If you use build service identities like Project Collection Build Service to call Advanced Security APIs, the Advanced Security permission changes in Sprint 269 broke that. We restricted API access for build identities as a security improvement but failed to provide an early notice for customers that relied upon this for various automations.
We’re rolling it back temporarily. The restriction will be re-enforced on May 15, 2026.
What you should do
Action is required. The recommended path is a service principal with Advanced Security: Read alerts permissions for your Advanced Security-enabled repositories. Scope it narrowly, and if the service principal isn’t committing code, it won’t consume an Advanced Security committer license.
Status checks in Sprint 272
We’re also shipping status checks soon, which give teams a native way to gate on security posture without API-driven alert mutations from pipeline identities.
April 15, 2026 update: the rollout of this feature has been delayed and will now be rolled out early to mid-May, ahead of the permission restriction date.
This won’t replace every automation scenario, though it enables pull request-time blocking on the presence of high and critical alerts.
Have feedback or hitting gaps moving to a service principal? Let us know.
Action required by April 15: move API automation to a service principal with Advanced Security: Read alerts or watch for status checks in Sprint 272.
Congrats on getting the PR status checks in! this will be a massive help in this area. Looks like it made it in early, though – sprint 271 (https://learn.microsoft.com/en-us/azure/devops/release-notes/2026/ghazdo/sprint-271-update). Would the stuff done there be enough for this issue or do we need to wait for the next one?
actually, nvm. There’s a note on the RN page saying that “These features will roll out over the next two to three weeks”, and at the moment the validation step just hangs and waits for hours so it looks like this isn’t fully connected yet. We’ve waited for over a year for this feature to come around, so what another 3 weeks? 🙂
Hi David! We unfortunately also needed to push the release of this back due to unexpected impact – apologies. We expect the new availability of built-in status checks to be around early to mid-May.
I’ve updated the timeline on this blog post to reflect this change.