Azure DevOps Services
The Microsoft identity platform offers many ways to authenticate users via the OAuth 2.0 protocol. In these docs, we use "OAuth tokens" colloquially to refer to on-behalf-of user flows, also known as delegated flows, for apps that request tokens to perform actions for their users.
This differs from apps that perform actions on their own behalf. For those, use service principals and managed identities.
Resources for developers
- Register an application with the Microsoft identity platform
- Add permissions for access to Microsoft Graph: Learn how to add delegated permissions from an Azure resource. Instead of Microsoft Graph, select Azure DevOps from the list of resources.
- Read about scopes and permissions in the Microsoft identity platform: Understand the .default scope. See the scopes available for Azure DevOps in our list of scopes.
- Request permissions through consent
- Use authentication libraries and code samples
- Explore support and help options for developers
Resources for admins
- Understand application management in Microsoft Entra ID
- Add an enterprise application
- Explore the consent experience for applications in Microsoft Entra ID
Tips for building & migrating
- Microsoft Entra apps don't natively support Microsoft account (MSA) users for the Azure DevOps resource. If you're building an app that must cater to MSA users or support both Microsoft Entra and MSA users, Azure DevOps OAuth apps remain your best option. We're currently working on native support for MSA users through Microsoft Entra OAuth.
- Azure DevOps' resource identifier: 499b84ac-1321-427f-aa17-267ca6975798
- Azure DevOps' resource URI: https://app.vssps.visualstudio.com
- Use the .default scope when requesting a token with all scopes that the app is permissioned for.
- In a previous Azure DevOps OAuth app, you might have used Azure DevOps user identifiers that don't exist in Microsoft Entra. When migrating to Microsoft Entra, use the ReadIdentities API to resolve and match the different identities used by each identity provider.
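
The tips above, applied in an added example that is not part of the original documentation: it builds the delegated-flow authorization request with the Azure DevOps .default scope, PKCE and a state value, then checks the redirect before the code is exchanged. The tenant, client ID and redirect URI are constructed placeholders, and the function names are hypothetical.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Resource identifier from the page; "/.default" requests every scope the app
# has been granted for that resource.
AZDO_RESOURCE_ID = "499b84ac-1321-427f-aa17-267ca6975798"
AZDO_DEFAULT_SCOPE = f"{AZDO_RESOURCE_ID}/.default"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def pkce_challenge(verifier: str) -> str:
    """S256 code challenge (RFC 7636) for a given code verifier."""
    return _b64url(hashlib.sha256(verifier.encode()).digest())

def build_authorize_request(tenant: str, client_id: str, redirect_uri: str):
    """Return (url, state, verifier); keep state and verifier in the user's session."""
    state, verifier = secrets.token_urlsafe(16), _b64url(secrets.token_bytes(32))
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": AZDO_DEFAULT_SCOPE,
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    base = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"
    return f"{base}?{urlencode(params)}", state, verifier

def read_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code, rejecting errors and mismatched state."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response does not belong to this session")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code

if __name__ == "__main__":
    # Constructed placeholder values, not a real tenant or app registration.
    url, state, _ = build_authorize_request(
        "organizations", "00000000-0000-0000-0000-000000000000",
        "https://localhost/callback")
    print(url)
```

The returned verifier is sent as code_verifier when the authorization code is redeemed at the token endpoint, which binds the code to the session that started the request.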