Skip to main content
This page covers on-prem (self-hosted) setup. You register your own Entra ID (Azure AD) app so Azure DevOps OAuth runs against your tenant. For the hosted SaaS integration, see Setup → Azure DevOps.
You need permission to create App registrations in your Microsoft Entra ID tenant and to grant admin consent for the requested API permissions.
Create the OAuth app in the same Microsoft Entra ID tenant that your Azure DevOps organization is connected to. An app registered in a different tenant cannot authenticate against that Azure DevOps organization.

Register the Garth Assist app

1

Open the Azure portal

Sign in to the Azure portal and go to Microsoft Entra ID → App registrations.
2

Create a new registration

Click New registration and fill in the details below.
FieldValue
NameGarth Assist
Supported account typesAccounts in any organizational directory (multitenant)
Redirect URIhttps://<dns-host>/api/garth-assist/oauth/azuredevops/callback (platform: Web)
Under Supported account types, select Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) to enable multi-tenant support.
Replace <dns-host> with the DNS host of your on-prem Garth deployment — for example https://app.heygarth.ai/api/garth-assist/oauth/azuredevops/callback.
Click Register.
3

Create a client secret

Open Certificates & secrets → Client secrets and click New client secret. Set a description and expiry, then click Add. Copy the secret Value immediately.
The client secret value is shown only once. Copy and store it securely before leaving the page.
4

Add API permissions

Open API permissions → Add a permission and add the delegated permissions below, then click Grant admin consent for your tenant.Azure DevOps
PermissionDescription
vso.buildBuild (read)
vso.code_statusCode (status)
vso.code_writeCode (read and write)
vso.profileUser profile (read)
vso.projectProject and team (read)
Microsoft Graph
PermissionDescription
emailView users’ email address
offline_accessMaintain access to data you have given it access to
openidSign users in
profileView users’ basic profile
User.ReadSign in and read user profile
All permissions are Delegated. After granting admin consent, each permission’s Status should show a green Granted for <tenant> check.

Environment variables

Record the following values for your on-prem deployment:
Environment variableValue
AZURE_DEVOPS_CLIENT_IDThe Application (client) ID from the app’s Overview page
AZURE_DEVOPS_CLIENT_SECRETThe client secret value created in step 3