I cannot, for the life of me, figure out how to programmatically see which 3rd-party OAuth apps an Azure DevOps user has approved. I can list their PATs, but I just can’t seem to find a way to list the ADO OAuth apps they’ve authorized to act on their behalf.
Currently, Azure DevOps does not provide a direct API to programmatically list the third-party OAuth applications that a user has authorized. However, users can manually review and manage their authorized apps through their profile settings in Azure DevOps.
Manual Approach
Users can go to the Manage Authorizations section of their profile by visiting:
https://app.vssps.visualstudio.com/Profile/View
and selecting Manage authorizations. This page lists all the services authorized to access their account, and users can revoke access if needed [1][2].
Programmatic Workaround
If you need programmatic access to this information, there is no documented API for listing authorized OAuth apps directly. However, you can:
- Use the Azure DevOps REST APIs to retrieve user-related data or organization settings.
- Check for tokens or permissions granted to third-party services indirectly by examining scopes tied to OAuth tokens issued for API calls.
Limitations
- Azure DevOps OAuth is slated for deprecation in 2026, with Microsoft Entra ID OAuth recommended as its replacement [3][2].
- The available APIs focus on managing PATs (Personal Access Tokens) or service principal permissions rather than individual user-authorized OAuth apps [4][5].
For now, manual management remains the most reliable method for reviewing third-party app authorizations.
But how do I, an admin, find out who approved one? I want to tell them to disapprove it, because that’s against policy.
As an Azure DevOps administrator, there is no direct API or interface to identify which user approved a third-party OAuth app. However, you can take the following steps to investigate and address the situation:
1. Check Authorization Logs (Manual Process)
Azure DevOps does not provide detailed audit logs for OAuth app authorizations. However, you can:
- Ask the suspected users to review their authorized apps by navigating to their Manage Authorizations page: https://aex.dev.azure.com/me.
- Instruct them to revoke the app if it violates policy.
2. Enable Admin Consent Workflow in Azure AD
If your Azure DevOps organization is integrated with Azure AD (now Microsoft Entra ID), you can enforce admin consent for OAuth apps:
- Go to Azure Portal > Azure AD > Enterprise Applications > User Settings.
- Disable “Users can consent to apps accessing company data on their behalf.”
- This ensures that only admins can approve apps, preventing unauthorized approvals in the future [6][7].
3. Audit App Permissions in Azure AD
If the OAuth app is registered in Azure AD:
- Navigate to Azure Portal > Azure AD > App Registrations > [App Name] > API Permissions.
- Check who granted consent under “Grant Permissions” or “Admin Consent” logs.
4. Revoke App Authorization
To revoke an app in Azure DevOps:
- Ask users to revoke it from their profile (https://aex.dev.azure.com/me).
- Alternatively, if the app uses a service connection, you can delete or manage it under Project Settings > Service Connections.
5. Communicate with Users
If you identify the user who approved the app:
- Inform them of the policy violation and request immediate revocation.
- Provide guidance on securely managing authorizations.
Future Prevention
To avoid such incidents, enforce strict policies on app approvals and integrate Azure AD admin consent workflows for better control over third-party integrations.
How would Azure AD admin consent workflows help with an ADO OAuth app?
An Azure AD admin consent workflow does not directly manage Azure DevOps OAuth apps because Azure DevOps uses its own OAuth mechanism, separate from Azure AD’s workflows. However, integrating Azure DevOps with Azure AD and enforcing admin consent workflows can indirectly help enforce policies and control app authorizations. Here’s how:
How Admin Consent Workflow Helps
- Prevents Unauthorized Third-Party Apps:
- Centralized Approval Process:
- Monitoring and Auditing:
- Tenant-Wide Enforcement:
Limitations for Azure DevOps OAuth Apps
Azure DevOps OAuth apps are not natively governed by Azure AD admin consent workflows because they operate under Azure DevOps-specific authorization mechanisms. To address unauthorized OAuth app approvals within Azure DevOps:
- Manual Review: Ask users to check their authorized apps via the “Manage Authorizations” page in their profile.
- Policy Enforcement: Implement organizational policies restricting app approvals and educate users about security risks.
Future Considerations
Microsoft encourages transitioning to Microsoft Entra ID (formerly Azure AD) for unified identity management. If your organization integrates Azure DevOps with Entra ID, you can leverage admin workflows and permissions to better control third-party integrations [8][11].
Are there any Kusto queries I could write – or other queries – to help me figure out who’s approved a particular ADO OAuth App? I know its client ID.
Unfortunately, Azure DevOps does not provide a direct way to query or log which user approved a specific OAuth app programmatically, even if you have the app’s client ID. However, here are some approaches you can consider:
1. Check Azure DevOps Audit Logs
Azure DevOps audit logs might contain information about OAuth app authorizations. If auditing is enabled for your organization:
- Navigate to Organization Settings > Audit Logs in Azure DevOps.
- Search for entries related to the app’s client ID or authorization events.
- Look for records that might indicate which user authorized the app.
Audit logs can be exported and queried using tools like KQL (Kusto Query Language) if integrated with Azure Monitor or Log Analytics.
