Refresh, prioritize Entra, de-pri PATs

Author: chcomley

docs/integrate/get-started/authentication/entra.md

@@ -1,43 +1,104 @@
 ---
 ms.topic: how-to
-title: Authenticate to Azure DevOps with Microsoft Entra ID access tokens
-description: Use Microsoft Entra authentication to access Azure DevOps Services.
+title: Authenticate to Azure DevOps with Microsoft Entra ID
+description: Use Microsoft Entra ID authentication for secure access to Azure DevOps Services with modern identity management capabilities.
 ms.assetid: 19285121-1805-4421-B7C4-63784C9A7CFA
 ms.subservice: azure-devops-security
+ai-usage: ai-assisted
 monikerRange: 'azure-devops'
 ms.author: chcomley
 author: chcomley
-ms.date: 01/31/2025
+ms.date: 07/14/2025
 ---
 
-# Authenticate to Azure DevOps with Microsoft Entra
+# Authenticate to Azure DevOps with Microsoft Entra ID
 
-[Microsoft Entra ID](/entra/fundamentals/whatis) is an identity and access management (IAM) platform that allows companies to manage organization membership and safeguard company resources. Many Azure DevOps enterprise customers choose to [connect their Azure DevOps organization to a Microsoft Entra ID tenant](../../../organizations/accounts/connect-organization-to-azure-ad.md) to support managing the large volume of users in their company and take advantage of other [security features that Microsoft Entra offers](../../../organizations/accounts/access-with-azure-ad.md).
+[!INCLUDE [version-eq-azure-devops](../../../includes/version-eq-azure-devops.md)]
+
+> [!IMPORTANT]
+> **Microsoft Entra ID authentication is the recommended approach** for new applications integrating with Azure DevOps Services. It provides enhanced security, enterprise identity integration, and modern authentication capabilities.
+
+This article explains the benefits of Microsoft Entra ID authentication and guides you through implementing it in your applications.
+
+## Overview
+
+[Microsoft Entra ID](/entra/fundamentals/whatis) is Microsoft's cloud-based identity and access management platform that lets organizations:
+
+- **Manage user identities** and control access to resources
+- **Implement enterprise security policies** like multi-factor authentication and Conditional Access
+- **Integrate with thousands of applications** including Azure DevOps Services
+- **Provide single sign-on (SSO)** across Microsoft and non-Microsoft services
+
+Many Azure DevOps enterprise customers [connect their Azure DevOps organization to Microsoft Entra ID](../../../organizations/accounts/connect-organization-to-azure-ad.md) to use these capabilities and [enhanced security features](../../../organizations/accounts/access-with-azure-ad.md).
 
 > [!NOTE]
-> Microsoft Entra was once called [Azure Active Directory (Azure AD)](/entra/fundamentals/new-name), so you may still see references to Azure AD across Microsoft products. Active Directory may also be referenced as the on-premises equivalent of Microsoft Entra.
+> Microsoft Entra ID was previously known as [Azure Active Directory (Azure AD)](/entra/fundamentals/new-name). You might still see references in some Microsoft products and documentation.
+
+## Authentication options
+
+The [Microsoft Identity platform](/entra/identity-platform/) provides two primary authentication patterns for Azure DevOps access:
+
+### User delegation (OAuth)
+**Best for**: Interactive applications that act on behalf of users
+
+- Users sign in with their Microsoft Entra ID credentials
+- Applications receive delegated permissions to act as the signed-in user
+- Supports multi-factor authentication and Conditional Access policies
+- Ideal for web applications, desktop apps, and user-facing tools
+
+**Get started**: [Microsoft Entra ID OAuth implementation](entra-oauth.md)
+
+### Application identity (Service principals and managed identities)
+**Best for**: Background services and automation scenarios
+
+- Applications authenticate using their own identity (not user credentials)
+- Suitable for CI/CD pipelines, background services, and automated tools
+- More secure for service-to-service communication
+- Supports both service principals and Azure managed identities
+
+**Get started**: [Service principals and managed identities](service-principal-managed-identity.md)
+
+## Benefits of Microsoft Entra ID authentication
 
-Once connected, the [Microsoft Identity application platform](/entra/identity-platform/) that sits on top of Microsoft Entra ID can be used to register an application to access Azure tenants and define the permissions needed from Azure resources, including Azure DevOps.
+Microsoft Entra ID authentication provides significant advantages over legacy Azure DevOps authentication methods:
 
