Forum Discussion
How to grant Service Principle access right to Azure Repos
In Azure Pipelines, we need to get source code of another organization's Azure Repos. Currently we use personal access token, but it links to a user who might leave the organization. Can we use a service principle to authenticate? How to grant the service principle access right to the other organization's Azure Repos?
- Microsoft documentation states that you can only connect Service Principals in your connected Organization.
https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/service-principal-managed-identity?view=azure-devops#2-add-and-manage-service-principals-in-an-azure-devops-organization
Here is documentation how to connect Azure DevOps to your Organization (Entra ID).
https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/connect-organization-to-azure-ad?view=azure-devops
Thare is an workaround but it seems to be an overkill:
https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/service-principal-managed-identity?view=azure-devops#q-can-i-add-a-managed-identity-from-a-different-tenant-to-my-organization Would like to share a similar post for reference:
- Thanks.
I encountered the same authentication error when creating Azure Repos Connection with the Service Principle's APP ID and secret.
So it is not workable to use Service Principle to access another organization's Azure Repository.- It is possible to use a service principal to access another organization's Azure Repositories, but it requires some additional steps to grant the necessary permissions.
First, you will need to ensure that the service principal has been granted access to the Azure DevOps organization where the repositories are located. This can be done by adding the service principal as a member of the Azure DevOps organization, and granting it the appropriate permissions.
Next, you will need to grant the service principal access to the specific Azure Repositories that you want to access. This can be done by going to the Azure Repositories security settings and adding the service principal as a contributor or a reader, depending on the level of access you require.
Once the service principal has been granted access to the Azure DevOps organization and the Azure Repositories, you can use its App ID and secret to authenticate your connection.
Use a service principal to authenticate and access another organization's Azure Repos in Azure Pipelines.
Here are the steps to grant the service principal access rights:
- Create a service principal in the Azure Active Directory tenant of your organization, if you haven't done so already. You can create a service principal using the Azure Portal or the Azure CLI.
- Assign the "Contributor" role to the service principal at the organization level. This will give the service principal access to all resources in the organization, including the Azure Repos.
- Go to the Azure DevOps project that contains the pipeline, and navigate to the "Repos" tab. From there, click the "..." button next to the repo you want to access, and select "Security".
- Add the service principal as a user in the repo's security settings, and grant it the "Read" permission.
Check out out document for further details .https://learn.microsoft.com/en-us/azure/devops/repos/git/set-git-repository-permissions?view=azure-devops
for the 2nd step, the organization level means Azure DevOps Organization? How to assign "Contributor" Role to service principle at the organization level?
Auzre DevOps API permission was granted to the service principle.
But I cannot find the service principle in Azure Devops organization users, project contributor, and repos security settings tab.
sarthak876Microsoft
bbliang Could you pls tell how did you add azure devops permission to your service principal. Im unable to do so
