Issue
Users are unable to create new Azure DevOps Services (ADOS) VCS connections in Terraform Cloud due to Microsoft's retirement of OAuth App registrations starting April 2025.
Affected workflows include creating new workspace integrations using the Azure DevOps OAuth-based flow, resulting in failure to authorise or fetch repositories.
Ref: No new Azure DevOps OAuth apps beginning April 2025
Impact
- New OAuth-based VCS connections to Azure DevOps Services fail to register.
- Existing OAuth connections may continue to work but cannot be reauthorized if disconnected.
- Users are blocked from creating Terraform workspaces backed by ADOS Git repositories.
Resolution
HashiCorp has implemented support for Personal Access Token (PAT)-based connections to Azure DevOps Services in both:
- Terraform Cloud UI
- TFE Provider (via tfe_oauth_client resource)
Not sure how to create a Personal Access Token (PAT)? Click here
Terraform Cloud UI
- Navigate to Settings > Version Control Providers in your HCP Terraform organization.
- Choose Azure DevOps Services.
- Select the new option Configure with Personal Access Token (Use a Personal Access Token to securely connect...).
- Enter the required token and details.
- Test and save the connection.
Note: PATs must be created with sufficient read access to the repositories you wish to use.
TFE Provider (via tfe_oauth_client resource)
You can also create the connection using Terraform's tfe provider as shown:
Main.tf
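    terraform {
      required_providers {
        tfe = {
          source  = "hashicorp/tfe"
          version = "~> 0.64.0"
        }
      }
    }

    # Azure DevOps Services Personal Access Token (PAT).
    variable "ADO" {
      type      = string
      sensitive = true # keep the PAT out of plan and apply output
    }

    # VCS connection to Azure DevOps Services, authenticated with the PAT.
    resource "tfe_oauth_client" "test" {
      name                = "<desired name>"
      organization        = "<organization>"
      api_url             = "https://dev.azure.com"
      http_url            = "https://dev.azure.com"
      oauth_token         = var.ADO
      service_provider    = "ado_services"
      organization_scoped = true
    }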
terraform.auto.tfvars
    # This file holds a credential; keep it out of version control.
    ADO = "<REDACTED>"
Important: The value of the ADO variable should be a Personal Access Token (PAT) generated from Azure DevOps Services. Make sure your PAT has appropriate scopes, such as "Code (Read)" and "Project and Team (Read)", to allow repository access.
Although the Terraform Cloud UI suggests selecting only Code:read and Code:status when generating your PAT, in practice some Azure DevOps repositories require broader permissions such as Code: Read & Write or even Full Access for the connection to succeed.
Limitation
- Terraform Cloud does not currently support automatic rotation or renewal of Personal Access Tokens. When a PAT expires, you must manually generate a new token in Azure DevOps and update your VCS connection settings in Terraform Cloud.
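Because rotation is manual, a plan-time reminder helps avoid a connection that silently stops working. The block below is an added example, not part of the original article or HashiCorp's own code. The variable ado_pat_expires_on, the check name and the 14-day window are assumptions chosen for illustration.

```hcl
# Added example. Requires Terraform 1.5 or later (check blocks, plantimestamp()).
# Assumption: you record the PAT's expiry date yourself when you create the
# token in Azure DevOps; nothing here reads the date from Azure DevOps.

variable "ado_pat_expires_on" {
  type        = string
  description = "Expiry date of the PAT supplied in the ADO variable, as YYYY-MM-DD."

  validation {
    # formatdate() only succeeds on a parseable RFC 3339 timestamp.
    condition     = can(formatdate("YYYY-MM-DD", "${var.ado_pat_expires_on}T00:00:00Z"))
    error_message = "ado_pat_expires_on must be a valid date in YYYY-MM-DD format."
  }
}

locals {
  ado_pat_expiry      = "${var.ado_pat_expires_on}T00:00:00Z"
  ado_pat_warn_window = "336h" # 14 days; duration units stop at hours
}

# A failed check is reported as a warning on plan and apply. It does not block
# the run, so other changes can still be applied while the PAT is replaced.
check "ado_pat_expiry" {
  assert {
    # True while "now + warn window" is still earlier than the expiry date.
    condition = timecmp(
      timeadd(plantimestamp(), local.ado_pat_warn_window),
      local.ado_pat_expiry
    ) < 0
    error_message = "The Azure DevOps PAT expires on ${var.ado_pat_expires_on} (or has already expired). Generate a new token in Azure DevOps, then update ADO and ado_pat_expires_on."
  }
}
```

When you rotate the PAT, update ADO and ado_pat_expires_on together so the reminder tracks the token actually in use.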
Next Steps
- Customers are encouraged to migrate to PAT-based connections for all new Azure DevOps integrations.
- Entra ID support is being developed as a long-term solution and will be announced in upcoming Terraform Cloud releases.
Reference: Set up the Azure DevOps Services VCS provider using personal access tokens
Still Need Help?
If you're still having issues or need help transitioning to PAT-based authentication, please contact HashiCorp Support.