| title | Build Azure DevOps integrations with Microsoft Entra OAuth apps |
|---|---|
| description | Microsoft Entra OAuth apps: Discover how to build secure Azure DevOps integrations using delegated authentication and enhance your development process. |
| ms.subservice | azure-devops-security |
| ms.custom | pat-reduction, UpdateFrequency3 |
| ms.topic | overview |
| monikerRange | azure-devops |
| ms.author | chcomley |
| ms.reviewer | chcomley |
| author | chcomley |
| ms.date | 04/02/2026 |
[!INCLUDE version-eq-azure-devops]
The Microsoft identity platform offers many ways to authenticate users via the OAuth 2.0 protocol. In this article, OAuth tokens refers to on-behalf-of user flows, also known as delegated flows, where apps request tokens to perform actions for their users.
This approach differs from apps that perform actions on-behalf-of themselves. For that approach, use service principals and managed identities.
- Register an application with the Microsoft identity platform
- Add permissions for access to Microsoft Graph: Learn how to add delegated permissions from an Azure resource. Instead of Microsoft Graph, select
Azure DevOpsfrom the list of resources. - Read about scopes and permissions in the Microsoft identity platform: Understand the
.defaultscope. See the scopes available for Azure DevOps in our list of scopes. - Request permissions through consent
- Use authentication libraries and code samples
- Explore support and help options for developers
- Understand application management in Microsoft Entra ID
- Add an enterprise application
- Explore the consent experience for applications in Microsoft Entra ID
- Microsoft Entra apps don't natively support Microsoft account (MSA) users for the Azure DevOps resource. If you're building an app that must cater to MSA users or support both Microsoft Entra and MSA users, Azure DevOps OAuth apps remain your best option. Microsoft is currently working on native support for MSA users through Microsoft Entra OAuth.
- Azure DevOps' resource identifier:
499b84ac-1321-427f-aa17-267ca6975798 - Azure DevOps' resource URI:
https://app.vssps.visualstudio.com - Use the
.defaultscope when requesting a token with all scopes that the app is permissioned for. - In a previous Azure DevOps OAuth app, you might have used Azure DevOps user identifiers that don't exist in Microsoft Entra. When migrating to Microsoft Entra, use the ReadIdentities API to resolve and match the different identities used by each identity provider.