Creating a Custom AzureAD App
When to Create a Custom AzureAD App
Creating a custom AzureAD application and a service principal that can access the necessary resources is required when authenticating using an Azure Service Principal. Follow the steps below to create a custom AzureAD application and obtain the connection properties for Azure Service Principal authentication.
Create a Custom AzureAD App
Desktop Apps
Register an application in the Azure portal to obtain the following connection properties:
- OAuthClientId
- OAuthClientSecret
- CallbackURL
- After logging in to the Azure Portal with your account, click Azure Active Directory > App Registrations.
- Click New Registration.
- Enter an application name and select Any Azure AD Directory - Multi Tenant. Then set the redirect URL to http://localhost:33333, the provider's default. Or, set a different port and set the CallbackURL to the exact reply URL you defined.
- On the main page of your application, obtain the OAuthClientId, and then generate an OAuthClientSecret in Certificates and Secrets > Client Secrets.
You must also add permission to use the Azure DevOps API:
- In the section, click API permissions > Add > Select an API your organization uses > Azure DevOps. If Azure DevOps does not appear as an option, navigate to Organization Settings > Azure Active Directory > Connect directory on your DevOps site and connect the organization to your Active Directory first.
- In the Select Permissions step, enable the user_impersonation permission.
Web Apps
Register your Azure DevOps app on the Azure portal to obtain the following connection properties:
- OAuthClientId
- OAuthClientSecret
- After logging in to the Azure Portal with your account, click Azure Active Directory > App Registrations.
- Click New Registration.
- Enter an app name and select Any Azure AD Directory - Multi Tenant. Set the Sign-on URL you want to use as a trusted redirect URL, where the user returns with the token that verifies that they have granted your app access.
- On the main page of your app you can find the OAuthClientId. Generate an OAuthClientSecret in Certificates and Secrets > Client Secrets.
- In the section, click API permissions > Add > Select an API your organization uses > Azure DevOps. If Azure DevOps does not appear as an option, navigate to Organization Settings > Azure Active Directory > Connect directory on your DevOps site and connect the organization to your Active Directory first.
- In the Select Permissions step, enable the user_impersonation permission.
Headless Machines
Register your Azure DevOps app on the Azure portal to obtain the following connection properties:
- OAuthClientId
- OAuthClientSecret
- After logging in to the Azure Portal with your account, click Azure Active Directory > App Registrations.
- Click New Registration.
- Enter an app name and select Any Azure AD Directory - Multi Tenant. Then set the redirect URL to http://localhost:33333, the provider's default. Or, set a different port and set the CallbackURL to the exact reply URL you defined.
- On the main page of your application, obtain the OAuthClientId, and then generate an OAuthClientSecret in Certificates and Secrets > Client Secrets.
- In the section, click API permissions > Add > Select an API your organization uses > Azure DevOps. If Azure DevOps does not appear as an option, navigate to Organization Settings > Azure Active Directory > Connect directory on your DevOps site and connect the organization to your Active Directory first.
- In the Select Permissions step, enable the user_impersonation permission.
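The Desktop Apps and Headless Machines steps above register a loopback reply URL and the user_impersonation permission. The following Python, added here and not part of the provider's documentation, shows the authorization request a client would build from those registration values (OAuthClientId, CallbackURL, the multi-tenant authority) and the exact-match and state checks the loopback listener should apply when the redirect comes back. The Azure DevOps resource identifier, the `organizations` authority and the client id are assumed values; verify the first two against your tenant.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Values mirroring the registration steps above
AUTHORITY = "https://login.microsoftonline.com/organizations/oauth2/v2.0"  # multi-tenant (assumed)
CALLBACK_URL = "http://localhost:33333"  # provider default; must equal the registered reply URL
DEVOPS_RESOURCE = "499b84ac-1321-427f-aa17-267ca6975798"  # Azure DevOps resource app ID (assumed)
SCOPE = f"{DEVOPS_RESOURCE}/user_impersonation"  # the permission enabled in Select Permissions


def pkce_pair():
    """Return (verifier, S256 challenge); PKCE makes an intercepted code useless on its own."""
    verifier = secrets.token_urlsafe(64)  # 86 chars, within the 43..128 PKCE bound
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(client_id, state, code_challenge, redirect_uri=CALLBACK_URL):
    """Authorization request for the registered app; redirect_uri must match exactly."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": f"{SCOPE} offline_access",
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/authorize?{urlencode(params)}"


def parse_callback(callback_url, expected_state, redirect_uri=CALLBACK_URL):
    """Validate the redirect that reaches the loopback listener and extract the code."""
    parsed, expected = urlparse(callback_url), urlparse(redirect_uri)
    # Exact match on scheme, host and port, the same rule Azure AD applies to reply URLs
    if (parsed.scheme, parsed.hostname, parsed.port) != (expected.scheme, expected.hostname, expected.port):
        raise ValueError("callback arrived on an unexpected URL")
    query = parse_qs(parsed.query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: stale or forged redirect")
    return query["code"][0]


if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    state = secrets.token_urlsafe(16)
    # Constructed placeholder OAuthClientId; substitute the one from your app's main page
    print(build_authorize_url("00000000-0000-0000-0000-000000000000", state, challenge))
```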