az devops login --organization https://dev.azure.com/XXXX
token
able to login
AZ Login - Successfully connected to Azure
Try to run
az devops project list
TF400813: The user '1a6dbb80-5290-4fd1-a938-0ad7795dfd7a\xx.yyyy#abc.com' is not authorized to access this resource.
I have full access to this organisation,still not able to access
Here's a similar thread: TF400813: The user 'Guid\FirstName#c.com' is not authorized to access this resource
Please make sure the organization is connected to AAD and your account is one of the users in this AAD.
Also try to use a microsoft email address instead of XXXX#abc.com see if you can get authorized.
Related
I am logging into az cli using correct token:
echo my_pat | az devops login
But I see the following error while getting the existing repositories in a project:
az repos list --org {ado_org_url} --project {ado_project} --query '[*].name'
ERROR: The requested resource requires user authentication: https://dev.azure.com/my_org/my_project/\_apis/git/repositories
Am I missing any settings while setting up my pat? How can I get rid of this error?
You don't want to use the az devops login if you already set an AZURE_DEVOPS_EXT_PAT Environment Variable. If you not set an AZURE_DEVOPS_EXT_PAT Environment Variable set it first and do your CLI Task.
The az devops commands now enable sign-in with az login, you don't need to give a token if you've already signed in with az login interactively or with a username and password. However, you can't use az login to log in as the service principal. A PAT is required in that case.
If you still need to log in by using az devops login it requires the User Authentication. For that, you have to login using Service Principle
"user": {
"name": "***",
"type": "servicePrincipal"
}
References
How to securely login in Az CLI from a DevOps Pipeline
Fix ERROR: The requested resource requires User Authentication
MSDOC for Azure DevOps CLI sign in with a PAT
I want to get information about a service principal in an Azure PowerShell task in my DevOps pipeline using Get-AzADServicePrincipal but I get this error.
[Authorization_RequestDenied] : Insufficient privileges to complete the operation
The DevOps service principal has Contributor rights in the subscription.
I have created a custom role but unsure as to what permissions to assign to it so that I can run the command in my pipelines. My user account is Subscription Owner.
This error usually occurs when you do not have permission to read service principals, maybe Directory.Read.All or Application.Read.All are not being enabled. Please provide the service connection to those permissions by granting admin consent.
To enable that, go through the following steps:
Go to Azure Portal -> Azure Active Directory -> App Registrations -> Your DevOps resource -> API Permissions
Now, click on Grant Admin Consent and it will change the status to
granted (Green) .
After performing all these, redeploy the DevOps Pipeline and run Get-AzADServicePrincipal to get the information about service principal.
If still it does not work, assign Directory Readers and Application Administrator roles to service principal of DevOps pipeline.
References:
Service Principal considerations when using Azure DevOps to manage
RBAC on Azure Resource Groups | by Andrew Kelleher | Azure
Architects | Medium
Azure: permissions to list service principals - Stack Overflow
I'm trying to connect my Azure DevOps Organization to my Azure AD Tenant. I'm the only user in both. I connect to both using my personal microsoft (#outlook.com) account. However, when I'm trying to link my DevOps orga to my Azure AD Tenant, Azure DevOps doesn't see me as a member of the Azure AD Tenant that I'm trying to connect to, even though I'm connected in Azure with the same Microsoft account that I use on Azure DevOps... I'm following the steps mentioned here.
Below pic shows the error message I'm getting while trying to connect my Azure DevOps orga to my Default Azure AD Tenant :
Here, you can see that I'm connected in my Azure AD Tenant with the same Microsoft account that in the previous picture :
Tried to do the same where only one member who is the only admin is present in the azure AD tenant.But could successfully connect to azure devops.
Please make sure you are connecting already existed AAD tenant and then creating connection. check if admin permissions are given .
I had these roles assigned .
I had guest user access same as member access
Could smoothly connect without any warnings to the same domain as that of azure ad.
I tried to reproduce the issue and so tried connect with the other tenant /directory and got the error similar to yours which is not your case as you mentioned you have same directory domain.
So in your case , please close all other tabs and signin to only the required tenant both in azure ad and also in azure devops.
Please check the access permissions for this organization, if the organization is denied access for external access.
See Access via Azure AD FAQs | Microsoft Docs which can guide to troubleshoot your error cause and it says to have co-admin or service admin permissions.
Also please take the points by #jessehouwing in the comments into consideration , if issue is still there :Create a new Global Admin user account in AAD,Add this user to the DevOps organisation and set as owner and give Project Collection Administrators permission,Remove that domain from the DevOps org and Re-add to the org and re-assign as the owner.
Else it might be some issue with the default directory permissions. You may contact and report a problem in https://developercommunity.
I created an Azure AD B2C tenant, added applications to it. After running the application, it allows me to enter username and password, but when I click login it throws an error,
inner exception = null: invalid_resource;AADSTS500011: The resource
principal named api://8e82b4f2-4962-4b66-a6f5-76667400cfed was not
found in the tenant named. This can happen if the application has not
been installed by the administrator of the tenant or consented to by
any user in the tenant. You might have sent your authentication
request to the wrong tenant.
Am using this library MSAL Mobile Flutter Plugin. I have followed all the steps described by documentation on the plugin, and on azure portal, but end up with that error. And I am logging in with users from the same tenant
What am i doing wrong?
I can easily reproduce your problem.
For AAD b2c tenant, it is somewhat different from AAD tenant. I noticed that the sample you refer to is aad. If you use aad b2c tenants, its scope should be:
https://zhaozhub2c.onmicrosoft.com/0ffde1a6-04d2-440e-87a5-d9fd69dbxxxx/mytest.
Please note that you cannot use client credential flow for Azure b2c because Azure b2c requires user login. I used ROPC flow to test and it works well.
I am trying to connect an existing MS-based DevOps organisation to our AAD (O365). I have a user account nnn#outlook.com in DevOps that is both Organization Owner and a Collection Administrator.
The same outlook.com account is a Member of the target Tenant directory. I can login to portal.azure.com using that account and see all the details of the AAD. I have made the account a Global Administrator.
When I click Connect Directory, I get a list of the tenants that account has access to. My target is there and I have confirmed that the Tenant ID matches.
When trying to connect I get the error message:
"User: nnnn#outlook.com is not allowed to link organization: xxxx to AAD tenant: zzzzz. Only active members of the AAD tenant are allowed to perform the link."
I tried creating a clean guest account, PS'd it to become a Member, but get the same result.
Any suggestions greatly appreciated.