Logic App Unauthorized to Send HTTPS request to DevOps

Question

Logic App Unauthorized to Send HTTPS request to DevOps

Andre 45

I am trying to setup a recurring logic app that gets a snapshot of our DevOps wiki and saves it into our Storage Container. When I trigger the Logic app to run it fails when trying to send an HTTP Request to the Azure DevOps API.

The error is...

{
  "status": 401,
  "message": "TF400813: The user 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa' is not authorized to access this resource.\r\nAzure DevOps ActivityId: 21840274-6bb7-4422-a630-286ead7d9440\r\nDetails: {\"$id\":\"1\",\"innerException\":null,\"message\":\"TF400813: The user 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa' is not authorized to access this resource.\",\"typeName\":\"Microsoft.TeamFoundation.Framework.Server.UnauthorizedRequestException, Microsoft.TeamFoundation.Framework.Server\",\"typeKey\":\"UnauthorizedRequestException\",\"errorCode\":0,\"eventId\":3000}\r\nclientRequestId: 1b08f899-0332-4658-9387-73e9762a7f03",
  "error": {
    "message": "TF400813: The user 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa' is not authorized to access this resource.\r\nAzure DevOps ActivityId: 21840274-6bb7-4422-a630-286ead7d9440\r\nDetails: {\"$id\":\"1\",\"innerException\":null,\"message\":\"TF400813: The user 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa' is not authorized to access this resource.\",\"typeName\":\"Microsoft.TeamFoundation.Framework.Server.UnauthorizedRequestException, Microsoft.TeamFoundation.Framework.Server\",\"typeKey\":\"UnauthorizedRequestException\",\"errorCode\":0,\"eventId\":3000}"
  },
  "source": "vsts-eus2.azconn-eus2-004.p.azurewebsites.net"
}

I feeel like I have everything setup correctly. The basic auth in the header is the PAT in base64. Any ideas?

User's image

send an http req to azure devops step

Andre 45 Reputation points

2023-07-06T21:47:12.86+00:00

@Pramod Valavala I have confirmed that the PAT has full access. I also tried using the HTTP step but I only get application/json response type. I need it to be a zip file.

Answer accepted by question author

0 additional answers

Your answer

Andre 45 Reputation points

2023-07-06T21:47:12.86+00:00

@Pramod Valavala I have confirmed that the PAT has full access. I also tried using the HTTP step but I only get application/json response type. I need it to be a zip file.

Answer 1

Pramod Valavala 20,656 Microsoft Employee Moderator

UPDATE: There is a limitation in the connector as mentioned in the docs for the Send an HTTP request to Azure DevOps action which prevents it from working with the Wiki APIs.

@Andre Could you confirm if the user, for whom you've created the person access token, can access the wiki?

Instead, you should directly use the HTTP Action if you would like to use a PAT instead of the connector. If so, make sure the user for whom you've created the PAT for has access to the wiki.

If you are using a different account for the logic app, check the wiki permissions to ensure this user has access.

Pramod Valavala 20,656 Reputation points Microsoft Employee Moderator

2023-07-06T22:07:11.1866667+00:00

@Andre To get the response as a zip file, you need to set the Accept header to application/zip in the request.
Andre 45 Reputation points

2023-07-07T13:12:11.9433333+00:00

@Pramod Valavala Thank you. It's now in Azure storage as content type "zip". However, when I download it, it's of type "file". It's not like a traditional zip folder that I can extract. The blob type is "Block Blob".
Pramod Valavala 20,656 Reputation points Microsoft Employee Moderator

2023-07-13T22:00:27.4566667+00:00
@Andre You should be able to still open it using a zip application or simply just rename the file to have the .zip extension.

I've confirmed this works by running the following curl command for reference

curl --request GET \ --url 'https://dev.azure.com/org/project/_apis/wiki/wikis/wiki/pages?recursionLevel=full&path=%2Fpath' \ --header 'Accept: application/zip' \ --header 'Authorization: Basic ...' > data.zip

Then I was able to open the zip file.
Andre 45 Reputation points

2023-07-14T17:30:12.7933333+00:00

@Pramod Valavala Does what comes after basic need to be base64 encoded?
Andre 45 Reputation points

2023-07-14T17:50:24.4233333+00:00

you should directly use the HTTP Action if you would like to use a PAT instead of the connector

I got it working with the HTTP action but I would like to use it with the Azure DevOps action. Why won't it work?
Pramod Valavala 20,656 Reputation points Microsoft Employee Moderator

2023-07-14T18:47:48.51+00:00
@Andre You should be able to use the DevOps Actions as well but in that case you shouldn't use the PAT, just setup the account connection with the connector instead. You can click the "Change connection" link at the bottom of the action for the same.

After Basic, it's the same as what you already have in your request. For reference, it would be of the form

Basic <base64 of username>:<pat>
Andre 45 Reputation points

2023-07-14T20:23:40.0966667+00:00
@Pramod Valavala I'm connected using my log in. I have access because I can go into DevOps with my org and do anything as an admin. I did this request with the Authorization header and still got a 401:

TF400813: The user is not authorized to access this resource.
Pramod Valavala 20,656 Reputation points Microsoft Employee Moderator

2023-07-20T13:45:52.9633333+00:00

@Andre Just to confirm, this works with the HTTP Action, right?

As for the Dev Ops Action, you don't need to set the Authorization Header, it is set by the action automatically. Could you confirm if the action fails even without the header set?
Andre 45 Reputation points

2023-07-20T14:02:50.69+00:00

@Pramod Valavala Yes, HTTP works. No DevOps doesn't working without the Auth header. The below fails for me.
Pramod Valavala 20,656 Reputation points Microsoft Employee Moderator

2023-07-20T14:49:57.2866667+00:00

@Andre You will have to use the HTTP Action directly instead.
Andre 45 Reputation points

2023-07-20T14:51:24.8533333+00:00

@Pramod Valavala So no idea why it's not working?
Pramod Valavala 20,656 Reputation points Microsoft Employee Moderator

2023-07-20T14:56:31.39+00:00

@Andre Sorry about that. Looks like I accidentally removed a line from my last comment without realizing.

There is a limitation in the connector as mentioned in the docs for the Send an HTTP request to Azure DevOps action which prevents it from working with the Wiki APIs.

Share via

Logic App Unauthorized to Send HTTPS request to DevOps

0 additional answers

Your answer