cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to grant Service Principle access right to Azure Repos

bbliang
Copper Contributor

‎Feb 15 2023 07:20 PM - last edited on ‎Mar 05 2024 02:26 PM by

‎Feb 15 2023 07:20 PM - last edited on ‎Mar 05 2024 02:26 PM by

How to grant Service Principle access right to Azure Repos

In Azure Pipelines, we need to get source code of another organization's Azure Repos. Currently we use personal access token, but it links to a user who might leave the organization. Can we use a service principle to authenticate? How to grant the service principle access right to the other organization's Azure Repos? 

Labels:
27.9K Views
1 Like
12 Replies
Reply
12 Replies
Robina

‎Feb 15 2023 08:48 PM

‎Feb 15 2023 08:48 PM

Re: How to grant Service Principle access right to Azure Repos

@bbliang 

Use a service principal to authenticate and access another organization's Azure Repos in Azure Pipelines.

Here are the steps to grant the service principal access rights:

  • Create a service principal in the Azure Active Directory tenant of your organization, if you haven't done so already. You can create a service principal using the Azure Portal or the Azure CLI.
  • Assign the "Contributor" role to the service principal at the organization level. This will give the service principal access to all resources in the organization, including the Azure Repos.
  • Go to the Azure DevOps project that contains the pipeline, and navigate to the "Repos" tab. From there, click the "..." button next to the repo you want to access, and select "Security".
  • Add the service principal as a user in the repo's security settings, and grant it the "Read" permission.

Check out out document for further details .https://learn.microsoft.com/en-us/azure/devops/repos/git/set-git-repository-permissions?view=azure-d... 

0 Likes
Reply
bbliang

‎Mar 28 2023 12:46 AM

‎Mar 28 2023 12:46 AM

Re: How to grant Service Principle access right to Azure Repos

@Robina 

for the 2nd step, the organization level means Azure DevOps Organization? How to assign "Contributor" Role to service principle at the organization level?

 

Auzre DevOps API permission was granted to the service principle.

bbliang_0-1679988740042.png

 

But I cannot find the service principle in Azure Devops organization users, project contributor, and repos security settings tab.

bbliang_1-1679989188279.png

 

bbliang_2-1679989418442.png

bbliang_3-1679989604609.png

 

 

0 Likes
Reply
Robina

‎Mar 28 2023 06:38 AM - edited ‎Mar 28 2023 07:17 AM

‎Mar 28 2023 06:38 AM - edited ‎Mar 28 2023 07:17 AM

Re: How to grant Service Principle access right to Azure Repos

@bbliang 

Azure DevOps, an organization is the top-level container that holds all your projects, teams, and other resources.To assign the "Contributor" role to a service principle at the organization level in Azure DevOps, you can follow these steps:

  1. Go to your Azure DevOps organization and click on the "Organization settings" gear icon in the lower left corner.
  2. In the left-hand menu, click on "Permissions".
  3. Click on "Security groups".
  4. Create a new security group or select an existing one.
  5. Click on "Members" to add members to the security group.
  6. Click on "Add" and select "Service principal".
  7. Type in the name or ID of the service principal and click "Add".
  8. Click on the security group again and click on "Permissions".
  9. Click on "Add" to add a new permission.
  10. Select the "Contributor" role from the list of available roles.
  11. Choose the scope of the permission (in this case, the organization).
  12. Click "Add" to save the permission.

 

After completing these steps, the service principal should have the "Contributor" role at the organization level. If you cannot find the service principal in the Azure DevOps organization users, project contributor, and repos security settings tab, make sure that you have granted the appropriate Azure DevOps API permissions to the service principal and that it has been added to the appropriate security group with the "Contributor" role.

0 Likes
Reply
bbliang

‎Apr 03 2023 12:35 AM

‎Apr 03 2023 12:35 AM

Re: How to grant Service Principle access right to Azure Repos

@Robina 

For step 8-12, I cannot find the "Add" button to add a new permission (role) for the security group, but can only set the permission for items listed.

bbliang_0-1680507126519.png

 

0 Likes
Reply
Robina

‎Apr 04 2023 10:56 AM

‎Apr 04 2023 10:56 AM

Re: How to grant Service Principle access right to Azure Repos

It's possible that the "Add" button is not available because there are no permissions that can be added to the security group at the organization level. The organization-level permissions in Azure DevOps are typically set at the individual or team project level.

To check if this is the case, you can navigate to the "Permissions" section again and select the security group you created or selected. Then, look for the "Permissions" tab and check if there are any available permissions listed that can be assigned to the security group at the organization level.

If there are no available permissions listed, then it's likely that the security group can only be assigned permissions at the individual or team project level. In that case, you will need to navigate to the specific project or team and assign the "Contributor" role to the security group there.
0 Likes
Reply
bbliang

‎Apr 06 2023 12:08 AM

‎Apr 06 2023 12:08 AM

Re: How to grant Service Principle access right to Azure Repos

Thanks.

I encountered the same authentication error when creating Azure Repos Connection with the Service Principle's APP ID and secret.

So it is not workable to use Service Principle to access another organization's Azure Repository.
0 Likes
Reply
Robina

‎Apr 07 2023 11:26 AM

‎Apr 07 2023 11:26 AM

Re: How to grant Service Principle access right to Azure Repos

It is possible to use a service principal to access another organization's Azure Repositories, but it requires some additional steps to grant the necessary permissions.

First, you will need to ensure that the service principal has been granted access to the Azure DevOps organization where the repositories are located. This can be done by adding the service principal as a member of the Azure DevOps organization, and granting it the appropriate permissions.

Next, you will need to grant the service principal access to the specific Azure Repositories that you want to access. This can be done by going to the Azure Repositories security settings and adding the service principal as a contributor or a reader, depending on the level of access you require.

Once the service principal has been granted access to the Azure DevOps organization and the Azure Repositories, you can use its App ID and secret to authenticate your connection.
0 Likes
Reply
bbliang

‎Apr 13 2023 12:12 AM

‎Apr 13 2023 12:12 AM

Re: How to grant Service Principle access right to Azure Repos

@Robina 

 

Have added the service principle to the organization

bbliang_0-1681369189601.png

Have granted the service principle "Project Reader" Role for the project

bbliang_1-1681369480714.png

 

Have granted read access right to all repositories of the project.

bbliang_2-1681369651950.png

 

But still got the error message when verify the service connection

bbliang_3-1681369891972.png

 

0 Likes
Reply
Robina

‎Apr 14 2023 10:18 AM

‎Apr 14 2023 10:18 AM

Re: How to grant Service Principle access right to Azure Repos

Kindly type error message over here
0 Likes
Reply
bbliang

‎Apr 18 2023 02:24 AM

‎Apr 18 2023 02:24 AM

Re: How to grant Service Principle access right to Azure Repos

Error Message when verify the service connection:

Failed to query service connection API: 'https://email address removed for privacy reasons/xxx/xxx/_git/xxxx/_apis/projects'. Status Code: 'Unauthorized', Response from server: ''
0 Likes
Reply
Robina

‎Apr 19 2023 01:58 AM

‎Apr 19 2023 01:58 AM

Re: How to grant Service Principle access right to Azure Repos

Contact Azure support for further assistance. They can help investigate the issue in more detail and provide guidance on resolving the problem.
0 Likes
Reply