What and where are the required permissions to republish existing VS Code extension? - visual-studio-code

A year ago I published a Visual Studio Code extension with vsce. I wish to publish an update, but lost the old token. I created a new one, but have not been able to find the right combination of permissions to republish.
Without supplying a new token, I get:
> vsce publish
ERROR Failed request: (401)
Using the new token with Full access scope on All accessible organizations or with the documented Marketplace scopes, I get:
> vsce publish -p newtoken
ERROR Access Denied: xxx needs the following permission(s) on the resource /aaa/bbb to perform this action: Make changes to, share, or view certificate of an existing extension
What have I missed in setting up permissions to republish?

Arg. I should have known once I took the time to post a question I'd figure out the problem. Back story: After adopting Azure AD, there was great confusion among developers here between Office 365 accounts and Microsoft accounts--because we had been advised to use the same email address for both.
Long story short, the problem was I was attempting to publish using a token from my Office 365 account, when the extension was originally published under my Microsoft account. It was long enough ago that I didn't remember that. I also gave my O365 account access to the organization owned by my Microsoft account, so I could conveniently access various resources with either one.
I created a new token under my Microsoft account, and boom, publish succeeded.

Related

Azure DevOps login via github fails

I get the following error
We cannot complete your request
server_error: The request could not be completed. Please try again later.
Error link:
https://login.live.com/HandleGithubResponse.srf?code=c3f48c4783f6d1d5ef1b&state=38FEE58AB9343DAB#
update
I used GitHub to log in to Azure before, and published a plugin. Now, when I want to log in to Azure using GitHub, I will be forced to log in to my MS account. My mailbox is rxliuli#gmail.com on both MS and GitHub.
At the same time, I created an organization rxliuli after logging in with an MS account. Azure did not show any errors, but when I want to log in to rxliuli (create a personal token), it prompts ERROR Failed request: (401). What's wrong? Is there any way for me to use the publisher name rxliuli after logging in with GitHub before?
update
I can't use vsce to create any new users right now...
update
Currently, I can use GitHub to log in to Azure, but using vsce login rxliuli still shows ERROR Failed request: (401). I am sure that the token has all permissions and has not expired.
Well, actually because the token I created has no choice to allow all organizations...
ref: https://code.visualstudio.com/api/working-with-extensions/publishing-extension#i-get-403-forbidden-or-401-unauthorized-error-when-i-try-to-publish-my-extension

How to get access to an Azure DevOps Organization

I cannot create a new organization named "OnLineO", as this name already exists.
I'm fairly sure it was me who created it a while ago, but none of my logins work.
Must I send an email to Visual Studio Marketplace (VSMarketplace#microsoft.com) as stated in this post: Recovering access to an organization?
Through the query, I found that your organization:"OnLineO" has been backed up to AAD:"OnLineO".
Please go to the Azure DevOps profile page, switch to the OnLineO domain and try to log in. Please do this in a new incognito window of the browser. Note that your login account also needs to be backed up to AAD.
If you still cannot log in, please provide vsid as shown below. Pay attention to the processing of personal privacy information.
Sorry for the delay. If organization OnLineO is backed up to AAD "OnLineO", this is great info, but I don't understand what it means...?
On my DevOps profile page in an Invited session in Chrome (more isolated than incognito in other browsers), I am switched to OnLineO
DevOps profile page
It's when I try to create OnLineO as a New Organization that I get this message:
New Organization

Call Microsoft Graph API - App only unauthorized error

I am trying to make request to the Graph API using a service with no UI. I downloaded the following sample code and followed the instructions: https://blog.kloud.com.au/2015/12/14/implementing-application-with-o365-graph-api-in-app-only-mode/
I successfully get an Access Token, but when using it to make a request to get organization information (required Read Directory Data access), I get 403 Unauthorized.
I have registered my app in Azure AD (where I am a co-administrator).
I have specified Microsoft Graph in the 'permissions to other applications' section, and given Read Directory Data access.
Interestingly there is a note below saying 'You are authorized to select only delegated permissions which have personal scope'. Even though I clearly did. Why? I suspect this is the source of my problem.
Likewise I have checked my demo app against these instructions: https://graph.microsoft.io/en-us/docs/authorization/app_only, but it makes no mention of what role in Azure you need to have.
In this SO post's answer, there is mention of still needing to Consent. I haven't found any documentation about this.
You are authorized to select only delegated permissions which have personal scope
This issue occurs because the app was created by a non-admin; when they visit the portal, they will see this message.
To grant the app-only permission to the application, we need to be the administrator of the tenant. That is different from the co-administrator. To use the Client Credential flow, I suggest that you contact the admin of the tenant to create an application for you. And if this is just for testing purposes, you can create a free tenant and register the application yourself.
Update
We need to assign the Global administrator directory role, as in the figure below, to make the application work for the client credential flow:
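A local check for the situation in this question, added here as an example and not part of the original posts: a token can be issued successfully and still lack the application permission, which shows up as a missing entry in the token's roles claim. The token payloads are constructed inline and unsigned; the function names and the Directory.Read.All value (assumed here to be the Graph name for Read Directory Data) are assumptions.

```powershell
# Added example. Decodes a JWT payload locally; it does not validate the signature.
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    $b64 = $Value.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {      # restore the padding that base64url strips
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWT (expected header.payload.signature).' }
    ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
}

function Test-AppRole {
    param([Parameter(Mandatory)]$Payload, [Parameter(Mandatory)][string]$Role)
    # App-only tokens list granted application permissions in 'roles';
    # delegated tokens carry 'scp' instead.
    return (@($Payload.roles) -contains $Role)
}

# Constructed sample tokens (placeholder app id, fake signature segment).
function ConvertTo-Base64Url([string]$Text) {
    $raw = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text))
    $raw.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$header = ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}'
$samples = [ordered]@{
    'permission not granted' = '{"aud":"https://graph.microsoft.com","appid":"00000000-0000-0000-0000-000000000000"}'
    'permission granted'     = '{"aud":"https://graph.microsoft.com","roles":["Directory.Read.All"]}'
}
foreach ($name in $samples.Keys) {
    $token   = ($header, (ConvertTo-Base64Url $samples[$name]), 'sig') -join '.'
    $payload = Get-JwtPayload $token
    '{0}: Directory.Read.All present = {1}' -f $name, (Test-AppRole $payload 'Directory.Read.All')
}
```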

TFS REST API: How to "Make requests on behalf of others"?

I want my VSTS extension (installed on-prem TFS2015.3) to be able to do specific requests on behalf of an admin/service account ("Make requests on behalf of others").
Background: I manipulate (WorkItem) Process Template, specifically the GLOBALWORKFLOW (only on team-project level) in my extensions typescript, but the user of the extension in Web Access is NOT a project-admin so he is not allowed to use the function updateWorkItemTypeDefinition() - Non-Project-Admins get "Access denied" even if I gave that custom group every permission available ("Edit project-level-information" permissions for project-level GLOBALWORKFLOWs? Still didn't work for custom groups, only for Project Admin Accounts).
It seems I'm forced to impersonate a project admin /service account which is allowed to change the global workflow in the project
How do I impersonate in extension typescript code on-prem TFS and REST (1. not .NET and 2. without changing to basic auth, saw that solution already somewhere else - but I'm very sure I cannot request that change in my organization)
Thanks for your help
You can impersonate user through vsts-node-api.
There are many functions to impersonate a user, such as Basic, NTLM, PWA (VSTS), etc.; you can check these functions here.
import * as vm from 'vso-node-api';
// your collection url
var collectionUrl = "XXX";
let authHandler = vm.getNtlmHandler("[user name]","[password]","[workstation optional]","[domain optional]");
var connect = new vm.WebApi(collectionUrl, authHandler);
There is the sample that you could refer to.

How to detach, unlink, clear, remove, or rollback VSTS connection to Azure AD

There are good instructions available here on changing the VSTS connection from one Azure AD to another: Change VSTS AD.
But what if you just want to remove the Azure AD integration, and just revert to using Microsoft Accounts?
I successfully performed all the steps in the instruction, up to the point of attaching a new target Azure AD. You'd think when the VSTS account was unlinked in Azure, it would no longer show up in VSTS.
But going to https://[AccountName].visualstudio.com/_admin/_home/settings still shows account being backed by the source directory.
Attempting to add a Microsoft Account based user at https://[AccountName].visualstudio.com/_user fails to find the account, presumably because it is looking in the Source Azure AD.
This is an important capability when transferring ownership of an account. Thanks for taking a look!
You can follow the steps here: Disconnect your Team Services account from Azure AD.
To stop using Azure AD and revert to using Microsoft accounts, you can disconnect your Team Services account from its directory.
Here's what you'll need:
Microsoft accounts added to your Team Services account for all users.
Team Services account owner permissions for your Microsoft account.
Directory membership for your Microsoft account as an external user and global administrator permissions. Azure AD members can't disconnect Team Services accounts from directories.
With the help of Microsoft Premium Support, we did manage to get this worked out.
The problem was the Team Services was not disconnected from the associated Azure AD before it was unlinked. Then once it was unlinked, it appeared gone from Azure, leaving no way to disassociate Azure AD.
The documentation does show to first disconnect the VSTS account from Azure AD, and then "unlink" the account. Where I got into trouble was by using the new portal. (It's pretty hard to even find the old portal anymore, BTW.)
The new portal has this nice handy unlink button, which is practically irresistible. If you click it, it declares success. There is nothing in the UI that prevents you from unlinking while still leaving the AD association. There is no option at all in the new UI portal, as far as I could find, to disconnect Team Services from Azure AD.
Once unlinked, the only fix is to relink, and then redo it all in the old portal as is indicated by the documentation.
This is much more difficult than it should be because it seems like something that should be simple to achieve through the web UI. These posts helped me, but I wanted to add my 2 cents:
In order to disconnect VSTS from AAD you need to be able to use the disconnect button on the configure tab in the old portal seen here. However, you can only use that button if you're the VSTS account owner and if your account is not sourced from the currently linked active directory (i.e. - a MS Account). But you can't make the VSTS account owner a MS account if you've used the portal's interface to add the MS Account to your AAD as an external user. This is because external users are added as Guest account type by default (rather than Member type). If you try to set the MS account as VSTS owner you get the "AAD guest users are not allowed to be collection owners" message seen here.
It's a chicken/egg thing which is made more difficult by the fact that the official documents for this process make no mention of the conflict you'll face. They read as if this should just work.
The answer is that (as of today) you can't do this without using PowerShell or an AAD API to convert the MS Account from a "Guest" to a "Member" user type. There are a number of articles out there which walk through the older APIs to do this. Here is what I did with the latest PS:
First, log in to the directory you wish to unlink with an account which has permissions to modify members. Ideally an admin or owner.
Connect-AzureAD
Next, find the account you want to modify using this command:
Get-AzureADUser
Find the ObjectID of the user you want to convert from Guest to Member and then run this command:
Set-AzureADUser -ObjectId [ObjectID GUID Here] -UserType Member
This will convert the MS Account in the AAD you want to unlink to a 'member' type. In my situation I found that I had to remove the MS Account from VSTS and re-add it in order to trigger a refresh which allowed me to set it as account owner.
Now you just follow the documented steps:
set MS account as project owner. Save.
log in to old portal, go to configure tab, and disconnect
log back in everywhere to see the changes
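The Guest-to-Member steps from the answer above as one script, added here as an example and not the answerer's own code. It uses only the AzureAD module cmdlets named in the answer; the $Address parameter is hypothetical, and the lookup assumes the guest entry carries the Microsoft account's address in Mail or OtherMails.

```powershell
# Added example. Run while signed in with an account allowed to modify users
# in the directory that is about to be disconnected.
param(
    # Hypothetical parameter: email address of the Microsoft account.
    [Parameter(Mandatory)][string]$Address
)

Connect-AzureAD | Out-Null

# Assumption: the external account's entry has the address in Mail or OtherMails.
$found = @(Get-AzureADUser -All $true | Where-Object {
    $_.Mail -eq $Address -or $_.OtherMails -contains $Address
})

# Refuse to continue on zero or multiple matches so the wrong object is never changed.
if ($found.Count -ne 1) {
    throw "Expected exactly one user for $Address, found $($found.Count)."
}

$user = $found[0]
'{0} ({1}) is currently UserType={2}' -f $user.DisplayName, $user.ObjectId, $user.UserType

# Only touch the account if it is still a Guest; rerunning the script is harmless.
if ($user.UserType -eq 'Guest') {
    Set-AzureADUser -ObjectId $user.ObjectId -UserType Member
}

# Re-read the object to confirm the directory now reports Member.
Get-AzureADUser -ObjectId $user.ObjectId |
    Select-Object DisplayName, UserPrincipalName, UserType
```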