Azure DevOps Model Context Protocol (MCP) Server
Tool Overview
The Azure DevOps MCP Server (microsoft/azure-devops-mcp) is a tool developed by Microsoft, currently in Public Preview. It acts as a secure, “local-first” bridge between Artificial Intelligence (AI) agents—such as GitHub Copilot or Claude Desktop—and the Azure DevOps (ADO) environment.
The tool uses the Model Context Protocol (MCP), an open standard that allows AI models to access real-time context from external tools. In a government context, this helps close the “context gap,” enabling AI to see specific work items, source code, and pipelines rather than relying solely on pre-trained data.
Architectural Mechanics
The server operates on a Host-Client-Server topology. It runs as a local Node.js process on the user’s machine.
- The Host: The user’s IDE (e.g., VS Code).
- The Client: The AI model (e.g., GitHub Copilot).
- The Server: The MCP application itself.
Communication occurs via Standard Input/Output (stdio) using JSON-RPC. This means the server does not listen on an open network port, significantly reducing the local attack surface.
Privacy Settings
The tool is designed with a local-execution model.
- No External Data Sharing: The MCP Server does not transmit data to third-party telemetry services or external cloud storage.
- Local Boundary: All processing occurs within the user’s secure network and the authenticated Azure DevOps session.
- Domain Filtering: Administrators can restrict which “domains” (e.g., Work Items, Repositories, or Wikis) the AI can access via the server configuration file.
Key Risks & Threat Vectors
While the architecture is robust, the integration of “Agentic AI” introduces several specific risks:
- Indirect Prompt Injection (XPIA): A malicious actor could place hidden instructions inside a bug report or work item. If the AI reads this item, it might execute the hidden command (e.g., “delete this repository”).
- The “Confused Deputy” Problem: Because the server runs with the user’s full permissions, a malicious script on the same machine could potentially send commands to the MCP server to perform actions on the user’s behalf.
- Secret Leakage: The code_search tool is highly effective. If repositories contain hardcoded secrets, an AI agent could inadvertently surface these during a broad search.
- Automation Bias: Users may accept “hallucinated” requirements or code changes generated by the AI without sufficient scrutiny.
Terms of Use and Privacy Policy
The tool is governed by the Supplemental Terms of Use for Microsoft Azure Previews.
- “As-Is” Status: As a Public Preview feature, it is provided without a Service Level Agreement (SLA).
- Production Use: It is not recommended for unattended, critical production workflows until it reaches General Availability (GA).
- Responsibility: Security of the local endpoint remains the responsibility of the department (Shared Responsibility Model).
Data Management
Multi-Regional Processing
The MCP Server does not change where your data is stored. It respects the existing residency of the Azure DevOps tenant. If the department’s tenant is located in UK South, all API calls remain within that region.
Data in Transit
All communication between the local MCP Server and the Azure DevOps cloud endpoint is encrypted using HTTPS/TLS 1.2 or higher, adhering to NCSC Cloud Security Principles.
Data at Rest
The tool uses an in-memory LRU (Least Recently Used) cache to improve performance.
- Volatile Storage: Data is stored in the system’s RAM and is cleared when the process or IDE is closed.
- No Persistent Storage: There is no evidence of the tool writing sensitive work items or code snippets to the local disk.
Auditing
Currently, there is a technical blind spot regarding attribution:
- User Identity: All actions performed by the AI agent are logged in Azure DevOps under the human user’s identity.
- Lack of Differentiation: Standard logs do not easily distinguish between a manual change made by a human and an automated change made by the AI agent via the MCP server.
- Recommendation: Security teams should monitor for unusual volumes of activity originating from individual accounts.
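One way to act on the recommendation above is a volume check over exported Azure DevOps audit log entries, flagging any account whose action rate in a short sliding window exceeds a human-paced baseline. This is an added example, not code from the original assessment or from the microsoft/azure-devops-mcp project; the log entries are constructed here, and the field names ActorUPN, Timestamp and ActionId, the ActionId values, the window size and the threshold are all assumptions to be tuned against a department's real export.

```python
"""Burst detection over Azure DevOps audit log entries (newline-delimited JSON)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"


def _make_line(actor, ts, action):
    # Field names mirror the audit log export; values below are constructed.
    return json.dumps({"ActorUPN": actor, "Timestamp": ts.strftime(FMT), "ActionId": action})


BASE = datetime(2024, 5, 1, 9, 0, 0)
SAMPLE_LOG = "\n".join(
    # alice: 12 work-item edits in under two minutes (agent-like burst)
    [_make_line("alice@dept.example", BASE + timedelta(seconds=10 * i), "WorkItem.Update") for i in range(12)]
    # bob: 4 pushes spread across an hour (human pace)
    + [_make_line("bob@dept.example", BASE + timedelta(minutes=15 * i), "Git.PushRef") for i in range(4)]
)


def parse_entries(text):
    """Return a list of (actor, timestamp, action_id) tuples, one per log line."""
    entries = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        ts = datetime.strptime(rec["Timestamp"], FMT)
        entries.append((rec["ActorUPN"], ts, rec["ActionId"]))
    return entries


def burst_actors(entries, window=timedelta(minutes=5), threshold=10):
    """Map each actor to the peak number of actions inside any `window`,
    keeping only actors whose peak reaches `threshold`."""
    by_actor = defaultdict(list)
    for actor, ts, _ in entries:
        by_actor[actor].append(ts)
    flagged = {}
    for actor, times in by_actor.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[actor] = peak
    return flagged


if __name__ == "__main__":
    print(burst_actors(parse_entries(SAMPLE_LOG)))  # alice is flagged, bob is not
```

Because MCP-driven actions carry the human user's identity, a flagged account is a prompt to ask the user whether an agent was running, not proof of compromise.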
Access Controls
The tool enforces the identity of the user running the process. It supports three primary authentication methods:
- Interactive (Recommended): Uses az login (Entra ID). Supports Multi-Factor Authentication (MFA) and Conditional Access.
- Managed Identity: Recommended for cloud-hosted environments like Azure DevBox.
- Personal Access Tokens (PAT): Discouraged for government use as they are long-lived static secrets and often bypass MFA.
Compliance & Regulatory Considerations
- Data Classification: Suitable for data up to OFFICIAL. Use for OFFICIAL-SENSITIVE requires a Data Protection Impact Assessment (DPIA) due to LLM processing.
- NCSC Principles: Aligns with Principle 1 (Data in Transit) and Principle 11 (External Interface Protection).
- Cyber Essentials Plus: The tool is compliant provided the Node.js runtime and the @azure-devops/mcp package are kept patched via internal artifact feeds.
References
- Microsoft Azure DevOps MCP Server GitHub Repository (microsoft/azure-devops-mcp)
- Model Context Protocol (MCP) Specification
- NCSC Cloud Security Guidance
- GOV.UK Service Manual: Technology Code of Practice
- Microsoft Supplemental Terms of Use for Azure Previews