← ADO Atlas

Microsoft sign-in (Entra ID OAuth) — setup

ADO Atlas can authenticate with Microsoft sign-in instead of a Personal Access Token: you click "Sign in with Microsoft" once, and the extension uses an Entra ID access token that refreshes itself — no token to copy, no expiry to babysit.

OAuth requires a one-time app registration in Microsoft Entra ID. It takes ~3 minutes; after that, signing in is one click.

Only for work/school accounts. Azure DevOps OAuth is a Microsoft Entra (work/school) resource — it does not exist for personal Microsoft accounts. If you sign in to dev.azure.com with a personal account (outlook/hotmail/live), use the Token (PAT) tab instead. The PAT method works for any account type.

1. Register an app in Entra ID

Open the Azure Portal → Microsoft Entra ID → App registrations → New registration.
Name: anything (e.g. ADO Atlas).
Supported account types: Accounts in any organizational directory (multitenant) if you'll use the default organizations tenant. (Single-tenant if you only ever sign in to one organization.)
Redirect URI: leave blank for now → Register.

2. Add the redirect URI

Open the extension, go to Microsoft sign-in, and copy the Redirect URI it shows (looks like https://<extension-id>.chromiumapp.org/).
In the app registration → Authentication → Add a platform → Mobile and desktop applications → add a custom redirect URI with that exact value → Configure.
(Recommended) On the same page set Allow public client flows to Yes and save. The extension is a public client using PKCE — there is no client secret.

Why chromiumapp.org? This redirect address is intercepted by Chrome to capture the sign-in result; it is required by chrome.identity and cannot be a website. The extension shows you the exact value to register.

3. Grant Azure DevOps permission

App registration → API permissions → Add a permission → Azure DevOps → Delegated permissions → check user_impersonation → Add permissions.
If your tenant requires admin approval, click Grant admin consent (or an admin approves at first sign-in).

4. Connect the extension

App registration → Overview → copy the Application (client) ID.
In the extension's Microsoft sign-in tab, paste the Application (client) ID and pick the Account type / tenant: Work or school account (organizations) or Specific tenant ID (paste a tenant GUID to pin one organization). Personal accounts aren't offered — Azure DevOps OAuth doesn't support them.
Click Sign in with Microsoft, complete the prompt and consent.
Pick your organization and project (they auto-populate after sign-in) → Save & Connect.

Troubleshooting

The Redirect URI depends on the extension's ID. A published Web Store extension has a stable ID, so register it once. An unpacked dev build gets a new ID per machine unless pinned with a key in manifest.json — the setup screen always shows the current value.
AADSTS50011 / redirect mismatch: the URI in Entra must match the one shown in the extension exactly (including the trailing /).
AADSTS65001 / consent required: grant admin consent in step 3, or have an admin approve.
Org not listed after sign-in: make sure your account is a member of the Azure DevOps organization and that the org allows Entra-based access.

Tokens (access + refresh) are stored locally and sent only to login.microsoftonline.com and Azure DevOps — see the Privacy Policy.