| ms.topic | how-to |
|---|---|
| title | Issue Entra tokens with Azure CLI |
| description | Use Microsoft Entra authentication on top of Azure CLI |
| ms.assetid | 19285121-1805-4421-B7C4-63784C9A7CFA |
| ms.subservice | azure-devops-security |
| monikerRange | azure-devops |
| ms.author | chcomley |
| author | chcomley |
| ms.date | 09/16/2025 |

Use the Azure CLI to issue a Microsoft Entra token and call Azure DevOps REST APIs. Since Entra access tokens only last for one hour, they're ideal for quick one-off operations. You can use Azure CLI to acquire a user token for yourself or on behalf of a service principal.

| Category | Requirements |
|---|---|
| Entra tenant and subscription | Make sure the subscription is associated with the tenant connected to the Azure DevOps organization you're trying to access. If you don't know your tenant or subscription ID, you can find it in the Azure portal. |
| Azure CLI | Download and install the Azure CLI. |
| Entra app | (If authenticating for a service principal) Create the Entra application and have the app client ID and client secret ready. |

- Sign in to the Azure CLI using the `az login` command and follow the on-screen instructions.
- Set the correct subscription for the signed-in user with these bash commands. Make sure the Azure subscription ID is associated with the tenant connected to the Azure DevOps organization you're trying to access. If you don't know your subscription ID, you can find it in the Azure portal.

  ```bash
  az account set -s <subscription-id>
  ```

- Generate a Microsoft Entra ID access token with the `az account get-access-token` command using the Azure DevOps resource ID: `499b84ac-1321-427f-aa17-267ca6975798`.

  ```bash
  az account get-access-token \
    --resource 499b84ac-1321-427f-aa17-267ca6975798 \
    --query "accessToken" \
    -o tsv
  ```

- Sign in to Azure PowerShell using the `Connect-AzAccount` command and follow the on-screen instructions.
- Set the correct subscription for the signed-in user with these PowerShell commands. Make sure the Azure subscription ID is associated with the tenant connected to the Azure DevOps organization you're trying to access. If you don't know your subscription ID, you can find it in the Azure portal.

  ```powershell
  Set-AzContext -Subscription <subscriptionID>
  ```

- Generate a Microsoft Entra ID access token with the `Get-AzAccessToken` command using the Azure DevOps resource ID: `499b84ac-1321-427f-aa17-267ca6975798`.

  ```powershell
  Get-AzAccessToken -ResourceUrl '499b84ac-1321-427f-aa17-267ca6975798'
  ```

Note
Get-AzAccessToken returns the token as a SecureString. If you're unsure of how to use SecureString, refer to the documentation. To convert a SecureString to plain text to use in an Auth Header, leverage the .NET [System.Runtime.InteropServices.Marshal] class to convert the SecureString to a BSTR (binary string) pointer, then read the pointer as a plain text string to a variable.
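
The conversion this note describes, as an added example that is not code from the original page. `ConvertFrom-SecureToken` is a hypothetical helper name, the `.Token` property in the commented call is assumed to hold the SecureString, and the placeholder token is constructed so the snippet runs without a signed-in session.

```powershell
# Added example: hold the plain-text token only while building the header,
# and wipe the unmanaged BSTR copy as soon as it has been read.
function ConvertFrom-SecureToken {   # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [System.Security.SecureString] $SecureToken
    )
    # Copy the SecureString into an unmanaged BSTR and get a pointer to it.
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecureToken)
    try {
        # Read the BSTR back as a managed plain-text string.
        return [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    }
    finally {
        # Zero and free the unmanaged buffer even if the read throws.
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

# With a signed-in Az session (assumes the SecureString is in .Token):
#   $secureToken = (Get-AzAccessToken -ResourceUrl '499b84ac-1321-427f-aa17-267ca6975798').Token
# Constructed stand-in so the example runs offline:
$secureToken = ConvertTo-SecureString 'constructed-placeholder-token' -AsPlainText -Force

# Build the header inline so the plain text is never stored in its own variable.
$headers = @{
    Accept        = 'application/json'
    Authorization = "Bearer $(ConvertFrom-SecureToken -SecureToken $secureToken)"
}

# Confirm the header was built without echoing the token itself.
'Authorization header length: {0}' -f $headers.Authorization.Length
```

The managed string inside `$headers` still holds the token in memory, so keep the hashtable in a narrow scope and avoid writing it to logs or transcripts.
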

- Sign in to the Azure CLI as the service principal using the `az devops login` command.
- Follow the on-screen instructions and finish signing in.

  ```bash
  # To authenticate a service principal with a password or cert:
  az login --service-principal -u <app-id> -p <password-or-cert> --tenant <tenant>
  # To authenticate a managed identity:
  az login --identity
  ```

- Set the correct subscription for the signed-in service principal by entering the command:

  ```bash
  az account set -s <subscription-id>
  ```

- Generate a Microsoft Entra ID access token with the `az account get-access-token` command using the Azure DevOps resource ID: `499b84ac-1321-427f-aa17-267ca6975798`.

  ```powershell
  $accessToken = az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query "accessToken" --output tsv
  ```

  Note
  Use the Azure DevOps application ID, not our resource URI, for generating tokens.

- Now, you can use `az cli` commands per usual. Let's try to call an Azure DevOps API by passing the token in the headers as a `Bearer` token:

  ```powershell
  # Placeholder: replace with the name of your Azure DevOps organization.
  $yourOrgname = "<your-organization>"
  $apiVersion = "7.1-preview.1"
  $uri = "https://dev.azure.com/${yourOrgname}/_apis/projects?api-version=${apiVersion}"
  $headers = @{
      Accept = "application/json"
      Authorization = "Bearer $accessToken"
  }
  # List the projects in the organization, showing only their id and name.
  Invoke-RestMethod -Uri $uri -Headers $headers -Method Get |
      Select-Object -ExpandProperty value |
      Select-Object id, name
  ```