microsoft · Copilot · Dec 1, 2025 · Dec 1, 2025 · Dec 1, 2025 · Dec 1, 2025
@@ -104,6 +104,8 @@ Gets a credentials object that can be used with the TFS extended client SDK.
 .DESCRIPTION
 The agent job token is used to construct the credentials object. The identity associated with the token depends on the scope selected in the build/release definition (either the project collection build/release service identity, or the project build/release service identity).
 
+For ClientOM 19 and later, VssClientCredentials is used. For older SDK versions, TfsClientCredentials is used as a fallback.
+
 Refer to Get-VstsTfsService for a more simple to get a TFS service object.
 
 *** DO NOT USE Agent.ServerOMDirectory *** See https://github.com/Microsoft/azure-pipelines-task-lib/tree/master/powershell/Docs/UsingOM.md for reliable usage when working with the TFS extended client SDK from a task.
@@ -164,6 +166,32 @@ function Get-TfsClientCredentials {
         }
         [System.AppDomain]::CurrentDomain.add_AssemblyResolve($onAssemblyResolve)
 
+        # Check if VssClientCredentials is available (ClientOM 19+).
+        # This type replaces TfsClientCredentials in newer SDK versions.
+        if ((Get-OMType -TypeName 'Microsoft.VisualStudio.Services.Client.VssClientCredentials' -OMKind 'ExtendedClient' -OMDirectory $OMDirectory)) {
+            $federatedCredential = $null
+
+            # Check if VssOAuthAccessTokenCredential is available.
+            if ((Get-OMType -TypeName 'Microsoft.VisualStudio.Services.OAuth.VssOAuthAccessTokenCredential' -OMKind 'ExtendedClient' -OMDirectory $OMDirectory)) {
+                $federatedCredential = New-Object Microsoft.VisualStudio.Services.OAuth.VssOAuthAccessTokenCredential($endpoint.auth.parameters.AccessToken)
+            }
+            # Fallback to VssOAuthCredential.
+            elseif ((Get-OMType -TypeName 'Microsoft.VisualStudio.Services.Client.VssOAuthCredential' -OMKind 'ExtendedClient' -OMDirectory $OMDirectory)) {
+                $federatedCredential = New-Object Microsoft.VisualStudio.Services.Client.VssOAuthCredential($endpoint.auth.parameters.AccessToken)
+            }
+
+            if ($federatedCredential) {
+                # Construct and return VssClientCredentials.
+                return New-Object Microsoft.VisualStudio.Services.Client.VssClientCredentials(
+                    (New-Object Microsoft.VisualStudio.Services.Common.WindowsCredential($false)), # Do not use default credentials.
+                    $federatedCredential,
+                    [Microsoft.VisualStudio.Services.Common.CredentialPromptType]::DoNotPrompt)
+            }
+
+            Write-Verbose "VssClientCredentials is available but no compatible OAuth credential type was found. Falling back to TfsClientCredentials."
+        }
+
+        # Fallback to TfsClientCredentials for older SDK versions.
         # Validate the type can be found.
         $null = Get-OMType -TypeName 'Microsoft.TeamFoundation.Client.TfsClientCredentials' -OMKind 'ExtendedClient' -OMDirectory $OMDirectory -Require