Choose the right authentication mechanism
Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019
For applications that interface with Azure DevOps Services, you must authenticate to gain access to resources like REST APIs. This article provides guidance to help you choose the right authentication mechanism for your application.
The following table outlines the recommended authentication mechanisms for different application types. Refer to the accompanying descriptions, examples, and code samples to help get you started.
Type of application | Description | Example | Authentication mechanism | Code samples |
---|---|---|---|---|
Interactive client-side app (REST) | Client application that allows user interaction calling Azure DevOps Services REST APIs | Console application enumerating projects in an organization | Microsoft Authentication Library (MSAL) | sample |
Interactive client-side app (client libraries) | Client application that allows user interaction calling Azure DevOps Services Client libraries | Console application enumerating bugs assigned to the current user | Client libraries | sample |
Interactive JavaScript app | GUI-based JavaScript application | AngularJS single page app displaying project information for a user | Microsoft Authentication Library for JavaScript (MSAL JS) | sample |
Interactive OAuth web app | GUI-based web application that requires user consent | Custom Web dashboard displaying build summaries | OAuth | sample |
Non-interactive client-side app | Headless, text-only client-side application | Console app displaying all bugs assigned to a user | Device Profile | sample |
Personal access token (PAT) | Bearer token to access your own resources | Use your PAT in place of your password for REST requests. Not ideal for building applications. | PATs | docs |
Server app | Azure DevOps Server app using the Client OM library | Azure DevOps Server extension displaying team bug dashboards | Client Libraries | sample |
Service principals app | Application with access to organization's Azure DevOps resources | Azure function to create work items | Service principals and managed identities | sample |
Web extension | Azure DevOps Services extension | Agile Cards extension | VSS Web Extension SDK | sample |
For more information, see the following articles:
- About security and identity
- OAuth authentication
- Service principals and managed identities
- Azure DevOps Client Libraries
- Azure DevOps extensions
- Azure DevOps data protection overview
Enabling IIS Basic Authentication invalidates using PATs for Azure DevOps Server
For more information, see Using IIS Basic Authentication with Azure DevOps on-premises.
Frequently asked questions (FAQs)
Q: Why can't my service account access the Azure DevOps REST API?
A: Your service account might not have "materialized." Service accounts without interactive sign-in permissions can't sign in. For more information, see this work-around for a solution.
Q: Should I use Azure DevOps Services Client Libraries or Azure DevOps Services REST APIs for my interactive client-side application?
A: We recommend using Azure DevOps Services Client Libraries over REST APIs for accessing Azure DevOps Services resources. They're simpler and easier to maintain when REST endpoint versions change. If the client libraries lack certain functionality, use MSAL for authentication with our REST APIs.
Q: Is this guidance only for Azure DevOps Services or is it also relevant for on-premises Azure DevOps Server users?
A: This guidance is primarily for Azure DevOps Services users. For Azure DevOps Server users, we recommend using the Client Libraries, Windows Authentication, or Personal Access Tokens (PATs) for authentication.
Q: What if I want my application to authenticate with both Azure DevOps Server and Azure DevOps Services?
A: The best practice is to have separate authentication paths for Azure DevOps Server and Azure DevOps Services. You can use the requestContext to determine which service you're accessing and then apply the appropriate authentication mechanism. If you prefer a unified solution, PATs work for both.