Authentication overview
Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019
Selecting the right authentication method is crucial for secure access to your Azure Repos and Azure DevOps Server Git repositories. Whether you're working from a command prompt or using a Git client that supports HTTPS or SSH, it's important to choose credentials that not only provide the necessary access but also limit the scope to what's needed for your tasks.
Always revoke credentials when they're no longer required to maintain the security of your repositories. This approach ensures that you have the flexibility to work with your code securely and efficiently, while also safeguarding it against unauthorized access.
Important
Azure DevOps doesn't support Alternate Credentials authentication. If you're still using Alternate Credentials, we strongly encourage you to switch to a more secure authentication method.
Authentication comparison
| Authentication Type | When to use | Secure? | Ease of setup | Additional tools |
|---|---|---|---|---|
| Personal access tokens | You need an easy to configure credential or need configurable access controls | Very secure (when using HTTPS) | Easy | Optional (Git credential managers) |
| SSH | You already have SSH keys set up, or are on macOS or Linux | Very secure | Intermediate | Windows users will need the SSH tools included with Git for Windows |
Note
Visual Studio 2019 version 16.8 and later versions provide a new Git menu for managing the Git workflow with less context switching than Team Explorer. Procedures provided in this article under the Visual Studio tab provide information for using the Git experience as well as Team Explorer. For more information, see Side-by-side comparison of Git and Team Explorer.
Personal access tokens
Personal access tokens (PATs) provide access to Azure DevOps without using your username and password directly. These tokens expire and allow you to restrict the scope of the data they can access. Use PATs to authenticate if you don't have SSH keys set up on your system or need to limit the permissions granted by the credential.
For more information, see Use personal access tokens
Use Git Credential Manager to generate tokens
The Git Credential Manager is an optional tool that makes it easy to create PATs when you're working with Azure Repos. Sign in to the web portal, generate a token, and then use the token as your password when you're connecting to Azure Repos.
PATs are generated on demand when you have the credential manager installed. The credential manager creates the token in Azure DevOps and saves it locally for use with the Git command line or other client.
Note
Current versions of Git for Windows include the Git credential manager as an optional feature during installation.
SSH key authentication
Key authentication with SSH works through a public and private key pair that you create on your computer. You associate the public key with your username from the web. Azure DevOps will encrypt the data sent to you with that key when you work with Git. You decrypt the data on your computer with the private key, which is never shared or sent over the network.
SSH is a great option if you've already got it set up on your system—just add a public key to Azure DevOps and clone your repos using SSH. If you don't have SSH set up on your computer, you should use PATs and HTTPS instead - it's secure and easier to set up.
For more information, see Set up SSH with Azure DevOps.
OAuth
Use OAuth to generate tokens for accessing REST APIs. The Accounts and Profiles APIs support only OAuth.
- SSH authentication to generate encryption keys when you use Linux, macOS, or Windows running Git for Windows and can't use Git credential managers or personal access tokens for HTTPS authentication.