Unable to list Azure DevOps Organization by Azure DevOps REST API using Service Principal returns empty list

Question

Unable to list Azure DevOps Organization by Azure DevOps REST API using Service Principal returns empty list

Gopalakrishnan G 0

Issue Summary:

I am trying to access Azure DevOps resources using the REST API with authentication via a Service Principal (SPN) created under the same Azure Tenant. Despite granting all necessary permissions, I am unable to retrieve the list of Azure DevOps organizations the Service Principal is a member of. Instead, the API returns an empty list.

Steps Taken

Added Service Principal as a User in Azure DevOps: The Service Principal has been successfully added as a user in my Azure DevOps organization.
Obtained Access Token for the Service Principal: I generated an access token for Azure DevOps using the Service Principal credentials.
Fetched memberID from the Profile API: I called the following API to retrieve the memberId: GET https://app.vssps.visualstudio.com/_apis/profile/profiles/me?api-version=7.1 Reference: https://learn.microsoft.com/en-us/rest/api/azure/devops/profile/profiles/get?view=azure-devops-rest-7.1&tabs=HTTP The API successfully returned a valid memberId.
Tried Listing Azure DevOps Organizations: Using the retrieved memberId, I called the following API to list all organizations associated with the Service Principal: GET https://app.vssps.visualstudio.com/_apis/accounts?memberId={memberId}&api-version=7.1 Reference: https://learn.microsoft.com/en-us/rest/api/azure/devops/account/accounts/list?view=azure-devops-rest-7.1&tabs=HTTP Issues: The API returns an empty list ([]) even though the Service Principal is a user in Azure DevOps. I've given all the permission associated with the Service Principal even though it fails. And I have tried with the Personal Access Token, it works fine. but, with Service Principal it always returns an empty array.
1. Why does the Service Principal fail to list the Azure DevOps organizations, while a Personal Access Token works? Are there additional permissions or configurations required for a Service Principal to access this API successfully?
2. How can I list the Azure DevOps organizations that my Service Principal has access to or is a member of using the REST API?
Any insights or solutions would be greatly appreciated!

Madugula Jahnavi 495 Reputation points Microsoft External Staff Moderator

2025-03-21T16:44:04.8433333+00:00

Gopalakrishnan G, Service Principals will not have a proper "membership" in Azure DevOps organizations in the same way as user accounts even though you added the SPN as a user. Have you performed any troubleshooting here initially?
Gopalakrishnan G 0 Reputation points

2025-03-24T04:52:56.2033333+00:00

"Answer removed as it was unknowingly posted as an answer instead of a comment."
Gopalakrishnan G 0 Reputation points

2025-03-24T04:58:08.52+00:00
Hi @Madugula Jahnavi , Thanks for your response. Yes, I have performed some troubleshooting steps:

Checked Permissions:

I have added the Service Principal (SPN) to the Project Collection Administrators group at the organization level.

Despite this, the API call to list organizations still returns an empty list.

Tested Different API Calls:

GET https://app.vssps.visualstudio.com/_apis/accounts?memberId={memberId}&api-version=7.1

I called the following API. Initially, I used memberId, but since that didn’t work, I also tried using ownerId with the SPN’s Service Principal ID or Object ID.

Instead of an empty response, I now receive the following error:

This suggests that the Service Principal lacks permission to access UserAccountMappings for retrieving organization details.

Could you clarify whether listing organizations via this API is supported for Service Principals? If not, what alternative approach would you recommend for achieving this functionality?
Anonymous

2025-03-24T10:32:04.3733333+00:00

Hi @Gopalakrishnan G,

Can you also share details about how did you generate access token? and the API permissions blade screenshot of Microsoft Entra ID application?
Anonymous

2025-03-24T11:29:54.5833333+00:00
Hello @Gopalakrishnan G,

I added Service Principal as Project Contributors under the Organization settings:

Generated access token like below:

When called the List accounts API, got empty response:

Unfortunately, Service Principal is not supported for calling the list Accounts API.

