Authentication Azure App Credentials
Description
Use Azure AD service principal credentials (client id + secret) with the client credentials flow. Recommended for automated server-to-server access instead of PAT or delegated OAuth. [API reference]
Instructions
Step 1: Register the App in Microsoft Entra ID (AAD)
- Go to the Azure Portal > Microsoft Entra ID > App registrations and click New registration.
- Name it (e.g., ZS-AzureDevOps-AppCred).
- Set Supported account types to "Accounts in this organizational directory only" (Single Tenant).
- Leave Redirect URI blank (it's not used for Client Credentials).
- Click Register.
Step 2: Create a Client Secret
- In your new app, go to Certificates & secrets.
- Click New client secret, give it a name, and set an expiration.
- Copy the Secret Value immediately. You will never see it again once you leave the page.
Step 3: Set Permissions and Admin Consent
- Go to API permissions > Add a permission.
- Select Azure DevOps and click Delegated permissions.
- Check the necessary scopes (e.g., vso.project, vso.work_full).
- Crucial: Click Grant admin consent for [Your Tenant]. Without this, the app cannot authenticate in the background.
Step 4: Map the App to Azure DevOps Organization
- Copy your Application (client) ID from the App Overview page.
- Go to your Azure DevOps Organization Settings > Users.
- Click Add users, paste the Application (client) ID in the search box, and select the App.
- Assign an Access level (usually Basic) and add it to the relevant Projects.
Step 5: Connection Settings
In your SSIS package or ODBC data source, use the following in the App Credentials configuration:
- In the Token URL field, paste the OAuth token endpoint (v2) URL from the Azure Portal 'Endpoints' tab.
- In the Client ID field, paste the Application (client) ID.
- In the Client Secret field, paste the Secret Value copied in Step 2.
- In the Scope field, use:
https://app.vssps.visualstudio.com/.default
Step 6: Finalize Connection
- Press the Generate Token button to fetch the token using the Client Secret.
- Click Test Connection to confirm the setup.
- Done! You are ready to use the API Connector!
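To check the Step 5 values outside the connector, the following added example (not part of the connector or its documentation) builds the same client credentials token request and a read-only call to list projects. The environment variable names are hypothetical, and it assumes the v2 token endpoint path ends in /oauth2/v2.0/token and that the organization is reached at dev.azure.com.

```python
import json
import os
import urllib.parse
import urllib.request

SCOPE = "https://app.vssps.visualstudio.com/.default"  # Scope value from Step 5


def build_token_request(token_url, client_id, client_secret, scope=SCOPE):
    """Check the Step 5 values, then build the client-credentials token request."""
    parts = urllib.parse.urlsplit(token_url)
    # Assumption: the v2 endpoint ends in /oauth2/v2.0/token; refuse plain http.
    if parts.scheme != "https" or not parts.path.endswith("/oauth2/v2.0/token"):
        raise ValueError("Token URL must be the https OAuth v2 token endpoint")
    scopes = scope.split()
    # App-only flow: one <resource>/.default scope, no offline_access.
    if len(scopes) != 1 or not scopes[0].endswith("/.default"):
        raise ValueError("Scope must be a single '<resource>/.default' value")
    if not client_id or not client_secret:
        raise ValueError("Client ID and Client Secret are both required")
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": scopes[0]}
    return urllib.request.Request(
        token_url, data=urllib.parse.urlencode(form).encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def build_projects_request(organization, access_token, api_version="7.0"):
    """Build a read-only 'list projects' call that presents the bearer token."""
    url = "https://dev.azure.com/{}/_apis/projects?api-version={}".format(
        urllib.parse.quote(organization, safe=""),
        urllib.parse.quote(api_version, safe=""))
    return urllib.request.Request(url, headers={"Authorization": "Bearer " + access_token})


def main():
    # Hypothetical variable names; the secret comes from the environment, not the file.
    env = os.environ
    token_req = build_token_request(
        env["AZDO_TOKEN_URL"], env["AZDO_CLIENT_ID"], env["AZDO_CLIENT_SECRET"])
    with urllib.request.urlopen(token_req, timeout=30) as resp:
        token = json.load(resp)["access_token"]
    projects_req = build_projects_request(env["AZDO_ORG"], token)
    with urllib.request.urlopen(projects_req, timeout=30) as resp:
        print([p["name"] for p in json.load(resp)["value"]])


if __name__ == "__main__":
    main()
```

A ValueError here points at a wrong Token URL or Scope before any secret is sent; an HTTP error on the second request usually means the app has not been added to the organization as in Step 4.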
Parameters
| Parameter | Required | Default value | Options |
|---|---|---|---|
| Label: Token URL | YES | | |
| Label: Client ID | YES | | |
| Label: Client Secret | YES | | |
| Label: Scopes (Use .default for App Credentials). For App Credentials or Certificates, use the **.default** scope to automatically include all permissions granted and consented to in the Azure App Registration. Note: offline_access is not used in App-Only flows as refresh tokens are not required. | YES | https://app.vssps.visualstudio.com/.default | |
| Label: Organization name or Id. The organization name or Id obtained from Azure DevOps. | YES | | |
| Label: API Version. The version of the Azure DevOps API to use. | YES | 7.0 | |
| Label: Default Project Name. The default project name to make API calls for. | | | |
| Label: RetryMode | | RetryWhenStatusCodeMatch | |
| Label: RetryStatusCodeList | | 429 | |
| Label: RetryCountMax | | 5 | |
| Label: RetryMultiplyWaitTime | | True | |