Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Azure DevOps Services | Azure DevOps Server | Azure DevOps Server 2022 | Azure DevOps Server 2020
This article explains authentication approaches for the cross-platform CLI (tfx-cli) and Azure DevOps.
Important
We recommend using Microsoft Entra ID authentication as the primary method for authentication. Personal access tokens (PATs) should be used only when Microsoft Entra ID authentication isn't available. Basic authentication is deprecated and not recommended.
Prerequisites
Before you begin, ensure you have:
- Node.js (latest LTS version recommended) 
- tfx-cli installed globally: - npm install -g tfx-cli
For more information about tfx-cli, see the Node CLI for Azure DevOps on GitHub.
Authentication methods
Choose the appropriate authentication method based on your environment:
| Method | Recommended for | 
|---|---|
| Microsoft Entra ID | Azure DevOps Services | 
| PAT | Azure DevOps Server, automation scripts | 
| Basic Authentication | Azure DevOps Server only | 
Microsoft Entra ID authentication (Recommended)
For Azure DevOps Services, use Microsoft Entra ID authentication for the best security:
tfx login
When prompted:
- Enter your service URL, for example, https://dev.azure.com/Your_Organization.
- Follow the browser-based authentication flow.
- Complete the sign-in process in your browser.
For detailed guidance on Microsoft Entra ID authentication, see Microsoft Entra-based authentication.
PAT authentication
Use PATs when Microsoft Entra ID authentication isn't available, such as with Azure DevOps Server.
Create and use a PAT
- Create a PAT with the required scopes. 
- Sign in using the PAT: - tfx login
- When prompted, provide: - Service URL: Your Azure DevOps instance URL.
- Personal access token: The PAT you created.
 
Example URLs:
- Azure DevOps Services: https://dev.azure.com/Your_Organization
- Azure DevOps Server: https://yourserver/tfs/DefaultCollection
- Visual Studio Marketplace: https://marketplace.visualstudio.com
Example session:
~$ tfx login
Copyright Microsoft Corporation
> Service URL: https://dev.azure.com/Your_Organization
> Personal access token: **********************
Logged in successfully
Basic authentication (Deprecated)
Warning
Basic authentication is deprecated and not recommended. Use Microsoft Entra ID instead. Basic authentication:
- Sends credentials in plaintext
- Can cause issues with Git command line operations
- Poses security risks
Configure basic authentication (Azure DevOps Server only)
If you must use basic authentication with Azure DevOps Server installations:
- Enable IIS Basic Authentication: - Open Server Manager.
- Install the Basic Authentication feature for IIS.
- In IIS Manager, go to your Azure DevOps Server website.
- Double-select Authentication in the Features view.
- Enable Basic Authentication.
- Leave domain and realm settings empty.
 
- Sign in with basic authentication: - tfx login --auth-type basic
- When prompted, provide: - Service URL: Your on-premises server URL (for example, http://yourserver:8080/tfs/DefaultCollection).
- Username: Use domain\usernameformat (for example,fabrikam\john)
- Password: Your domain password.
 
- Service URL: Your on-premises server URL (for example, 
Tip
Consider configuring SSL for secure communication when using basic authentication.