Skip to main content
TestPulse requests only the scopes it needs, and is read-only except for the opt-in Coverage Builder.
ScopeWhy it is requested
vso.testRead Test Plans, suites, cases, points and results.
vso.workRead work items (requirements, bugs) for traceability.
vso.identityResolve testers and assignees by name.
vso.buildRead the associated build for a report.
vso.test_writeUsed only by the Coverage Builder to create plans and suites (opt-in).

The write scope

vso.test_write powers only the Coverage Builder’s create action. Adding it to the manifest is an administrator action and triggers an extension re-approval for the organisation. Until then, everything read-only keeps working — only plan creation is unavailable.

Permission ≠ scope

A 403 when creating a plan is almost always an area-path ACL — the Manage test plans permission is granted per area pathnot a missing scope. See Create the plan in Azure DevOps.

Privacy & data

Where data lives.

Read-only by design

The read/write boundary.