I want to get all PATs via REST from Azure DevOps Server (on-premise). The REST API Docs show only access to Azure DevOps Services (hosted) with this URI
https://vssps.dev.azure.com/{organization}/_apis/tokenadmin/personalaccesstokens/{subjectDescriptor}?api-version=7.1-preview.1
How do I access the security areas (Identities, Accounts, etc.) via REST in Azure DevOps Server?
You could visit the page below for the token administration rest api.
Token Administration REST API for Azure DevOps Services - Azure DevOps Services REST API | Microsoft Learn
And you can check the api for the different workspaces with the dropdown list below.
1.List Personal Access Tokens
GET https://{instance}/{collection}/_apis/tokenadmin/personalaccesstokens/{subjectDescriptor}?api-version=6.0-preview.1
2.Read identities
GET https://{instance}/{collection}/_apis/identities?api-version=6.0
3.For security
https://learn.microsoft.com/en-us/rest/api/azure/devops/security/?view=azure-devops-server-rest-6.0
Related
I have an Azure DevOps server on-premises and I have written a small application that simply queries its API to get information from the Azure server. There is no authentication at the user level, since the application only displays information and does not POST/PUT/DELETE.
To query the API, I have used my PAT (personal access token), but this is not ideal. I have read that on the cloud version of Azure, you can just register the application to do it, but I have not found the same functionality for the on-premises version.
Am I missing something? Is the only alternative creating a technical user on the LDAP and get a PAT for it?
Is the only alternative creating a technical user on the LDAP and get
a PAT for it?
Yes, you are right.
Authorize access to REST APIs with OAuth 2.0
So 'App auth' is only supported in Azure DevOps Services (VSTS), not supported in Azure DevOps server (TFS).
I am looking for a way to create a service account to access the Azure Devops REST API.
The goal would be that this service account would be able to list all the projects.
For now the only solution I found was to create a new user, add it to an overall admin group and create a PAT for it.
Does anyone found another way of doing so ?
Thanks in advance
PS: we have a Azure Devops Service solution
Based on your description and concern, please note that the service account in Azure DevOps Service is automatically created for you when you create an organization in Azure DevOps Services. It is used when clients communicate with the hosted service and can be viewed through the web portal administration page.
And it is not supported to manually create service Account in Azure DevOps Service.
For more information, you could refer to the doc: Service account requirements - Azure DevOps | Microsoft Docs & Service accounts and dependencies - Azure DevOps Server | Microsoft Docs .
Does Azure DevOps REST API support OAuth 2 authentication with PKCE? The documentation page does not explicitly mention anything about PKCE but I'm wondering if it's just not there yet documented but already supported.
This doc uses the Azure DevOps App to do the OAuth 2.0 authentication, not sure if it supports the PKCE, you may need to have a try.
But another way to auth Azure DevOps REST API which is Azure AD auth code flow, supports PKCE, you need to register the azure ad app in the azure portal, add the Azure DevOps permission, see here. Then use the Azure AD auth code flow with PKCE to get the token and use the token to call the API. Remember to change the scope to 499b84ac-1321-427f-aa17-267ca6975798/.default.
I'm developing an extension that runs within a work item.
Is there a way I can acquire an AAD token for the current logged in user, which can be used to authenticate to an AAD protected backend service like Azure App Service/Key Vault etc?
I'm afraid you can't do that directly. Azure Devops Service and Azure are not the same things.
We can use VSS SDK and azure-devops-extension-api to get Azure-devops related info(AccessToken for Azure Devops Service,Org info, Project info, User info), but we can't get AAD token using these related api cause these apis are for Azure Devops Service.
We are trying to change the access level of users at the organization level say for example from stakeholder to basic in Azure DevOps Services programmatically - via REST API/Powershell/ARM. Could you please direct me to some documentation or any sources which can help us through.
You can do this via the Azure DevOps REST API via the User Entitlement Endpoint.
https://learn.microsoft.com/en-us/rest/api/azure/devops/memberentitlementmanagement/user%20entitlements/update%20user%20entitlement?view=azure-devops-rest-5.0