Authenticate with Azure DevOps with Microsoft Entra

Microsoft Entra ID is a separate Microsoft product with its own platform. As a leading identity and access management (IAM) provider, Microsoft Entra ID is focused on the needs of companies that need to manage team members and safeguard company resources. We offer the ability to connect your Azure DevOps organization to a Microsoft Entra ID tenant, and there may be many benefits to your company in doing so.

Once connected, the Microsoft Identity application platform on top of Microsoft Entra ID offers a few advantages that make it appealing to app developers and org admins. On Microsoft Entra, you can register an application to access Azure tenants and define the permissions it needs from Azure resources, of which Azure DevOps is considered one. Azure DevOps itself exists outside of the construct of Azure tenants.

Microsoft Entra apps and Azure DevOps apps are separate entities with no knowledge of each other. The means to authenticate your application differs between Microsoft Entra OAuth and Azure DevOps OAuth. For one thing, Microsoft Entra ID OAuth apps are issued Microsoft Entra tokens, not Azure DevOps access tokens. These tokens have a standard one-hour duration before expiration.

Developing Azure DevOps apps on Microsoft Entra

We recommend reading the Microsoft Entra documentation thoroughly to understand the new functionality available via Microsoft Entra and the different expectations of you during setup.

We have guidance to support your app development for:

Replacing PATs with Microsoft Entra tokens

Personal access tokens (PATs) remain one of the most popular forms of authentication for Azure DevOps users for their ease of creation and use. However, poor PAT management and storage can result in unauthorized access to your Azure DevOps organizations. Letting PATs live for a long lifespan or over-scoping them can also increase the risk of damage that a leaked PAT can do.

Microsoft Entra tokens provide an appealing alternative since they only last for one hour before they must be refreshed. The authentication protocols to generate Entra tokens are more robust and secure. Security measures like conditional access policies protect against token theft and replay attacks. We're hoping to engage more users to explore using Microsoft Entra tokens wherever PATs may be commonly used today. We share some of the most popular PAT use cases and ways you might be able to replace the PAT with an Entra token in this workflow.

Ad-hoc requests to Azure DevOps REST APIs

You can also use the Azure CLI to get Microsoft Entra ID access tokens for users to call Azure DevOps REST APIs. Since Entra access tokens only live for one hour, they're ideal for quick one-off operations, like API calls that don't need a persistent token.

Acquire user tokens in Azure CLI

Credit to these instructions goes to the Databricks docs.

  1. Sign in to the Azure CLI using the `az login` command and follow the on-screen instructions.
  2. Set the correct subscription for the signed-in user with the following bash command. Make sure the Azure subscription ID is associated with the tenant connected to the Azure DevOps organization you're trying to access. If you don't know your subscription ID, you can find it in the Azure portal.

     ```bash
     az account set -s <subscription-id>
     ```

  3. Generate a Microsoft Entra ID access token with the `az account get-access-token` command, passing the Azure DevOps resource ID `499b84ac-1321-427f-aa17-267ca6975798`:

     ```bash
     az account get-access-token \
       --resource 499b84ac-1321-427f-aa17-267ca6975798 \
       --query "accessToken" \
       -o tsv
     ```
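The following script is an added example, not part of the page: it wraps the `az account get-access-token` command from step 3, performs a local sanity check on the returned token (the audience should be the Azure DevOps resource ID from the page, and the one-hour lifetime should not already have run out), and then spends the token on one REST call. The Projects endpoint and its `api-version`, the claim names `aud` and `exp`, and the `encode_unsigned_jwt` helper used to construct an offline sample token are assumptions made for the example.

```python
"""Acquire a Microsoft Entra token for Azure DevOps via the Azure CLI and use it once."""
import base64
import json
import subprocess
import time
import urllib.request

AZURE_DEVOPS_RESOURCE_ID = "499b84ac-1321-427f-aa17-267ca6975798"  # resource ID given on the page


def acquire_user_token() -> str:
    """Run the 'az account get-access-token' command from step 3 and return the raw token."""
    cmd = ["az", "account", "get-access-token", "--resource", AZURE_DEVOPS_RESOURCE_ID,
           "--query", "accessToken", "-o", "tsv"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout.strip()


def decode_claims(token: str) -> dict:
    """Read the JWT payload without verifying the signature; Azure DevOps does the real verification."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(token: str, now=None) -> tuple:
    """Sanity-check audience and remaining lifetime before sending the token anywhere."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    if AZURE_DEVOPS_RESOURCE_ID not in str(claims.get("aud", "")):  # assumption: 'aud' carries the resource ID
        return False, "audience %r is not the Azure DevOps resource" % claims.get("aud")
    remaining = int(claims.get("exp", 0) - now)
    if remaining <= 0:
        return False, "token has expired; re-run 'az account get-access-token'"
    return True, "token valid for %d more seconds" % remaining


def encode_unsigned_jwt(claims: dict) -> str:
    """Build an unsigned (alg 'none') JWT from constructed claims, for offline demonstration only."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return "%s.%s." % (seg({"alg": "none", "typ": "JWT"}), seg(claims))


def list_projects(organization: str, token: str) -> dict:
    """Call the Projects REST API (assumed endpoint) with the token as a Bearer credential."""
    url = "https://dev.azure.com/%s/_apis/projects?api-version=7.1" % organization
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    import sys
    token = acquire_user_token()            # never print or persist this value
    ok, message = check_token(token)
    print(message)
    if not ok:
        sys.exit(1)
    for project in list_projects(sys.argv[1], token)["value"]:
        print(project["name"])
```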

Acquire service principal tokens in Azure CLI

Service principals can also acquire Microsoft Entra ID access tokens for ad-hoc operations. Instructions on how to do so are provided in the corresponding section of the guide to service principals and managed identities.

Git operations with Git Credential Manager

Microsoft Entra tokens can also be used to perform Git operations. For those regularly pushing to Git repositories, the Git Credential Manager offers a simple way to request and manage one's Microsoft Entra OAuth token credentials, so long as `oauth` is set as the default `credential.azReposCredentialType`.