A team uses Azure Repos, Azure Boards, and pull requests for all changes to the main branch. Auditors found several production fixes that cannot be traced back to an approved work item.
You need to prevent untraceable changes from being merged while minimizing manual review effort. Developers should still be able to create small commits locally before they know the final work item ID.
Which configuration best satisfies the requirement?