How to connect to TF Service without a prompt for LiveID credentials

Buck Hodges

Normally when you connect to the Team Foundation Service you are presented with a web page to log in with your Microsoft Account (aka LiveID). When you log in you can choose to have it remember you and you won’t have to enter your Microsoft Account credentials again (unless you don’t log in again for a long time, and then you’ll be prompted again).

That’s great for humans, but what about an application or another web service that wants to connect? For that the code will need to use “alternate credentials," which you must enable on your account. This is the same setting used to enable basic authentication for git-tf. Then we can write some code to connect to the service with those credentials.

Longer term, we will have OAuth support available as well, but that’s not ready yet.

Enabling Alternate Credentials

You’ll need to first to turn on this feature. First, visit your account or project in a browser, click on your name in the upper right, and then click My Profile.


On the User Profile dialog, click on the Credentials tab.


Now provide a password and save the changes.


Using Alternate Credentials in code

Before going further, you’ll need to make sure that you have Update 1 for Visual Studio 2012 or newer installed. That update includes enhancements to the TFS client object model to support alternate credentials.

The easiest way to get the latest update is either via clicking on the “toast” notification that pops up from the Windows taskbar or in VS going to Tools –> Extensions and Updates…, clicking on Updates followed by Product Updates and installing the latest update. Alternatively, you can download it here.

You can verify that you have Update 1 (or newer) installed in VS using Help –> About Microsoft Visual Studio.


Now that we have the credentials turned on, we’ll now use them from a simple console app.


After creating a new console app, add a reference to Microsoft.TeamFoundation.Client.dll, which you will find under v2.0 in ReferenceAssemblies. The client object model for TFS is almost entirely built with .NET 3.5 (CLR 2.0) in order to support running the TFS web parts in SharePoint.


Here’s the code.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Text;
using System.Threading.Tasks;

using Microsoft.TeamFoundation.Client;

namespace ConsoleApplication1
    class Program
        static void Main(string[] args)
            NetworkCredential netCred = new NetworkCredential(
            BasicAuthCredential basicCred = new BasicAuthCredential(netCred);
            TfsClientCredentials tfsCred = new TfsClientCredentials(basicCred);
            tfsCred.AllowInteractive = false;

            TfsTeamProjectCollection tpc = new TfsTeamProjectCollection(
                new Uri(""),



I’ve added two using statements, one for System.Net to pull in NetworkCredential and one for Microsoft.TeamFoundation.Client for the TFS classes we’ll need.

The first thing we construct is a standard NetworkCredential object with the username (the email address that you use for your Microsoft Account) and the password that you created for alternate credentials. On the TfsClientCredentials object, we set AllowInteractive to false to prevent a prompt dialog being shown if the credentials are invalid.

In constructing the TfsTeamProjectCollection, we must specify the URL to the collection and the credentials. Note that all connections to accounts in TF Service require https. Currently, there is only one collection per account in TF Service, so it is always DefaultCollection.

Finally, we call Authenticate() to verify that we have supplied the correct credentials and test that it is working by printing the unique InstanceId of the collection.

Now the rest of the TFS client object model is available for use with the TF Service from applications that cannot prompt for credentials.


Follow me on Twitter at


Leave a comment

Feedback usabilla icon