
Commit ee0ae9c

Merged main into live
2 parents 780db16 + d74823a commit ee0ae9c

7 files changed

+237
-120
lines changed

docs/repos/git/auth-overview.md

Lines changed: 39 additions & 14 deletions
@@ -1,41 +1,65 @@
11
---
22
title: Authenticate with your Git repos
33
titleSuffix: Azure Repos
4-
description: Choose between HTTPS, SSH, and personal access tokens to securely sign in to your Git repos.
4+
description: Learn how to authenticate with Azure Repos using Microsoft Entra OAuth tokens (recommended), personal access tokens, or SSH keys for secure Git operations.
55
ms.assetid: 138f12d0-e3fd-4fde-a727-1b39d45c05c4
66
ms.service: azure-devops-repos
77
ms.topic: conceptual
8-
ms.date: 07/11/2024
8+
ms.date: 07/02/2025
99
monikerRange: '<= azure-devops'
1010
ms.subservice: azure-devops-repos-git
11+
# customer-intent: As a developer, I want to understand the different authentication methods available for Azure Repos so I can choose the most secure option (Microsoft Entra OAuth tokens) for accessing my Git repositories.
1112
---
1213

1314
# Authentication with Azure Repos
1415

1516
[!INCLUDE [version-lt-eq-azure-devops](../../includes/version-lt-eq-azure-devops.md)]
1617

17-
Selecting the right authentication method is crucial for secure access to your Azure Repos and Azure DevOps Server Git repositories. Whether you're working from a command prompt or using a Git client that supports HTTPS or SSH, it's important to choose credentials that not only provide the necessary access but also limit the scope to what's needed for your tasks.
18+
Secure authentication is fundamental to protecting your Azure Repos and Azure DevOps Server Git repositories. With multiple authentication options available—Microsoft Entra OAuth tokens, Personal Access Tokens, and SSH keys—choosing the right method ensures both security and productivity for your development workflow.
1819

19-
Always revoke credentials when they're no longer required to maintain the security of your repositories. This approach ensures that you have the flexibility to work with your code securely and efficiently, while also safeguarding it against unauthorized access.
20+
**Microsoft Entra OAuth tokens are the recommended approach** for modern development teams, offering enhanced security through OAuth 2.0 standards and seamless integration with enterprise identity systems. Whether you're working from the command line, using Git clients, or integrating with CI/CD pipelines, selecting an authentication method with appropriate scope limits reduces security risks while maintaining the access you need.
21+
22+
Always revoke or rotate credentials when they're no longer needed. This practice maintains repository security and follows the principle of least privilege access.
2023

2124
## Authentication mechanisms
2225

23-
### Microsoft Entra OAuth tokens
26+
### Microsoft Entra OAuth tokens (Recommended)
27+
28+
[Microsoft Entra tokens](../../integrate/get-started/authentication/entra.md) are the **preferred authentication method** for Git operations and [REST APIs](/rest/api/azure/devops/). They offer enhanced security features and can be used wherever personal access tokens are used. These tokens are generated for a user principal or a [managed identity and/or service principal](../../integrate/get-started/authentication/service-principal-managed-identity.md).
29+
30+
**Quick start with Azure CLI**: You can obtain a Microsoft Entra token for immediate use with Git operations using the Azure CLI. This method is ideal for testing or one-time operations.
31+
32+
**For user authentication:**
33+
```bash
34+
az login
35+
az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query "accessToken" --output tsv
36+
```
2437

25-
[Microsoft Entra tokens](../../integrate/get-started/authentication/entra.md) are the preferred authentication for Git operations and [REST APIs](/rest/api/azure/devops/). They can be used wherever personal access tokens are used and generated for a user principal or a [managed identity and/or service principal](../../integrate/get-started/authentication/service-principal-managed-identity.md).
38+
**For service principal authentication:**
39+
First [sign in as the service principal](/cli/azure/authenticate-azure-cli), then obtain the token:
40+
```bash
41+
az login --service-principal -u <client-id> -p <client-secret> --tenant <tenant-id>
42+
az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query "accessToken" --output tsv
43+
```
2644

27-
Here's a helpful tip on how to get a one-time Microsoft Entra token from the Azure CLI to call git fetch: (When generating on behalf of a service principal, make sure to [login as the service principal](/cli/azure/authenticate-azure-cli) first.)
45+
**Example usage with Git:**
2846

2947
```powershell
3048
$accessToken = az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query "accessToken" --output tsv
3149
git -c http.extraheader="AUTHORIZATION: bearer $accessToken" clone https://dev.azure.com/{yourOrgName}/{yourProjectName}/_git/{yourRepoName}
3250
```
3351

34-
### Personal access tokens
52+
### Personal access tokens (Alternative option)
53+
54+
> [!NOTE]
55+
> While Personal Access Tokens are still supported, **Microsoft Entra OAuth tokens are recommended** for better security and modern authentication practices.
3556
3657
[Personal access tokens (PATs)](../../organizations/accounts/use-personal-access-tokens-to-authenticate.md) provide access to Azure DevOps without using your username and password directly. These tokens expire and allow you to restrict the scope of the data they can access.
3758

38-
Use PATs to authenticate if you don't have SSH keys set up on your system or need to limit the permissions granted by the credential.
59+
**Use PATs when:**
60+
- You don't have SSH keys set up on your system
61+
- You need to limit the permissions granted by the credential
62+
- Microsoft Entra OAuth tokens aren't available in your scenario
3963

4064
Git interactions require a username, which can be anything except an empty string. To use a PAT with HTTP basic authentication, `Base64-encode` your `$MyPat` as shown in the following code block.
4165
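Review bot: The service principal sample at new line 41 passes the client secret as a command-line argument (`az login --service-principal -u <client-id> -p <client-secret> --tenant <tenant-id>`), which leaves it in shell history and visible in the process list; say so next to the sample, or show the secret being read from an environment variable or replaced by a certificate. The Git example at new lines 48-49 has the same exposure for the bearer token, since `-c http.extraheader="AUTHORIZATION: bearer $accessToken"` puts it on the command line, while the PAT section of this same file (visible in the next hunk header) already uses `git --config-env=http.extraheader=HEADER_VALUE`; use that form here too. The two token samples are fenced as `bash` but the Git example that consumes the token is `powershell`, so a reader on the bash path has no matching snippet for capturing the token into a variable.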

@@ -67,12 +91,12 @@ git --config-env=http.extraheader=HEADER_VALUE clone https://dev.azure.com/yourO
6791
### SSH keys
6892

6993
Key authentication with SSH works through a public and private key pair that you create on your computer.
70-
You associate the public key with your username from the web. Azure DevOps will encrypt the data sent to you with that key when you work with Git.
94+
You associate the public key with your username from the web. Azure DevOps encrypts the data sent to you with that key when you work with Git.
7195
You decrypt the data on your computer with the private key, which is never shared or sent over the network.
7296

7397
![Animated GIF showing adding of a SSH public key to Azure DevOps](media/ssh_add_public_key.gif)
7498

75-
SSH is a great option if you've already got it set up on your system&mdash;just add a public key to Azure DevOps and clone your repos using SSH. SSH might be preferred for those on Linux, macOS, or Windows running [Git for Windows](https://www.git-scm.com/download/win) who can't use [Git credential managers](../../repos/git/set-up-credential-managers.md) or [personal access tokens](../../organizations/accounts/use-personal-access-tokens-to-authenticate.md) for HTTPS authentication.
99+
SSH is a great option if it's already set up on your system&mdash;just add a public key to Azure DevOps and clone your repos using SSH. SSH might be preferred for Linux, macOS, or Windows running [Git for Windows](https://www.git-scm.com/download/win) who can't use [Git credential managers](../../repos/git/set-up-credential-managers.md) or [personal access tokens](../../organizations/accounts/use-personal-access-tokens-to-authenticate.md) for HTTPS authentication.
76100

77101
For more information, see [Set up SSH with Azure DevOps](use-ssh-keys-to-authenticate.md).
78102
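Review bot: New line 99 drops "those on" but keeps the relative clause, so "SSH might be preferred for Linux, macOS, or Windows running Git for Windows who can't use ..." leaves "who" without a subject; restore "for those on" or write "for users on Linux, macOS, or Windows ... who can't use". While line 94 is being edited, note that "encrypts the data sent to you with that key" does not describe SSH key authentication (the public key verifies a signature made with the private key; it does not encrypt the repository data), so consider rewording lines 94-95 instead of only changing the tense.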

@@ -102,7 +126,8 @@ Use the [Git Credential Manager (GCM)](set-up-credential-managers.md) to avoid e
102126

103127
Replace `{organization}` with your Azure DevOps organization name and `{repository}` with the name of your repository.
104128

105-
## Related articles
129+
## Related content
130+
106131
- [Use Git Credential Manager to authenticate to Azure Repos](set-up-credential-managers.md)
107-
- [About security, authentication, and authorization in Azure DevOps](../../organizations/security/about-security-identity.md)
108-
- [About permissions and security groups in Azure DevOps](../../organizations/security/about-permissions.md)
132+
- [Learn about security, authentication, and authorization in Azure DevOps](../../organizations/security/about-security-identity.md)
133+
- [Learn about permissions and security groups in Azure DevOps](../../organizations/security/about-permissions.md)

docs/repos/git/clone.md

Lines changed: 6 additions & 6 deletions
@@ -5,7 +5,7 @@ description: Learn how to create a local clone of any remote Git repo using Visu
55
ms.assetid: b6240e2f-2d3d-4874-9953-7e554d5e3b97
66
ms.service: azure-devops-repos
77
ms.topic: tutorial
8-
ms.date: 10/19/2022
8+
ms.date: 07/02/2025
99
monikerRange: '<= azure-devops'
1010
ms.subservice: azure-devops-repos-git
1111
---
@@ -71,8 +71,8 @@ Typically, you need to know the clone URL of the remote repo that you want to cl
7171

7272
:::image type="content" source="media/clone/visual-studio-2019/common/github-clone-repo.png" border="true" alt-text="Screenshot of the Clone popup on the page on the GitHub site." lightbox="media/clone/visual-studio-2019/common/github-clone-repo-lrg.png":::
7373

74-
> [!IMPORTANT]
75-
> The "Generate Git Credentials" button will be removed in January 2025, to reduce creation of unnecessary and underutilized personal access tokens. Review the Git Authentication docs for all authentication methods available to you for git clone operations.
74+
> [!TIP]
75+
> **Microsoft Entra ID tokens are the recommended authentication method** for Git operations. The "Generate Git Credentials" button was removed in January 2025 to encourage the use of more secure authentication methods. For all available authentication options, including the preferred Microsoft Entra OAuth tokens, see the [Authentication overview](auth-overview.md).
7676
7777
## Clone an Azure Repos Git repo
7878
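Review bot: The new note on line 75 names the same credential "Microsoft Entra ID tokens" in the bolded sentence and "Microsoft Entra OAuth tokens" two sentences later, while auth-overview.md in this commit uses "Microsoft Entra OAuth tokens" throughout; pick one term and use it in both files. The stated reason for removing the "Generate Git Credentials" button also changed, from reducing "unnecessary and underutilized personal access tokens" to encouraging "more secure authentication methods"; confirm the new wording reflects the actual rationale, and consider whether a removal notice still belongs in `[!IMPORTANT]` rather than `[!TIP]`.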

@@ -105,7 +105,7 @@ Visual Studio 2019 version 16.8 and later versions provides a Git version contro
105105

106106
:::image type="content" source="media/clone/visual-studio-2019/team-explorer/connect-add-server.png" border="true" alt-text="Screenshot of the 'Connect to a Project' window in Visual Studio 2019." lightbox="media/clone/visual-studio-2019/team-explorer/connect-add-server-lrg.png":::
107107

108-
After you've cloned a remote Git repo, Visual Studio detects the local clone and adds it to the list of **Local Repositories** in the **Git** menu.
108+
After you clone a remote Git repo, Visual Studio detects the local clone and adds it to the list of **Local Repositories** in the **Git** menu.
109109

110110
:::image type="content" source="media/clone/visual-studio-2019/common/local-repositories.png" border="true" alt-text="Screenshot of the 'Local Repositories' option in the Git menu in Visual Studio 2019." lightbox="media/clone/visual-studio-2019/common/local-repositories-lrg.png":::
111111

@@ -165,15 +165,15 @@ You can clone any Git repo that's accessible to you by using the clone URL of th
165165

166166
:::image type="content" source="media/clone/visual-studio-2019/team-explorer/clone-remote-repo.png" border="true" alt-text="Screenshot of the Clone options in the 'Local Git Repositories' section of the 'Team Explorer' Connect view in Visual Studio 2019." lightbox="media/clone/visual-studio-2019/team-explorer/clone-remote-repo-lrg.png":::
167167

168-
After you've cloned a remote Git repo, Visual Studio detects the local clone and adds it to the list of **Local Repositories** in the **Git** menu.
168+
After you clone a remote Git repo, Visual Studio detects the local clone and adds it to the list of **Local Repositories** in the **Git** menu.
169169

170170
:::image type="content" source="media/clone/visual-studio-2019/common/local-repositories.png" border="true" alt-text="Screenshot of the 'Local Repositories' option from the Git menu in Visual Studio 2019." lightbox="media/clone/visual-studio-2019/common/local-repositories-lrg.png":::
171171

172172
#### [Git Command Line](#tab/git-command-line)
173173

174174
1. If you haven't already, [download and install Git](http://git-scm.com/download). Enable [Git Credential Manager](set-up-credential-managers.md) when prompted during the install, or [configure SSH authentication](use-ssh-keys-to-authenticate.md).
175175

176-
1. At the command prompt, run the Git clone command with the [clone URL](#clone_url) of the remote repo. This command will create a local clone repo under the current folder.
176+
1. At the command prompt, run the Git clone command with the [clone URL](#clone_url) of the remote repo. This command creates a local clone repo under the current folder.
177177

178178
```console
179179
git clone <clone URL>

docs/repos/git/create-pr-status-server-with-azure-functions.md

Lines changed: 9 additions & 11 deletions
@@ -5,7 +5,7 @@ description: Create a serverless function to listen to pull request events and p
55
ms.assetid:
66
ms.service: azure-devops-repos
77
ms.topic: conceptual
8-
ms.date: 02/14/2025
8+
ms.date: 07/02/2025
99
monikerRange: '<= azure-devops'
1010
ms.subservice: azure-devops-repos-git
1111
---
@@ -14,7 +14,7 @@ ms.subservice: azure-devops-repos-git
1414

1515
[!INCLUDE [version-lt-eq-azure-devops](../../includes/version-lt-eq-azure-devops.md)]
1616

17-
The pull request (PR) workflow allows developers to receive feedback on their code from peers and automated tools. Non-Microsoft tools and services can also participate in the PR workflow by using the PR [Status API](/rest/api/azure/devops/git/pull%20request%20statuses). This article guides you through creating a custom branch policy using [Azure Functions](https://azure.microsoft.com/services/functions/) to validate PRs in an Azure DevOps Git repository. Azure Functions eliminate the need to provision and maintain servers, even as your workload grows. They provide a fully managed compute platform with high reliability and security.
17+
The pull request (PR) workflow allows developers to receive feedback on their code from peers and automated tools. Non-Microsoft tools and services can also participate in the PR workflow by using the PR [Status API](/rest/api/azure/devops/git/pull%20request%20statuses). This article guides you through creating a custom branch policy using [Azure Functions](https://azure.microsoft.com/services/functions/) to validate PRs in an Azure DevOps Git repository. Azure Functions eliminates the need to provision and maintain servers, even as your workload grows. They provide a fully managed compute platform with high reliability and security.
1818

1919
For more information about PR status, see [Customize and extend pull request workflows with pull request status](pull-request-status.md).
2020
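Review bot: Line 17 now reads "Azure Functions eliminates the need ..." and is followed by "They provide a fully managed compute platform", so the singular verb and the plural pronoun disagree; change the next sentence to "It provides" or revert to "eliminate".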

@@ -25,7 +25,7 @@ For more information about PR status, see [Customize and extend pull request wor
2525
| **Organization** | An [organization in Azure DevOps](../../organizations/accounts/create-organization.md) with a Git repository. |
2626
| **Azure Function** | An [Azure Function](#create-a-basic-azure-function-to-listen-to-azure-repos-events), which implements a serverless, event-driven solution that integrates with Azure DevOps to create custom branch policies and automate PR validation.|
2727
| **Service Hooks** | [Configure service hooks](#configure-a-service-hook-for-pr-events) for PR events to notify your Azure function when a pull request changes. |
28-
| **Personal Access Token (PAT)** | Create a PAT with the **Code (status)** scope to have permission to change PR status. For more information, see [Use PATs to authenticate](../../organizations/accounts/use-personal-access-tokens-to-authenticate.md). |
28+
| **Authentication** | **Microsoft Entra ID token** with the **Code (status)** scope to have permission to change PR status. For more information, see [Microsoft Entra authentication](../../integrate/get-started/authentication/entra.md). |
2929

3030
### Create a basic Azure Function to listen to Azure Repos events
3131
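Review bot: The Authentication row on new line 28 has no verb ("**Microsoft Entra ID token** with the **Code (status)** scope to have permission ..."), whereas the removed PAT row told the reader what to do ("Create a PAT ..."); phrase it as an action, for example "Obtain a Microsoft Entra ID token ...". **Code (status)** was the label on the **Create a personal access token** page according to the text removed in the next hunk, so state how that scope is requested for an Entra token or link to the section that explains it.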

@@ -140,13 +140,13 @@ Now that your server can receive service hook events when new PRs are created, u
140140
141141
Update the code of your Azure function, similar to the following example.
142142
143-
Make sure to update the code with your organization name, project name, repository name, and [PAT token](../../organizations/accounts/use-personal-access-tokens-to-authenticate.md). In order to have permission to change PR status, the PAT requires [vso.code_status](../../integrate/get-started/authentication/oauth.md#scopes) scope, which you can grant by selecting the **Code (status)** scope on the **Create a personal access token** page.
143+
Make sure to update the code with your organization name, project name, repository name, and Microsoft Entra ID token. In order to have permission to change PR status, the token requires [vso.code_status](../../integrate/get-started/authentication/oauth.md#scopes) scope, which you can obtain through Microsoft Entra authentication.
144144
145145
>[!Important]
146-
>This sample code stores the PAT in code, simplifying the sample. It is recommended to store secrets in KeyVault and retrieve them from there.
146+
>This sample code stores the token in code, simplifying the sample. It is recommended to store secrets in Azure Key Vault and retrieve them from there using managed identity for enhanced security.
147147
148148
149-
This sample inspects the PR title to see if the user indicated if the PR is a work in progress by adding **WIP** to the title. If so, the sample code changes the status posted back to the PR. Replace the code in your Azure function with the following code which updates the status posted back to the PR.
149+
This sample inspects the PR title to see if the user indicated if the PR is a work in progress by adding **WIP** to the title. If so, the sample code changes the status posted back to the PR. Replace the code in your Azure function with the following code, which updates the status posted back to the PR.
150150
151151
```cs
152152
using System;
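Review bot: The `[!Important]` text on new line 146 advises storing "the token" in Azure Key Vault and retrieving it "using managed identity", which carried over from the PAT wording but does not fit here: auth-overview.md in this commit says Entra tokens can be generated for a managed identity, so a function that has one can request the token directly and there is nothing to store. Reword the note accordingly, and on line 143 replace "which you can obtain through Microsoft Entra authentication" with a link to the steps that request `vso.code_status`.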
@@ -162,9 +162,9 @@ private static string repositoryName = "[Repo Name]"; // Repository n
162162
163163
/*
164164
This is here just to simplify the sample, it is recommended to store
165-
secrets in KeyVault and retrieve them from there.
165+
secrets in Azure Key Vault and retrieve them using managed identity.
166166
*/
167-
private static string pat = "[PAT TOKEN]";
167+
private static string accessToken = "[MICROSOFT_ENTRA_TOKEN]";
168168
169169
public static async Task<HttpResponseMessage> Run(HttpRequestMessage req, TraceWriter log)
170170
{
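Review bot: `accessToken` on new line 167 is a static string assigned once from a literal, so the sample has no path for replacing the token when it expires, and auth-overview.md in this commit describes CLI-issued tokens as suited to "testing or one-time operations". Either state in the comment on lines 163-166 that the hard-coded value only works for a short test, or show the token being acquired inside `Run`.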
@@ -215,9 +215,7 @@ private static void PostStatusOnPullRequest(int pullRequestId, string status)
215215
using (HttpClient client = new HttpClient())
216216
{
217217
client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
218-
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic", Convert.ToBase64String(
219-
ASCIIEncoding.ASCII.GetBytes(
220-
string.Format("{0}:{1}", "", pat))));
218+
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
221219
222220
var method = new HttpMethod("POST");
223221
var request = new HttpRequestMessage(method, Url)
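Review bot: With old lines 218-220 removed the sample shows only Bearer authentication, yet the front matter hunk for this file keeps `monikerRange: '<= azure-devops'`, so the page still renders for Azure DevOps Server readers; confirm that Entra tokens apply to those versions or keep the PAT variant under a version moniker. Also check that no `using` directive is left unused now that `ASCIIEncoding` is gone.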
