Forum Discussion
How to grant Service Principle access right to Azure Repos
In Azure Pipelines, we need to get source code of another organization's Azure Repos. Currently we use personal access token, but it links to a user who might leave the organization. Can we use a service principle to authenticate? How to grant the service principle access right to the other organization's Azure Repos?
Use a service principal to authenticate and access another organization's Azure Repos in Azure Pipelines.
Here are the steps to grant the service principal access rights:
- Create a service principal in the Azure Active Directory tenant of your organization, if you haven't done so already. You can create a service principal using the Azure Portal or the Azure CLI.
- Assign the "Contributor" role to the service principal at the organization level. This will give the service principal access to all resources in the organization, including the Azure Repos.
- Go to the Azure DevOps project that contains the pipeline, and navigate to the "Repos" tab. From there, click the "..." button next to the repo you want to access, and select "Security".
- Add the service principal as a user in the repo's security settings, and grant it the "Read" permission.
Check out out document for further details .https://learn.microsoft.com/en-us/azure/devops/repos/git/set-git-repository-permissions?view=azure-devops
for the 2nd step, the organization level means Azure DevOps Organization? How to assign "Contributor" Role to service principle at the organization level?
Auzre DevOps API permission was granted to the service principle.
But I cannot find the service principle in Azure Devops organization users, project contributor, and repos security settings tab.
Azure DevOps, an organization is the top-level container that holds all your projects, teams, and other resources.To assign the "Contributor" role to a service principle at the organization level in Azure DevOps, you can follow these steps:
- Go to your Azure DevOps organization and click on the "Organization settings" gear icon in the lower left corner.
- In the left-hand menu, click on "Permissions".
- Click on "Security groups".
- Create a new security group or select an existing one.
- Click on "Members" to add members to the security group.
- Click on "Add" and select "Service principal".
- Type in the name or ID of the service principal and click "Add".
- Click on the security group again and click on "Permissions".
- Click on "Add" to add a new permission.
- Select the "Contributor" role from the list of available roles.
- Choose the scope of the permission (in this case, the organization).
- Click "Add" to save the permission.
After completing these steps, the service principal should have the "Contributor" role at the organization level. If you cannot find the service principal in the Azure DevOps organization users, project contributor, and repos security settings tab, make sure that you have granted the appropriate Azure DevOps API permissions to the service principal and that it has been added to the appropriate security group with the "Contributor" role.
Would like to share a similar post for reference:
- Thanks.
I encountered the same authentication error when creating Azure Repos Connection with the Service Principle's APP ID and secret.
So it is not workable to use Service Principle to access another organization's Azure Repository.- It is possible to use a service principal to access another organization's Azure Repositories, but it requires some additional steps to grant the necessary permissions.
First, you will need to ensure that the service principal has been granted access to the Azure DevOps organization where the repositories are located. This can be done by adding the service principal as a member of the Azure DevOps organization, and granting it the appropriate permissions.
Next, you will need to grant the service principal access to the specific Azure Repositories that you want to access. This can be done by going to the Azure Repositories security settings and adding the service principal as a contributor or a reader, depending on the level of access you require.
Once the service principal has been granted access to the Azure DevOps organization and the Azure Repositories, you can use its App ID and secret to authenticate your connection.
- Microsoft documentation states that you can only connect Service Principals in your connected Organization.
https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/service-principal-managed-identity?view=azure-devops#2-add-and-manage-service-principals-in-an-azure-devops-organization
Here is documentation how to connect Azure DevOps to your Organization (Entra ID).
https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/connect-organization-to-azure-ad?view=azure-devops
Thare is an workaround but it seems to be an overkill:
https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/service-principal-managed-identity?view=azure-devops#q-can-i-add-a-managed-identity-from-a-different-tenant-to-my-organization
