
Azure DevOps Accounts List won't work for Service Principals #696

Open
EmilienCourt opened this issue May 29, 2024 · 6 comments

@EmilienCourt

Hi!

I'm using Azure DevOps REST API version 7.1-preview.

I'm logging in using a Service Principal, which is a member of an Azure DevOps Organization.

Connect-AzAccount -CertificatePath $certificatePath -CertificatePassword $certificateSecurePassword -ServicePrincipal -Tenant $tenant -ApplicationId $appId -ErrorAction Stop

Once logged in, I'm requesting an Access Token for Azure DevOps:

$token = Get-AzAccessToken -ResourceUrl "499b84ac-1321-427f-aa17-267ca6975798" -ErrorAction Stop

I'm then getting my profile id:

$me = Invoke-RestMethod -Headers @{Authorization = "Bearer $($token.Token)"} -Method Get -ContentType "application/json" -ErrorAction Stop -Uri "https://app.vssps.visualstudio.com/_apis/profile/profiles/me?api-version=7.1-preview.1"
$me
coreAttributes : @{DisplayName=; PublicAlias=; EmailAddress=; CountryName=; Avatar=}
coreRevision   : 454689571
timeStamp      : 5/29/2024 2:39:31 PM
id             : 6b28f906-cb6c-6ef0-af0f-6d1a4d3444c7
revision       : 454689571
profileState   : custom

When I try to get the list of Organizations attached to this member, I get an empty array:

Invoke-RestMethod -Headers @{Authorization = "Bearer $($token.Token)"} -Method Get -ContentType "application/json" -ErrorAction Stop -Uri "https://app.vssps.visualstudio.com/_apis/accounts?memberId=$($me.id)&api-version=7.1-preview.1"

count value
----- -----
    0 {}

I've tried changing the permissions associated with the Service Principal in Azure DevOps, unsuccessfully.


@carusyte

+1
Impacted by the same issue

@roybh1

roybh1 commented Aug 19, 2024

any workaround for this?

@divdavem

divdavem commented Aug 29, 2024

The same issue happens for us with version 7.2-preview.1.
With a personal access token, it works fine, but, with a service principal, it always returns an empty array, which is obviously wrong because the service principal is a member of some Azure DevOps organizations.

If we try passing the service principal Application (client) ID in the memberId parameter instead of the id returned by https://app.vssps.visualstudio.com/_apis/profile/profiles/me?api-version=7.2-preview.3, then we get an error:

{
    '$id': '1',
    innerException: null,
    message: 'Access Denied: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx needs the following permission(s) on the resource /UserAccountMappings to perform this action: Read User Mapping resources',
    typeName: 'Microsoft.VisualStudio.Services.UserMapping.UserMappingServiceSecurityException, Microsoft.VisualStudio.Services.WebApi',
    typeKey: 'UserMappingServiceSecurityException',
    errorCode: 0,
    eventId: 3000
}

In this error message, the guid I replaced with xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx is the same id as the one returned by https://app.vssps.visualstudio.com/_apis/profile/profiles/me?api-version=7.2-preview.3.

We need a simple way to get the list of Azure DevOps organizations that the currently connected service principal has access to. How can we do that?

@divdavem

divdavem commented Aug 29, 2024

cf also this comment in the discussion on developercommunity.visualstudio.com, this ticket and this one

@carusyte

carusyte commented Sep 2, 2024

If you're facing the same issue, kindly upvote this ticket 10713328 as it seems this is the only one not yet closed and being tracked by Microsoft.

@drk-mtr

drk-mtr commented Nov 26, 2024

Same issue here, but I'm using a user as opposed to a service principal. Does anyone know where the Read User Mapping permission should be applied?

EDIT: I've realised that if I remove the API version from the request URL, this works - for the "user" case (I haven't tried service principal). Leaving this comment here rather than deleting, just in case anyone else stumbles across this.
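The calls discussed in this thread, assembled into one function as an added example (not code from the issue or from Microsoft): it fetches the profile id, requests the accounts list with the api-version parameter, and, if that returns an empty list, retries without the parameter as drk-mtr's workaround suggests. It assumes Connect-AzAccount has already been run; the function name Get-AdoOrganizations is made up for this example.

```powershell
# Added example, not from the issue thread. Assumes Connect-AzAccount has
# already succeeded (Az.Accounts module loaded).
function Get-AdoOrganizations {
    param(
        # Azure DevOps resource id as used in the issue's Get-AzAccessToken call
        [string]$AdoResourceId = "499b84ac-1321-427f-aa17-267ca6975798"
    )

    $token   = Get-AzAccessToken -ResourceUrl $AdoResourceId -ErrorAction Stop
    $headers = @{ Authorization = "Bearer $($token.Token)" }
    $base    = "https://app.vssps.visualstudio.com/_apis"

    # Profile id of the caller; this is the value the issue passes as memberId
    $me = Invoke-RestMethod -Headers $headers -Method Get -ContentType "application/json" `
        -Uri "$base/profile/profiles/me?api-version=7.1-preview.1" -ErrorAction Stop

    # First the documented form, then the workaround without api-version
    $candidates = @(
        "$base/accounts?memberId=$($me.id)&api-version=7.1-preview.1",
        "$base/accounts?memberId=$($me.id)"
    )

    foreach ($uri in $candidates) {
        try {
            $result = Invoke-RestMethod -Headers $headers -Method Get `
                -ContentType "application/json" -Uri $uri -ErrorAction Stop
        } catch {
            # Surface the service's own message (e.g. the UserMappingServiceSecurityException
            # quoted above) rather than only a bare HTTP status
            Write-Warning "Request to $uri failed: $($_.Exception.Message)"
            continue
        }
        if ($result.count -gt 0) {
            return $result.value
        }
        Write-Warning "Empty organization list from $uri (profile id $($me.id))"
    }
    return @()
}

Get-AdoOrganizations | Format-Table -AutoSize
```

An empty result from both URIs with a service principal reproduces the behaviour reported in this issue; a non-empty result only from the second URI matches drk-mtr's observation for a user identity.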
