The Git ecosystem is phasing out long-lived personal access tokens (PATs). Cloning with PATs is being retired, and new policies now let administrators block or tightly restrict PAT creation. Best-practice docs point to short-lived identity-provider tokens, refreshed automatically and governed by conditional-access rules, as the preferred way forward.
By wiring Git Credential Manager (GCM) into the global Git credential helpers on your machine, you trade fragile, over-scoped PATs for one-hour tokens that renew silently and leave no secrets on disk or in build logs.
https://dev.azure.com/ORG/…)
https://github.com/…)
How to set up GCM for password‑free access on macOS:
brew install --cask git-credential-manager
brew upgrade git
git config --global --replace-all credential.helper manager
git config --global --add credential.helper osxkeychain
git config --global credential.msauthFlow devicecode
git config --global credential.guiPrompt false
echo 'export GCM_MSAUTH_FLOW=devicecode' >> ~/.zprofile
echo 'export GCM_GUI_PROMPT=0' >> ~/.zprofile
launchctl setenv GCM_MSAUTH_FLOW devicecode
launchctl setenv GCM_GUI_PROMPT 0
"git.terminalAuthentication": false to settings.json
defaults write com.fournova.Tower5 UseCredentialManager -bool true
git fetch # single device‑code prompt, then silent
And here's how to set it up on Windows, leveraging the Entra ID broker for silent SSO with Azure DevOps and device‑code for GitHub.
git credential-manager unconfigure
git credential-manager configure
git config --global --unset-all credential.helper
git config --global --remove-section credential
git config --global credential.helper manager-core
git config --global credential.microsoft.sso true
git config --global credential.msauthUseBroker true
git config --global credential.msauthFlow broker
git config --global credential.githubAuthModes devicecode
git remote set-url origin https://dev.azure.com/ORG/PROJECT/_git/REPO
git remote set-url origin https://github.com/ORG/REPO
git fetch # one Windows dialog, then silent
Replace the sample paths below with the folder that contains multiple repositories.
PowerShell (Windows)
Get-ChildItem C:\Dev\Repos -Directory | ForEach-Object {
# Read the origin URL, strip any embedded user:token@, and write it back
git -C $_.FullName remote set-url origin ((git -C $_.FullName remote get-url origin) -replace '://.*@', '://')
}
zsh (macOS)
for d in ~/Dev/Repos/*(/); do
url=$(git -C "$d" remote get-url origin | sed 's#://.*@#://#')
git -C "$d" remote set-url origin "$url"
done
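An audit variant of the bulk cleanup above, added here as an example and not taken from the original post: it reports every remote that still carries embedded credentials without printing the secret, and rewrites it only when asked. It goes beyond the loops above by covering all remotes and by stripping only the authority part of http(s) URLs, so `ssh://git@…` remotes and paths containing `@` are left alone; the function names and the `--fix` switch are assumptions.

```shell
#!/bin/sh
# Added example: function names and the "--fix" switch are assumptions.

# Print the URL with user[:secret]@ removed. Only http(s) URLs are touched,
# and only the authority part (the text before the first "/" after "://").
strip_userinfo() {
  printf '%s\n' "$1" | sed -E 's#^(https?://)[^/]*@#\1#'
}

# Succeeds when the URL carries embedded userinfo.
has_userinfo() {
  [ "$(strip_userinfo "$1")" != "$1" ]
}

# Walk each repository directly under $1 and check every remote.
# Prints the cleaned URL only, so a token never reaches the terminal or a log.
# With "--fix" as $2 the remote is rewritten. Returns non-zero if anything was found.
audit_repos() {
  root=$1
  mode=${2:-report}
  found=0
  for d in "$root"/*/; do
    git -C "$d" rev-parse --git-dir >/dev/null 2>&1 || continue
    for r in $(git -C "$d" remote); do
      url=$(git -C "$d" remote get-url "$r") || continue
      has_userinfo "$url" || continue
      found=$((found + 1))
      clean=$(strip_userinfo "$url")
      echo "embedded credential: $d ($r) -> $clean"
      if [ "$mode" = "--fix" ]; then
        git -C "$d" remote set-url "$r" "$clean"
      fi
    done
  done
  [ "$found" -eq 0 ]
}

# Usage: sh audit-remotes.sh ~/Dev/Repos [--fix]
if [ "$#" -gt 0 ]; then
  audit_repos "$@"
fi
```

Because `audit_repos` returns non-zero when it finds anything, it can gate an onboarding or image-build script.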
Run git-credential-manager diagnose for a quick health check. Erase stale tokens with:
git credential-manager erase https://dev.azure.com
git credential-manager erase https://github.com
Need verbose output? Temporarily set:
export GIT_TRACE=1
export GCM_TRACE=1
git fetch
If GCM prompts twice on macOS, login.keychain-db may be read‑only. Unlock and purge stale entries, then retry:
security unlock-keychain ~/Library/Keychains/login.keychain-db
git credential-manager erase https://dev.azure.com
git credential-manager erase https://github.com
By switching from long-lived PATs to short-lived tokens through Git Credential Manager, you lock down your supply chain while making everyday Git activity faster and quieter:
Bake these GCM settings into your workstation images and onboarding scripts once, and every clone, fetch, and push runs hands-free from that point on. Stronger security, zero extra clicks, and no browser pop-ups—that’s a win on every front.