Adds a new comment to a work item. Use this tool when you need to: - Provide feedback or clarification on a work item - Document decisions made about the work - Add context without changing the work item's fields - Communicate with team members about specific tasks IMPORTANT: Comments in Azure De...
AI agents use add_work_item_comment to create or update resources in MCP Azure DevOps Server — usually the action step of a workflow, after the agent has gathered context. Every call changes real data in your MCP Azure DevOps Server environment.
While comments cannot be deleted post-creation (suggesting Destructive-like permanence), the core action is creating/adding data to a work item, which is a Write operation. The permanence is a property of the platform, not the tool's reversibility—admins or the platform could theoretically remove comments.
From the tool's definition: Tool 'Adds a new comment to a work item' modifies work item state by creating a new comment entry. Description explicitly states 'Comments in Azure DevOps become part of the permanent work item history and cannot be edited or deleted after they are added',…
Documented attack patterns abuse exactly the kind of access add_work_item_comment gives an agent:
PolicyLayer is an MCP gateway — it sits between your AI agents and MCP Azure DevOps Server, and nothing reaches the server without passing your rules. This is the rule we recommend for add_work_item_comment:
{
  "version": "1",
  "default": "deny",
  "tools": {
    "add_work_item_comment": {
      "limits": [
        {
          "counter": "add_work_item_comment_rate",
          "window": "minute",
          "max": 30,
          "scope": "grant"
        }
      ]
    }
  }
}
add_work_item_comment stays usable, but capped — an agent stuck in a loop can't make hundreds of changes a minute. Everything else on the server is denied unless you say otherwise.
Free to start. No card required.
Adds a new comment to a work item.

Use this tool when you need to:
- Provide feedback or clarification on a work item
- Document decisions made about the work
- Add context without changing the work item's fields
- Communicate with team members about specific tasks

IMPORTANT: Comments in Azure DevOps become part of the permanent work item history and cannot be edited or deleted after they are added. The comment will be attributed to the user associated with the Personal Access Token used for authentication.

Args:
    id: The work item ID
    text: The text of the comment (supports markdown formatting)
    project: Optional project name. If not provided, will be determined from the work item.

Returns:
    Formatted string containing confirmation and the added comment with author information and timestamp.

It is categorised as a Write tool in the MCP Azure DevOps Server MCP Server, which means it can create or modify data. Consider rate limits to prevent runaway writes.
Register the MCP Azure DevOps Server MCP server in PolicyLayer and add a rule for add_work_item_comment: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches MCP Azure DevOps Server. Nothing to install.
add_work_item_comment is a Write tool with medium risk. Write tools should be rate-limited to prevent accidental bulk modifications.
Yes. Add a rate_limit block to the add_work_item_comment rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for add_work_item_comment. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
add_work_item_comment is provided by the MCP Azure DevOps Server MCP server (vortiago/mcp-azure-devops). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.
Deterministic rules across all 21 MCP Azure DevOps Server tools. Per-identity grants. Full audit log. Live in minutes. Nothing to install.
21 MCP Azure DevOps Server tools catalogued and risk-classified — across an index of 42,500+ MCP servers.