Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019
Important
Microsoft Entra ID authentication is recommended for new applications integrating with Azure DevOps Services. Personal access tokens should be used sparingly and only when Microsoft Entra ID isn't available.
This article helps you choose the most appropriate authentication method for your Azure DevOps integration. Modern authentication approaches like Microsoft Entra ID provide enhanced security and are recommended for new applications.
Note
OAuth 2.0 and Microsoft Entra ID authentication are only available for Azure DevOps Services, not Azure DevOps Server. For on-premises scenarios, use Client Libraries, Windows Authentication, or personal access tokens.
Authentication methods by scenario
Choose the appropriate authentication method based on your application type and requirements:
Application Type | Description | Example | Recommended Method | Code Samples |
---|---|---|---|---|
Web/desktop apps | Interactive applications using current frameworks | React app, .NET desktop app | Microsoft Entra ID OAuth with MSAL | sample |
Service/background apps | Applications running without user interaction | Azure Functions, background services | Service principals & managed identities | sample |
Legacy client apps | Existing applications using client libraries | Console apps with Azure DevOps .NET libraries | Client Libraries with OAuth | sample |
Headless/CLI apps | Non-interactive command-line tools | Build scripts, automation tools | Device Code Flow | sample |
Azure DevOps extensions | Extensions running within Azure DevOps | Custom dashboard widgets, work item forms | VSS Web Extension SDK | sample |
Azure DevOps Server apps | On-premises Azure DevOps Server integrations | Custom server extensions | Client Libraries or Windows Auth | sample |
Personal/ad-hoc scripts | Quick scripts for personal use | PowerShell scripts, curl commands | Personal Access Tokens | examples |
Getting started recommendations
For new applications
- Start with Microsoft Entra ID authentication for the best security and future compatibility.
- Use service principals or managed identities for service-to-service scenarios.
- Avoid personal access tokens in production applications.
For existing applications
- Plan migration from personal access tokens to Microsoft Entra ID authentication.
- Consider the authentication migration timeline for Azure DevOps improvements.
- Review your current authentication approach against security best practices.
For Azure DevOps Server
- Use Client Libraries with Windows Authentication when possible.
- Personal access tokens are acceptable for some Azure DevOps Server scenarios.
- Plan for future Azure DevOps Services migration to take advantage of modern authentication.
Frequently asked questions
Q: Should I use Microsoft Entra ID OAuth or Personal Access Tokens?
A: Use Microsoft Entra ID OAuth for:
- New applications and integrations
- Production workloads requiring robust security
- Applications needing enterprise identity integration
- Long-term projects with compliance requirements
Use Personal Access Tokens only for:
- Personal scripts and ad-hoc tasks
- Legacy applications during migration planning
- Azure DevOps Server scenarios where modern authentication isn't available
Q: Should I use service principals or user delegation for authentication?
A: Use service principals or managed identities when:
- Building applications that operate independently (background services, automation)
- Creating apps that don't require user interaction
- Implementing service-to-service communication
- Building CI/CD pipelines or automated workflows
Use user delegation (OAuth with user consent) when:
- Building applications that act on behalf of human users
- Creating interactive apps where users sign in with their own credentials
- Implementing features that require user-specific permissions
- Building apps that need to respect each user's individual access rights
Q: How do I authenticate with both Azure DevOps Server and Azure DevOps Services?
A: Best practice: Create separate authentication paths:
- Azure DevOps Services: Use Microsoft Entra ID OAuth
- Azure DevOps Server: Use Client Libraries with Windows Authentication or PATs
Use the requestContext to detect the service type and apply the appropriate authentication method.
Q: Why can't my service account access Azure DevOps APIs?
A: Common issues:
- Service account not "materialized": Service accounts need interactive sign-in permissions or proper Microsoft Entra ID registration
- Insufficient permissions: Ensure the service account has appropriate Azure DevOps permissions
- Authentication method: Use service principals or managed identities instead of trying to authenticate as a service account
Q: How do I migrate from PATs to modern authentication?
A: Do the following steps:
- Identify current PAT usage in your applications
- Choose the appropriate modern method:
  - Microsoft Entra ID OAuth for user-delegated scenarios
  - Service principals for service-to-service scenarios
- Update authentication code using our migration samples
- Test thoroughly before removing PAT dependencies
- Monitor and validate the new authentication method
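The first migration step, identifying current PAT usage, can be partly automated. The following Python script is an added example, not part of the original article or its linked samples: it scans source text for signs of PAT-based authentication, relying on the fact that a PAT is sent as HTTP Basic auth with an empty user name. The indicator patterns and the sample files are assumptions constructed for illustration and are not an official or exhaustive list.

```python
import re
from collections import defaultdict

# Heuristic indicators of PAT-based auth (chosen for this example, not an official list).
# A PAT is sent as HTTP Basic auth with an empty user name: base64(":" + PAT).
INDICATORS = {
    "curl-empty-user": re.compile(r"""-u\s+["']?:"""),                  # curl -u :$PAT
    "empty-user-literal": re.compile(r"""["']:(?:\{|\$|["']\s*\+)"""),  # ":" + pat, f":{pat}", ":$pat"
    "basic-header": re.compile(r"Authorization\W+Basic\b"),             # hand-built Basic header
    "pat-env-var": re.compile(r"\b(?:[A-Z0-9]+_)+PAT\b"),               # e.g. AZURE_DEVOPS_EXT_PAT
}

# Constructed sample files (not taken from any real repository).
SAMPLE_FILES = {
    "deploy.sh": 'curl -s -u ":$ADO_PAT" https://dev.azure.com/contoso/_apis/projects\n',
    "client.py": 'token = base64.b64encode(f":{pat}".encode()).decode()\n'
                 'headers = {"Authorization": "Basic " + token}\n',
    "build.ps1": '$env:AZURE_DEVOPS_EXT_PAT = $secret\naz devops project list\n',
    # Already migrated: bearer token from Microsoft Entra ID, so no indicator should fire.
    "svc.py": 'headers = {"Authorization": "Bearer " + cred.get_token(SCOPE).token}\n',
}


def scan(files):
    """Return {filename: [(line_no, indicator), ...]} for every file with a hit."""
    findings = defaultdict(list)
    for name, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for indicator, pattern in INDICATORS.items():
                if pattern.search(line):
                    findings[name].append((line_no, indicator))
    return dict(findings)


def inventory(files):
    """Collapse findings to {filename: sorted indicator names} as a migration worklist."""
    return {name: sorted({ind for _, ind in hits}) for name, hits in scan(files).items()}


if __name__ == "__main__":
    for name, hits in scan(SAMPLE_FILES).items():
        for line_no, indicator in hits:
            print(f"{name}:{line_no}: {indicator}")
```

Each flagged file still needs a manual decision between user-delegated OAuth and a service principal, since the patterns show only that a PAT is in use, not who the caller acts for.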