| title | Building Azure DevOps integrations with Microsoft Entra OAuth apps |
|---|---|
| description | Use Microsoft Entra authentication to integrate with Azure DevOps Services. |
| ms.assetid | 19285121-1805-4421-B7C4-63784C9A7CFA |
| ms.subservice | azure-devops-security |
| ms.topic | conceptual |
| monikerRange | azure-devops |
| ms.author | chcomley |
| author | chcomley |
| ms.date | 01/08/2025 |
This guide explains how to build a Microsoft Entra OAuth app for Azure DevOps and links to further resources. Microsoft Entra ID offers robust identity and access management capabilities, which allow you to authenticate users and perform actions on their behalf using OAuth tokens. Use this information to apply Microsoft Entra OAuth tokens to various app flows, including delegated access and service principal-based access.
The Microsoft identity platform offers many ways to authenticate users via the OAuth 2.0 protocol. In these docs, we use "OAuth tokens" colloquially to refer to on-behalf-of user flows, also known as delegated flows, for apps that request tokens to perform actions for their users. The rest of this guide offers helpful resources for developers of these apps.
Another common app flow we support is building an on-behalf-of app using service principals and managed identities. Microsoft Entra tokens can also be used for ad hoc requests with the Azure CLI or for Git operations through the Git Credential Manager.
Important
When creating a new OAuth 2.0 app, start here with Microsoft Entra OAuth apps, as Azure DevOps OAuth apps are planned for deprecation in 2026. Learn more in our blog post.
- Register an application with the Microsoft identity platform
- Add permissions for access to Microsoft Graph: Learn how to add delegated permissions from an Azure resource. Instead of Microsoft Graph, select `Azure DevOps` from the list of resources.
- Read about scopes and permissions in the Microsoft identity platform: Understand the `.default` scope. See the scopes available for Azure DevOps in our list of scopes.
- Request permissions through consent
- Use authentication libraries and code samples
- Manage personal access tokens via API: Use the PAT lifecycle management APIs with Microsoft Entra tokens. Our docs and the associated sample app provide examples for setting up a Microsoft Entra app to use Azure DevOps REST APIs.
- Explore support and help options for developers
- Understand application management in Microsoft Entra ID
- Add an enterprise application
- Explore the consent experience for applications in Microsoft Entra ID
Note
Microsoft Entra OAuth apps don't natively support Microsoft account (MSA) users for Azure DevOps REST APIs. If you're building an app that must cater to MSA users or support both Microsoft Entra and MSA users, Azure DevOps OAuth apps remain your best option. We're currently working on native support for MSA users through Microsoft Entra OAuth.
- Important Azure DevOps IDs:
  - Microsoft Entra resource identifier: `499b84ac-1321-427f-aa17-267ca6975798`
  - Resource URI: `https://app.vssps.visualstudio.com`
  - Use the `.default` scope when requesting a token with all scopes that the app is permissioned for.
- When you migrate an existing app, you might use Azure DevOps user identifiers that don't exist in Microsoft Entra. Use the ReadIdentities API to resolve and match the different identities used by each identity provider.
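
The following added example (not code from the original page or from Microsoft) shows how the resource identifier and `.default` scope above fit into a service principal token request, and how to confirm during troubleshooting that a token was issued for Azure DevOps and not for another resource. It assumes the Microsoft identity platform v2.0 token endpoint and the client credentials grant, and it assumes the token's `aud` claim carries either the resource identifier or the resource URI listed above; all function names are hypothetical.

```python
import base64
import json
from urllib.parse import urlencode

# Values from this page.
AZDO_RESOURCE_ID = "499b84ac-1321-427f-aa17-267ca6975798"
AZDO_RESOURCE_URI = "https://app.vssps.visualstudio.com"
AZDO_DEFAULT_SCOPE = f"{AZDO_RESOURCE_ID}/.default"


def client_credentials_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for a service principal token request; nothing is sent."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": AZDO_DEFAULT_SCOPE,  # client credentials requires <resource>/.default
    })
    return url, body


def unverified_claims(jwt):
    """Decode the JWT payload for diagnostics only; the signature is NOT checked."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def is_for_azure_devops(jwt):
    """True when aud names the Azure DevOps resource (assumed claim format)."""
    aud = str(unverified_claims(jwt).get("aud", ""))
    return aud.rstrip("/") in (AZDO_RESOURCE_ID, AZDO_RESOURCE_URI)


def constructed_token(claims):
    """Build an unsigned sample token (constructed test data, not a real token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"
```

The audience check is a troubleshooting aid on the client side; it does not replace signature validation, which the Azure DevOps service performs on the token it receives.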