Setting up Azure DevOps OAuth 2.0 credential

Release version: Washingtondc

Updated August 30, 2024

7 minutes to read

Create Azure DevOps OAuth 2.0 credential and use them to connect your Azure DevOps instance.

If you want to use Basic Authentication credentials instead of OAuth 2.0, skip this section and proceed to onboarding Azure DevOps using one of the following options:

Create a tenant in Microsoft Entra

Create a tenant in Microsoft Entra and set up the required permissions to create an Azure DevOps (ADO) app.

Before you begin

Role required: Tenant Creator in Azure DevOps.

About this task

Your tenant represents your organization and helps you to manage a specific instance of Microsoft Cloud services for your internal and external users.

If you have an existing tenant, which has access to create an ADO app, you do not need to perform this procedure. If you don’t have a tenant, you must create a tenant in Microsoft Entra, which will have access to create an ADO app.

Procedure

In the Microsoft Entra portal, navigate to Overview > Manage tenants.
Select Create.
Select the Workforce configuration, and select Continue.
Enter the following information:
- Your desired Organization name into the Organization name box.
- Your desired Initial domain name into the Initial domain name box.
Select Next: Review + Create.
Review the information that you entered and if the information is correct, select Create in the lower left corner.

For more information, see the Microsoft documentation.

Add a user to tenant in Microsoft Entra

Add a user who contains the admin role, to the tenant created in the previous procedure.

Before you begin

Role required: User Administrator in Azure DevOps

Procedure

In the Microsoft Entra ID tenant page, select the number of users link in the Tenant details section.
Select New user > Create new user.

In the Basics tab, enter the following details.

Table 1. Basics tab fields
Field	Value
User principal name	Enter a unique user name and select a domain from the menu after the @ symbol.
Mail nickname	If you need to enter an email nickname that is different from the user principal name you entered, clear the Derive from user principal name option, then enter the mail nickname.
Display name	Enter the user's name.
Password	Provide a password for the user to use during their initial sign-in. Clear the Auto-generate password option to enter a different password
Account enabled	This option is checked by default. Clear to prevent the new user from being able to sign in. You can change this setting after the user is created. This setting was called Block sign in in the legacy create user process.

Select Next: Properties to complete the next section.

Table 2. Properties tab fields
Field	Value
Identity	Enter the user's first and last name. Set the User type as either Member or Guest.
Job information	Add any job-related information, such as the user's job title, department, or manager.
Contact information	Add any relevant contact information for the user.
Parental controls	For organizations like K-12 school districts, the user's age group may need to be provided. Minors are 12 and under, Not adult are 13-18 years old, and Adults are 18 and over. The combination of age group and consent provided by parent options determine the Legal age group classification. The Legal age group classification may limit the user's access and authority.
Settings	Specify the user's global location.

Select Next: Assignments to complete the next section.
In the Assignments section, select + Add role.
From the menu that appears, select the Global Administrator role from the list and select the Select button.
Select the Review + create button.

For more information, see the Microsoft documentation.

Create an organization in Azure portal

Create an organization in the new tenant, which has access to create an app.

Before you begin

Role required: Global Administrator in Azure DevOps

Procedure

Log in to Azure portal with the user created in the previous procedure.
Navigate to Azure DevOps Organizations > My Azure DevOps Organizations.
Select Create new organization.
Enter the name of your ADO organization and location, and then select Continue.

This newly created org will be connected with the tenant created in the Create a tenant in Microsoft Entra topic.

Create an Azure DevOps app

Create and configure an Azure DevOps (ADO) app and copy the required values to enable OAuth 2.0 authentication with your ServiceNow instance.

Before you begin

Role required: Global Administrator in Azure DevOps

Procedure

In the Azure portal, navigate to App registrations.
Select + New registration.

On the App registrations page, enter your application's registration information as described in the table.

Table 3. App registrations page
Field	Value
Name	Enter a meaningful application name that is displayed to users.
Supported account types	Select Accounts in this Organizational directory only (Single tenant)
Redirect URL	Enter your ServiceNow instance URL.

