I have my own private organization and repositories.
I also have multiple directories and all of them work except for the "Microsoft account" directory.
I am able to log into Azure Devops no problem using the Microsoft account directory.
I see my organization and I can go through my repositories, agents, pipelines, everything.
However, I can't change anything. All I get is the error or screens that don't load fully.
Its like its in read only mode.
I went into user settings to check permissions and it lets me in but only so far. It stops loading user lists after selecting groups.
It shows me groups and permissions for everything, however.
When I try and generate a PAT, the screen sits there and says "Loading Tokens..."
The error I see everywhere and in the network responses is:
$id: "1"
innerException: null
message: "TF400813: The user '' is not authorized to access this resource."
typeName: "Microsoft.TeamFoundation.Framework.Server.UnauthorizedRequestException, Microsoft.TeamFoundation.Framework.Server"
typeKey: "UnauthorizedRequestException"
errorCode: 0
eventId: 3000
Exactly like that, nothing there between the quotes.
It also shows up in Red text with just this message:
TF400813: The user '' is not authorized to access this resource.
To resolve this I have done the following:
Logged out of devops entirely, which seems to log me out of several services.
Switched between my AD accounts while logged in.
I've rebooted my machine(I first started seeing this in VS so I updated and rebooted as part of that)
Anything I'm missing here?
message: "TF400813: The user '' is not authorized to access this
resource.
This looks more like the anonymous access error as you said that there's nothing between the quotes.
In azure devops, e.g PAT generated, most services have themselves security module. When user want to make use of them, it must pass the firstly identity check. If for system, your visit and operate are identified as anonymous, it will look like read-only.
We ever handled such issue and found it due to the proxy blocking the traffic, which also lead him to get the same error when accessing azure devops with vscode.(Similar with yours)
You need confirm is there any proxy configured in your side.
If there's no proxy set but still has this issue. Since Stackflow is a open forum but this is a identity issue. I strongly suggest you contact here and then attach below info also:
Activity id: You could see this from the Headers of Network. For our backend, we could use this id to check the exactly stack
trace.
Org name and account name.
Fiddler trace. The mostly useful info we need is fiddler trace.
I tried a few options like setting the PAT in interactive screen or via environment variable or by storing it in a file and echoing that file content to the az devops login or az pipeline create command as mentioned in
https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops&viewFallbackFrom=vsts&tabs=preview-page#create-personal-access-tokens-to-authenticate-access
However none of them worked. Finally it worked after I changed the token (PAT) in the file
/home//.azure/azuredevops/personalaccesstoken.
Try to sign out and the sign in again,
it's worked for me.
Related
I can not see my queries using Excel Team plugin. I get an error enter image description here
TF8001:An error occurred while accessing the work item database. Contact the administrator
Please use the administrator account to check these:
First, please check whether the current query allows your account to access it.
click on the Shared query-->Security
Make sure that the related options are allowed.
Second, make sure that your account has access to the current work item.
Project Settings--> Project configuration
Finally if you execute the query to tfs work item database, you should contact your Administrator to add permission for your account.
So my goal is to create a Rundeck job that runs on a schedule and isn't run as my personal user, or any "regular" user, but rather a bot user. Ideally this bot user wouldn't have login access and restricted permissions for security reasons, but would be able to run certain jobs. I've tried searching, but the only information I'm finding is about how to create a "regular" user in Rundeck. Even if I go down that route of creating the bot user as a "regular" user, to use it, you need to pass in either the login credentials or an API token. An API token would be fine, if it could be generated and pulled in on the fly. However, that is not the case, the API has an expiration itself. If there is something I'm missing, please let me know. I'd love to get this working.
Rundeck Version: Rundeck 3.2.1-20200113
Rundeck Cli Version: 1.1.7
You can set the following configuration in your rundeck-config.properties file (usually at /etc/rundeck/ directory):
rundeck.api.tokens.duration.max=0
This will disable your maximum period, you can see this in the official documentation here.
