Issue Entra tokens with Azure CLI

Article
2025-05-14

Use the Azure CLI to issue a Microsoft Entra token and call Azure DevOps REST APIs. Since Entra access tokens only last for one hour, they're ideal for quick one-off operations. You can use Azure CLI to acquire a user token for yourself or on behalf of a service principal.

Prerequisites

Category	Requirements
Entra tenant and subscription	Make sure the subscription is associated with the tenant connected to the Azure DevOps organization you're trying to access. If you don't know your tenant or subscription ID, you can find it in the Azure portal.
Azure CLI	Download and install the Azure CLI.
Entra app	(If authenticating for a service principal) Create the Entra application and have the app client ID and client secret ready.

Sign in to the Azure CLI using the az login command and follow the on-screen instructions.
Set the correct subscription for the signed-in user with these bash commands. Make sure the Azure subscription ID is associated with the tenant connected to the Azure DevOps organization you're trying to access. If you don't know your subscription ID, you can find it in the Azure portal.
```
az account set -s <subscription-id>
```
Generate a Microsoft Entra ID access token with the az account get-access-token command using the Azure DevOps resource ID: 499b84ac-1321-427f-aa17-267ca6975798.
```
az account get-access-token \
--resource 499b84ac-1321-427f-aa17-267ca6975798 \
--query "accessToken" \
-o tsv
```

Sign in to Azure PowerShell using the Connect-AzAccount command and follow the on-screen instructions.
Set the correct subscription for the signed-in user with these PowerShell commands. Make sure the Azure subscription ID is associated with the tenant connected to the Azure DevOps organization you're trying to access. If you don't know your subscription ID, you can find it in the Azure portal.
```
Set-AzContext -Subscription <subscriptionID>
```
Generate a Microsoft Entra ID access token with the Get-AzAccessToken command using the Azure DevOps resource ID: 499b84ac-1321-427f-aa17-267ca6975798.
```
Get-AzAccessToken -ResourceUrl '499b84ac-1321-427f-aa17-267ca6975798'
```

Acquiring a token for a service principal

Sign in to the Azure CLI as the service principal using the az devops login command.
Follow the on-screen instructions and finish signing in.

# To authenticate a service principal with a password or cert:
az login --service-principal -u <app-id> -p <password-or-cert> --tenant <tenant>

# To authenticate a managed identity:
az login --identity

Set the right correct subscription for the signed-in service principal by entering the command:

az account set -s <subscription-id>

Generate a Microsoft Entra ID access token with the az account get-access-token the Azure DevOps resource ID: 499b84ac-1321-427f-aa17-267ca6975798.

$accessToken = az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query "accessToken" --output tsv

Note

Use the Azure DevOps application ID, not our resource URI, for generating tokens.

Now, you can use az cli commands per usual. Let's try to call an Azure DevOps API by passing it in the headers as a Bearer token:

$apiVersion = "7.1-preview.1"
$uri = "https://dev.azure.com/${yourOrgname}/_apis/projects?api-version=${apiVersion}"
$headers = @{
    Accept = "application/json"
    Authorization = "Bearer $accessToken"
}
Invoke-RestMethod -Uri $uri -Headers $headers -Method Get | Select-Object -ExpandProperty value ` | Select-Object id, name

Share via

Issue Entra tokens with Azure CLI

Prerequisites

Acquiring an Entra token for yourself

Feedback

Additional resources