Select Register.
In the newly created application, from the Overview page in the left navigation pane and copy the following details:
- Application (client) ID
- Directory (tenant) ID
Add a client secret by selecting the Manage > Certificates & secrets link in the left navigation pane.
For more information, see the Add a client secret and Register an application topics in Microsoft documentation.
Copy the client secret value.
Navigate to Manage > API permissions.
Select + Add a permission, and select the Microsoft APIs tab on the right.
Search and select Azure DevOps and add the vso.project permission.
Select the vso.project permission, and copy the Resource App ID value.

Note:
The resource app ID value copied here will be added in the OAuth Entity Scopes for the Application Registry.

Register Azure DevOps as an OAuth provider

Use the information generated during Azure DevOps (ADO) app account configuration to register Azure DevOps as an OAuth provider and enable the instance to request OAuth 2.0 tokens.

Before you begin

Role required: admin

Procedure

In ServiceNow DevOps Change Velocity, navigate to All > System OAuth > Application Registry.
Select New.
The What kind of OAuth application? message is displayed.
Select Connect to a third party OAuth Provider.

On the form, fill in the fields.

Table 4. Application Registry form fields
Field	Description
Name	Name to uniquely identify the record. For example, enter `My ADO App Provider`.
Client ID	Client ID of your ADO app (hint: available in the Overview section of your ADO app).
Client Secret	Client secret of your ADO app (hint: available in the Certificates & secrets section of your ADO app).
Default Grant type	Type of grant associated with application registry. Select Client Credentials.
Authorization URL	Enter: https://login.microsoftonline.com/<Directory (tenant) ID>/oauth2/v2.0/authorize Where, Directory (tenant) ID is the alphanumeric value found in the Overview section of your ADO app.
Token URL	Enter: https://login.microsoftonline.com/<Directory (tenant) ID>/oauth2/v2.0/token Where, Directory (tenant) ID is the alphanumeric value found in the Overview section of your ADO app.

Leave the rest of the form fields as is.
Select and hold (or right-click) the form header, and select Save.
The system validates the OAuth credentials and populates the Redirect URL (Hint: It should match the redirect URL previously provided in your ADO app creation).
Select the OAuth Entity Scopes related tab.
Add the OAuth scope value as <Resource App ID value copied in step 11 of the previous procedure>/.default.

Configure organization and project level settings

Configure organization and project level settings for your app.

Before you begin

Role required: Member of the Project Collection Administrators group or organization's owner.

Procedure

Navigate to Organizational Settings of your organization in the Azure DevOps portal.
Select Users.
In the Users or Service Principals field, select the app you created in the previous procedure to the list.
Navigate back to the users list, and select the app user.
Select the Actions menu, and select Manage Access.
Add the project that you want to enable the app to access, and assign the Project Administrator role to that project.
Note:
If you aren’t seeing your release or classic pipelines, ensure that the Disable creation of classic release pipelines setting is switched off for your organization.
Navigate to Project Settings of your project.
Select Permissions.
There will be one project team created under permissions by default.
Select the default project team, and navigate to the Members tab.
Add your app user.

Create credential record and get OAuth token

Create credential record and get OAuth token.

Before you begin

Role required: admin, sn_devops.admin

About this task

For ADO OAuth 2.0, you must create separate credential records for build, release, and feeds in ServiceNow.

Procedure

Navigate to All > Connections & Credentials > Credentials.
Select New.
The What type of Credentials would you like to create? message is displayed.
Select OAuth 2.0 Credentials.

On the form, fill in the fields.

Table 5. OAuth 2.0 Credentials form fields
Field	Value required
Name	Name to uniquely identify the record. For example, enter `My ADO APP Build Credential`.
Active	Option to enable the record.
OAuth Entity Profile	Default OAuth Entity profile created in the Application Registry.

Save the record.
Select the Get OAuth Token related link to generate the OAuth token.
Repeat the procedure to create release and feeds credentials.