2. Use Azure AD Logs (If Integrated)
If your Azure DevOps organization is integrated with Azure AD (Microsoft Entra ID), you can query Azure AD sign-in logs or consent logs for activity related to the app’s client ID:
- In Azure Portal > Microsoft Entra ID > Sign-in Logs, filter by the app’s client ID.
- Check for user consent events in Enterprise Applications > User Consent.
You can write KQL queries in Log Analytics to identify users who interacted with the app:
```kusto
// Entra ID audit log: consent grants whose target resources mention the app's client ID
AuditLogs
| where OperationName == "Consent to application"
| where TargetResources contains "<App Client ID>"
| project TimeGenerated, InitiatedBy, TargetResources
```
3. Query Application Insights (Indirect Approach)
If the third-party app logs activity to Application Insights, you may be able to trace user interactions indirectly. Use KQL queries in Application Insights Log Analytics:
```kusto
// Application Insights: requests tagged by the app with its client ID, grouped by user
requests
| where customDimensions["client_id"] == "<App Client ID>"
| summarize count() by user_Id, timestamp
```
4. Manual Investigation
If none of the above logs provide direct answers:
- Ask users to review their authorized apps under Manage Authorizations (https://aex.dev.azure.com/me) and verify if they’ve approved the app.
- Cross-reference known users with recent activity or suspicious approvals.
Limitations
Azure DevOps OAuth does not natively log user approvals in a way that is easily queryable. Transitioning to Microsoft Entra OAuth may improve visibility and control over app authorizations in the future.
I have ADO audit logs turned on, but ADO OAuth app approval and use aren’t showing up.
Azure DevOps audit logs do not currently include events related to OAuth app approvals or usage. The auditing feature focuses on changes to artifacts, permissions, and other administrative actions, but it does not log user authorizations for third-party OAuth apps [12][13]. This limitation makes it difficult to track which user approved a specific OAuth app directly through audit logs.
Alternatives to Identify OAuth App Approvals
Since audit logs don’t capture these events, here are alternative approaches you can consider:
1. Manual Review via User Profiles
- Ask users to manually check their authorized apps under Manage Authorizations (https://aex.dev.azure.com/me).
- If you know the client ID of the app, users can confirm if they have authorized it and revoke access if necessary.
2. Use Azure DevOps REST API
While there isn’t a direct API for listing authorized OAuth apps, you can use the Azure DevOps REST API to query permissions or tokens associated with the app:
- Use the Audit Log API to search for related activity (though OAuth authorizations may not appear).
- If the app interacts with Azure DevOps resources (e.g., pipelines or repositories), look for its activity in resource-specific logs.
3. Transition to Microsoft Entra ID
If your organization is integrated with Microsoft Entra ID (formerly Azure AD), you can enforce admin consent workflows and monitor app authorizations centrally:
- Disable user consent for third-party apps in Azure AD > Enterprise Applications > User Settings.
- Use Sign-in Logs or Consent Logs in Azure AD to track activity related to the app’s client ID.
4. Export Audit Logs to External Systems
Configure an audit stream to export logs to a centralized system like Splunk or Log Analytics [14]. While OAuth approvals won’t appear directly, analyzing broader activity patterns might reveal indirect clues about app usage.
Future Considerations
Azure DevOps OAuth is being deprecated in favor of Microsoft Entra ID OAuth by 2026 [15][16]. Migrating to Microsoft Entra ID will provide better governance and visibility into app authorizations, including admin-controlled workflows for third-party integrations.
1. https://learn.microsoft.com/en-us/azure/devops/service-hooks/authorize?view=azure-devops
2. https://learn.microsoft.com/en-us/azure/devops/organizations/settings/manage-authorizations?view=azure-devops
3. https://github.com/MicrosoftDocs/azure-devops-docs/blob/main/docs/integrate/get-started/authentication/oauth.md
4. https://learn.microsoft.com/en-us/answers/questions/2203005/how-to-access-azure-devops-resources-via-microsoft
5. https://stackoverflow.com/questions/56527208/access-azure-devops-rest-api-with-oauth
6. https://stackoverflow.com/questions/61763901/azure-oauth2-flow-when-approval-is-requested
7. https://learn.microsoft.com/en-us/answers/questions/555505/admin-consent-for-oauth-applications
8. https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow
9. https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/review-admin-consent-requests
10. https://www.reddit.com/r/Office365/comments/ox8e8j/how_to_test_admin_consent_workflow_required_for/
11. https://learn.microsoft.com/en-us/answers/questions/555505/admin-consent-for-oauth-applications
12. https://learn.microsoft.com/en-us/azure/devops/organizations/audit/azure-devops-auditing?view=azure-devops
13. https://learn.microsoft.com/en-us/azure/devops/organizations/audit/auditing-events?view=azure-devops
14. https://www.devjev.nl/posts/2025/automating-azure-devops-auditing-configure-streams-with-powershell/
15. https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/azure-devops-oauth?view=azure-devops
16. https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/oauth?view=azure-devops