Microsoft Entra ID is an identity and access management (IAM) platform that allows companies to manage organization membership and safeguard company resources. Many Azure DevOps enterprise customers choose to connect their Azure DevOps organization to a Microsoft Entra ID tenant to support managing the large volume of users in their company and take advantage of other security features that Microsoft Entra offers.
Note
Microsoft Entra was once called Azure Active Directory (Azure AD), so you may still see references to Azure AD across Microsoft products. Active Directory may also be referenced as the on-premises equivalent of Microsoft Entra.
Once connected, the Microsoft Identity application platform that sits on top of Microsoft Entra ID can be used to register an application to access Azure tenants and define the permissions needed from Azure resources, including Azure DevOps.
We support app development for:
- Microsoft Entra OAuth apps (on-behalf-of users)
- Microsoft Entra service principals and managed identities (on-behalf-of itself apps)
Azure DevOps-based auth vs. Entra-based auth
Many native Azure DevOps-based authentication methods (for example, personal access tokens (PATs) and Azure DevOps OAuth apps) were created before Microsoft Entra existed. Microsoft Entra tokens offer a more secure alternative: they last only one hour before requiring a refresh, and the protocols used to issue them are more robust. Security measures like Conditional Access policies protect against token theft and replay attacks. Meanwhile, our native tokens sit outside Azure and have no native support for concepts such as tenants or Conditional Access.
Tokens issued by each platform are also distinct. Microsoft Entra OAuth apps issue Microsoft Entra tokens, not Azure DevOps access tokens, and the two can't be used interchangeably on either platform. If you are migrating from Azure DevOps OAuth to Microsoft Entra OAuth, users must reauthorize the new app.
Replace PATs with Microsoft Entra tokens
Personal access tokens (PATs) are a popular form of Azure DevOps authentication due to their ease of creation and use. However, poor PAT management and storage can result in leaks and unauthorized access to your Azure DevOps organizations. Long-lived or over-scoped PATs increase the risk of damage from a leaked PAT. We encourage users to explore using Microsoft Entra tokens instead of PATs whenever possible.
Common PAT alternatives
Because of this risk, admins are increasingly requesting security policies that restrict PAT creation, which makes PATs a less viable option for accessing Azure DevOps programmatically. Beyond migrating any existing app development to the Microsoft Identity platform, the following table lists common Azure DevOps use cases that historically rely on PATs, together with their recommended Microsoft Entra alternative.
| PAT scenario | Entra alternative |
|---|---|
| Authenticate with Git Credential Manager (GCM) | GCM defaults to authenticating with PATs. Set the default credential type to `oauth`. Learn more on our Git Credential Manager (GCM) page. |
| Authenticate in a build or release pipeline | Use a service connection with Workload Identity Federation. |
| Ad-hoc requests to Azure DevOps REST APIs | Issue a one-off Microsoft Entra token using Azure CLI. |
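The following added example (not code from the Microsoft Learn page or from Azure DevOps itself) shows the last row of the table in practice: it asks a signed-in Azure CLI session for a one-off Microsoft Entra token, inspects the token's claims to confirm it was issued for Azure DevOps rather than another resource (the "tokens can't be used interchangeably" point above) and that it carries the short one-hour lifetime, and then sends it as a bearer token to the Azure DevOps REST API. It assumes `az login` has already been run, that `499b84ac-1321-427f-aa17-267ca6975798` is the well-known Azure DevOps application ID in Microsoft Entra (a known value, but not one that appears on this page), and that the organization name `ORGANIZATION_PLACEHOLDER` is replaced by your own. The `make_unsigned_sample_token` helper only builds a constructed, unsigned token so the claim checks can be exercised offline; it is not how real tokens are produced.

```python
"""Obtain a one-off Microsoft Entra token for Azure DevOps via Azure CLI,
sanity-check its claims, and call a REST API with it.

Added example; assumes a signed-in Azure CLI session (`az login`)."""
import base64
import json
import subprocess
import time
import urllib.request
from typing import Optional

# Well-known application (resource) ID of Azure DevOps in Microsoft Entra.
# Known value, assumed here; it is not stated on the page this example accompanies.
AZURE_DEVOPS_RESOURCE_ID = "499b84ac-1321-427f-aa17-267ca6975798"


def get_entra_token_via_az() -> str:
    """Ask the signed-in Azure CLI session for an access token scoped to Azure DevOps.

    Equivalent shell command:
      az account get-access-token --resource <resource-id> --query accessToken -o tsv
    """
    result = subprocess.run(
        ["az", "account", "get-access-token",
         "--resource", AZURE_DEVOPS_RESOURCE_ID,
         "--query", "accessToken", "-o", "tsv"],
        check=True, capture_output=True, text=True,
    )
    return result.stdout.strip()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature.

    This is for local inspection only (which resource, when it expires);
    Azure DevOps validates the signature server-side.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_token_for_azure_devops(token: str, now: Optional[float] = None) -> dict:
    """Report whether the token is usable against Azure DevOps.

    A Microsoft Entra token issued for another resource (e.g. Microsoft Graph)
    has a different `aud` and is rejected by Azure DevOps, so check it up front.
    """
    claims = decode_claims(token)
    now = time.time() if now is None else now
    audience = str(claims.get("aud", ""))
    remaining = int(claims.get("exp", 0)) - now
    return {
        "audience_ok": AZURE_DEVOPS_RESOURCE_ID in audience,
        "seconds_remaining": remaining,
        "expired": remaining <= 0,
    }


def auth_header(token: str) -> dict:
    """Microsoft Entra tokens go in a Bearer header (PATs used Basic auth instead)."""
    return {"Authorization": f"Bearer {token}"}


def list_projects(organization: str, token: str) -> list:
    """Call the Azure DevOps REST API (Projects - List) with the Entra token."""
    url = f"https://dev.azure.com/{organization}/_apis/projects?api-version=7.1"
    request = urllib.request.Request(url, headers=auth_header(token))
    with urllib.request.urlopen(request) as response:
        body = json.load(response)
    return [project["name"] for project in body["value"]]


def make_unsigned_sample_token(claims: dict) -> str:
    """Constructed, unsigned JWT for offline testing of the claim checks only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    token = get_entra_token_via_az()
    diagnostics = check_token_for_azure_devops(token)
    if not diagnostics["audience_ok"] or diagnostics["expired"]:
        raise SystemExit(f"token not usable for Azure DevOps: {diagnostics}")
    print(f"token valid for about {diagnostics['seconds_remaining'] / 60:.0f} more minutes")
    print(list_projects("ORGANIZATION_PLACEHOLDER", token))
```

Because the token expires after roughly an hour, a script that runs longer than that should call `get_entra_token_via_az` again rather than caching the string; that short lifetime, together with Conditional Access applying to the `az login` session, is what makes this safer than a long-lived PAT stored beside the script.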
Tip
Have an Azure DevOps PAT scenario with no clear Microsoft Entra token alternative? Share your scenario in the Developer Community!