When accessing Azure DevOps via REST API through PowerShell, the Personal Access Token (PAT) used for authentication needs Full access.

PAT scope setting

When the PAT is set to Custom defined access with every scope enabled, some requests fail:

Invoke-RestMethod : The remote server returned an error: (401) Unauthorized.

Why is Full access not equal to Custom defined access with every scope enabled and maximal permissions? Is it not possible to limit the PAT to the scopes actually concerned by the request?

Edit: The concerned REST API request:

GET https://dev.azure.com/{organization}/{project}/_apis/build/latest/{definition}?api-version=5.1-preview.1
millokeller
  • Might be helpful to provide the API request you are sending – Anthony Klotz Jan 22 '20 at 18:56
  • I have the same issue. Even with all permissions enabled, I am unable to use a specific endpoint. If I select the Full Access instead, it works. Endpoint in my case: "https://dev.azure.com/{org}/{projectguid}/_api/_identity/AddTeamAdmins?api-version=5.1-preview.1" I do a post to add an administrator to a project team. Did you figure out why this was the case? – JakeUT May 28 '21 at 14:58
  • Btw, this worked with a custom defined scope until about a week ago. Now it requires full access. Any idea? – JakeUT May 28 '21 at 14:59
  • I've never figured out the reason for this odd behavior. I started to use default credentials to authenticate the REST requests whenever possible to avoid dealing with PATs. – millokeller May 30 '21 at 19:56

2 Answers

For this issue, I tested the API you listed. I tried selecting only Read access in the Build scope, and the PAT works fine.

Also, I tried setting Custom defined access with every scope enabled; obviously, this also works fine.

In some special APIs, we can only use Full access, because not all scopes will be listed in Custom defined access. The scopes of some special-case APIs are not defined in Custom defined access. For example, the API is tracked from the browser's Network and is not documented in the official documentation. You can refer to this case.

The API you use is documented in the documentation; you can try testing it in Postman to see if you get the same result.

Hugh Lin
  • I tried again. Enabling Read access in the Build scope for the PAT is not working for me for this particular request. For other requests it works. For example, I can get build definitions. (https://learn.microsoft.com/en-us/rest/api/azure/devops/build/definitions/list?view=azure-devops-rest-5.1) – millokeller Jan 24 '20 at 13:57
  • You can try to revoke the previous PAT and recreate a new one. – Hugh Lin Feb 05 '20 at 16:31

I was trying to download a file using curl and this needed a PAT. In GitHub it worked without a PAT. When I set Personal Access Token to Full Access in Azure DevOps Settings it worked fine. So I set Custom then enabled all of the custom defined access scopes.

I had to click the button at the bottom:

Show all scopes in PAT settings

This listed all of the scopes; when I enabled all of them, authentication worked. I then disabled 5 at a time and retested and found the one I needed was Token Administration [Read & Manage] only.

Token Administration Scope Image

Ardent Coder
imran3501
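
The retest loop both answers describe (same request, differently scoped PATs) can be scripted so a narrowly scoped token is verified before it replaces a Full access one. This is an added example, not code from any poster; ORG, PROJECT and DEFINITION are placeholders, and the function names and `AZDO_PAT_*` environment variables are hypothetical.

```powershell
# Added example: names, placeholders and environment variables are assumptions.
function New-PatAuthHeader {
    param([Parameter(Mandatory)][string]$Pat)
    # A PAT is sent as the password of HTTP Basic auth with an empty user name.
    $bytes = [Text.Encoding]::ASCII.GetBytes(":$Pat")
    @{ Authorization = 'Basic ' + [Convert]::ToBase64String($bytes) }
}

function Test-PatAgainstEndpoint {
    param(
        [Parameter(Mandatory)][string]$Pat,
        [Parameter(Mandatory)][string]$Uri
    )
    try {
        $r = Invoke-WebRequest -Uri $Uri -Method Get -UseBasicParsing `
            -Headers (New-PatAuthHeader -Pat $Pat)
        $status = [int]$r.StatusCode
        $ctype  = [string]$r.Headers['Content-Type']
    } catch {
        # 401 and other non-2xx responses surface as exceptions; keep the status code.
        $resp   = $_.Exception.Response
        $status = if ($resp) { [int]$resp.StatusCode } else { 0 }
        $ctype  = ''
    }
    # Only 200 with a JSON body counts: a rejected token can also come back
    # as a non-JSON sign-in page (for example with status 203).
    [pscustomobject]@{
        Status     = $status
        Authorized = ($status -eq 200 -and $ctype -like 'application/json*')
    }
}

# The request from the question, with placeholders for the elided parts.
$uri = 'https://dev.azure.com/ORG/PROJECT/_apis/build/latest/DEFINITION?api-version=5.1-preview.1'

# One PAT per scope set under test, read from the environment so no token is hard-coded.
$candidates = [ordered]@{
    'Build (Read)' = $env:AZDO_PAT_BUILD_READ
    'Full access'  = $env:AZDO_PAT_FULL
}

foreach ($name in $candidates.Keys) {
    if (-not $candidates[$name]) { continue }   # skip tokens that are not set
    $result = Test-PatAgainstEndpoint -Pat $candidates[$name] -Uri $uri
    [pscustomobject]@{ Token = $name; Status = $result.Status; Authorized = $result.Authorized }
}
```

The output lists each token by label only, so the PAT values never reach the console or a transcript.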