After Installing the Connector you can connect and create a Data Source for data in Azure DevOps.

Setting Up a Data Source

Complete the following steps to connect to the data:

1. Under Connect | To a Server, click More....
2. Select the data source called Azure DevOps by CData.
3. Enter the information required for the connection.
4. Click Sign In.
5. If necessary, select a Database and Schema to discover what tables and views are available.

Using the Connection Builder

The connector makes the most common connection properties available directly in Tableau. However, it can be difficult to use if you need to use more advanced settings or need to troubleshoot connection issues. The connector includes a separate connection builder that allows you to create and test connections outside of Tableau.

There are two ways to access the connection builder:

• On Windows, use a shortcut called Connection Builder in the Start menu, under the CData Tableau Connector for Azure DevOps folder.
• You can also start the connection builder by going to the driver install directory and running the .jar file in the lib directory.

In the connection builder, you can set values for connection properties and click Test Connection to validate that they work. You can also use the Copy to Clipboard button to save the connection string. This connection string can be given to the Connection String option included in the connector connection window in Tableau.

Connecting to Azure DevOps

To connect to your Azure DevOps account, navigate to Profile > Organizations to obtain the name of your organization in the account. Set the Organization property to this value.

Note: Some table names exist in multiple catalogs and schemas. When querying a table, you should specify the catalog and schema in either the Catalog and Schema connection properties or the fully qualified table name.

Authenticating to Azure DevOps

Azure DevOps supports both Basic and Azure AD (OAuth-based) authentication.

Basic

When you connect to your Azure DevOps via Basic authentication, you provide both the Organization and a PersonalAccessToken.

To generate a personal access token, log in to your Azure DevOps Organization account and navigate to Profile > Personal Access Tokens > New Token. The generated token will be displayed.

Entra ID (Azure AD)

Note: Microsoft has rebranded Azure AD as Entra ID. In topics that require the user to interact with the Entra ID Admin site, we use the same names Microsoft does. However, there are still CData connection properties whose names or values reference "Azure AD".

Microsoft Entra ID is a multi-tenant, cloud-based identity and access management platform. It supports OAuth-based authentication flows that enable the driver to access Azure DevOps endpoints securely.

Authentication to Entra ID via a web application always requires that you first create and register a custom OAuth application, unless you connect via Tableau. This enables your application to define its own redirect URI, manage credential scope, and comply with organization-specific security policies.

For full instructions on how to create and register a custom OAuth application, see Creating an Entra ID (Azure AD) Application. For details about connecting via Tableau, see Tableau Integrated Azure, below.

After setting AuthScheme to AzureAD, the steps to authenticate vary, depending on the environment. For details on how to connect from desktop applications, web-based workflows, or headless systems, see the following sections.

Desktop Applications

You can authenticate from a desktop application using either the driver's embedded OAuth application or a custom OAuth application registered in Microsoft Entra ID.

Option 1: Use the Embedded OAuth Application

This is a pre-registered application, included with the driver. It simplifies setup and eliminates the need to register your own credentials and is ideal for development environments, single-user tools, or any setup where quick and easy authentication is preferred.

Set the following connection properties:

• AuthScheme: AzureAD
• InitiateOAuth:
  • GETANDREFRESH – Use for the initial login. Launches the login page and saves tokens.
  • REFRESH – Use this setting when you have already obtained valid access and refresh tokens. Reuses stored tokens without prompting the user again.

When you connect, the driver opens the Microsoft Entra sign-in page in your default browser. After signing in and granting access, the driver retrieves the access and refresh tokens and saves them to the path specified by OAuthSettingsLocation.

Option 2: Use a Custom OAuth Application

If your organization requires more control, such as managing security policies, redirect URIs, or application branding, you can instead register a custom OAuth application in Microsoft Entra ID and provide its values during connection.

During registration, record the following values:

• OAuthClientId: The client Id that was generated when you registered your custom OAuth application.
• OAuthClientSecret: The client secret that was that was generated when you registered your custom OAuth application.
• CallbackURL: A redirect URI you defined during application registration.

For full instructions on how to register a custom OAuth application and configure redirect URIs, see Creating an Entra ID (Azure AD) Application.

Set the following connection properties:

• AuthScheme: AzureAD
• InitiateOAuth:
  • GETANDREFRESH – Use for the initial login. Launches the login page and saves tokens.
  • REFRESH – Use this setting when you have already obtained valid access and refresh tokens. Reuses stored tokens without prompting the user again.
• OAuthClientId: The client Id that was generated when you registered your custom OAuth application.
• OAuthClientSecret: The client secret that was generated when you registered your custom OAuth application.
• CallbackURL: A redirect URI you defined during application registration.

After authentication, tokens are saved to OAuthSettingsLocation. These values persist across sessions and are used to automatically refresh the access token when it expires, so you don't need to log in again on future connections.

Headless Machines

Headless environments like CI/CD pipelines, background services, or server-based integrations do not have an interactive browser. To authenticate using AzureAD, you must complete the OAuth flow on a separate device with a browser and transfer the authentication result to the headless system.

Setup option:

• Transfer an OAuth settings file
  • Authenticate on another device, then copy the stored token file to the headless environment.

Transferring OAuth Settings

1. On a device with a browser:
   • Connect using the instructions in the Desktop Applications section.
   • After connecting, tokens are saved to the file path in OAuthSettingsLocation. The default filename is OAuthSettings.txt.

2. On the headless machine:
   • Copy the OAuth settings file to the machine.
   • Set the following properties:
     • AuthScheme: AzureAD
     • InitiateOAuth: REFRESH
     • OAuthSettingsLocation: Make sure this location grants read and write permissions to the driver to enable the automatic refreshing of the access token.
     • For custom applications:
       • OAuthClientId: The client Id that was generated when you registered your custom OAuth application.
       • OAuthClientSecret: The client secret that was generated when you registered your custom OAuth application.

After setup, the driver uses the stored tokens to refresh the access token automatically, no browser or manual login is required.

Tableau Integrated Azure AD

Tableau Integrated Azure AD enables users to log in to protected resources via Proof Key for Code Exchange (PKCE). PKCE is an extension to the auth code flow that is designed to prevent cross-site request forgery and authorization code injection attacks.

It is not necessary to create a custom OAuth application to log in via Tableau Integrated Azure. Instead:

1. Log in to the Tableau Server console.
2. At the list of Installed Connections, click Azure DevOps by CData.
3. In the General tab, to go the AuthScheme field and select Tableau Integrated AzureAD.
4. Enter the OAuth Instance URL.

   The OAuth instance URL can be entered either in the format:
   https://login.microsoft.online.com/common, where common indicates the tenant environment, or
   https://login.microsoftonline.us/common, where login.microsoftonline.us is the Azure environment.

Logging in via Tableau Integrated Azure AD provides a Tableau login screen, which creates a similar experience to the more typical OAuth experience.

Next Step

See Using the Connector to create data visualizations.