How to Replace my PAT for Accessing Azure DevOps API in .NET Web API?
I have a .NET Web API that I use to interact with the Azure DevOps API for creating and updating Work Items on Azure DevOps Boards of various organizations and DevOps projects. Currently, I'm using a Personal Access Token (PAT) from my own account for authentication, but I want to eliminate the use of this PAT for obvious reasons.
I have registered an Application in Azure and given it the vso.work_full permissions. I have also added an Authentication Service to my application.
public class AzureDevOpsAuthService
{
private readonly IConfidentialClientApplication _clientApp;
public AzureDevOpsAuthService(string clientId, string clientSecret, string tenantId)
{
_clientApp = ConfidentialClientApplicationBuilder.Create(clientId)
.WithClientSecret(clientSecret)
.WithAuthority(new Uri($"https://login.microsoftonline.com/{tenantId}"))
.Build();
}
public async Task<string> GetAccessTokenAsync()
{
var result = await _clientApp.AcquireTokenForClient(new[] { "499b84ac-1321-427f-aa17-267ca6975798/.default" }).ExecuteAsync();
return result.AccessToken;
}
}
This failed to work, giving me the following error:
Microsoft.VisualStudio.Services.Common.VssServiceException: TF401444: Please sign-in at least once as {TENANT ID} in a web browser to enable access to the service. at Microsoft.VisualStudio.Services.WebApi.VssHttpClientBase.HandleResponseAsync(HttpResponseMessage response, CancellationToken cancellationToken) at Microsoft.VisualStudio.Services.WebApi.VssHttpClientBase.SendAsync(HttpRequestMessage message, HttpCompletionOption completionOption, Object userState, CancellationToken cancellationToken) at Microsoft.VisualStudio.Services.WebApi.VssHttpClientBase.SendAsync[T](HttpRequestMessage message, Object userState, CancellationToken cancellationToken) at Microsoft.VisualStudio.Services.Location.Client.LocationHttpClient.GetConnectionDataAsync(ConnectOptions connectOptions, Int64 lastChangeId, CancellationToken cancellationToken, Object userState)
I'm not sure what the problem is. It seems I should add the Application as a User in the organizations? But I can't seem to find it when I try to add a user or give it the Contributor role.
Questions:
- Is using an Azure App with multi-tenants the best way, or is there a better method?
- How can I add the application as a user to different Azure Tenants, so that I can access their Azure DevOps Boards to create and update Work Items?
Is using an Azure App with multi-tenants the best way
If you want to access multiple organizations connected to different Microsoft Entra ID, it's suggested to use multi-tenants app.
How can I add the application as a user to different Azure Tenants, so that I can access their Azure DevOps Boards to create and update Work Items?
Create a service principal using multi-tenant authentication and add a redirect uri
https://www.microsoft.comin TenantA.
Open the below URL in a private browser for adding it to another tenant, for example TenantB.
https://login.microsoftonline.com/<TenantB ID>/oauth2/authorize?client_id=<Application ID of the app in TenantA>&response_type=code&redirect_uri=https%3A%2F%2Fwww.microsoft.com%2FIt will ask for authorization on behalf of organization , you can accept it.
After the above is done, login to portal of TenantB and go to Enterprise Application you will see it. You can assign it with your needed role.
Go to the organization connected to TenantB, search and add the app into your org from Organization Settings -> Users ->Add users.
- ADF Out of memory exception
- Azure DevOps pipeline is throwing a "##[error]Project file(s) matching the specified pattern were not found". when publishing my app?
- Microsoft Entra ID: Receiving Old Token Version Despite Setting accessTokenAcceptedVersion to 2
- Rule Syntax for Azure user.memberof
- (unknown) Precondition failed when trying to create MS Graph Subscription
- Azure Function App Service Bus Trigger: Process 1 message at a time
- Azure HTTP Trigger - How to extract query parameter value from input binding- cosmosDB
- Python app deployment to Azure web app from pipeline not including requirement packages
- Force Azure Function using Service Bus Queues to only process one mesage at a time
- Azure Web Role with Transient Fault Handling Block exception: The path is too long after being fully qualified
- Azure Bicep - How to create diagnostic settings for NetworkInterface of private endpoint
- Is there a way to get static ip address for Azure Data Factory
- azure key vault - lag on secret changes
- How to create connection to create - queue item - HTTP Trigger - local - Azurite - Azure Queue Storage
- Getting error "404 The specified blob does not exist" when downlading blob using Uri
- How scopes are added to token in Azure Entra ID?
- Why does my Azure Cosmos DB SQL API Container Refuse Multiple Items With Same Partition Key Value?
- Postgres on Azure kubernetes volume permission error
- Azure: Subscribing to an external MQTT Broker
- azure.storage.blob._shared.authentication.AzureSigningError: Incorrect padding - Argo workflow
- Bash variable in JMESPath query expression
- Azure Devops pipeline failing due to AZ.Accounts Module update by MSFT
- Is it possible to use email name other than "DoNotReply" in Azure Email Communication Services?
- AADSTS65001: The user or administrator has not consented to use the application with ID '<application ID>
- Access Package Endpoint doesn't seem to be working
- install docker bash script doesn't work when used as Custom Data for Azure VM
- Docker image is not updating on Azure container registry via gitlab
- Terraform - How to find Azure Kubernetes AKS vnet ID for network peering
- Using Azure DataLakeServiceClient to download a file got forbidden response after few minutes success
- Verify that Bicep can return values from Azure Key vault