0
votes

I'm trying to use PowerShell to create a bug in DevOps using Service Principal authentication (Bearer token). Using my Personal Access Token I'm able to do it. Using the Bearer token, it asks me to sign in. How can I use the Bearer token without being asked to sign in? I need the whole process to be automated, with no interactive sign-in.

I'm successfully getting the Bearer token this way:

# Azure AD (v1 endpoint) client-credentials flow: app ID + client secret -> bearer token.
# Placeholder values; in a real pipeline read them from a secret store rather than the script.
$AppID    = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
$Secret   = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
$TenantID = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
# Audience of the requested token. Note this is the Azure Resource Manager resource, not Azure DevOps.
$Resource = "https://management.azure.com/"
$TokenUri = "https://login.microsoftonline.com/$TenantID/oauth2/token/"
$Body     = "client_id=$AppID&client_secret=$Secret&resource=$Resource&grant_type=client_credentials"

# The token endpoint expects a form-encoded POST body.
$TokenResult = Invoke-RestMethod -Uri $TokenUri -Body $Body -Method "POST" -ContentType "application/x-www-form-urlencoded"
$AccessToken = $TokenResult.access_token

Is there a setting in the Azure Active Directory setup I'm missing? Maybe something in the Authentication section or API Permissions? Thanks!

1
I believe I have found the problem. According to the Microsoft Guidance for Authentication (docs.microsoft.com/en-us/azure/devops/integrate/get-started/…), "The Azure DevOps API doesn't support non-interactive service access via service principals." So I can't do this with a service principal; going back to the business to see if they are ok with a PAT.
– Rich Uchytil

1 Answer

1
votes

Yes, as mentioned in the doc,

The Azure DevOps API doesn't support non-interactive service access via service principals.

which means you cannot use the Azure AD client credential flow to get a token to call the DevOps API (the script you provided uses this flow), as there is no access control for service principals in Azure DevOps. The supported ways are the user-involved ones, e.g. the auth code flow.

In this case, if you want to use a non-interactive way to call the DevOps REST API via powershell, there are two workarounds.

  1. Use the Azure AD ROPC flow in PowerShell. It is not recommended, because we need to expose the username and password in the request, which is not secure, and it will not work for MFA-enabled accounts.

  2. Use the PAT: just base64 encode the token, then call the REST API with Invoke-RestMethod. It is the recommended way.
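Worked example of the second workaround (added here as an illustration; this is not code from the question or the answer): creating a Bug work item in Azure DevOps with PAT Basic authentication and a JSON Patch body. The organisation name 'contoso', project name 'Platform', the AZDO_PAT environment variable and the field values are assumptions for the example.

```powershell
# Added example: non-interactive Azure DevOps work item creation with a PAT.
# Assumed placeholders: organisation 'contoso', project 'Platform', PAT in $env:AZDO_PAT.

$Organization = 'contoso'
$Project      = 'Platform'

# Never hard-code the PAT; read it from the pipeline secret store / environment at runtime.
$Pat = $env:AZDO_PAT
if ([string]::IsNullOrEmpty($Pat)) { throw 'AZDO_PAT is not set' }

# Azure DevOps accepts a PAT as HTTP Basic auth with an empty user name: base64(":<pat>").
$Base64Pat = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(":$Pat"))
$Headers   = @{ Authorization = "Basic $Base64Pat" }

# The work item type goes in the path as "$Bug"; single quotes stop PowerShell expanding it as a variable.
$Uri = "https://dev.azure.com/$Organization/$Project/_apis/wit/workitems/" + '$Bug?api-version=7.0'

# Create/update bodies are JSON Patch documents (RFC 6902), one "add" operation per field.
$Patch = @(
    @{ op = 'add'; path = '/fields/System.Title';       value = 'Login page returns HTTP 500 on empty password' }
    @{ op = 'add'; path = '/fields/System.Description'; value = 'Reproduced on build 1234 (constructed sample text).' }
    @{ op = 'add'; path = '/fields/Microsoft.VSTS.Common.Priority'; value = 2 }
)
# -InputObject keeps the array shape even if only one operation were supplied.
$BodyJson = ConvertTo-Json -InputObject $Patch -Depth 3

try {
    # Content-Type must be application/json-patch+json or the service rejects the body.
    $Result = Invoke-RestMethod -Uri $Uri -Method Post -Headers $Headers `
                                -ContentType 'application/json-patch+json' -Body $BodyJson
}
catch {
    # 401 here usually means an expired/revoked PAT or one without the Work Items (Read & write) scope.
    Write-Error ("Work item creation failed: {0}" -f $_.Exception.Message)
    throw
}

# An unauthenticated request does not always fail with 401: Azure DevOps may answer with an HTML
# sign-in page instead of JSON (the "asking me to sign in" symptom), so check the response shape.
if ($Result -is [string]) {
    throw 'Azure DevOps returned a sign-in page instead of JSON: the request was not authenticated (check the PAT and its scopes).'
}

Write-Output ("Created work item {0}: {1}" -f $Result.id, $Result.fields.'System.Title')
```

Create the PAT with only the Work Items (Read & write) scope and the shortest expiry the process allows, and inject it through the pipeline's secret variable mechanism rather than committing it with the script; the Basic header carries the PAT on every request, so the script's execution environment is effectively the token's trust boundary.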