1
votes

When accessing Azure DevOps via REST API through PowerShell, the Personal Access Token (PAT) used for authentication needs Full access.

PAT scope setting

When the PAT is set to Custom defined access with every scope enabled, some requests fail:

Invoke-RestMethod : The remote server returned an error: (401) Unauthorized.

Why is Full access not equal to Custom defined access with every scope enabled and maximal permissions? Is it not possible to limit the PAT to the scopes actually concerned by the request?

Edit: The concerned REST API request:

GET https://dev.azure.com/{organization}/{project}/_apis/build/latest/{definition}?api-version=5.1-preview.1
2
Might be helpful to provide the API request you are sending. - Anthony Klotz
I have the same issue. Even with all permissions enabled, I am unable to use a specific endpoint. If I select Full Access instead, it works. Endpoint in my case: "dev.azure.com{org}/{projectguid}/_api/_identity/AddTeamAdmins?api-version=5.1-preview.1" I do a POST to add an administrator to a project team. Did you figure out why this was the case? - JakeUT
Btw, this worked with a custom defined scope until about a week ago. Now it requires full access. Any idea? - JakeUT
I've never figured out the reason for this odd behavior. I started to use default credentials to authenticate the REST requests whenever possible to avoid dealing with PATs. - millo

2 Answers

0
votes

For this issue, I tested the API you listed. I tried selecting only Read access in the Build scope, and the PAT works fine.


I also tried setting Custom defined access with every scope enabled; obviously this also works fine.

For some special APIs, we can only use Full access, because not all scopes are listed in Custom defined access. The scopes of some special-case APIs are not defined in Custom defined access. For example, the API is tracked from the browser's Network and is not documented in the official documentation. You can refer to this case.

The API you use is documented in the documentation; you can try testing it in Postman to see if you get the same result.

0
votes

I was trying to download a file using curl and this needed a PAT. In GitHub it worked without a PAT. When I set Personal Access Token to Full Access in Azure DevOps Settings it worked fine. So I set Custom then enabled all of the custom defined access scopes.

I had to click the button at the bottom:

Show all scopes in PAT settings

This listed all of the scopes; when I enabled all of them, authentication worked. I then disabled 5 at a time and retested and found the one I needed was Token Administration [Read & Manage] only.

Token Administration Scope Image
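
The retest step used above when narrowing scopes can be scripted. This is an added example, not code from any of the posters: it sends the GET request from the question with a PAT and reports whether the current scope selection is accepted or answered with 401. The function name `Test-PatAccess` and the environment variable `AZDO_PAT` are assumptions, and `{organization}`, `{project}` and `{definition}` are the question's placeholders, to be replaced with real values.

```powershell
# Added example: check whether a PAT's current scopes are enough for one request.
# Assumption: the PAT is supplied in the environment variable AZDO_PAT (hypothetical
# name) so that it is not hardcoded in the script or saved in shell history.
function Test-PatAccess {
    param(
        [Parameter(Mandatory)] [string] $Uri,
        [Parameter(Mandatory)] [string] $Pat
    )

    # A PAT is sent as the password of HTTP Basic auth with an empty user name.
    $token   = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(":$Pat"))
    $headers = @{ Authorization = "Basic $token"; Accept = 'application/json' }

    try {
        $resp   = Invoke-WebRequest -Uri $Uri -Headers $headers -Method Get -UseBasicParsing
        $status = [int]$resp.StatusCode
    }
    catch {
        # Windows PowerShell 5.1 and PowerShell 7 throw different exception types,
        # but both expose the HTTP response with a StatusCode property.
        $response = $_.Exception.Response
        $status   = if ($response) { [int]$response.StatusCode } else { 0 }  # 0 = no HTTP response
    }

    # Only a plain 200 counts as success for this GET; 401 means the scopes
    # currently selected on the PAT do not cover the request.
    [pscustomobject]@{
        Uri        = $Uri
        Status     = $status
        Authorized = ($status -eq 200)
    }
}

# Request from the question; replace the placeholders before running.
$uri = 'https://dev.azure.com/{organization}/{project}/_apis/build/latest/{definition}?api-version=5.1-preview.1'
Test-PatAccess -Uri $uri -Pat $env:AZDO_PAT
```

Run it after each change to the PAT's scopes; the output object never contains the token itself, so it is safe to paste into a ticket or log.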