
Issue with Listing Azure DevOps Organizations for a Service Principal

Jai Garg 60 Reputation points
2025-03-20T07:35:47.69+00:00

Hi,

We are using the client credentials flow as a service principal to authenticate with Azure DevOps. The service principal is added to the Azure DevOps organization and is also a member of the PCA group.

Using the application ID, client secret, and tenant ID, we successfully generate an access token. However, when attempting to list the organizations that this service principal has access to, we encounter an issue.

We are following this approach:

  1. Retrieve the member ID of the service principal using: GET https://app.vssps.visualstudio.com/_apis/profile/profiles/me?api-version=5.1
  2. Use the extracted member ID to get the list of accessible organizations: GET https://app.vssps.visualstudio.com/_apis/accounts?memberId={memberId}&api-version=5.1

The issue arises in step 2: the API does not return the expected list of organizations for the service principal.

Is there an alternative API or recommended approach to retrieve the list of all Azure DevOps organizations that a service principal has access to?

Thanks in advance!

Azure DevOps

Answer accepted by question author

Arko 4,180 Reputation points Moderator
2025-04-02T10:22:33.9633333+00:00

Hello Jai Garg, as discussed, the API https://app.vssps.visualstudio.com/_apis/accounts?memberId=<id> is intended to be used in a user context, specifically with a user Object ID (OID) from Azure AD (Entra). When using the client credentials flow with a service principal, this endpoint doesn't return the expected results because service principals aren't treated the same way as users in this context.

If your goal is to list Azure DevOps organizations for an identity, the supported way is to use the OAuth2 Authorization Code flow with a real user account. Alternatively, for testing purposes, you can use a Personal Access Token (PAT) tied to a user, which works reliably with this API.

As of now, there's no public API that supports listing organizations for a service principal via the client credentials flow. The service principal can still be used to access specific Azure DevOps organizations it’s been added to, but discovering all accessible orgs programmatically isn't supported in this flow.

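Since the accepted answer says a service principal can use the organizations it was added to but cannot enumerate them, the following added example (not code from this thread or from Microsoft) audits a caller-supplied list of candidate organization names by calling each one's Projects list API with the service principal's bearer token. The function names and the sample organization names are hypothetical, and the mapping of 401/403 to "denied" and 404 to "not found" is an assumption about how the service responds.

```python
import json
import urllib.error
import urllib.parse
import urllib.request


def http_get(url, token):
    """Bearer-authenticated GET; returns (status, body) even on HTTP errors."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}", "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe_org(org, token, get=http_get):
    """Classify one candidate organization by calling its Projects list API."""
    url = ("https://dev.azure.com/" + urllib.parse.quote(org, safe="")
           + "/_apis/projects?api-version=7.1")
    status, body = get(url, token)
    if status in (401, 403):
        return {"access": "denied", "projects": []}
    if status == 404:
        return {"access": "not_found", "projects": []}
    if status == 200:
        try:
            names = sorted(p["name"] for p in json.loads(body)["value"])
            return {"access": "granted", "projects": names}
        except (ValueError, KeyError, TypeError):
            pass  # a 200 with a non-JSON body (e.g. a sign-in page) is not proof of access
    return {"access": "unknown", "projects": []}


def audit_orgs(candidates, token, get=http_get):
    """Map each candidate organization name to its probe result."""
    return {org: probe_org(org, token, get) for org in candidates}


if __name__ == "__main__":
    # Constructed responses so the example runs offline; omit `get` for real use.
    def fake_get(url, token):
        if "/contoso-dev/" in url:
            return 200, '{"count": 2, "value": [{"name": "Web"}, {"name": "Api"}]}'
        return (401, "") if "/contoso-fin/" in url else (404, "")

    orgs = ["contoso-dev", "contoso-fin", "gone"]
    for org, result in audit_orgs(orgs, "TOKEN", fake_get).items():
        print(org, result)
```

Comparing the "granted" set against the organizations the service principal is supposed to be in gives a simple least-privilege check for that identity.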
