2

We're working in a shared repository where we're not the owner. Our AAD accounts have been invited - username@domain.com. We have no issues accessing the Git repo.

THE ISSUE: We can't access the NuGet repo. We can access it in ADO and see all the artifacts. However, when we try to pull the repo in VS, we get a 401 Unauthorized.

The workaround is to use a personal Microsoft Account (MSA). That's understandably not a good idea - it's customer work.

THE QUESTION: Is ADO's NuGet feature only supported by MSA and not AAD accounts when the invited AAD account isn't part of the owner organization? Is this a hard limit?

Thanks!

Auri Rahimzadeh
  • 2,133
  • 15
  • 21
  • Are you logged into VS with your AAD account, or only your MSA? Azure DevOps certainly does support AAD, so it's either a permissions issue or an authentication issue. Have you followed Azure DevOps' documentation on using private NuGet feeds? Although I think it should work automatically from Visual Studio, there is a nuget authentication provider you can download and try as well. – zivkan Mar 23 '19 at 06:40
  • Logged in with AAD. If I connect with an MSA, it works. If I connect with my AAD, it doesn't (401). Checked with multiple devs in our org, same issue. Add an MSA to the team, and boom, it works. Remove it, and it's broken again. Seems to work fine if the AAD tied to the NuGet repo is the same as those accounts invited to it. However, I feel the issue is with external AAD. Visual Studio doesn't support PATs when authenticating. Maybe a bug in ADO's auth? – Auri Rahimzadeh Mar 23 '19 at 12:52
  • are you sure your aad accounts have read/download permissions on the feed? you can try manually creating a PAT on VSTS's website (sorry, to me ADO is the database API) and try restoring using nuget.exe with the PAT, or put the token in a nuget.config to restore with dotnet cli or VS. You can also download the nuget.exe with authentication plugin from the azure feeds "connect to feed" page, and try restoring using that. – zivkan Mar 23 '19 at 13:35
  • @zivkan It wouldn't be ideal, although I'll try it... I didn't see a way to put the PAT in the nuget.config, but I'll look for some documentation around that. Still seems like there's a bug. – Auri Rahimzadeh Mar 24 '19 at 21:54
  • [Here are how to store an api key in nuget.config](https://learn.microsoft.com/en-us/nuget/reference/nuget-config-file#apikeys). I'm not suggesting this is a permanent solution, but it's about isolating exactly where the problem to find out if it's really a bug or not. if it is a bug, then you can report it with precise and detailed reproduction steps, and if it's not a bug, you can figure out what the configuration issue is/was. So far evidence is that your AAD doesn't have permissions to the private feed. these steps can prove me wrong. – zivkan Mar 24 '19 at 22:18
  • however, I don't know if Azure Artifacts supports api key or authentication though nuget.exe's default protocol. it might be that the only possible way to authenticate to Azure Artifacts is using their supplied credential provider, which both I and Alex AIT suggested you try. – zivkan Mar 24 '19 at 22:20

1 Answers1

0

Authentication with Azure Artifacts can be a bit of a pain... but it works (even with guest AAD accounts). I am using it like this every day. If you can download the file from the feed via the UI, you will also be able to download it via VisualStudio or other tools.

VisualStudio should have no issue at all when talking to the feed, at least if it is a somewhat current version. For VSCode and others you should try the Azure Artifacts Credential Provider and run something along these lines: dotnet restore --interactive

Alex AIT
  • 17,361
  • 3
  • 36
  • 73
  • I can download the JSON feed from the URI ADO provides. However, when I'm in Visual Studio, it prompts for credentials, then fails with a 401. If I use a regular ol' MSA account, it works flawlessly. You're using a guest account every day? – Auri Rahimzadeh Mar 24 '19 at 21:50
  • My AAD account is my main account in VisualStudio. My MSA account is only added as a secondary account. Yes, I am a guest in the tenant of another company. – Alex AIT Mar 25 '19 at 15:31
  • Thanks, Alex. I'll review. If I find an answer, I'll post it here. Thanks, all, too! – Auri Rahimzadeh Mar 26 '19 at 12:55