Open wi5nia opened 12 months ago
To add more context, the issue that is described is exactly the same as https://developercommunity.visualstudio.com/t/build-agent-calling-azure-devops-rest-api-exceptio/660783
POST https://vssps.dev.azure.com/yyyyyyy/_apis/Graph/Groups HTTP/1.1
Host: vssps.dev.azure.com
User-Agent: go/go1.18.1 (windows amd64) azure-devops-go-api/7.1.220.1 (dev) terraform-provider-azuredevops/v0.9.1
Content-Length: 51
Accept: application/json;api-version=7.1-preview.1
Authorization: Bearer %jwt_token%
Content-Type: application/json;charset=utf-8
X-Tfs-Fedauthredirect: Suppress
X-Tfs-Session: xxxx-3a17-4496-bd80-7234bf7196b8
Accept-Encoding: gzip
{"originId":"xxxx-2b24-470a-abc2-f830687a354e"}
HTTP/1.1 503 Service Unavailable
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 2277
Content-Type: application/json; charset=utf-8; api-version=7.1-preview.1
Expires: -1
P3P: CP="CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOC CNT"
X-TFS-ProcessId: xxxx-c120-4883-85f7-2dc5f2438eca
Strict-Transport-Security: max-age=31536000; includeSubDomains
ActivityId: xxxx-f9e0-4f07-b9de-c7a59c53886b
X-TFS-Session: xxxx-3a17-4496-bd80-7234bf7196b8
X-VSS-E2EID: xxxx-f9e0-4f07-b9de-c7a59c53886b
X-VSS-SenderDeploymentId: xxxx-39e8-4313-9ff3-23ace0f8f4cf
X-VSS-UserData: xxxx-4f2c-4786-94db-625742a99ff0:xxxxx-8ff9-4ab2-9cdb-43ff960dd619
X-FRAME-OPTIONS: SAMEORIGIN
Request-Context: appId=cid-v1:xxxx-b90c-42de-941e-931f9b06ee5f
Access-Control-Expose-Headers: Request-Context
X-Content-Type-Options: nosniff
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 768AB29019B340FE9FAC30A63BEF4644 Ref B: BUH01EDGE0322 Ref C: 2023-10-12T10:49:33Z
Date: Thu, 12 Oct 2023 10:49:33 GMT
{"count":2167,"value":"Microsoft.VisualStudio.Services.Aad.AadAccessException: The requesting identity (CUID 00000000-0000-0000-0000-000000000000) does not have permission to access the tenant (76f33c20-5979-4408-adf7-8b3c4be95e52).\r\n at Microsoft.VisualStudio.Services.Aad.SharedAadService.AuthorizeRequest(IVssRequestContext context, AadServiceRequest request, String& tenantId, Boolean& application) in D:\\a\\_work\\1\\s\\Vssf\\Sdk\\CloudServer\\AzureActiveDirectory\\SharedAadService.cs:line 641\r\n at Microsoft.VisualStudio.Services.Aad.SharedAadService.ProcessRequest[T](IVssRequestContext context, AadServiceRequest request, IAadPerfCounter counter, String operation) in D:\\a\\_work\\1\\s\\Vssf\\Sdk\\CloudServer\\AzureActiveDirectory\\SharedAadService.cs:line 287\r\n at Microsoft.VisualStudio.Services.Aad.SharedAadService.GetGroupsWithIds[T](IVssRequestContext context, GetGroupsWithIdsRequest`1 request) in D:\\a\\_work\\1\\s\\Vssf\\Sdk\\CloudServer\\AzureActiveDirectory\\SharedAadService.cs:line 183\r\n at Microsoft.VisualStudio.Services.Directories.DirectoryService.Components.GetAadGroupUsingOriginIdAsObjectId.ReadAadObjectsInSingleTenant(IVssRequestContext requestContext, IEnumerable`1 ids, String tenantId) in D:\\a\\_work\\1\\s\\Sps\\Service\\Identity\\Cloud.Extensions\\Directory\\FilterHelpers\\GetAadGroupUsingOriginIdAsObjectId.cs:line 39\r\n at Microsoft.VisualStudio.Services.Directories.DirectoryService.Components.GetAadObjectById`2.GetAadResponse(IVssRequestContext requestContext, IList`1 candidateMembers) in D:\\a\\_work\\1\\s\\Sps\\Service\\Identity\\Cloud.Extensions\\Directory\\FilterHelpers\\GetAadObjectById.cs:line 119\r\n at Microsoft.VisualStudio.Services.Directories.DirectoryService.Components.GetAadObjectById`2.GetAadObjectsUnchecked(IVssRequestContext requestContext, IList`1 candidateMembers) in D:\\a\\_work\\1\\s\\Sps\\Service\\Identity\\Cloud.Extensions\\Directory\\FilterHelpers\\GetAadObjectById.cs:line 96\r\n at Microsoft.VisualStudio.Services.Directories.DirectoryService.Components.GetAadObjectById`2.GetAadObjects(IVssRequestContext requestContext, IEnumerable`1 candidateMembers) in D:\\a\\_work\\1\\s\\Sps\\Service\\Identity\\Cloud.Extensions\\Directory\\FilterHelpers\\GetAadObjectById.cs:line 47"}
Hi,
I am trying to write some code which will link an ADO Group to an AAD Group. When we run this code locally, logged in as a user who is in the Project Collection Administrators group and also a Global Admin of the tenant to which the ADO organisation is connected, all is working just fine.
When I move my code and execution to ADO it starts to fail with this error.
Here is the Terraform code
And here is the ADO pipeline code
The project build account is part of the Project Collection Service Accounts group
Which is a part of the Project Collection Administrators group
The SPN which is used for the deployment has those permissions, and we are using federated identity.
Any ideas what could be the issue?
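The response in this issue is worth handling carefully on the client side: the status is 503 Service Unavailable, which most retry policies treat as transient, but the body is an `AadAccessException` saying the requesting identity (CUID shown as all zeros) does not have permission to access the tenant, which is an authorization failure that retrying will not fix. The following Go program is an added example, not code from the issue author or from the terraform-provider-azuredevops project: it parses the `{"count":..,"value":".."}` error shape seen above, distinguishes a permission failure from a genuinely transient 503, and pulls out the tenant id and CUID so the failing identity can be mapped back to the pipeline's service connection. The function name `ClassifyGraphResponse` and the `Diagnosis` type are assumptions; the sample body is constructed from the exception text in the issue with the stack trace trimmed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// vssErrorBody matches the error payload shape returned by the
// vssps.dev.azure.com Graph endpoint in this issue:
// {"count":2167,"value":"<exception text with stack trace>"}
type vssErrorBody struct {
	Count int    `json:"count"`
	Value string `json:"value"`
}

// Diagnosis is the result of classifying one HTTP response (assumed type).
type Diagnosis struct {
	Retryable bool   // true only for failures that may clear on retry
	Reason    string // short human-readable explanation
	TenantID  string // tenant named in an AadAccessException, if present
	CUID      string // requesting identity's CUID from the exception, if present
}

var (
	tenantRe = regexp.MustCompile(`access the tenant \(([0-9a-fA-F-]{36})\)`)
	cuidRe   = regexp.MustCompile(`\(CUID ([0-9a-fA-F-]{36})\)`)
)

// ClassifyGraphResponse inspects the status code and body together.
// A body carrying AadAccessException is an authorization problem even
// when the status line says 503, so it is reported as non-retryable.
func ClassifyGraphResponse(status int, body []byte) Diagnosis {
	var payload vssErrorBody
	// If the body is not this JSON shape, payload.Value stays empty and
	// classification falls through to the status-code rules below.
	_ = json.Unmarshal(body, &payload)

	if strings.Contains(payload.Value, "AadAccessException") {
		d := Diagnosis{
			Retryable: false,
			Reason:    "AadAccessException: identity lacks access to tenant; check the service connection's AAD mapping, not the retry count",
		}
		if m := tenantRe.FindStringSubmatch(payload.Value); m != nil {
			d.TenantID = m[1]
		}
		if m := cuidRe.FindStringSubmatch(payload.Value); m != nil {
			d.CUID = m[1]
		}
		return d
	}

	switch {
	case status == 429 || status == 502 || status == 503 || status == 504:
		return Diagnosis{Retryable: true, Reason: fmt.Sprintf("transient HTTP %d", status)}
	case status >= 200 && status < 300:
		return Diagnosis{Retryable: false, Reason: "success"}
	default:
		return Diagnosis{Retryable: false, Reason: fmt.Sprintf("HTTP %d", status)}
	}
}

// sampleBody is constructed from the exception text quoted in the issue,
// with the stack trace shortened; the \r\n escapes are decoded by the JSON parser.
const sampleBody = `{"count":2167,"value":"Microsoft.VisualStudio.Services.Aad.AadAccessException: The requesting identity (CUID 00000000-0000-0000-0000-000000000000) does not have permission to access the tenant (76f33c20-5979-4408-adf7-8b3c4be95e52).\r\n at Microsoft.VisualStudio.Services.Aad.SharedAadService.AuthorizeRequest(...)"}`

func main() {
	d := ClassifyGraphResponse(503, []byte(sampleBody))
	fmt.Printf("retryable=%v tenant=%s cuid=%s\nreason: %s\n", d.Retryable, d.TenantID, d.CUID, d.Reason)
}
```

An all-zero CUID like the one in the issue is a useful thing to surface in pipeline logs: it tells the operator that the token was accepted by Azure DevOps but the identity behind it did not resolve to a directory principal in that tenant, which points at the service connection and its federated identity setup rather than at ADO group membership.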