Azure Function cannot authentication to Azure DevOps API

Question

Initially we had an anonymous Azure Function using System Assigned Managed Identity, that managed identity was added to Azure DevOps API and was able to call the API from the function. But later I wanted to call this function from SPFx app, so I added Microsoft identity provider in function's authentication for secure calls. After adding that authentication, I get a TF401444 error while calling the api and asking to login to Azure DevOps.

I think the app registration needs to have user_impersonation for Azure DevOps added in API permissions section of app registration.

Would you believe there are additional changes to this?

var token = new DefaultAzureCredentials().GetTokenAsync(....

var token = new DefaultAzureCredentials().GetTokenAsync(....) That's the C# code I used to get token. I think that error above is due to authentication issue with Azure DevOps.

I checked that token and I see the oid from the token is the same as the one in the error asking for azure devops authentication after the tenant id.

How do I resolve that error?

I read this article and trying to understand which would be my scenario. https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/authentication-guidance?view=azure-devops

I know the old one before adding the authentication would be in the managed identity section. Is there a new one to get Entra token?

Answer 1

Thank you for your answers, resolved the issue through extra research a while ago but adding an answer now. I had to add authentication in Azure function using the app registration (from Answer 1) and also add the service principal of app registration (usually with the same name) in Azure DevOps's project under Users section with appropriate permissions which resolved the issue (Answer 2). thanks

Answer 2

Hi dotnet_guy,

Issue: Customer's Azure Function cannot authentication to Azure DevOps API

Error Message: TF401444 while calling the API and asking to login to Azure DevOps.

Solution: Customer have already tried all the above stated by @Sina Salam Then, adding the app registration's service principal to Azure DevOps's org and project. This resolved the issue.

Answer 3

Hello dotnet_guy,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that your Azure function cannot authenticate to Azure DevOps API, and critical issue I can see from the information you posted are the followings:

1. Since you are using the Microsoft identity provider, you need to ensure that your Azure Function is correctly configured to use OAuth 2.0 for authentication. This involves setting up the correct scopes and ensuring that the tokens are valid for Azure DevOps API calls.
2. The TF401444 error indicates that app/user needs to authenticate. This can happen if the token does not have the necessary permissions or if the token is not being recognized by Azure DevOps. Double-check the permissions and ensure that the token is valid.
3. If you are transitioning to using Microsoft Entra tokens, ensure that your app is registered correctly in the Microsoft Entra ID and that you are requesting tokens with the appropriate scopes for Azure DevOps - https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/entra?view=azure-devops and https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/entra-oauth?view=azure-devops and for more detailed guidance, you can refer to the documentation https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/authentication-guidance?view=azure-devops

Things you will need to do:

1. Make sure your app registration in Azure AD has the user_impersonation permission for Azure DevOps. In your API permissions add the user_impersonation permission under Azure DevOps. https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/authentication-guidance?view=azure-devops
2. Use the Azure.Identity library to acquire a token with the required scopes. This is an updated code snippet:

           var credential = new DefaultAzureCredential();
           var tokenRequestContext = new TokenRequestContext(new[] { "https://dev.azure.com/.default" });
           var token = await credential.GetTokenAsync(tokenRequestContext);
   

3. Azure Function's authentication settings should be configured to accept tokens from the Microsoft identity provider. This includes setting the correct audience and issuer in the authentication settings.
4. If transitioning to Microsoft Entra tokens, your app should be registered correctly in Microsoft Entra ID and request tokens with the appropriate scopes for Azure DevOps - as discussed in these links: https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/entra?view=azure-devops and https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/entra-oauth?view=azure-devops to follow the guidance on Microsoft Entra authentication for Azure DevOps
5. About troubleshooting TF401444 Error, the token should include the necessary permissions and make sure it is valid for Azure DevOps - https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/oauth?view=azure-devops

I hope this is helpful! And you will be able to solve the issue. Do not hesitate to let me know if you have any other questions or clarifications.

---

Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.