Merge pull request #8318 from SamGrantham/docs-editor/entra-tokens-1758052266

prmerger-automator[bot] · web-flow · commit bb76f20b451b · 2025-09-17T16:57:54.000Z
Update entra-tokens.md
diff --git a/docs/cli/entra-tokens.md b/docs/cli/entra-tokens.md
@@ -7,7 +7,7 @@ ms.subservice: azure-devops-security
 monikerRange: 'azure-devops'
 ms.author: chcomley
 author: chcomley
-ms.date: 05/12/2025
+ms.date: 09/16/2025
 ---
 
 # Issue Entra tokens with Azure CLI
@@ -22,7 +22,7 @@ Use the [**Azure CLI**](/cli/azure/install-azure-cli) to issue a [Microsoft Entr
 | Azure CLI     | Download and install the [Azure CLI](/cli/azure/install-azure-cli). |
 | Entra app | (If authenticating for a service principal) Create the Entra application and have the app client ID and client secret ready. |
 
-## Acquiring an Entra token for yourself
+## Get an Entra token for yourself
 
 # [Azure CLI](#tab/azure-cli)
 
@@ -43,21 +43,24 @@ Use the [**Azure CLI**](/cli/azure/install-azure-cli) to issue a [Microsoft Entr
    ```
 
 # [Azure PowerShell](#tab/azure-powershell)
+## Get a token for a user
 
 1. Sign in to Azure PowerShell using the `Connect-AzAccount` command and follow the on-screen instructions.
-1. Set the correct subscription for the signed-in user with these PowerShell commands. Make sure the Azure subscription ID is associated with the tenant connected to the Azure DevOps organization you're trying to access. If you don't know your subscription ID, you can find it in the [Azure portal](/azure/azure-portal/get-subscription-tenant-id).
+2. Set the correct subscription for the signed-in user with these PowerShell commands. Make sure the Azure subscription ID is associated with the tenant connected to the Azure DevOps organization you're trying to access. If you don't know your subscription ID, you can find it in the [Azure portal](/azure/azure-portal/get-subscription-tenant-id).
   
    ```azurepowershell-interactive
    Set-AzContext -Subscription <subscriptionID>
    ```
 
-1. Generate a Microsoft Entra ID access token with the `Get-AzAccessToken` command using the Azure DevOps resource ID: `499b84ac-1321-427f-aa17-267ca6975798`.
+3. Generate a Microsoft Entra ID access token with the `Get-AzAccessToken` command using the Azure DevOps resource ID: `499b84ac-1321-427f-aa17-267ca6975798`.
 
    ```azurepowershell-interactive
    Get-AzAccessToken -ResourceUrl '499b84ac-1321-427f-aa17-267ca6975798'
    ```
+> [!NOTE]
+> [Get-AzAccessToken](/powershell/module/az.accounts/get-azaccesstoken) returns the token as a [SecureString](/dotnet/api/system.security.securestring). If you're unsure of how to use SecureString, refer to the documentation. To convert a SecureString to plain text to use in an Auth Header, leverage the .NET [[System.Runtime.InteropServices.Marshal]](/dotnet/api/system.runtime.interopservices.marshal) class to [convert](/dotnet/api/system.runtime.interopservices.marshal.securestringtobstr) the SecureString to a BSTR (binary string) pointer, then [read](/dotnet/api/system.runtime.interopservices.marshal.ptrtostringbstr) the pointer as a plain text string to a variable.
 
-## Acquiring a token for a service principal
+## Get a token for a service principal
 
 1. Sign in to the Azure CLI as the service principal using the `az devops login` command.
 2. Follow the on-screen instructions and finish signing in.
diff --git a/docs/integrate/get-started/authentication/service-principal-managed-identity.md b/docs/integrate/get-started/authentication/service-principal-managed-identity.md
@@ -261,7 +261,7 @@ az login --identity
 az account get-access-token --resource https://app.vssps.visualstudio.com/
 ```
 
-For more information, see [Acquire Microsoft Entra tokens](../../../cli/entra-tokens.md#acquiring-a-token-for-a-service-principal).
+For more information, see [Acquire Microsoft Entra tokens](../../../cli/entra-tokens.md#get-a-token-for-a-service-principal).
 
 ### Step 5: Use tokens with Azure DevOps
 