Alternatively, you can make use of below API to call Azure DevOps Organizations using a Microsoft Entra ID application:

GET https://aexprodweu1.vsaex.visualstudio.com/_apis/EnterpriseCatalog/Organizations?tenantId=TenantID

Hope this helps!

Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.
Anonymous

2025-03-25T03:35:08.6833333+00:00

Hello Gopalakrishnan G,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help. Thank you for your response.
Gopalakrishnan G 0 Reputation points

2025-03-25T05:34:09.7633333+00:00

Hi @Rukmini Sorry for the Delayed response,

I have configured the Service Principal (SPN) as you described. Instead of adding it as a Project Contributor, I have assigned it to the Project Collection Administrator group, which has the highest level of permissions in the Azure DevOps organization.

Additionally, I am generating the access token using the same method you demonstrated. However, when calling the Get List Accounts API, I am still receiving an empty response.

When I called the list accounts API call, still getting an empty list.

Additionally, I have also attempted to retrieve Azure DevOps organizations using a Microsoft Entra ID application via the EnterpriseCatalog API you had mentioned. But still the response seems to be not clear.

Does the Service Principal require any additional Azure permissions or API permissions in Microsoft Entra ID (Azure AD) to successfully retrieve the list of Azure DevOps organizations? If so, what specific roles or API permissions need to be assigned?
Anonymous

2025-03-25T05:40:19.04+00:00

Hi @Gopalakrishnan G,

I also added API permission in the Microsoft Entra ID application like below:

Please try doing the same again by adding the API permission and check if you can call the EnterpriseCatalog API. Let me know if this helps.
Gopalakrishnan G 0 Reputation points

2025-03-25T06:03:32.8033333+00:00

Hi @Rukmini

I have added the User Impersonation API permission as suggested, but the EnterpriseCatalog API still returns an empty response.

Is there any additional permission I need to provide or any further configuration required?
Anonymous

2025-03-25T06:25:15.65+00:00

@Gopalakrishnan G No other permission is required can you confirm what is the tenant ID you are passing?
Gopalakrishnan G 0 Reputation points

2025-03-25T06:36:40.2766667+00:00

@Rukmini I am using the same tenant ID where the application is registered.
Anonymous

2025-03-25T08:30:58.3866667+00:00

Hi @Gopalakrishnan G, Let's continue the discussion in private messages for further clarity.
Anonymous

2025-03-26T03:07:44.7066667+00:00

Hello Gopalakrishnan G,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help. Thank you for your response.

1 answer

Your answer

Madugula Jahnavi 495 Reputation points Microsoft External Staff Moderator

2025-03-21T16:44:04.8433333+00:00

Gopalakrishnan G, Service Principals will not have a proper "membership" in Azure DevOps organizations in the same way as user accounts even though you added the SPN as a user. Have you performed any troubleshooting here initially?
Gopalakrishnan G 0 Reputation points

2025-03-24T04:52:56.2033333+00:00

"Answer removed as it was unknowingly posted as an answer instead of a comment."
Gopalakrishnan G 0 Reputation points

2025-03-24T04:58:08.52+00:00

Hi @Madugula Jahnavi , Thanks for your response. Yes, I have performed some troubleshooting steps:

Checked Permissions:

I have added the Service Principal (SPN) to the Project Collection Administrators group at the organization level.

Despite this, the API call to list organizations still returns an empty list.

Tested Different API Calls:

GET https://app.vssps.visualstudio.com/_apis/accounts?memberId={memberId}&api-version=7.1

I called the following API. Initially, I used memberId, but since that didn’t work, I also tried using ownerId with the SPN’s Service Principal ID or Object ID.

Instead of an empty response, I now receive the following error:

This suggests that the Service Principal lacks permission to access UserAccountMappings for retrieving organization details.

