How to grant Service Principle access right to Azure Repos

New Contributor

In Azure Pipelines, we need to get source code of another organization's Azure Repos. Currently we use personal access token, but it links to a user who might leave the organization. Can we use a service principle to authenticate? How to grant the service principle access right to the other organization's Azure Repos? 

3 Replies


Use a service principal to authenticate and access another organization's Azure Repos in Azure Pipelines.

Here are the steps to grant the service principal access rights:

  • Create a service principal in the Azure Active Directory tenant of your organization, if you haven't done so already. You can create a service principal using the Azure Portal or the Azure CLI.
  • Assign the "Contributor" role to the service principal at the organization level. This will give the service principal access to all resources in the organization, including the Azure Repos.
  • Go to the Azure DevOps project that contains the pipeline, and navigate to the "Repos" tab. From there, click the "..." button next to the repo you want to access, and select "Security".
  • Add the service principal as a user in the repo's security settings, and grant it the "Read" permission.

Check out out document for further details . 


for the 2nd step, the organization level means Azure DevOps Organization? How to assign "Contributor" Role to service principle at the organization level?


Auzre DevOps API permission was granted to the service principle.



But I cannot find the service principle in Azure Devops organization users, project contributor, and repos security settings tab.








Azure DevOps, an organization is the top-level container that holds all your projects, teams, and other resources.To assign the "Contributor" role to a service principle at the organization level in Azure DevOps, you can follow these steps:

  1. Go to your Azure DevOps organization and click on the "Organization settings" gear icon in the lower left corner.
  2. In the left-hand menu, click on "Permissions".
  3. Click on "Security groups".
  4. Create a new security group or select an existing one.
  5. Click on "Members" to add members to the security group.
  6. Click on "Add" and select "Service principal".
  7. Type in the name or ID of the service principal and click "Add".
  8. Click on the security group again and click on "Permissions".
  9. Click on "Add" to add a new permission.
  10. Select the "Contributor" role from the list of available roles.
  11. Choose the scope of the permission (in this case, the organization).
  12. Click "Add" to save the permission.


After completing these steps, the service principal should have the "Contributor" role at the organization level. If you cannot find the service principal in the Azure DevOps organization users, project contributor, and repos security settings tab, make sure that you have granted the appropriate Azure DevOps API permissions to the service principal and that it has been added to the appropriate security group with the "Contributor" role.