Team Foundation Server (TFS) setup

Tags: Flow

Below is a step-by-step guide on how to connect your TFS account to Flow. In order to make a successful connection please ensure you complete the following steps prior to Integrating with Flow.

  1. Allowlist Flow's static IP addresses on port 443 over HTTPS.
  2. Have an SSL certificate that uses a public certificate authority (CA)
  3. Have a public DNS record pointing to the IP address that is being exposed for Flow analysis.

Who can use this?



Important: We strongly recommend you use a service account to create this Integration. Please see How to create a service account for instructions and information about why service accounts are important.

Permission requirements

To use all integration services such as repos, pull requests, tickets and webhooks, two conditions must be met:

  1. First, please review the personal access token scopes outlined below. 

  2. Second, the service account needs to be a Project Collection Administrator at the organizational level. 

If webhooks are not needed, the single permission required to establish a connection and import repos is the View instance-level information permission at the user level. The service account will also need to be added to each project you wish to import into Flow. 

Webhook permissions: In order to enable webhooks, the service account needs to be a Project Collection Administrator and at least one repository needs to be imported from a project. 

Version Requirements

TFS version 2018 or higher

TFS configuration

  1. In order to connect your TFS account, you will need to first create a new integration. On your Flow home page, go to the top navigation bar and click Settings. Using the left navigation under Integrations, click Integrations.
  2. Select the Add Integration button in the top right hand corner of your integrations screen.

  3. On the following page select TFS from the Integration Provider list and click Next.

  4. On this page you will need to input the following information:

    • Email - Email associated with the service account.
    • Password - Password associated with the service account.
    • Personal Access Token (see below)
    • Base URL - https://{your_TFS_domain}/{yourorganization} 

Creating a personal access token

To create a personal access token in TFS follow the instructions below. 

  1. Locate Security under your gravatar menu.

  2. On the Personal access token page click Add.

  3. Fill in the following information for your new personal access token and click Create when finished.

    • Description
    • Expiration date
    • Scopes - Below find the minimum scopes required to connect your account.
      • Code (read)
      • Code (search)
      • Identity (read)
      • Project and team (read)
      • Service Endpoints (read and query)
      • User profile (read)
      • Work items search (read)
      • Work items (read)

Finishing Up

Now that you have created a personal access token you can complete your integration setup in Flow. 

  1. Copy your access token and paste it into the Flow Personal Access Token field. 

  2. Click Test connection.

  3. If the connection was successful you will see the following message:

    If the connection was not successful, please verify your credentials and access token and try again.
  4. Once you have successfully connected to your TFS account, click Next.
  5. On the next screen you will be selecting the services you want turned on for this Integration. If you would like to import pull request and ticket data in addition to repo data, then leave all services on. You can turn services on and off at any time. Click Next.

  6. Name your integration so you can identify the account you connected with. Click Create.

  7. You have successfully created a new TFS integration.

  8. You can begin to import your repos by going to your repo import page. Click the repo import page link. To learn more about managing your new integration settings, see Manage integrations.


If you are unable to get your integration setup, please see the troubleshooting scenarios below. 

Could not connect to URL


If you receive the above error message when you test your integration, please review the following information:

  • Check your base URL.

 It should be in the following format:


  • If you are behind a firewall, review the initial setup of the connection - allowlist IPs, public DNS, certificate signed by a public CA. 

Authorization denied

If you were unable to authenticate the connection, please check your credentials and personal access scopes and try again. 

Connection tests successfully but I am not seeing all my projects and repositories 

If you are not seeing all the projects and/or repos that you expect, double check your permissions at the organization and project level. If you are not a Project Collection Administrator you will need to be added to each project that you want to add to your Flow account. 

back to top

If you need help, please email for 24/7 assistance.