Could you clarify whether listing organizations via this API is supported for Service Principals? If not, what alternative approach would you recommend for achieving this functionality?
Anonymous

2025-03-24T10:32:04.3733333+00:00

Hi @Gopalakrishnan G,

Can you also share details about how did you generate access token? and the API permissions blade screenshot of Microsoft Entra ID application?
Anonymous

2025-03-24T11:29:54.5833333+00:00

Hello @Gopalakrishnan G,

I added Service Principal as Project Contributors under the Organization settings:

Generated access token like below:

When called the List accounts API, got empty response:

Unfortunately, Service Principal is not supported for calling the list Accounts API.

Alternatively, you can make use of below API to call Azure DevOps Organizations using a Microsoft Entra ID application:

GET https://aexprodweu1.vsaex.visualstudio.com/_apis/EnterpriseCatalog/Organizations?tenantId=TenantID

Hope this helps!

Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.
Anonymous

2025-03-25T03:35:08.6833333+00:00

Hello Gopalakrishnan G,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help. Thank you for your response.
Gopalakrishnan G 0 Reputation points

2025-03-25T05:34:09.7633333+00:00

Hi @Rukmini Sorry for the Delayed response,

I have configured the Service Principal (SPN) as you described. Instead of adding it as a Project Contributor, I have assigned it to the Project Collection Administrator group, which has the highest level of permissions in the Azure DevOps organization.

Additionally, I am generating the access token using the same method you demonstrated. However, when calling the Get List Accounts API, I am still receiving an empty response.

When I called the list accounts API call, still getting an empty list.

Additionally, I have also attempted to retrieve Azure DevOps organizations using a Microsoft Entra ID application via the EnterpriseCatalog API you had mentioned. But still the response seems to be not clear.

Does the Service Principal require any additional Azure permissions or API permissions in Microsoft Entra ID (Azure AD) to successfully retrieve the list of Azure DevOps organizations? If so, what specific roles or API permissions need to be assigned?
Anonymous

2025-03-25T05:40:19.04+00:00

Hi @Gopalakrishnan G,

I also added API permission in the Microsoft Entra ID application like below:

Please try doing the same again by adding the API permission and check if you can call the EnterpriseCatalog API. Let me know if this helps.
Gopalakrishnan G 0 Reputation points

2025-03-25T06:03:32.8033333+00:00

Hi @Rukmini

I have added the User Impersonation API permission as suggested, but the EnterpriseCatalog API still returns an empty response.

Is there any additional permission I need to provide or any further configuration required?
Anonymous

2025-03-25T06:25:15.65+00:00

@Gopalakrishnan G No other permission is required can you confirm what is the tenant ID you are passing?
Gopalakrishnan G 0 Reputation points

2025-03-25T06:36:40.2766667+00:00

@Rukmini I am using the same tenant ID where the application is registered.
Anonymous

2025-03-25T08:30:58.3866667+00:00

Hi @Gopalakrishnan G, Let's continue the discussion in private messages for further clarity.
Anonymous

2025-03-26T03:07:44.7066667+00:00

Hello Gopalakrishnan G,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help. Thank you for your response.

Answer 1

Anonymous

Hi Gopalakrishnan G, collating the discussed steps in a single answer for ease of documentation.

As already discussed, in my case No other permission is required.

In my case I added Service Principal as Project Contributors under the Organization settings:

enter image description here

Generated access token like below:


GET https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id: ClientID

client_secret: Secret

scope: 499b84ac-1321-427f-aa17-267ca6975798/.default

grant_type: client_credentials

enter image description here

When called the List accounts API, got empty response:


GET https://app.vssps.visualstudio.com/_apis/accounts?memberId={memberId}&api-version=7.1

enter image description here

Unfortunately, Service Principal is not supported for calling the list Accounts API.

Alternatively, you can make use of below API to call Azure DevOps Organizations using call the EnterpriseCatalog API:


GET https://aexprodweu1.vsaex.visualstudio.com/_apis/EnterpriseCatalog/Organizations?tenantId=TenantID

enter image description here

I also added API permission in the Microsoft Entra ID application like below:

User's image

If you are still facing any issue, I have reached out to you over private message so that I can guide you better for the particular step where you are failing. We can connect offline to resolve the issue.

