Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,351 questions
How to set up a multi tenant application so my users can authorize Azure DevOps apis to be called
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 5%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESH%3C/text%3E%3C/svg%3E)
Sophie Higgins
0
Reputation points
I've set up an application in Microsoft Entra Id following this documentation: https://video2.skills-academy.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow
I've then made changes to make it multi tenant following this: https://video2.skills-academy.com/en-us/entra/identity-platform/howto-convert-app-to-be-multi-tenant#multiple-tiers-in-multiple-tenants
I've granted the following API permissions
And I'm passing the scope into the authorize url scope parameter like so: scope=user.read%20https%3A%2F%2Fapp.vssps.visualstudio.com%2Fvso.project%20https%3A%2F%2Fapp.vssps.visualstudio.com%2Fvso.graph%20https%3A%2F%2Fapp.vssps.visualstudio.com%2Fvso.work%20https%3A%2F%2Fapp.vssps.visualstudio.com%2Fvso.work_full%20offline_access
When I try to use any user/organisation account to sign up there's always an error saying that the scope does not exist e.g. error=invalid_scope&error_description=The%20provided%20value%20for%20the%20input%20parameter%20%27scope%27%20is%20not%20valid.%20The%20scope%20%27user.read%20https://app.vssps.visualstudio.com/vso.code%20https://app.vssps.visualstudio.com/vso.graph%20https://app.vssps.visualstudio.com/vso.work%20https://app.vssps.visualstudio.com/vso.work_full%20offline_access%27%20does%20not%20exist.
I get the same error if I pass in completely invalid scope values. So I suspect I'm doing something wrong in the set-up of permissions in entra or the format of the parameter.
Anyone know what's going wrong?
{count} votes
-
James Hamil 22,976 Reputation points Microsoft Employee2024-07-02T16:00:04.0033333+00:00 Hi @Sophie Higgins , please refer to this document to make sure you have the right permissions. It does look like yours are correct though. Can you please check the following troubleshooting steps and let me know your results?
- Make sure that the scope values that you are passing in the authorize URL are valid and correspond to the permissions that your application needs to call the Azure DevOps APIs. You can find a list of valid scope values for Azure DevOps APIs in the Azure DevOps documentation.
- Make sure that the scope values are URL-encoded correctly. It looks like you are already URL-encoding the scope values, but you might want to double-check to make sure that the encoding is correct.
- Make sure that your application is registered in the Azure portal with the correct permissions to call the Azure DevOps APIs. You can check the application's permissions in the Azure portal under "API permissions".
- Make sure that your application is authorized to call the Azure DevOps APIs on behalf of users from different tenants. You can check this in the Azure portal under "Authentication" and make sure that the "Accounts in any organizational directory (Any Azure AD directory - Multitenant)" option is selected.
Please let me know and I can help you further.
Best,
James
Sign in to comment