Forum Discussion

bbliang's avatar
bbliang
Copper Contributor
Feb 16, 2023

How to grant Service Principle access right to Azure Repos

In Azure Pipelines, we need to get source code of another organization's Azure Repos. Currently we use personal access token, but it links to a user who might leave the organization. Can we use a ser...
Azure DevOps
Robina's avatar
Robina
Iron Contributor
Feb 16, 2023

bbliang 

Use a service principal to authenticate and access another organization's Azure Repos in Azure Pipelines.

Here are the steps to grant the service principal access rights:

  • Create a service principal in the Azure Active Directory tenant of your organization, if you haven't done so already. You can create a service principal using the Azure Portal or the Azure CLI.
  • Assign the "Contributor" role to the service principal at the organization level. This will give the service principal access to all resources in the organization, including the Azure Repos.
  • Go to the Azure DevOps project that contains the pipeline, and navigate to the "Repos" tab. From there, click the "..." button next to the repo you want to access, and select "Security".
  • Add the service principal as a user in the repo's security settings, and grant it the "Read" permission.

Check out out document for further details .https://learn.microsoft.com/en-us/azure/devops/repos/git/set-git-repository-permissions?view=azure-devops 

  • bbliang's avatar
    bbliang
    Copper Contributor
    Mar 28, 2023

    Robina 

    for the 2nd step, the organization level means Azure DevOps Organization? How to assign "Contributor" Role to service principle at the organization level?

     

    Auzre DevOps API permission was granted to the service principle.

     

    But I cannot find the service principle in Azure Devops organization users, project contributor, and repos security settings tab.

     

     

     

    • Robina's avatar
      Robina
      Iron Contributor
      Mar 28, 2023

      bbliang 

      Azure DevOps, an organization is the top-level container that holds all your projects, teams, and other resources.To assign the "Contributor" role to a service principle at the organization level in Azure DevOps, you can follow these steps:

      1. Go to your Azure DevOps organization and click on the "Organization settings" gear icon in the lower left corner.
      2. In the left-hand menu, click on "Permissions".
      3. Click on "Security groups".
      4. Create a new security group or select an existing one.
      5. Click on "Members" to add members to the security group.
      6. Click on "Add" and select "Service principal".
      7. Type in the name or ID of the service principal and click "Add".
      8. Click on the security group again and click on "Permissions".
      9. Click on "Add" to add a new permission.
      10. Select the "Contributor" role from the list of available roles.
      11. Choose the scope of the permission (in this case, the organization).
      12. Click "Add" to save the permission.

       

      After completing these steps, the service principal should have the "Contributor" role at the organization level. If you cannot find the service principal in the Azure DevOps organization users, project contributor, and repos security settings tab, make sure that you have granted the appropriate Azure DevOps API permissions to the service principal and that it has been added to the appropriate security group with the "Contributor" role.

      • bbliang's avatar
        bbliang
        Copper Contributor
        Apr 03, 2023

        Robina 

        For step 8-12, I cannot find the "Add" button to add a new permission (role) for the security group, but can only set the permission for items listed.

         

    • sarthak876's avatar
      sarthak876
      Icon for Microsoft rankMicrosoft
      May 22, 2024

      bbliang Could you pls tell how did you add azure devops permission to your service principal. Im unable to do so

Resources