Rediger

Del via


Choose the right authentication mechanism

Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019

For applications that interface with Azure DevOps Services, you must authenticate to gain access to resources like REST APIs. This article provides guidance to help you choose the right authentication mechanism for your application.

The following table outlines the recommended authentication mechanisms for different application types. Refer to the accompanying descriptions, examples, and code samples to help get you started.

Type of application Description Example Authentication mechanism Code samples
Interactive client-side app (REST) Client application that allows user interaction calling Azure DevOps Services REST APIs Console application enumerating projects in an organization Microsoft Authentication Library (MSAL) sample
Interactive client-side app (client libraries) Client application that allows user interaction calling Azure DevOps Services Client libraries Console application enumerating bugs assigned to the current user Client libraries sample
Interactive JavaScript app GUI-based JavaScript application AngularJS single page app displaying project information for a user Microsoft Authentication Library for JavaScript (MSAL JS) sample
Interactive OAuth web app GUI-based web application that requires user consent Custom Web dashboard displaying build summaries OAuth sample
Non-interactive client-side app Headless text only client-side application Console app displaying all bugs assigned to a user Device Profile sample
Personal access token (PAT) Bearer token to access your own resources Use your PAT in place of your password for REST requests. Not ideal for building applications. PATs docs
Server app Azure DevOps Server app using the Client OM library Azure DevOps Server extension displaying team bug dashboards Client Libraries sample
Service principals app Application with access to organization's Azure DevOps resources Azure function to create work items Service principals and managed identities sample
Web extension Azure DevOps Services extension Agile Cards extension VSS Web Extension SDK sample

For more information, see the following articles:

Enabling IIS Basic Authentication invalidates using PATs for Azure DevOps Server

For more information, see Using IIS Basic Authentication with Azure DevOps on-premises.

Frequently asked questions (FAQs)

Q: Why can't my service account access the Azure DevOps REST API?

A: Your service account might not have "materialized." Service accounts without interactive sign-in permissions can't sign in. For more information, see this work-around for a solution.

Q: Should I use Azure DevOps Services Client Libraries or Azure DevOps Services REST APIs for my interactive client-side application?

A: We recommend using Azure DevOps Services Client Libraries over REST APIs for accessing Azure DevOps Services resources. They're simpler and easier to maintain when REST endpoint versions change. If the client libraries lack certain functionality, use MSAL for authentication with our REST APIs.

Q: Is this guidance only for Azure DevOps Services or is it also relevant for on-premises Azure DevOps Server users?

A: This guidance is primarily for Azure DevOps Services users. For Azure Devops Server users, we recommend using the Client Libraries, Windows Authentication, or Personal Access Tokens (PATs) for authentication.

Q: What if I want my application to authenticate with both Azure DevOps Server and Azure DevOps Services?

A: The best practice is to have separate authentication paths for Azure DevOps Server and Azure DevOps Services. You can use the requestContext to determine which service you're accessing and then apply the appropriate authentication mechanism. If you prefer a unified solution, PATs work for both.