How to use a bearer token generated with client credentials flow in PowerShell to invoke DevOps REST API?

I'm working on a DevOps automation project and need to authenticate against a REST API using OAuth 2.0 client credentials flow. Specifically, I want to:

• Obtain a bearer token using client credentials flow.
• Use the token to authenticate and make requests to a REST API endpoint like list projects.

Here's the PowerShell script I've written so far:

$tenantId = "xxxxxxxx"
$clientId = "xxxxxxxx"
$clientSecret = "xxxxxxxx"
$scope = "https://dev.azure.com/.default" 
$tokenUrl = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"

$body = @{
    client_id     = $clientId
    client_secret = $clientSecret
    scope         = $scope
    grant_type    = "client_credentials"
}

$response = Invoke-RestMethod -Uri $tokenUrl -Method Post -ContentType "application/x-www-form-urlencoded" -Body $body

$accessToken = $response.access_token

$apiUrl = "https://dev.azure.com/{organization}/_apis/projects?api-version=7.1"
$headers = @{
    "Authorization" = "Bearer $accessToken"
}

$apiResponse = Invoke-RestMethod -Uri $apiUrl -Headers $headers -Method Get

$apiResponse

However, when I run the script, I get following error:

Invoke-RestMethod : {"error":"invalid_resource","error_description":"AADSTS500011: The resource principal named https://dev.azure.com was not found in the tenant named Contoso. 
This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication 
request to the wrong tenant. Trace ID: 49b4c197-620b-4384-b2da-4eafc8771300 Correlation ID: b8253a59-0487-499f-8072-b4299a6186e5 Timestamp: 2024-11-22 
10:55:21Z","error_codes":[500011],"timestamp":"2024-11-22 10:55:21Z","trace_id":"49b4c197-620b-4384-b2da-4eafc8771300","correlation_id":"b8253a59-0487-499f-8072-b4299a6186e5","error_uri":"https://login.microsoftonline.com/error?code=500011"}
At line:14 char:13

The error seems to indicate that resource https://dev.azure.com isn't found in my tenant, or that the app hasn't been installed or consented to by anyone in the tenant.

Has anyone run into this before? I’m wondering:

Why am I getting this error, and how do I fix it? Are there any additional permissions or steps required to use client credentials with the Azure DevOps API?

Thanks in advance!

To resolve the error, you need to change scope value to 499b84ac-1321-427f-aa17-267ca6975798/.default and make sure to add application with proper access under Azure DevOps organization.

Initially, I registered one Entra ID application named DevOpsApp and granted access by adding it as user under my DevOps organization like this:

Now, I ran below PowerShell script by changing scope value and got the response with list of projects successfully as below:

$tenantId = "tenantId"
$clientId = "appId"
$clientSecret = "secret"
$scope = "499b84ac-1321-427f-aa17-267ca6975798/.default" 
$tokenUrl = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"

$body = @{
    client_id     = $clientId
    client_secret = $clientSecret
    scope         = $scope
    grant_type    = "client_credentials"
}

$response = Invoke-RestMethod -Uri $tokenUrl -Method Post -ContentType "application/x-www-form-urlencoded" -Body $body

$accessToken = $response.access_token

$apiUrl = "https://dev.azure.com/{organization}/_apis/projects?api-version=7.1"
$headers = @{
    "Authorization" = "Bearer $accessToken"
}

$apiResponse = Invoke-RestMethod -Uri $apiUrl -Headers $headers -Method Get

$apiResponse.value

Response: