Tags: azure, azure-devops, microsoft-entra-id

Use App registration as a PAT for Azure DevOps


I have an application that consumes an Azure DevOps PAT to do write and read operations in the repositories and pipelines.

Recently I found that I could do this with Azure Entra ID App Registration federated credentials.

I am very new to Azure Entra ID and couldn't find any resource on how I can use these credentials to perform the same operations as I would with an Azure DevOps PAT.

I found this (https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Clinux#add-federated-credentials), which is for GitHub, but I am not sure how it can be done for my use case, which is:

  • An application implemented to update/read azure devops repositories

Can someone help me if you have encountered or implemented such a solution?


Solution

  • As far as I know, in Azure DevOps the federated credentials of Microsoft Entra applications are only available for the Azure Resource Manager service connection.

    If you want to use a Microsoft Entra application as the authentication to access Azure DevOps resources, you can try to generate an access token (Microsoft Entra ID token) for the application following the steps below:

    Prerequisites in AAD

    1. Go to Microsoft Entra ID > App registrations to create a Service Principal if you do not have one in the current tenant.

    2. Open the Service Principal, go to Certificates & secrets > Client secrets tab to create a client secret for the Service Principal if there is not an existing valid client secret. Copy and remember the value of the client secret.

    Prerequisites in Azure DevOps Organization

    1. Go to Organization Settings > Microsoft Entra, ensure the organization has connected to the tenant which the Service Principal is in.

    2. Go to Organization Settings > Users, search and add the Service Principal into the organization.

    3. Add Service Principal into a group of the organization so that you can manage the permissions of the Service Principal through that group in the organization.

    Generate the Microsoft Entra ID token for the Service Principal

    You can use one of the following ways to generate the token:

    1. Using Bash script.

      # Client-credentials flow against the v2.0 token endpoint; the scope is the
      # Azure DevOps resource (application ID 499b84ac-1321-427f-aa17-267ca6975798)
      access_token=$(curl -s -X POST \
      -H "Content-Type: application/x-www-form-urlencoded" \
      'https://login.microsoftonline.com/{tenant_ID}/oauth2/v2.0/token' \
      -d 'grant_type=client_credentials&client_id={client_id}&client_secret={client_secret}&scope=499b84ac-1321-427f-aa17-267ca6975798/.default' \
      | jq -r '.access_token')
      
      • Replace {tenant_ID} with the Directory (tenant) ID of the tenant.
      • Replace {client_id} with the Application (client) ID of the Service Principal.
      • Replace {client_secret} with the value of the client secret created in the Service Principal.
    2. Using Postman.


    Note:

    This Microsoft Entra ID token has only a 24-hour lifetime, as Microsoft Entra rotates the token regularly. So, you need to refresh the token at least once every 24 hours.

    For more details, see "Use service principals & managed identities".
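The answer above stops at obtaining the token. The following is an added example, not code from the question, the answer or Microsoft, showing the two things a practitioner still needs when swapping a PAT for a service principal: sending the token as `Authorization: Bearer ...` instead of the PAT's `Basic` header, and refreshing it from the `expires_in` the token endpoint reports rather than assuming a fixed lifetime. It uses only the standard library; the HTTP transport is injectable so the token and refresh logic can be exercised offline. The Azure DevOps REST API version (`7.1`), the repository-listing endpoint, the environment variable names and the five-minute refresh margin are assumptions of this example.

```python
"""Use a Microsoft Entra service principal token in place of an Azure DevOps PAT.

Added example (not from the page). Assumptions: api-version 7.1, environment
variable names TENANT_ID/CLIENT_ID/CLIENT_SECRET/ADO_ORG/ADO_PROJECT, and a
300 s refresh margin.
"""
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional

# Application ID of the Azure DevOps resource in Entra; same scope as the answer's curl call.
AZURE_DEVOPS_RESOURCE_ID = "499b84ac-1321-427f-aa17-267ca6975798"
API_VERSION = "7.1"  # assumed Azure DevOps REST API version

# A transport is (url, body, headers) -> raw response bytes. Passing a fake one
# lets the token/refresh logic run without network access.
Transport = Callable[[str, Optional[bytes], Dict[str, str]], bytes]


def urllib_transport(url: str, body: Optional[bytes], headers: Dict[str, str]) -> bytes:
    """Real HTTP transport using the standard library (POST when a body is given)."""
    method = "POST" if body is not None else "GET"
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def build_token_request(tenant_id: str, client_id: str, client_secret: str):
    """Same client-credentials request the answer issues with curl, with the body URL-encoded."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # urlencode escapes '+', '/', '=' etc. in the secret
        "scope": f"{AZURE_DEVOPS_RESOURCE_ID}/.default",
    }).encode()
    return url, body, {"Content-Type": "application/x-www-form-urlencoded"}


class EntraTokenProvider:
    """Caches the access token and requests a new one shortly before it expires."""

    def __init__(self, tenant_id: str, client_id: str, client_secret: str,
                 transport: Transport = urllib_transport,
                 clock: Callable[[], float] = time.time, refresh_margin: float = 300.0):
        self._creds = (tenant_id, client_id, client_secret)
        self._transport = transport
        self._clock = clock
        self._margin = refresh_margin
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def get_token(self) -> str:
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._margin:
            url, body, headers = build_token_request(*self._creds)
            payload = json.loads(self._transport(url, body, headers))
            if "access_token" not in payload:
                raise RuntimeError(f"token request failed: {payload.get('error_description', payload)}")
            self._token = payload["access_token"]
            # Trust the lifetime the token endpoint reports instead of a fixed 24 h.
            self._expires_at = now + float(payload.get("expires_in", 0))
        return self._token


def pat_auth_header(pat: str) -> Dict[str, str]:
    """How a PAT is sent: HTTP Basic with an empty user name."""
    return {"Authorization": "Basic " + base64.b64encode(f":{pat}".encode()).decode()}


def entra_auth_header(token: str) -> Dict[str, str]:
    """How an Entra ID token is sent: Bearer. This is the only change on the request side."""
    return {"Authorization": f"Bearer {token}"}


def list_repositories(org: str, project: str, provider: EntraTokenProvider,
                      transport: Transport = urllib_transport) -> List[str]:
    """List Git repository names in a project, authenticating as the service principal."""
    url = f"https://dev.azure.com/{org}/{project}/_apis/git/repositories?api-version={API_VERSION}"
    headers = {**entra_auth_header(provider.get_token()), "Accept": "application/json"}
    payload = json.loads(transport(url, None, headers))
    return [repo["name"] for repo in payload.get("value", [])]


if __name__ == "__main__":
    import os
    # The secret comes from the environment here; in production, load it from a secret store.
    provider = EntraTokenProvider(os.environ["TENANT_ID"], os.environ["CLIENT_ID"],
                                  os.environ["CLIENT_SECRET"])
    print(list_repositories(os.environ["ADO_ORG"], os.environ["ADO_PROJECT"], provider))
```

The service principal only gets the repository and pipeline permissions granted to the group it was added to in the answer's prerequisites, so a 403 from `dev.azure.com` with a valid token points at group permissions, not at the token request.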