With that, your "bot user" can do it through API / RD CLI as you wrote.
Try using webhooks https://docs.rundeck.com/docs/manual/12-webhooks.html
You can trigger a job by making a http-request
The way I've implemented bots is as a user who is a member of a 'bot' user group, with ACLs that lock down that group as required. Any passwords required for the scheduled job are loaded into the key storage of the bot user.
With this approach you still need someone who knows the bot credentials to login as them and set passwords/SSH keys, but that's a one-off. Is that what you're trying to avoid?
The one annoying thing I've found is that a scheduled job always seems to run as the last user to edit the job - so I grant edit access to bot users and make sure to set/reset the schedule after any edit by a normal user. Hoping to address this through https://github.com/rundeck/rundeck/issues/1603, you might want to give it a 👍.
I cannot create a new organization named ''OnLineO'', as this name already exists.
I'm about sure it's me who created it a few time ago, but none of my logons run.
Must I send an email to Visual Studio Marketplace (VSMarketplace#microsoft.com) as stated in this post : Recovering access to an organization ?
Through the query, I found that your organization:"OnLineO" has been backed up to AAD:"OnLineO".
Please go to azure DevOps profile page,switch to OnLineO domain and try to login. Please do this in the new incognito window of browser. Note that your login account also needs to be backed up to AAD.
If you still cannot log in, please provide vsid as shown below. Pay attention to the processing of personal privacy information.
Sorry for the delay. If organization OnLineO is backed up to AAD "OnLineO", this is a great info, but I don't understand what it means... ?
On my DevOps profile page in an Invited session in Chrome (more isolated than incognito in other browsers), I am switched to OnLineO
DevOps profile page
It's when I try to create OnLineO as a New Organization that I get this message :
New Organization
I am setting up the group of people who should see the test results and dashboards in Azure Devops (for external to project users).
I've created another team so they don't see the boards.
They have the rights to see the test results and this works, they
can see the test runs.
I've added the Test results dashboard for this new team which works
fine when you are internal user.
However, external users geting the error "FS.WebApi.Exception: TF400898: An Internal Error Occurred." and also no tests data is visible from the dashboard editor. It looks like those external users missing some permissions to see any test data via dashboard but I can't figure out which permissions are missing.
for external to project users
Are the external users here referring to members of different teams in the same project?
One reason I can think of permission is that the team's View analytics permission is set to deny,this may cause the widget content to fail to load. You can also view this case to see if it is the same internal error situation.
I am trying to make request to the Graph API using a service with no UI. I downloaded the following sample code and followed the instructions: https://blog.kloud.com.au/2015/12/14/implementing-application-with-o365-graph-api-in-app-only-mode/
I successfully get an Access Token, but when using it to make a request to get organization information (required Read Directory Data access), I get 403 Unauthorized.
I have registered my app in Azure AD (where I am a co-administrator).
I have specified Microsoft Graph in the 'permissions to other applications' section, and given Read Directory Data access.
Interestingly there is a note below saying 'You are authorized to select only delegated permissions which have personal scope'. Even though I clearly did. Why? I suspect this is the source of my problem.
Likewise I have checked my demo app against these instructions: https://graph.microsoft.io/en-us/docs/authorization/app_only, but it makes no mention of what role in Azure you need to have.
in this SO post's answer, there is mention of still needing to Consent. I haven't found any documentation about this.
You are authorized to select only delegated permissions which have personal scope
This issue is caused that the app is created by none admin and when they visit the portal then will see this message.
To grant the app-only permission to the application, we need to be the administrator of the tenant. It is different with the co-administrator. To user the Client Credential flow, I suggest that you contact the admin of the tenant to create an application for you. And if you were just for testing purpose, you can create a free tenant and register the application yourself.
Update
We need the assign the Global administrator director role as figure below to make the application works for the client credential flow: