in Defender for Cloud's "DevOps Security" dashboard. Installing the extension alone is not enough; the pipeline must actually run the task.
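The pipeline definition below is an added example, not code from the original page or from Microsoft. It shows the Step 2 extension in use: the task name MicrosoftSecurityDevOps@1 and its inputs (categories, break, publish, artifactName) are the ones the Microsoft Security DevOps extension provides; the trigger, agent pool, and artifact name are assumptions for illustration.

```yaml
# Added example: azure-pipelines.yml that runs the Microsoft Security DevOps task
# installed in Step 2. Trigger, pool, and artifact name are assumed values.
trigger:
  - main

pool:
  vmImage: ubuntu-latest

steps:
  - checkout: self

  # Run the scanner on the checked-out repository. 'categories' restricts the run
  # to secret detection plus infrastructure-as-code checks; omit it to run every
  # category (secrets, code, artifacts, IaC, containers).
  - task: MicrosoftSecurityDevOps@1
    displayName: 'Microsoft Security DevOps - secrets and IaC scan'
    inputs:
      categories: 'secrets,IaC'
      # Fail the build when a finding meets the policy's break severity, so a
      # leaked credential stops the pipeline before any artifact is produced.
      break: true
      # Publish the SARIF results as a build artifact. Once the Step 1
      # connector exists, Defender for Cloud reads these results for AzDO1 and
      # shows them on the DevOps Security dashboard.
      publish: true
      artifactName: 'CodeAnalysisLogs'
```

Setting break to true is the practical check for this scenario: a pipeline that only reports findings still lets a committed secret ship, whereas a failing build forces the credential to be removed and rotated before the run can succeed.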
Why Other Options Are Incorrect:
Configure workflow automation: Applies to automated responses to alerts and recommendations, not to onboarding a DevOps organization.
Enable a plan: Refers to enabling Defender plans for specific Azure resource types, not connecting Azure DevOps.
Configure OAuth / Configure security policies: Relevant for custom integration scenarios, but not separate steps in the standard Defender–DevOps onboarding flow.
✅ Final Correct Answer:
In Defender for Cloud, add an environment for the Azure DevOps organization (AzDO1); in AzDO1, install the Microsoft Security DevOps extension from the Marketplace and run its task in the pipelines to be scanned.