The Microsoft 365 provider supports authentication using Azure DevOps Pipelines’ OpenID Connect (OIDC) tokens. This approach allows Terraform to authenticate to Microsoft 365 services directly from Azure DevOps pipelines without storing long-lived credentials as pipeline variables or service connections.
How Azure DevOps OIDC Works
Token Generation
Azure DevOps Pipelines generates a short-lived OIDC token for each pipeline run
Token Request
The Microsoft 365 provider requests this token during Terraform execution
Present Token
The provider presents the token to Microsoft Entra ID
Trust Relationship
Based on a pre-configured trust relationship, Entra ID issues a Microsoft Graph access token
API Calls
The provider uses this token to authenticate API requests
Prerequisites
An Azure DevOps organization and project
Permissions to create and configure app registrations in Microsoft Entra ID
Ability to modify Azure DevOps pipelines
Permissions to create service connections in Azure DevOps
Setup
Create App Registration
# Set variables TENANT_ID = "00000000-0000-0000-0000-000000000000" APP_NAME = "terraform-m365-provider" # Create app registration APP_ID = $( az ad app create --display-name $APP_NAME --query appId -o tsv ) # Create service principal az ad sp create --id $APP_ID # Grant API permissions az ad app permission add \ --id $APP_ID \ --api 00000003-0000-0000-c000-000000000000 \ --api-permissions 9241abd9-d0e6-425a-bd4f-47ba86e767a4=Role # Grant admin consent az ad app permission admin-consent --id $APP_ID
Create Service Connection
In your Azure DevOps project:
Go to Project settings > Service connections
Click New service connection > Azure Resource Manager
Select Workload Identity federation (manual)
Fill in:
Service connection name : e.g., “M365Provider”Subscription ID : Your Azure subscription IDTenant ID : Your Microsoft Entra ID tenant IDService principal client ID : The app registration client IDIssuer : Your Azure DevOps org URLSubject : Service connection identifier
Configure Federated Credential
# Set variables ADO_ORG = "your-azure-devops-org" ADO_PROJECT = "your-azure-devops-project" SERVICE_CONNECTION_NAME = "M365Provider" # Create federated credential az ad app federated-credential create \ --id $APP_ID \ --parameters "{ \" name \" : \" ado-federated-credential \" , \" issuer \" : \" https://vstoken.dev.azure.com/${ ADO_ORG } \" , \" subject \" : \" sc://${ ADO_ORG }/${ ADO_PROJECT }/${ SERVICE_CONNECTION_NAME } \" , \" audiences \" :[ \" api://AzureADTokenExchange \" ]}"
Azure DevOps Pipeline Configuration trigger : - main pool : vmImage : ubuntu-latest variables : serviceConnectionId : 'M365Provider' steps : - task : TerraformInstaller@0 inputs : terraformVersion : 'latest' - task : TerraformTaskV3@3 displayName : 'Terraform init' inputs : provider : 'azurerm' command : 'init' backendServiceArm : '$(serviceConnectionId)' backendAzureRmResourceGroupName : 'your-resource-group' backendAzureRmStorageAccountName : 'your-storage-account' backendAzureRmContainerName : 'tfstate' backendAzureRmKey : 'terraform.tfstate' - task : TerraformTaskV3@3 displayName : 'Terraform apply' inputs : provider : 'azurerm' command : 'apply' environmentServiceNameAzureRM : '$(serviceConnectionId)' env : M365_TENANT_ID : '$(tenantId)' M365_AUTH_METHOD : 'oidc_azure_devops' M365_CLIENT_ID : '$(clientId)' M365_ADO_SERVICE_CONNECTION_ID : '$(serviceConnectionId)'
Provider Configuration export M365_TENANT_ID = "00000000-0000-0000-0000-000000000000" export M365_AUTH_METHOD = "oidc_azure_devops" export M365_CLIENT_ID = "00000000-0000-0000-0000-000000000000" export M365_ADO_SERVICE_CONNECTION_ID = "M365Provider" # Alternative Azure ARM environment variables export ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID = "M365Provider" export ARM_OIDC_AZURE_SERVICE_CONNECTION_ID = "M365Provider"
provider "microsoft365" {}
provider "microsoft365" { auth_method = "oidc_azure_devops" tenant_id = "00000000-0000-0000-0000-000000000000" entra_id_options = { client_id = "00000000-0000-0000-0000-000000000000" ado_service_connection_id = "M365Provider" } }
Required Pipeline Environment Variables Azure DevOps automatically sets the following environment variables required for OIDC authentication:
SYSTEM_ACCESSTOKEN: Token used to authenticate to Azure DevOps servicesSYSTEM_OIDCREQUESTURI: URI to request OIDC tokens
These variables are automatically available to your Terraform commands in most tasks.
Security Best Practices
Pipeline Conditions Restrict which branches or paths can trigger the pipeline
Approval Gates Use environments with approval gates for sensitive operations
Conditional Access Configure additional conditions in Microsoft Entra ID
Least Privilege Grant only minimum required API permissions
Troubleshooting
Verify the federated credential is configured correctly in Entra ID with matching issuer and subject values.
Service connection issues
Check the service connection configuration in Azure DevOps. Ensure it’s properly configured for workload identity federation.
Ensure you’ve granted admin consent for the required Microsoft Graph permissions in your app registration.
Missing environment variables
Verify that SYSTEM_ACCESSTOKEN and SYSTEM_OIDCREQUESTURI are set and accessible in your pipeline. Some custom tasks may not pass these through automatically.
Subject or issuer mismatch
Double-check that the subject and issuer values match between Azure DevOps and the federated credential in Entra ID.
