| title | Building Azure DevOps integrations with Microsoft Entra OAuth apps |
|---|---|
| description | Use Microsoft Entra authentication to integrate with Azure DevOps Services. |
| ms.assetid | 19285121-1805-4421-B7C4-63784C9A7CFA |
| ms.subservice | azure-devops-security |
| ms.topic | overview |
| monikerRange | azure-devops |
| ms.author | chcomley |
| author | chcomley |
| ms.date | 01/08/2025 |
[!INCLUDE version-eq-azure-devops]
The Microsoft identity platform offers many ways to authenticate users via the OAuth 2.0 protocol. In these docs, we use OAuth tokens to colloquially refer to on-behalf-of user flows, also known as delegated flows, for apps that request tokens to perform actions for their users.
This differs from apps that perform actions on-behalf-of themselves. For that, you would use service principals and managed identities.
- Register an application with the Microsoft identity platform
- Add permissions for access to Microsoft Graph: Learn how to add delegated permissions from an Azure resource. Instead of Microsoft Graph, select
Azure DevOpsfrom the list of resources. - Read about scopes and permissions in the Microsoft identity platform: Understand the
.defaultscope. See the scopes available for Azure DevOps in our list of scopes. - Request permissions through consent
- Use authentication libraries and code samples
- Explore support and help options for developers
- Understand application management in Microsoft Entra ID
- Add an enterprise application
- Explore the consent experience for applications in Microsoft Entra ID
- Microsoft Entra apps don't natively support Microsoft account (MSA) users for the Azure DevOps resource. If you're building an app that must cater to MSA users or support both Microsoft Entra and MSA users, Azure DevOps OAuth apps remain your best option. We're currently working on native support for MSA users through Microsoft Entra OAuth.
- Azure DevOps' resource identifier:
499b84ac-1321-427f-aa17-267ca6975798 - Azure DevOps' resource URI:
https://app.vssps.visualstudio.com - Use the
.defaultscope when requesting a token with all scopes that the app is permissioned for. - In a previous Azure DevOps OAuth app, you might have use Azure DevOps user identifiers that don't exist in Microsoft Entra. When migrating to Microsoft Entra, use the ReadIdentities API to resolve and match the different identities used by each identity provider.