Azure DevOps PAT Authentication Issue - 403/203 Errors
I’m working with Azure DevOps and using a Global FULL Personal Access Token (PAT) across multiple organizations. This PAT is integrated into several Azure-hosted workflows to perform various API requests.
Problem: I’ve noticed that if I don’t log into the associated account via a browser for a certain period (sometimes as short as a day), I start receiving 403 or 203 errors when the workflows try to perform API requests on Azure DevOps. Interestingly, once I log into the account through the browser, the workflows resume normal operation without any errors.
What I’ve tried: So far, I’ve been manually logging into the account through the browser to resolve the issue, but this is not a sustainable solution.
Expected Outcome: I’m looking for a way to prevent these errors from occurring, even if I don’t log into the account via a browser for extended periods.
Any insights or suggestions would be greatly appreciated. Thank you!
For organizations backed by Microsoft Entra ID, you have 90 days to sign in with your new PAT, otherwise it's considered inactive. Besides, you can check whether you have enabled Sign-in frequency policy in your Microsoft Entra ID.
In addition to using a PAT, you can use a service principal to call REST API via a Microsoft Entra token. You don't need to rotate it like a PAT, which must be laboriously rotated every so often (minimum 180 days). Besides, Microsoft Entra tokens expire every hour and must be regenerated with a refresh token to get a new access token, which limits the overall risk factor when leaked.
- Create an application service principal in Azure portal.
- Add the service principal to each of your organizations and assign it with a license and specific permissions.
- Acquiring an access token for the service principal and use this token to access Azure DevOps resources. There is a PowerShell example for your reference.
$tenantId = '{Tenant ID}'
$clientId = '{Application (client) ID of your service principle} '
$clientSecret = '{The secret value of your service principle}'
$scope = "499b84ac-1321-427f-aa17-267ca6975798/.default"
#Format web request body
$body = @{
'grant_type' = 'client_credentials'
'client_id' = $clientId
'client_secret' = $clientSecret
'scope' = $scope
}
#Send request for OAuth authentication to receive token
$Response = Invoke-RestMethod https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token -ContentType 'application/x-www-form-urlencoded' -Method POST -Body $body
# Format Auth token into useable header
$accessHeader = @{
'Authorization' = 'Bearer ' + $Response.access_token
'Accept' = "application/json"
}
# Test connection/get project
$requestUrl = "https://dev.azure.com/{Orgname}/_apis/projects/{Projectname}?api-version=7.1-preview.4"
Invoke-RestMethod -uri $requestUrl -Method GET -Headers $accessHeader
See the detailed info about using service principals to authenticate from Use service principals & managed identities.
- Azure yaml trigger pipeline every 14 days on a Saturday
- How can I give a containerRegistry to a DevcontainersCi task in an Azure DevOps YAML Pipeline?
- How to assign organization-level permissions to create repositories across all projects in organization in Azure DevOps?
- Updating Node js on internal windows ADO build agent
- Authenticating using the Azure CLI is only supported as a User (not a Service Principal)
- DotNetCLI@2 pack seems to be ignoring configuration inputs
- Build a pipeline in AzureDevOps for Sql Server on prem to run sql scripts
- How to format Azure DevOps console Logs
- How to follow the entire wiki in Azure DevOps?
- Issue with Azure key vault and Azure storage account deployment
- Publishing external POM Package to Azure Artifacts Feed Error
- lionbridge-connector on Azure Artifacts gives Dependency Error
- How to allow an empty string for a runtime parameter?
- Azure - RBAC to Management Group
- Python (Dash) web app deployment on Azure with pipeline running too long with message Building wheel for pandas still running. How to optimize?
- No 'Import a pipeline' button in Azure DevOps
- ASP.NET Azure Web App Pipeline: No package found with specified pattern: D:\a\1\s\**\*.zip
- Error when creating a pipeline. "You don’t appear to have an active Azure subscription."
- ADO YAML Pipelines | How to get secret variable from a variable group based on the value of another variable
- Azure Devops - Get release definitions by agent pool ID
- Azure Pipelines using YAML for multiple environments (stages) with different variable values but no YAML duplication
- How to specify which version of nuget.exe to use with self-hosted agent in Azure DevOps?
- Login failed for user '<token-identified principal>' while authorizing to SQL Server via Service Principal from AAD group assigned
- Azure DevOps - JFrogNuget Error - Error occurred while executing task: Error: Command failed
- Access Azure DevOps Pipeline Artifacts from different organization
- Initiate Azure DevOps Release Pipeline from Logic App and Retrieve Environment Variable Output from the pipeline
- Is it necessary to switch from the Hosted XML to the Inheritance Process Model after a migration
- Why is Azure Pipelines installing the wrong .NET SDK version (according to global.json)
- Azure pipeline does't allow to git push throwing 'GenericContribute' permission is needed
- Azure Devops - How to START one stage before parallel stages?