Today, we officially closed the doors on any new Azure DevOps OAuth app registrations.
As we prepare for the end-of-life for Azure DevOps OAuth apps in 2026, we’ll begin outreach to engage existing app owners and support them through the migration process to use the Microsoft Identity platform instead for future app development with Azure DevOps. This platform, used across Microsoft teams, can access the same Azure DevOps REST APIs, with the added benefit of ongoing regular investment and additional security controls available to company admins. We’ve collected a list of helpful resources from Microsoft Entra docs to support you in this migration effort.
We will also begin regularly removing apps with secrets that have expired more than six months ago (180 days ago). App owners of these inactive apps will be informed and if there’s any further need for the app registration between now and Azure DevOps OAuth’s end-of-life in 2026, you are asked to rotate the app secret before April 30.
Lastly, we’ll also be reaching out to app owners of apps with long-lasting secrets. Now with our new overlapping secrets feature, apps with long-lasting secrets have a downtime-free approach to regularly rotate their secrets and move away from unnecessarily long-living secrets. We recommend all app owners build a secret rotation flow into their app code. Not only is this good app security practice, all new Azure DevOps OAuth app secrets will now default to a 60-day secret lifespan.
0 comments
Be the first to start the discussion.