HCP Terraform unable to connect to Azure DevOps OAuth app registrations

Introduction

Starting in April 2025, Microsoft will stop allowing new OAuth app connections for Azure DevOps. This change affects integrations with Terraform Cloud (HCP Terraform) that depend on OAuth to access Azure DevOps repositories. Until official support for Microsoft Entra ID is released, an alternative connection method is required.

Problem

New connections to Azure DevOps using OAuth will no longer be possible in Terraform Cloud after April 2025. This limits the ability to link Azure DevOps repositories to Terraform Cloud for new projects.

Prerequisites (if applicable)

• HCP Terraform Account (user account with permission to manage VCS connections)
• Azure DevOps Services
• Personal Access Token (PAT) from Azure DevOps
• (Optional) tfe Terraform provider version ~> 0.64.0 (used when managing Terraform Cloud setup through code)

Cause

Microsoft will deprecate new OAuth app registrations for Azure DevOps beginning in April 2025. As a result, new VCS connections using OAuth will not be supported. Existing OAuth connections may continue temporarily but cannot be recreated or newly established.

Solutions:

1. Use a Personal Access Token (PAT)

• Instead of OAuth, configure the Azure DevOps VCS provider in Terraform Cloud using a Personal Access Token (PAT).
• Documentation reference: https://developer.hashicorp.com/terraform/cloud-docs/vcs/azure-devops-services-pat

2. When using the tfe Provider

For environments managed with Terraform code, the tfe provider can be used to set up the connection to Azure DevOps via PAT.

Example main.tf:

terraform {
  required_providers {
    tfe = {
    version = "~> 0.64.0"
    }
  }
}

variable "ADO" {
  type = string
}

resource "tfe_oauth_client" "test" {
  name = "<desired name>"
  organization = "<organization>"
  api_url = "https://dev.azure.com"
  http_url = "https://dev.azure.com"
  oauth_token = var.ADO
  service_provider = "ado_services"
  organization_scoped = true
} 

Example terraform.auto.tfvars:

ADO = "<Personal Access Token>"

Ensure the PAT includes code(Read) and code(Status) scopes for accessing the Azure DevOps organization and repositories.

Outcome

Azure DevOps repositories should appear within Terraform Cloud after configuration.
If repositories are not visible, verify the token, its permissions, and the configured organization details.

Additional Information

• Microsoft Announcement on OAuth App Restrictions
• Terraform Cloud VCS Setup Using PAT
• Terraform Provider for Terraform Cloud (tfe)