Passwordless Git SSO with Git Credential Manager
The Git ecosystem is phasing out long-lived personal access tokens (PATs). Cloning with PATs is being retired, and new policies let administrators block or tightly restrict PAT creation. Best-practice docs point to short-lived identity-provider tokens—refreshed automatically and governed by conditional-access rules—as the preferred way forward.
By wiring Git Credential Manager (GCM) into your global Git credential helpers, you trade fragile, over-scoped PATs for one-hour tokens that renew silently and leave no secrets on disk or in build logs.
What this guide helps you with
- Enable seamless single sign-on on macOS and Windows for:
  - Azure DevOps (https://dev.azure.com/ORG/…)
  - GitHub.com or GitHub Enterprise (https://github.com/…)
macOS
How to set up GCM for password-free access on macOS:
Prerequisites
- Homebrew
- Git ≥ the version bundled with Xcode 15
- Git Credential Manager (installed below)
Install / upgrade components
brew install --cask git-credential-manager
brew upgrade git
Configure global helpers
git config --global --replace-all credential.helper manager
git config --global --add credential.helper osxkeychain
git config --global credential.msauthFlow devicecode
git config --global credential.guiPrompt false
Persist settings for shells & GUI apps
echo 'export GCM_MSAUTH_FLOW=devicecode' >> ~/.zprofile
echo 'export GCM_GUI_PROMPT=0' >> ~/.zprofile
launchctl setenv GCM_MSAUTH_FLOW devicecode
launchctl setenv GCM_GUI_PROMPT 0
- VS Code: add "git.terminalAuthentication": false to settings.json
- Git Tower: defaults write com.fournova.Tower5 UseCredentialManager -bool true
First run
git fetch # single device‑code prompt, then silent
Windows
Here is how to set up GCM on Windows, using the Entra ID broker for silent SSO with Azure DevOps and device code for GitHub.
Prerequisites
- Git for Windows ≥ 2.45 (bundles GCM v2)
- Device joined to Entra ID (native, hybrid, or AAD‑registered)
Clean up old helpers
git credential-manager unconfigure
git credential-manager configure
git config --global --unset-all credential.helper
git config --global --remove-section credential
Enable Broker SSO (Azure DevOps) and Device Code (GitHub)
git config --global credential.helper manager-core
git config --global credential.microsoft.sso true
git config --global credential.msauthUseBroker true
git config --global credential.msauthFlow broker
git config --global credential.githubAuthModes devicecode
Strip hard-coded usernames from remotes (run the line that matches your host):
git remote set-url origin https://dev.azure.com/ORG/PROJECT/_git/REPO # Azure DevOps
git remote set-url origin https://github.com/ORG/REPO # GitHub
First run
git fetch # one Windows dialog, then silent
Bulk‑fix existing repositories (optional)
Replace the sample paths below with the folder that contains multiple repositories.
PowerShell (Windows)
Get-ChildItem C:\Dev\Repos -Directory | ForEach-Object {
    # Parenthesize the git call first; otherwise PowerShell passes -replace to git as arguments
    $url = (git -C $_.FullName remote get-url origin) -replace '://.*@', '://'
    git -C $_.FullName remote set-url origin $url
}
zsh (macOS)
for d in ~/Dev/Repos/*(/); do  # (/) selects directories; (.) would match only plain files
  url=$(git -C "$d" remote get-url origin | sed 's#://.*@#://#')
  git -C "$d" remote set-url origin "$url"
done
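As an added example that is not part of the original guide, here is a more careful version of the bulk fix: it removes the user[:token] part only from the URL's authority component (the greedy `://.*@` pattern above would also eat an `@` that appears later in the path) and audits a folder of repositories for remotes that still embed credentials. It assumes bash or POSIX sh and repositories sitting directly under the folder you pass.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide). Strips userinfo from HTTPS remote
# URLs by touching only the authority part, then audits a folder of repos.
set -u

# strip_userinfo URL -> prints URL with any user[:secret]@ removed from the authority
strip_userinfo() {
    local url="$1"
    local scheme="${url%%://*}"
    # No "://" means an scp-style URL such as git@host:repo; leave it unchanged
    [ "$scheme" = "$url" ] && { printf '%s\n' "$url"; return 0; }
    local rest="${url#*://}"
    local authority="${rest%%/*}"          # [user[:secret]@]host[:port]
    local path="${rest#"$authority"}"      # from the first "/" onward (may be empty)
    authority="${authority##*@}"           # drop user[:secret]@ ; "@" in the path is untouched
    printf '%s\n' "${scheme}://${authority}${path}"
}

# has_userinfo URL -> exit 0 if the authority component carries user[:secret]@
has_userinfo() {
    local url="$1"
    case "$url" in *://*) ;; *) return 1 ;; esac
    local rest="${url#*://}"
    local authority="${rest%%/*}"
    case "$authority" in *@*) return 0 ;; *) return 1 ;; esac
}

# audit_repos DIR -> prints "<repo> <cleaned-url>" for every origin that still embeds
# credentials; exit 0 when all remotes are clean, 1 otherwise (nothing is modified)
audit_repos() {
    local root="$1" dirty=0 d url
    for d in "$root"/*/; do
        [ -d "$d/.git" ] || continue
        url=$(git -C "$d" remote get-url origin 2>/dev/null) || continue
        if has_userinfo "$url"; then
            printf '%s %s\n' "$d" "$(strip_userinfo "$url")"
            dirty=1
        fi
    done
    return $dirty
}
```

Feed the reported cleaned URL to `git remote set-url origin` once you have reviewed the list; the audit itself only reads.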
Troubleshooting
Run git-credential-manager diagnose for a quick health check. Erase stale tokens with:
git credential-manager erase https://dev.azure.com
git credential-manager erase https://github.com
Need verbose output? Temporarily set:
export GIT_TRACE=1
export GCM_TRACE=1
git fetch
If GCM prompts twice on macOS, login.keychain-db may be read‑only. Unlock and purge stale entries, then retry:
security unlock-keychain ~/Library/Keychains/login.keychain-db
git credential-manager erase https://dev.azure.com
git credential-manager erase https://github.com
By switching from long-lived PATs to short-lived tokens through Git Credential Manager, you lock down your supply chain while making everyday Git activity faster and quieter:
- MFA is enforced automatically and refreshed in the background.
- Tokens rotate every hour, slashing the window for theft or replay.
- No secrets leak into scripts, CI logs, or dotfiles—nothing to scrub later.
Bake these GCM settings into your workstation images and onboarding scripts once, and every clone, fetch, and push runs hands-free from that point on. Stronger security, zero extra clicks, and no browser pop-ups—that’s a win on every front.