How to grant Entra ID OAuth2 token to perform git push/pull to Azure DevOps

Ihor Vinokur 0 Reputation points
2025-08-19T12:03:00.5433333+00:00

I have configured an OAuth2 flow with an Entra ID application. The problem is that the generated OAuth2 token does not have enough permissions to do git remote operations, such as git pull or push. I tried to add the vso.code.write scope to the authorize request, but that caused the invalid_client error. If I add an Azure DevOps permission in the API permissions tab of the application page, it does not appear in the list of permissions in the authorization request popup. When I click the Grant Admin consent button, an error is shown: Could not grant admin consent. Your organization does not have a subscription (or service principal) for the following API(s): Azure DevOps. The question is: how to perform remote git operations to Azure DevOps using the Entra ID OAuth2 token?

Azure DevOps

1 answer

  1. Durga Reshma Malthi 11,400 Reputation points Microsoft External Staff Moderator
    2025-08-19T15:51:38.52+00:00

    Hi Ihor Vinokur,

    Azure DevOps does not use Entra ID OAuth2 tokens directly for Git remote operations like git pull or git push.

    Instead, it expects one of the following:

    1. Personal Access Token (PAT)
    2. OAuth2 via Azure DevOps itself (not Entra) - https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/oauth?view=azure-devops
    3. Service Principal + Service Connection
    4. Git Credential Manager (GCM)

    The error "Your organization does not have a subscription (or service principal) for the following API(s): Azure DevOps" means that Azure DevOps is not exposed as an enterprise application in your tenant. Unlike Microsoft Graph, Azure DevOps doesn’t automatically register itself in Entra ID for delegated permissions. So even if you manually add the API permissions, Entra ID can’t validate or consent to them.

    Steps for OAuth2 via Azure DevOps itself (not Entra):

    • Go to Azure DevOps -> Organization Settings -> OAuth apps or configurations.
    • Register your client app.
    • Request scopes such as vso.code_write.
    • Use DevOps’s OAuth endpoints (https://app.vssps.visualstudio.com/oauth2/authorize, .../token).
    • Use the token against Git HTTPS endpoints.

    Personal Access Token (PAT):

    • Go to Azure DevOps -> User Settings -> Personal Access Tokens -> Generate a token with Code (Read & Write) scope and use it in Git like:
        git clone https://<username>@dev.azure.com/<org>/<project>/_git/<repo>
      
      and provide the PAT as the password.

    Hope this helps!

    Please let me know if you have any queries.
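
The answer above ends with "provide the PAT as the password" and "use the token against Git HTTPS endpoints". The following is an added example, not part of the original answer or of any Microsoft tooling: one way to hand either credential to git without putting it in the remote URL, in `.git/config`, or on the command line. The function names `ado_auth_header` and `ado_git` and the variable `ADO_SECRET` are hypothetical; it assumes git 2.31 or later (for `GIT_CONFIG_COUNT`) and that the secret has already been loaded into the environment from a secret store.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Supplies an Azure DevOps PAT or
# OAuth access token to git as an HTTP Authorization header via environment
# config, so it never appears in the URL, in .git/config, or in argv.

# Build the header value. A PAT is sent as HTTP Basic with an empty user name
# (base64 of ":<PAT>"); an OAuth access token is sent as a Bearer token.
ado_auth_header() {
  kind=$1
  secret=$2
  case "$kind" in
    pat)
      # tr strips the line wrapping that base64 adds for long inputs.
      printf 'Authorization: Basic %s' \
        "$(printf ':%s' "$secret" | base64 | tr -d '\n')"
      ;;
    bearer)
      printf 'Authorization: Bearer %s' "$secret"
      ;;
    *)
      echo "unknown credential kind: $kind" >&2
      return 2
      ;;
  esac
}

# Run one git command with the header attached.
# Usage: ado_git pat clone https://dev.azure.com/<org>/<project>/_git/<repo>
ado_git() {
  kind=$1
  shift
  [ -n "${ADO_SECRET:-}" ] || { echo "ADO_SECRET is not set" >&2; return 1; }
  header=$(ado_auth_header "$kind" "$ADO_SECRET") || return
  # The URL-scoped key limits the header to dev.azure.com, so the credential
  # is not sent to other hosts (for example submodules hosted elsewhere).
  # GIT_TERMINAL_PROMPT=0 makes git fail instead of prompting if auth fails.
  GIT_CONFIG_COUNT=1 \
  GIT_CONFIG_KEY_0='http.https://dev.azure.com/.extraheader' \
  GIT_CONFIG_VALUE_0="$header" \
  GIT_TERMINAL_PROMPT=0 \
  git "$@"
}
```

Because the header is injected per invocation, nothing is persisted in the clone; revoking the PAT or letting the access token expire is enough to cut off access.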

