This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 57.00000000000001%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAT%3C/text%3E%3C/svg%3E)
I have registered an application in my organization's Azure and I have set up OAuth using Angular/ASP.NET to use that application. There are two things I'm trying to achieve:
On the second item, my guest users are able to log in and retrieve access tokens, but the access tokens they retrieve only seem to be usable on their own organization's DevOps. So, I'm Org A, and my guest is from Org B. When my guest logs into my application, they can only access Org B's API. If they attempt to access Org A's API, they will get a 203 response with the "Azure DevOps Services Sign In" screen returned. I want them to access Org A's API.
I have been following this "Authenticate with Azure Active Directory (Azure AD) tokens" (https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/manage-personal-access-tokens-via-api?view=azure-devops#authenticate-with-azure-active-directory-azure-ad-tokens).
Where am I going wrong here? Please send help.
@Andrew Tarr
Thank you for the detailed post!
From the Azure AD side of things, it sounds like users in your DevOps Org/ Azure AD tenant aren't having any issues retrieving an access token and using it to access your DevOps org via REST API. However, guest users that are invited to your Azure AD tenant aren't able to perform the same operations via REST API.
Additional Links:
Access Azure DevOps REST API with oAuth - The answer on this Stack Overflow thread is very detailed and will hopefully help point you in the right direction.
Authorize access to REST APIs with OAuth 2.0
Choose the right authentication mechanism
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
@Andrew Tarr
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?
I have been following this tutorial: "Authenticate with Azure Active Directory (Azure AD) tokens" (https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/manage-personal-access-tokens-via-api?view=azure-devops#authenticate-with-azure-active-directory-azure-ad-tokens). I also followed the answer from this question on this forum: https://learn.microsoft.com/en-us/answers/questions/769153/authenticate-azure-devops-build-rest-api-through-a.html.
Guest users to my organization receive a 203 response with the "Azure DevOps Services Sign In" screen returned.
Regarding the links you shared: I previously had things set up using the DevOps OAuth sign in as you shared, but this didn't work for guest users. They got 203 responses. So I moved away from the DevOps app registration and put it in an Azure app registration. But, it seems as though I ended up with the exact same result.
@Andrew Tarr
Thank you for following up on this!
HTTP 203: Partial Information
When received in the response to a GET command, this indicates that the returned metainformation is not a definitive set of the object from a server with a copy of the object, but is from a private overlaid web. This may include annotation information about the object, for example.
From your error message, can you share a screenshot of how you're sending your requests?
#Here's how to get a list of team projects in a Azure DevOps Services organization:
curl -u {username}[:{personalaccesstoken}] https://dev.azure.com/{organization}/_apis/projects?api-version=2.0
#If you provide the personal access token through an HTTP header, you'll have to convert it to a Base64 string
#Please make sure to include a leading colon on the PAT, before base64 encoding.
Authorization: Basic BASE64PATSTRING
Additional Links:
Assemble the request
Azure DevOps REST API: Keep Getting HTTP 203
I hope this helps!
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
This is how I'm sending a request:
curl --location --request GET 'https://vsaex.dev.azure.com/{organizationName}/_apis/userentitlements?api-version=6.0' --header 'Authorization: Bearer <Access Token>'
This only works if the "organizationName" in the URL is the organization that the owner of the access token belongs to (in my example above, this would be Organization B).
I want the owner of the access token, who is a "Guest" user and stakeholder in my organization, to get a token that will allow them to access my organization's API with (Organization A).
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Devops / TFS is not currently supported here on Q&A. The product group for Azure DevOps / TFS actively monitors questions over at
https://developercommunity.visualstudio.com/report?space=21&entry=problem
https://developercommunity.visualstudio.com/report?space=22&entry=problem
https://azure.microsoft.com/en-in/support/devops/
--please don't forget to upvote and Accept as answer if the reply is helpful--
This question refers to an Azure App registration, which has permissions configured for Azure DevOps (user_impersonation). The whole thing is set up in the Azure portal, not in Azure DevOps. Is that not applicable here?
@Andrew Tarr
Thank you for following up on this!
I'm not too familiar with curl requests or the DevOps REST API, but from the doc that you followed, it shares an example of how to make the curl request. Can you see if a Guest user can make a call using the same format for the curl or GET request?
Example: Use Azure AD access token to make the List PATs request:
# The example doesn't contain a the --locaiton or --request GET parameter.
curl -H "Authorization: Bearer <Azure AD token>" "https://vssps.dev.azure.com/{organization}/_apis/Tokens/Pats?api-version=6.1-preview"
#This doc describes how to use the Access Token. Since the request is specifically a GET, curl isn't used.
GET https://dev.azure.com/myaccount/myproject/_apis/build-release/builds?api-version=3.0
Authorization: Bearer {access_token}
I'd also make sure that your Access Token is valid and decodes correctly - https://jwt.ms/.
As shared by @Anonymous , since the issue is with the DevOps REST API, I'd also recommend reaching out to our DevOps experts via their Developer Community.
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.