Migrating from Legacy Azure DevOps OAuth to Microsoft Entra OAuth: How Can I Support Both Organizational and Personal Accounts?

Jeel Gajera 5 Reputation points
2025-03-20T09:43:58.31+00:00

I am currently developing an application that integrates with the Azure DevOps API using OAuth authentication. Up until now, my implementation has used the legacy Azure DevOps OAuth flow and supports both organizational (work/school) and personal Microsoft accounts. However, as outlined in the Microsoft blog (Microsoft Entra OAuth for Azure DevOps), Microsoft is deprecating the legacy Azure DevOps OAuth approach in favor of Microsoft Entra OAuth.

My Goals:

  • Migrate from the legacy OAuth method to Microsoft Entra OAuth to avoid future deprecation issues.
  • Maintain support for both organizational accounts and personal Microsoft accounts.
  • Ensure that my authentication flow remains robust and future-proof.

The Problem:

  • The legacy flow currently supports personal and organizational accounts but will be deprecated, which poses long-term risks.
  • The new Microsoft Entra OAuth flow requires resource-specific scopes (for example, using https://app.vssps.visualstudio.com/.default), which are well documented for organizational accounts. However, there is little guidance on how to configure this new flow to also support personal accounts.
  • I am uncertain how to handle scope configuration and token management between these two account types when using Microsoft Entra OAuth.

My Questions:

  1. Migration Strategy: What is the recommended strategy to migrate from the legacy Azure DevOps OAuth flow to Microsoft Entra OAuth, particularly for an app that must support both personal and organizational accounts?
  2. Scope & Configuration: Are there best practices or sample implementations for configuring app registration, scopes, and token requests in Microsoft Entra OAuth that allow support for both account types?
  3. Handling Differences: How should I manage the differences in scope handling (e.g., using resource-specific scopes like https://app.vssps.visualstudio.com/.default) between organizational and personal accounts?

Any guidance, documentation pointers, or sample code would be greatly appreciated.

Thank you for your help!

Azure DevOps

1 answer

  1. SrideviM 5,840 Reputation points Moderator
    2025-03-24T05:58:59.28+00:00

    Hello Jeel Gajera,

    Microsoft is deprecating Azure DevOps OAuth apps by 2026, so transitioning to Microsoft Entra OAuth is necessary. However, Entra OAuth currently supports only organizational accounts (work/school) and does not yet work with personal Microsoft accounts (MSA).

    For now, the best approach is to migrate organizational users to Microsoft Entra OAuth while continuing to use Azure DevOps OAuth for personal accounts, as the Microsoft article says:

    [Image: excerpt from the Microsoft article]

    You can register your application in Microsoft Entra ID and configure API permissions by getting a token using the 499b84ac-1321-427f-aa17-267ca6975798/.default scope or more specific scopes like 499b84ac-1321-427f-aa17-267ca6975798/vso.code and 499b84ac-1321-427f-aa17-267ca6975798/vso.project.

    Since MSA support isn’t available yet, your application should detect the user type and direct them to the appropriate authentication method. Microsoft is currently working on native MSA support for Entra OAuth, so it's important to stay updated on their announcements. Until then, Azure DevOps OAuth remains the best option for supporting both account types.

    Hope this helps!


    If this answer was helpful, please click "Accept the answer" and mark Yes, as this can help other community members.

    If you have any other questions or are still experiencing issues, feel free to ask in the "comments" section, and I'd be happy to help.

    1 person found this answer helpful.
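
As an added example (not part of the original answer and not Microsoft sample code), one way to route users to the two flows the answer describes, with a per-request `state` value on both and PKCE on the Entra request. Assumptions: the account kind is chosen by the user on the sign-in page, and the `cfg` keys, function name and default scope list are hypothetical.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Resource ID and scope names quoted in the answer above.
ADO_RESOURCE = "499b84ac-1321-427f-aa17-267ca6975798"
# Authorization endpoints of the two flows; "organizations" = work/school only.
ENTRA_AUTHORIZE = "https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize"
LEGACY_AUTHORIZE = "https://app.vssps.visualstudio.com/oauth2/authorize"


def build_authorize_request(account_kind, cfg, scopes=("vso.code", "vso.project")):
    """Return (url, session_data) for the flow matching account_kind.

    account_kind is "work" or "personal" (assumption: picked by the user on
    the sign-in page). session_data stays server-side and is checked in the
    redirect handler; it is never sent to the browser.
    """
    state = secrets.token_urlsafe(32)  # binds the redirect to this session
    if account_kind == "work":
        # PKCE: only the SHA-256 challenge leaves the app; the verifier is
        # presented later when the code is redeemed at the token endpoint.
        verifier = secrets.token_urlsafe(64)
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
        params = {
            "client_id": cfg["entra_client_id"],
            "response_type": "code",
            "redirect_uri": cfg["redirect_uri"],
            "scope": " ".join(f"{ADO_RESOURCE}/{s}" for s in scopes),
            "state": state,
            "code_challenge": challenge,
            "code_challenge_method": "S256",
        }
        return (f"{ENTRA_AUTHORIZE}?{urlencode(params)}",
                {"flow": "entra", "state": state, "code_verifier": verifier})
    if account_kind == "personal":
        params = {
            "client_id": cfg["legacy_app_id"],
            "response_type": "Assertion",  # value the legacy flow expects
            "state": state,
            "scope": " ".join(scopes),
            "redirect_uri": cfg["redirect_uri"],
        }
        return (f"{LEGACY_AUTHORIZE}?{urlencode(params)}",
                {"flow": "legacy", "state": state})
    # Fail closed: unexpected input never falls through to a default flow.
    raise ValueError(f"unknown account kind: {account_kind!r}")
```

The redirect handler should reject any callback whose `state` does not match the stored value for that session before exchanging the code.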