How to set up a multi-tenant application so my users can authorize Azure DevOps APIs to be called

Sophie Higgins 0 Reputation points
2024-07-02T14:40:22.1766667+00:00

I've set up an application in Microsoft Entra Id following this documentation: https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow
I've then made changes to make it multi tenant following this: https://learn.microsoft.com/en-us/entra/identity-platform/howto-convert-app-to-be-multi-tenant#multiple-tiers-in-multiple-tenants 

I've granted the following API permissions: [screenshot not reproduced: Screenshot 2024-07-02 at 15.28.16]

And I'm passing the scope into the authorize url scope parameter like so: scope=user.read%20https%3A%2F%2Fapp.vssps.visualstudio.com%2Fvso.project%20https%3A%2F%2Fapp.vssps.visualstudio.com%2Fvso.graph%20https%3A%2F%2Fapp.vssps.visualstudio.com%2Fvso.work%20https%3A%2F%2Fapp.vssps.visualstudio.com%2Fvso.work_full%20offline_access

When I try to use any user/organisation account to sign up there's always an error saying that the scope does not exist e.g. error=invalid_scope&error_description=The%20provided%20value%20for%20the%20input%20parameter%20%27scope%27%20is%20not%20valid.%20The%20scope%20%27user.read%20https://app.vssps.visualstudio.com/vso.code%20https://app.vssps.visualstudio.com/vso.graph%20https://app.vssps.visualstudio.com/vso.work%20https://app.vssps.visualstudio.com/vso.work_full%20offline_access%27%20does%20not%20exist.

I get the same error if I pass in completely invalid scope values. So I suspect I'm doing something wrong in the set-up of permissions in Entra or the format of the parameter.

Anyone know what's going wrong?

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. James Hamil 24,571 Reputation points Microsoft Employee
    2024-07-02T16:00:04.0033333+00:00

    Hi @Sophie Higgins , please refer to this document to make sure you have the right permissions. It does look like yours are correct though. Can you please check the following troubleshooting steps and let me know your results?

    1. Make sure that the scope values that you are passing in the authorize URL are valid and correspond to the permissions that your application needs to call the Azure DevOps APIs. You can find a list of valid scope values for Azure DevOps APIs in the Azure DevOps documentation.
    2. Make sure that the scope values are URL-encoded correctly. It looks like you are already URL-encoding the scope values, but you might want to double-check to make sure that the encoding is correct.
    3. Make sure that your application is registered in the Azure portal with the correct permissions to call the Azure DevOps APIs. You can check the application's permissions in the Azure portal under "API permissions".
    4. Make sure that your application is authorized to call the Azure DevOps APIs on behalf of users from different tenants. You can check this in the Azure portal under "Authentication" and make sure that the "Accounts in any organizational directory (Any Azure AD directory - Multitenant)" option is selected.

    Please let me know and I can help you further.

    Best,

    James

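The authorize request the question assembles by hand, and the error redirect it quotes, as an added worked example (this is not code from the question, the answer or Microsoft). It keeps the scopes as a list and joins them with single spaces so the encoder emits `%20`, uses the `common` authority that a multitenant registration needs, adds PKCE and a `state` value (additions for a proper code-flow client; the thread does not show them), and decodes an error redirect so the scope string Entra rejected can be compared with what was sent. The client ID and redirect URI are placeholders, and the sample error redirect is constructed from the error text in the question with a `state` appended.

```python
import base64
import hashlib
import re
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Placeholders, not values from the thread: substitute your app registration's.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://localhost:5001/signin-oidc"

# The scopes the question passes, kept as a list. The v2 endpoint expects them
# joined with single spaces; the encoder then turns each space into %20.
REQUESTED_SCOPES = [
    "user.read",
    "https://app.vssps.visualstudio.com/vso.project",
    "https://app.vssps.visualstudio.com/vso.graph",
    "https://app.vssps.visualstudio.com/vso.work",
    "https://app.vssps.visualstudio.com/vso.work_full",
    "offline_access",
]

# Constructed from the error_description quoted in the question, with a state
# value appended so the CSRF check below has something to compare against.
SAMPLE_ERROR_REDIRECT = (
    REDIRECT_URI
    + "?error=invalid_scope&error_description=The%20provided%20value%20for%20the%20input"
    "%20parameter%20%27scope%27%20is%20not%20valid.%20The%20scope%20%27user.read%20"
    "https://app.vssps.visualstudio.com/vso.code%20https://app.vssps.visualstudio.com/vso.graph"
    "%20https://app.vssps.visualstudio.com/vso.work%20https://app.vssps.visualstudio.com/"
    "vso.work_full%20offline_access%27%20does%20not%20exist.&state=abc123"
)


def make_pkce_pair():
    """Return (code_verifier, code_challenge) for PKCE with the S256 method (RFC 7636)."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(scopes, state, code_challenge, tenant="common",
                        client_id=CLIENT_ID, redirect_uri=REDIRECT_URI):
    """Build the v2 /authorize URL.

    tenant="common" is the multitenant authority: users from any Entra tenant can
    sign in. Each scope must be a single token; a list element containing a space
    means the caller already joined the list once and would double-encode it.
    """
    for scope in scopes:
        if not scope or any(ch.isspace() for ch in scope):
            raise ValueError(f"malformed scope entry: {scope!r}")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    # quote_via=quote encodes spaces as %20; the default quote_plus would emit '+'.
    query = urlencode(params, quote_via=quote)
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?{query}"


def parse_error_redirect(redirect_url, expected_state):
    """Decode the query string Entra sends back on failure.

    The state is checked before anything else is trusted: a mismatch means the
    response does not belong to a request this app started.
    """
    query = parse_qs(urlsplit(redirect_url).query)
    state = query.get("state", [None])[0]
    if state != expected_state:
        raise ValueError("state mismatch: response is not for our request")
    return {
        "error": query.get("error", [None])[0],
        "description": query.get("error_description", [""])[0],
    }


def rejected_scopes(description):
    """Split the scope string Entra echoes in an invalid_scope error back into a list."""
    match = re.search(r"The scope '([^']*)' does not exist", description)
    return match.group(1).split() if match else []


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    print(build_authorize_url(REQUESTED_SCOPES, state="abc123", code_challenge=challenge))
    err = parse_error_redirect(SAMPLE_ERROR_REDIRECT, expected_state="abc123")
    print(err["error"], rejected_scopes(err["description"]))
```

Comparing the list `rejected_scopes` returns with the list you passed to `build_authorize_url` tells you whether the encoding survived the round trip (the scopes come back as separate tokens, with `://` intact) or whether the problem lies with the scope values themselves, which is the distinction the troubleshooting steps above ask you to make.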
