How to grant a Service Principal access rights to Azure Repos


In Azure Pipelines, we need to get the source code of another organization's Azure Repos. Currently we use a personal access token, but it is linked to a user who might leave the organization. Can we use a service principal to authenticate? How do we grant the service principal access rights to the other organization's Azure Repos?

14 Replies

@bbliang 

Use a service principal to authenticate and access another organization's Azure Repos in Azure Pipelines.

Here are the steps to grant the service principal access rights:

  • Create a service principal in the Azure Active Directory tenant of your organization, if you haven't done so already. You can create a service principal using the Azure Portal or the Azure CLI.
  • Assign the "Contributor" role to the service principal at the organization level. This will give the service principal access to all resources in the organization, including the Azure Repos.
  • Go to the Azure DevOps project that contains the pipeline, and navigate to the "Repos" tab. From there, click the "..." button next to the repo you want to access, and select "Security".
  • Add the service principal as a user in the repo's security settings, and grant it the "Read" permission.

Check out our document for further details: https://learn.microsoft.com/en-us/azure/devops/repos/git/set-git-repository-permissions?view=azure-d...

@Robina 

For the 2nd step, does the organization level mean the Azure DevOps organization? How do I assign the "Contributor" role to the service principal at the organization level?

 

Azure DevOps API permission was granted to the service principal.


 

But I cannot find the service principal in the Azure DevOps organization users, project contributors, or the repos security settings tab.


 

 

@bbliang 

In Azure DevOps, an organization is the top-level container that holds all your projects, teams, and other resources. To assign the "Contributor" role to a service principal at the organization level in Azure DevOps, you can follow these steps:

  1. Go to your Azure DevOps organization and click on the "Organization settings" gear icon in the lower left corner.
  2. In the left-hand menu, click on "Permissions".
  3. Click on "Security groups".
  4. Create a new security group or select an existing one.
  5. Click on "Members" to add members to the security group.
  6. Click on "Add" and select "Service principal".
  7. Type in the name or ID of the service principal and click "Add".
  8. Click on the security group again and click on "Permissions".
  9. Click on "Add" to add a new permission.
  10. Select the "Contributor" role from the list of available roles.
  11. Choose the scope of the permission (in this case, the organization).
  12. Click "Add" to save the permission.

 

After completing these steps, the service principal should have the "Contributor" role at the organization level. If you cannot find the service principal in the Azure DevOps organization users, project contributor, and repos security settings tab, make sure that you have granted the appropriate Azure DevOps API permissions to the service principal and that it has been added to the appropriate security group with the "Contributor" role.

@Robina 

For steps 8-12, I cannot find the "Add" button to add a new permission (role) for the security group, but can only set the permission for the items listed.


 

It's possible that the "Add" button is not available because there are no permissions that can be added to the security group at the organization level. The organization-level permissions in Azure DevOps are typically set at the individual or team project level.

To check if this is the case, you can navigate to the "Permissions" section again and select the security group you created or selected. Then, look for the "Permissions" tab and check if there are any available permissions listed that can be assigned to the security group at the organization level.

If there are no available permissions listed, then it's likely that the security group can only be assigned permissions at the individual or team project level. In that case, you will need to navigate to the specific project or team and assign the "Contributor" role to the security group there.

Thanks.

I encountered the same authentication error when creating Azure Repos Connection with the Service Principal's APP ID and secret.

So it is not workable to use Service Principal to access another organization's Azure Repository.

It is possible to use a service principal to access another organization's Azure Repositories, but it requires some additional steps to grant the necessary permissions.

First, you will need to ensure that the service principal has been granted access to the Azure DevOps organization where the repositories are located. This can be done by adding the service principal as a member of the Azure DevOps organization, and granting it the appropriate permissions.

Next, you will need to grant the service principal access to the specific Azure Repositories that you want to access. This can be done by going to the Azure Repositories security settings and adding the service principal as a contributor or a reader, depending on the level of access you require.

Once the service principal has been granted access to the Azure DevOps organization and the Azure Repositories, you can use its App ID and secret to authenticate your connection.

@Robina 

 

Have added the service principal to the organization.


Have granted the service principal the "Project Reader" role for the project.


 

Have granted read access right to all repositories of the project.


 

But still got the error message when verifying the service connection.


 

Kindly type the error message over here.

Error message when verifying the service connection:

Failed to query service connection API: 'https://email address removed for privacy reasons/xxx/xxx/_git/xxxx/_apis/projects'. Status Code: 'Unauthorized', Response from server: ''

Contact Azure support for further assistance. They can help investigate the issue in more detail and provide guidance on resolving the problem.

@bbliang Could you please tell me how you added the Azure DevOps permission to your service principal? I'm unable to do so.

Microsoft documentation states that you can only connect Service Principals in your connected Organization.
https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/service-principa...
Here is the documentation on how to connect Azure DevOps to your Organization (Entra ID).
https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/connect-organization-to-azure-...

There is a workaround, but it seems to be overkill:
https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/service-principa...
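
As an illustration of the service principal route discussed in this thread (an added example, not code from any poster or from Microsoft): the sketch below requests a Microsoft Entra token for the Azure DevOps resource with the client-credentials flow and passes it to git as a bearer header through environment variables, so neither the secret nor the token appears on a command line or in the repo URL. It assumes the target organization is connected to the tenant that issues the token and that the service principal has already been added there with read access; the environment variable names and `REPO_URL` are placeholders.

```python
import json
import os
import subprocess
import urllib.parse
import urllib.request

# Well-known application ID of the Azure DevOps resource in Microsoft Entra ID.
AZURE_DEVOPS_RESOURCE = "499b84ac-1321-427f-aa17-267ca6975798"


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form_fields) for an OAuth 2.0 client-credentials request."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    return url, {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{AZURE_DEVOPS_RESOURCE}/.default",
    }


def fetch_token(tenant_id, client_id, client_secret):
    """POST the request and return the access token (needs network access)."""
    url, fields = build_token_request(tenant_id, client_id, client_secret)
    body = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def git_clone_invocation(token, repo_url, dest):
    """Return (argv, env) for git clone; the token travels in env, not argv."""
    if not repo_url.startswith("https://"):
        raise ValueError("refusing to send a bearer token over a non-HTTPS URL")
    env = dict(os.environ,
               GIT_CONFIG_COUNT="1",  # GIT_CONFIG_* needs git 2.31 or later
               GIT_CONFIG_KEY_0="http.extraheader",
               GIT_CONFIG_VALUE_0=f"Authorization: Bearer {token}")
    return ["git", "clone", repo_url, dest], env


if __name__ == "__main__":
    # Placeholder variable names; supply them from the pipeline's secret store.
    token = fetch_token(os.environ["AZURE_TENANT_ID"],
                        os.environ["AZURE_CLIENT_ID"],
                        os.environ["AZURE_CLIENT_SECRET"])
    args, env = git_clone_invocation(token, os.environ["REPO_URL"], "src")
    subprocess.run(args, env=env, check=True)
```

A 401 from the clone with a valid token usually points at the organization side: the token's tenant does not match the tenant the organization is connected to, or the service principal has not been added to that organization.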