We have added new Azure DevOps scopes for delegated OAuth apps on the Microsoft Identity platform, also colloquially known as Azure Active Directory OAuth apps. These new scopes will enable app developers to announce specifically which permissions they are hoping to request from the user in order to perform app duties. They may look familiar as these new scopes are the same ones available via Azure DevOps OAuth today.
user_impersonation was the only scope available for app developers to choose from. This scope gives the app full access to all Azure DevOps APIs, which means it will be able to do anything that the user is able to do across all organizations that the user belongs to.
Now with more granular scopes available, you can rest easy that apps can only request and access solely those APIs that the requested scopes have granted them permission to access.
Please note that these new permissions are only available for delegated flows, they do not exist as application permissions on app-only flows.
New OAuth App Developers
This also brings the Azure AD OAuth apps to parity with our own implementation of Azure DevOps OAuth, as far as scopes go. A common concern for new app developers is that only the latter offered scoped access tokens – this is no longer the case. We recommend all net new apps to explore the Microsoft Identity platform and see what additional features and tooling are available via Azure AD OAuth apps.
Existing OAuth App Developers
If you have an existing Azure AD OAuth app with the
user_impersonation scope, consider down-scoping your app to just the scopes your app truly needs. Reducing the risk vector of any leaked access tokens is always a good thing!
To determine what scopes you need on your app, look for the
scopes header on the API Reference pages for each of the APIs your app calls.
Once you alter the scopes requested through your Azure AD app registration, you may need to get consent for these new scopes from your users or admin, depending on how your app and tenant is configured.
We appreciate your patience as we brought out this highly-requested feature for OAuth app developers. We welcome any feedback you have on this new security measure on the blog post comments below, or as always, through the Developer Community.