Tips & Tricks for Azure Repos: Configure Git Credential Manager for Entra ID Auth

Radoslav Gatev -

Git Credential Manager (GCM) is a cross-platform Git credential helper that handles authentication to common Git hosting services and stores credentials or tokens so you do not have to enter them for every Git operation.

You probably use it to authenticate against Azure DevOps without thinking about it.​ It is the tool that shows the login prompt whenever you run Git commands against a repository.​

The problem

Most of the time, GCM “just works” and makes it easy to move between Azure DevOps organizations and repositories.

But in some organizations, cloning (or any Git operation) fails and Git falls back to prompting for a username and password, which often won’t work in modern Azure DevOps setups.

git clone https://<organization>.visualstudio.com/<project-name>/_git/<repository-name>
Cloning into '<repository-name>'...
fatal: Failed to create PAT: DisablePatCreationPolicyViolation
Username for 'https://<organization>.visualstudio.com':

The root cause

The key detail here is the error message:
fatal: Failed to create PAT: DisablePatCreationPolicyViolation.

By default, GCM authenticates you to Azure DevOps and then obtains a personal access token (PAT), which it stores securely.​ Seeing an Entra sign-in prompt does not mean GCM is using Entra tokens as the final credential; it can still be exchanging that sign-in for a PAT behind the scenes.

It took some time to understand this behavior when I first hit the problem.

PATs are simple and convenient, but they are being phased out as the primary way to access Azure DevOps APIs.​ They are long‑lived secrets, and many organizations now restrict how they are created and used.​ In Azure DevOps, administrators can control PAT usage at the organization level with dedicated policies.

The fix

For Azure DevOps, the Git Credential Manager credential type defaults to PAT.​ To use Entra ID-based OAuth tokens instead, change the Azure Repos credential type to OAuth:

git config --global credential.azreposCredentialType oauth

After this change, GCM will request Entra ID tokens instead of PATs by default when you connect to Azure Repos