Choosing an auth method
Compare PAT, delegated OAuth, and Service Principal authentication for connecting ADO Pilot to your Azure DevOps organization.
ADO Pilot supports three ways to authenticate against your Azure DevOps organization. In v1, only the personal access token (PAT) path is shipped — delegated OAuth and Service Principal are planned for a later release. This page explains the trade-offs so you can plan ahead.
The three methods at a glance
- Personal access token (PAT) — fastest to set up, no extra cost, the only option available in v1.
- Delegated OAuth — one-click sign-in with a Microsoft account. Planned for v2+.
- Service Principal — org-scoped identity with no personal token. Planned for v2+.
Decision matrix
| Method | Setup time | Security posture | Extra cost | Best for | Available in v1? |
|---|---|---|---|---|---|
| Personal access token | About 5 minutes | Good if rotated every 90 days | None | Every team in v1 | Yes |
| Delegated OAuth | About 2 minutes | Tied to the consenting user's account | None | Teams that want zero copy-paste | No, v2+ |
| Service Principal | About 15 minutes | Org-scoped, no personal credentials | One Azure DevOps Basic license per org | Enterprises with Conditional Access | No, v2+ |
Personal access token
PAT is what you use today. The Azure DevOps user who creates the token grants ADO Pilot the four scopes it needs (see Required PAT scopes) and pastes the token into the onboarding wizard.
What to know:
- Setup is contained to one person — no Entra ID admin involvement.
- The token expires on a fixed date (90 days is the recommended window).
- The token is bound to the user who created it. If that user leaves the organization or has their account disabled, ADO Pilot stops working until someone else issues a new PAT.
- You are responsible for rotating it on schedule — see Rotating your PAT.
For step-by-step setup, see Creating a Personal Access Token.
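The rotation points above can be checked mechanically. The following is an added example, not ADO Pilot's own code: it audits a token listing for PATs that are expired, due for rotation, or issued for longer than the 90-day window. The `patTokens`, `displayName`, `validFrom` and `validTo` fields are assumed to match what your Azure DevOps token listing returns; the token names, the 14-day reminder lead and the sample data are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(days=90)  # recommended window from this page
WARN_BEFORE = timedelta(days=14)   # assumption: how early to flag a rotation
NOW = datetime(2025, 4, 1, tzinfo=timezone.utc)  # fixed "today" for the sample

# Constructed sample listing; names and dates are illustrative only.
SAMPLE = json.loads("""
{"patTokens": [
  {"displayName": "ado-pilot",         "validFrom": "2025-01-10T00:00:00Z",    "validTo": "2025-04-10T00:00:00Z"},
  {"displayName": "ado-pilot-old",     "validFrom": "2024-06-01T00:00:00.12Z", "validTo": "2025-06-01T00:00:00Z"},
  {"displayName": "ado-pilot-expired", "validFrom": "2024-11-01T00:00:00Z",    "validTo": "2025-01-30T00:00:00Z"}
]}
""")

def parse_ts(value):
    # Timestamps are UTC; drop the trailing Z and any fractional seconds
    # so parsing behaves the same on every Python 3 version.
    return datetime.fromisoformat(value.rstrip("Z").split(".")[0]).replace(tzinfo=timezone.utc)

def audit(tokens, now):
    """Return {token name: [issues]} for every token that needs attention."""
    findings = {}
    for tok in tokens:
        start, end = parse_ts(tok["validFrom"]), parse_ts(tok["validTo"])
        issues = []
        if end <= now:
            issues.append("expired")        # the integration is already broken
        elif end - now <= WARN_BEFORE:
            issues.append("rotate-now")     # inside the reminder window
        if end - start > MAX_LIFETIME:
            issues.append("lifetime-over-90d")  # issued for longer than recommended
        if issues:
            findings[tok["displayName"]] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit(SAMPLE["patTokens"], NOW).items():
        print(f"{name}: {', '.join(issues)}")
```

Run it on a schedule against the account that owns the PAT, since the token stops working if that user is disabled regardless of its expiry date.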
Delegated OAuth
In v2+, you will be able to click Sign in with Microsoft on the wizard's connect step and authorize ADO Pilot in a single round trip. The connection is bound to the consenting user's Entra ID identity and refreshes automatically.
Trade-offs to expect:
- No PAT to copy or rotate.
- The connection breaks if the consenting user departs or has their access revoked, just as with PAT.
- Conditional Access policies on your tenant may block the sign-in. Your tenant admin can allow ADO Pilot as a trusted application, or you can fall back to PAT.
Service Principal
Service Principal is the enterprise-grade option planned for v2+:
- Authenticates as an Entra ID application owned by your organization, not by any individual user.
- Survives personnel changes — no rebinding when someone leaves.
- Respects Conditional Access policies cleanly because it uses certificate-based auth rather than a user token.
- Requires one Azure DevOps Basic license assigned to the service principal in your organization (currently about $6 per month, billed by Microsoft).
- Requires an Entra ID admin to consent to ADO Pilot's application registration.
Which should I pick today?
If you are onboarding now, use PAT. It is the only method we ship in v1 and is sufficient for production reviews on every plan tier. When delegated OAuth and Service Principal land, you will be able to switch from the Integration settings page without losing review history, repository configuration, plans, or billing.