-We support app development for:
-* [Microsoft Entra OAuth apps (on-behalf-of users)](entra-oauth.md)
-* [Microsoft Entra service principals and managed identities (on-behalf-of itself apps)](service-principal-managed-identity.md)
+### Enhanced security
+- **Short-lived tokens** (1 hour expiration) reduce risk from compromised credentials
+- **Conditional Access policies** protect against token theft and unauthorized access
+- **Multi-factor authentication** support for other security layers
+- **Advanced threat protection** with real-time risk assessment
 
-## Azure DevOps-based auth vs. Entra-based auth
+### Enterprise integration
+- **Single sign-on** across Microsoft and non-Microsoft applications
+- **Centralized identity management** for users and applications
+- **Policy enforcement** at the organizational level
+- **Audit and compliance** capabilities for governance requirements
 
-Many native Azure DevOps-based authentication (for example, [personal access tokens (PATs)](../../../organizations/accounts/use-personal-access-tokens-to-authenticate.md) or Azure DevOps OAuth apps) were created before Microsoft Entra. Microsoft Entra tokens offer a secure alternative, lasting only one hour before requiring a refresh. The authentication protocols for generating Entra tokens are more robust and secure. Security measures like [Conditional Access policies](../../../organizations/accounts/change-application-access-policies.md#cap-support-on-azure-devops) protect against token theft and replay attacks. Meanwhile, our native tokens sit outside Azure and don't have native support for concepts, like tenants or Conditional Access.
+### Developer experience
+- **Modern authentication libraries** (MSAL) with automatic token refresh
+- **Consistent identity platform** across all Microsoft services
+- **Rich documentation and samples** for quick implementation
+- **Active support and development** with regular feature updates
 
-Tokens issued by each platform are also distinct. Microsoft Entra OAuth apps issue Microsoft Entra tokens, not Azure DevOps access tokens. These tokens can't be used interchangeably on each platform. If you are exploring migrating from Azure DevOps OAuth to Microsoft Entra OAuth, users must reauthorize for the new app.
+### Comparison with legacy methods
 
-## Replace PATs with Microsoft Entra tokens
+| Feature | Microsoft Entra ID | Personal Access Tokens | Azure DevOps OAuth |
+|---------|-------------------|------------------------|-------------------|
+| **Token lifespan** | 1 hour (auto-refresh) | Up to 1 year | Configurable |
+| **Multi-factor authentication** | ✅ Native support | ❌ Not supported | ❌ Not supported |
+| **Conditional Access** | ✅ Full support | ❌ Not supported | ❌ Not supported |
+| **Enterprise policies** | ✅ Enforced | ⚠️ Limited | ⚠️ Limited |
+| **Audit logging** | ✅ Comprehensive | ⚠️ Basic | ⚠️ Basic |
+| **Future investment** | ✅ Active development | ⚠️ Maintenance mode | ❌ Deprecated |
 
-Personal access tokens (PATs) are a popular form of Azure DevOps authentication due to their ease of creation and use. However, poor PAT management and storage can result in leaks and unauthorized access to your Azure DevOps organizations. Long-lived or over-scoped PATs increase the risk of damage from a leaked PAT. We encourage users to explore using Microsoft Entra tokens instead of PATs whenever possible.
+> [!IMPORTANT]
+> **Token compatibility**: Microsoft Entra ID tokens and Azure DevOps tokens aren't interchangeable. Applications migrating from Azure DevOps OAuth to Microsoft Entra ID OAuth require user reauthorization.
 
-### Common PAT alternatives
+### Migration from legacy authentication
 
-Due to their increasing risk, admins are increasingly requesting [security policies that restrict PAT creation](../../../organizations/accounts/manage-pats-with-policies-for-administrators.md). As a result, PATs are becoming a less viable alternative for accessing Azure DevOps programmatically. Outside of migrating any existing app development to the Microsoft Identity platform, we share some common use cases across Azure DevOps that historically rely on PATs and their recommended Microsoft Entra alternative.
+Organizations increasingly adopt [security policies that restrict Personal Access Token (PAT) creation](../../../organizations/accounts/manage-pats-with-policies-for-administrators.md) due to security risks. Microsoft Entra ID authentication provides secure alternatives for common PAT scenarios.
 
-| PAT scenario | Entra alternative |
+| PAT scenario | Microsoft Entra alternative |
 |------------|------------|
 | Authenticate with Git Credential Manager (GCM) | GCM defaults to authenticating with PATs. Set the default credential type to `oauth`. Learn more on our [Git Credential Manager (GCM) page](../../../repos/git/set-up-credential-managers.md) . |
 | Authenticate in a build or release pipeline | Use a [service connection with Workload Identity Federation](../../../pipelines/library/connect-to-azure.md#create-an-azure-resource-manager-service-connection-that-uses-workload-identity-federation). |