Use the Azure CLI to issue a Microsoft Entra token and call Azure DevOps REST APIs. Since Entra access tokens only last for one hour, they're ideal for quick one-off operations. You can use Azure CLI to acquire a user token for yourself or on behalf of a service principal.
Prerequisites
| Category | Requirements |
|---|---|
| Entra tenant and subscription | Make sure the subscription is associated with the tenant connected to the Azure DevOps organization you're trying to access. If you don't know your tenant or subscription ID, you can find it in the Azure portal. |
| Azure CLI | Download and install the Azure CLI. |
| Entra app | (If authenticating for a service principal) Create the Entra application and have the app client ID and client secret ready. |
Acquiring an Entra token for yourself
Sign in to the Azure CLI using the az login command and follow the on-screen instructions.
Set the correct subscription for the signed-in user with these bash commands. Make sure the Azure subscription ID is associated with the tenant connected to the Azure DevOps organization you're trying to access. If you don't know your subscription ID, you can find it in the Azure portal.
az account set -s <subscription-id>
Generate a Microsoft Entra ID access token with the az account get-access-token command using the Azure DevOps resource ID: 499b84ac-1321-427f-aa17-267ca6975798.
az account get-access-token \
--resource 499b84ac-1321-427f-aa17-267ca6975798 \
--query "accessToken" \
-o tsv
Sign in to Azure PowerShell using the Connect-AzAccount command and follow the on-screen instructions.
Set the correct subscription for the signed-in user with these PowerShell commands. Make sure the Azure subscription ID is associated with the tenant connected to the Azure DevOps organization you're trying to access. If you don't know your subscription ID, you can find it in the Azure portal.
Set-AzContext -Subscription <subscriptionID>
Generate a Microsoft Entra ID access token with the Get-AzAccessToken command using the Azure DevOps resource ID: 499b84ac-1321-427f-aa17-267ca6975798.
Get-AzAccessToken -ResourceUrl '499b84ac-1321-427f-aa17-267ca6975798'
Acquiring a token for a service principal
- Sign in to the Azure CLI as the service principal using the az devops login command.
- Follow the on-screen instructions and finish signing in.
# To authenticate a service principal with a password or cert:
az login --service-principal -u <app-id> -p <password-or-cert> --tenant <tenant>
# To authenticate a managed identity:
az login --identity
- Set the correct subscription for the signed-in service principal by entering the command:
az account set -s <subscription-id>
- Generate a Microsoft Entra ID access token with the az account get-access-token command using the Azure DevOps resource ID: 499b84ac-1321-427f-aa17-267ca6975798.
$accessToken = az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query "accessToken" --output tsv
Note
Use the Azure DevOps application ID, not our resource URI, for generating tokens.
- Now, you can use az cli commands per usual. Let's try to call an Azure DevOps API by passing the token in the headers as a Bearer token:
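# Placeholder: replace with the name of your Azure DevOps organization.
$yourOrgname = "<your-organization-name>"
$apiVersion = "7.1-preview.1"
$uri = "https://dev.azure.com/${yourOrgname}/_apis/projects?api-version=${apiVersion}"
# Send the Entra access token acquired above as a Bearer token.
$headers = @{
    Accept = "application/json"
    Authorization = "Bearer $accessToken"
}
# List the id and name of each project in the organization.
Invoke-RestMethod -Uri $uri -Headers $headers -Method Get |
    Select-Object -ExpandProperty value |
    Select-Object id, name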
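Because the token is short-lived and is issued for one specific resource, it is worth checking both properties before attaching it to a request. The following is an added example, not part of the original page or Microsoft's tooling. It assumes the access token is a compact JWT with top-level `aud` and `exp` claims and that `aud` equals the resource ID requested above; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: check an Entra access token before sending it to Azure DevOps.
# Assumes the token is a compact JWT whose "aud" and "exp" claims are top-level.
ADO_RESOURCE_ID="499b84ac-1321-427f-aa17-267ca6975798"   # resource ID from the page

# Decode one base64url segment (JWT segments use '-'/'_' and drop '=' padding).
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  printf '%s' "$s" | base64 -d 2>/dev/null
}

# Print a top-level string or numeric claim from the token's payload segment.
jwt_claim() {   # usage: jwt_claim <token> <claim-name>
  local payload
  payload=$(b64url_decode "$(printf '%s' "$1" | cut -d. -f2)") || return 1
  printf '%s' "$payload" | sed -n "s/.*\"$2\" *: *\"\{0,1\}\([^\",}]*\).*/\1/p"
}

# Returns 0 if usable, 2 if unparseable, 3 if wrong audience, 4 if (nearly) expired.
check_ado_token() {   # usage: check_ado_token <token> [min_seconds_left] [now_epoch]
  local token=$1 min_left=${2:-300} now=${3:-$(date +%s)} aud exp
  aud=$(jwt_claim "$token" aud) || return 2
  exp=$(jwt_claim "$token" exp) || return 2
  case $exp in ''|*[!0-9]*) echo "cannot read exp claim" >&2; return 2 ;; esac
  if [ "$aud" != "$ADO_RESOURCE_ID" ]; then
    echo "token audience is '$aud', not Azure DevOps" >&2; return 3
  fi
  if [ $(( exp - now )) -le "$min_left" ]; then
    echo "token has $(( exp - now ))s left; acquire a new one" >&2; return 4
  fi
}

# Constructed, unsigned sample token (not a real credential) for an offline run.
make_sample_token() {   # usage: make_sample_token <aud> <exp_epoch>
  local body
  body=$(printf '{"aud":"%s","exp":%s}' "$1" "$2" | base64 | tr -d '=\n' | tr '/+' '_-')
  printf 'e30.%s.constructed' "$body"
}

sample=$(make_sample_token "$ADO_RESOURCE_ID" "$(( $(date +%s) + 3600 ))")
check_ado_token "$sample" && echo "sample token: ok for Azure DevOps"
# Real use: token=$(az account get-access-token --resource "$ADO_RESOURCE_ID" \
#             --query accessToken -o tsv) && check_ado_token "$token"
```

The check reads claims only and does not verify the token's signature; Azure DevOps still performs the authoritative validation.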