Authenticate to Azure DevOps with Microsoft Entra
Microsoft Entra ID is a separate Microsoft product with its own platform. As a leading identity and access management (IAM) provider, Microsoft Entra ID focuses on managing team members and safeguarding company resources. You can connect your Azure DevOps organization to a Microsoft Entra ID tenant, which offers many benefits to your company.
Once connected, the Microsoft Identity application platform on top of Microsoft Entra ID provides several advantages for app developers and org admins. You can register an application to access Azure tenants and define permissions needed from Azure resources, including Azure DevOps, which exists outside of the Azure tenant construct.
Microsoft Entra apps and Azure DevOps apps are separate entities with no knowledge of each other. The authentication methods differ: Microsoft Entra uses OAuth, while Azure DevOps uses its own OAuth. Microsoft Entra ID OAuth apps issue Microsoft Entra tokens, not Azure DevOps access tokens. These tokens have a standard one-hour duration before expiration.
Develop Azure DevOps apps on Microsoft Entra
Read the Microsoft Entra documentation thoroughly to understand the new functionality and different expectations during setup.
We support your app development with guidance for:
- Microsoft Entra OAuth apps (on-behalf-of user apps) for apps that perform actions on behalf of consenting users.
- Microsoft Entra service principals and managed identities (on-behalf-of itself apps) for apps that perform automated tooling within a team.
Replace PATs with Microsoft Entra tokens
Personal access tokens (PATs) are popular for Azure DevOps authentication due to their ease of creation and use. However, poor PAT management and storage can lead to unauthorized access to your Azure DevOps organizations. Long-lived or over-scoped PATs increase the risk of damage from a leaked PAT.
Microsoft Entra tokens offer a secure alternative, lasting only one hour before requiring a refresh. The authentication protocols for generating Entra tokens are more robust and secure. Security measures like conditional access policies protect against token theft and replay attacks. We encourage users to explore using Microsoft Entra tokens instead of PATs. We share popular PAT use cases and ways to replace PATs with Entra tokens in this workflow.
Ad-hoc requests to Azure DevOps REST APIs
You can also use the Azure CLI to get Microsoft Entra ID access tokens for users to call Azure DevOps REST APIs. Since Entra access tokens only last for one hour, they're ideal for quick one-off operations, like API calls that don't need a persistent token.
Acquire user tokens in Azure CLI
- Sign in to the Azure CLI using the
az logincommand and follow the on-screen instructions. - Set the right correct subscription for the signed-in user with these bash commands. Make sure the Azure subscription ID is associated with the tenant connected to the Azure DevOps organization you're trying to access. If you don't know your subscription ID, you can find it in the Azure portal.
az account set -s <subscription-id>
- Generate a Microsoft Entra ID access token with the
az account get-access-tokenthe Azure DevOps resource ID:499b84ac-1321-427f-aa17-267ca6975798.
az account get-access-token \
--resource 499b84ac-1321-427f-aa17-267ca6975798 \
--query "accessToken" \
-o tsv
For more information, see the Databricks docs.
Acquire service principal tokens in Azure CLI
Service principals can also use ad-hoc Microsoft Entra ID access tokens for ad-hoc operations. For more information, see Service principals and managed identities/Get a Microsoft Entra ID token with the Azure CLI.
Git operations with Git Credential Manager
You can also use Microsoft Entra tokens to perform Git operations. If you regularly push to git repositories, use the Git Credential Manager to easily request and manage your Microsoft Entra OAuth token credentials, as long as oauth is set as the default credential.azReposCredentialType.