How to Access Azure DevOps Resources via Microsoft Entra OAuth Apps from a Third-Party Application?

Jai Garg 20 Reputation points
2025-03-10T06:01:47.48+00:00

Hi,

I am currently working on integrating Azure DevOps resources into a third-party application, and I would like to utilize Microsoft Entra for authentication via OAuth. Could someone please provide guidance on the correct steps to set up and authenticate a third-party application to access Azure DevOps resources using Microsoft Entra OAuth apps?

Specifically, I’m looking for information on:

  1. Setting up the OAuth app in Microsoft Entra.
  2. Granting necessary permissions for Azure DevOps resources.
  3. Authenticating and obtaining access tokens for API calls.
  4. Any potential issues or best practices to keep in mind during this process.

Any insights or resources you can share would be greatly appreciated!

Thank you in advance!

Azure DevOps

Accepted answer
  1. SrideviM 755 Reputation points Microsoft External Staff
    2025-03-10T10:33:55.2+00:00

    I understand you are trying to access Azure DevOps resources via Microsoft Entra OAuth Apps from a Third-Party Application.

    If you are using Azure DevOps OAuth, visit your Azure DevOps organization settings page and make sure to enable third-party application access via OAuth like this:

    For Microsoft Entra ID OAuth, toggling the above option is not needed. Register one Entra ID single-tenant application named DevOpsMarApp as below:

    You can find the Client ID and Tenant ID in the app’s overview section, while the Client Secret is generated under Certificates & Secrets. Be sure to copy the secret immediately, as it won’t be visible later.

    Client ID and Tenant ID:

    Client Secret:

    There is no need to add API permissions in the Entra ID application while generating a token using the client credentials flow as a service principal. But while using delegated flows where user interaction is involved, granting API permissions for the Azure DevOps API is mandatory.

    Before generating an access token using the client credentials flow as a service principal, make sure to manually add the application under your Azure DevOps organization as a user and grant access:

    Go to Azure DevOps portal > Organization Settings > Users > Add users > Enter Application name > Select app > Access level > Add Projects > Azure DevOps Groups > Add

    Now, use the parameters below to generate an access token using the client credentials flow via Postman:

    
    POST https://login.microsoftonline.com/tenantId/oauth2/v2.0/token

    client_id: appId
    client_secret: secret
    grant_type: client_credentials
    scope: 499b84ac-1321-427f-aa17-267ca6975798/.default
    
    

    Response:

    You can now use this access token to call the Azure DevOps API based on the permissions it inherits from the Azure DevOps group it has been added to:

    GET https://dev.azure.com/orgname/_apis/projects?api-version=7.1
    Authorization: Bearer <access_token>
    

    Response:

    Since access tokens expire after an hour, your app will need to request a new one periodically. Make sure your app is added to the right Azure DevOps group, or API calls may fail with 403 or 401 errors.

    Refer to this Microsoft article to learn more. Also, store client secrets securely.

    Hope this helps!


    If you have any other questions or are still running into issues, let me know in the "comments" and I would be happy to help you.

    1 person found this answer helpful.
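The client credentials request and the hourly token renewal described in the answer above, as an added Python example that is not part of the original answer. The environment variable names, the `TokenCache` class and its 300-second renewal margin are assumptions made for illustration; the secret is read from the environment rather than kept in source.

```python
import json
import os
import time
import urllib.parse
import urllib.request

# Azure DevOps resource ID quoted in the answer; client credentials uses /.default.
ADO_SCOPE = "499b84ac-1321-427f-aa17-267ca6975798/.default"

def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form-encoded body) for the client credentials grant."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": ADO_SCOPE,
    }).encode()
    return url, body

def fetch_token(tenant_id, client_id, client_secret):
    url, body = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body)  # data present, so this is a POST
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)  # includes access_token and expires_in (seconds)

class TokenCache:
    """Reuse a token until `skew` seconds before expiry, then request a new one."""
    def __init__(self, fetch, skew=300, clock=time.time):
        self._fetch, self._skew, self._clock = fetch, skew, clock
        self._token, self._expires_at = None, 0.0

    def get(self):
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            payload = self._fetch()
            self._token = payload["access_token"]
            self._expires_at = self._clock() + int(payload["expires_in"])
        return self._token

def list_projects(org, token):
    url = f"https://dev.azure.com/{org}/_apis/projects?api-version=7.1"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:  # 401/403 raise HTTPError
        return json.load(resp)

if __name__ == "__main__":
    env = os.environ  # assumed variable names; keep the secret out of source control
    cache = TokenCache(lambda: fetch_token(
        env["AZ_TENANT_ID"], env["AZ_CLIENT_ID"], env["AZ_CLIENT_SECRET"]))
    print(list_projects(env["ADO_ORG"], cache.get()))
```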