Anonymous

2025-03-27T03:17:49.2133333+00:00

Hi Gopalakrishnan G, Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes, if you have any further query do let us know.
Anonymous

2025-03-28T03:15:15.5166667+00:00

Hi Gopalakrishnan G, Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes, if you have any further query do let us know.
Gopalakrishnan G 0 Reputation points

2025-03-28T05:45:13.87+00:00

Hi @Rukmini

Sorry for the delayed response. The Enterprise Catalog API (/EnterpriseCatalog/Organizations) is not a suitable alternative because it only returns organizations tied to an Enterprise Agreement (EA) subscription. Since my organizations include personal and other non-EA subscription-based ones in my Tenant, this API returns an empty response. That’s why, even with all permissions granted to the SPN from Azure Devops Organization and API permissions from Azure, it still gets an empty result. Additionally, this API lists all organizations in the tenant, regardless of whether the SPN has access to them.

EnterpriseCatalog API:
https://aexprodweu1.vsaex.visualstudio.com/_apis/EnterpriseCatalog/Organizations?tenantId=TenantID
Anonymous

2025-03-28T08:39:25.15+00:00

Hi Gopalakrishnan G, I understand that you want to fetch only the organizations that SPN has access to. But based Microsoft Documentation it is not possible to fetch the desired output with SPN as SPN does not support calling the list Accounts API as of now.

As an alternative solution, I provided the Enterprise Catalog API which returns organizations tied to an Enterprise Agreement (EA) subscription. But since this is not suitable for you as your organizations include personal and other non-EA subscription you are getting empty response.

I would take this as a feedback and share it with our internal product group.
Gopalakrishnan G 0 Reputation points

2025-04-02T06:02:43.4133333+00:00

Hi @Rukmini , Good day!

Can you please confirm whether the EnterpriseCatalog API returns only organizations that are tied to an Enterprise Agreement (EA) subscription? I couldn't find solid documentation on this—my understanding is based on web sources.

Additionally, I assume that since my organization is not linked to an Enterprise Agreement subscription, the API is returning an empty response. Could you please confirm if this is the expected behavior?

Thank you!
Anonymous

2025-04-02T09:06:24.4266667+00:00

Hi Gopalakrishnan G, Yes the EnterpriseCatalog API returns only organizations that are tied to an Enterprise Agreement (EA) subscription**.** If your organization is not linked to an EA, the API will likely return an empty response
Anonymous

2025-04-09T04:35:26.4366667+00:00

Hi Gopalakrishnan G, Hope my suggestion was useful for you. Please feel free to ask if you have any additional query on this.
Anonymous

2025-04-09T07:20:18.5833333+00:00

Hello Gopalakrishnan G,

As discussed Service Principal is not supported for calling the list Accounts API and it is a product limitation. Hence the workaround is to use EnterpriseCatalog API but this API returns only organizations that are tied to an Enterprise Agreement (EA) subscription. Since your organizations are not tied to an Enterprise Agreement (EA) subscription you are getting empty response.

Hence I recommend to share your feedback on Ideas · Community with proper business justification for the feature request, as this is closely monitored by our team.
Gopalakrishnan G 0 Reputation points

2025-04-11T05:04:34.2466667+00:00

Sure @Rukmini Thank you for the response. I’ll go ahead and share the feedback on the Ideas forum with the necessary business justification.
Anonymous

2025-04-11T05:23:01.9766667+00:00

@Gopalakrishnan G, If you have any further questions, feel free to reach out. If the response was helpful, we’d appreciate it if you could click "Accept Answer", as it can help others in the community facing similar issue.

Share via

Unable to list Azure DevOps Organization by Azure DevOps REST API using Service Principal returns empty list

1 answer

Your answer