Azure-devops-docs: Guidance for Non-interactive Service

FYI. https://docs.microsoft.com/en-us/vsts/integrate/get-started/authentication/pats?view=vsts

+1 for a real non-interactive solution.
We would like to sync user stories from another application. PATs are not a good option because our corporate network prevents logging in interactively with service accounts, so we would be forced to use a real person's account. Is there a S2S way to do this, perhaps with an AAD Application?

Adding @willsmythe here to help answer. Will, if there is a doc change coming from this please reach out and I'll knock it out.

I'm on my personal laptop right now so I can post the code that we ended up writing. IIRC it was just a matter of creating a credential object with a blank username and the PAT in the password field. That isn't documented on MSDN but I found it through a blog or stackoverflow.

@rifuller
Would you be so kind to post your solution? Did you find a way to register a AzureAD service principal for a Azure DevOps project? For me service principals are not listed on the DevOps Security dialogs.
As ordinary user accounts are no longer granted to be used as technical/service accounts in our organization, PATs of user accounts aren't an option for authenticated headless services.

@rifuller Richard Fuller FTE
Would you be so kind to post your solution? Did you find a way to register a AzureAD service principal for a Azure DevOps project? For me service principals are not listed on the DevOps Security dialogs.
As ordinary user accounts are no longer granted to be used as technical/service accounts in our organization, PATs of user accounts aren't an option for authenticated headless services.

Hi @Michaelvsk, is your service account mail-enabled? What I've found is that mail and domain logon enabled service accounts _are_ visible in AAD whereas domain-logon only accounts are not. (My terminology may be inaccurate there but those are the kinds I have to choose from internally). I ran into a similar issue when trying to grant a domain account access to a key vault - one service account was in the AAD tenant and the other wasn't.

Though if the service account is present in AAD, then it should be possible for an administrator to then to grant it access to an AzureDevops Organization.

If you can do that, then it's possible to use the AAD ADAL library to request an OAuth token (using the account's username and password) to the Azure Devops API and use the TokenHttpClient library (in the Microsoft.VisualStudio.Services.DelegatedAuthorization namespace) to create a PAT for the service account that can then be used in a programmatic manner.

Does that help? I haven't gone through all the steps end to end but that's the guidance I've been given. In my earlier response I was able to do that with a PAT I created for my account:
c# string pat = keyvault.GetSecretAsync(patSecretIdentifier).Result; this._creds = new VssBasicCredential(string.Empty, pat);

I was hoping for a possibility to use service principals and not ordinary AAD accounts. But I couldn't find a way to give these principals permissions to DevOps projects.
I will try your solution using a AAD account with a PAT. Thanks for the code snippet.

All the authentication method for accessing Azure Devops service is interactive except one(which still needs interaction through user specific device like mobile). We are trying it access the azure devops rest api's using the Microsoft AADHttpClient by registering a AAD app and adding the azure devops service in the permissions(same as adal js). But as the services are interactive the rest api fails with 302 error stating non authorative. Is there any way to access the rest api's as we cannot give user the login pop up as he has already been logged in to the site which is protected by AAD authentication.

Hey everyone, there's a decent amount of history on this issue. I think for quicker answers, questions like these are better for Stack Overflow or the Azure DevOps Developer Community. You will get better answers there from the product team, and then if there is a docs consequence, please reach back out and we can coordinate making a change. Tagging @willsmythe again for awareness, and to also see if this guidance is something we want to document.

@elbatk It's next to impossible to navigate the link you sent. I'm in the same boat. Specifically, I'm caught in a position where I want to track Work item changes and have the following concerns:

1. I want a long-running service untied to a specific user (the service should run when I'm gone)
2. I want the service to run in an Azure Function (the service should run on an arbitrary machine)
3. I have no real control over how DevOps pushes WorkItemUpdates, except the built-in services & email
4. I need to reference other work items than what is pushed in the update.

Specifically, what I'm trying to accomplish is a hosted app that reads the Work Item Update output, and can add context to the work item via Pull Requests, Parent objects, etc; information that isn't included in the notification. I don't want this app to care who the user is.

I feel as if the developers above are having the same concerns.

I'm also stuck using PAT for an Azure function, however it is not practical to renew it, I tried getting a token with the Devops app registration data, but all I get is
{
"Error": "invalid_client",
"ErrorDescription": "Invalid client auth token."
}

Please accept our apology for the significant delay in addressing this issue.

It looks like you're working through an issue with the product itself, rather than an issue with the documentation. Here are a few options where you might consider asking your question:

• Azure DevOps on Stack Overflow
• Azure DevOps Support Bot

Thats not true. The problem is the documentation gives the impression that non-pat auth is possible, when it isnt.

Thanks for the additional context.

@willsmythe is this something you can look at soon?

@JimsonChalissery - can you help on this?

Since my comment triggered this, I thought I should perhaps clarify what I meant.

As far as I can tell, the following statements are correct

• Service Principals in Azure AD is the more common way to handle api access for services, since it doesn't require a specific service account.
• You can't use a Service Principal for auth to the devops api for a non-interactive service, because it requires a delegated permission which is always done on behalf of real, logged in user - thus requires interaction.
• You can use a Personal Access Token to auth the devops api. This token belongs to a specific user account. You can create a service account user, but it will cost you a license.
• There is no good way to do auth towards the devops api for a non-interactive service. They all require user interaction or a fake user service account or similar.

The documentation doesnt explicitly say this, which means anyone looking to find a way to authenticate a non-interactive service will search for how to do that, land on the documentation page for this issue, go through the matrix and find the one instance that says non-interactive, and then get confused. I think if the page just was update to say "The Azure DevOps API doesn't support non-interactive service access" everything would be clearer.

Hi @rifuller and @Zazcallabah, I've updated the documentation, adding the following note to this article: "The Azure DevOps API doesn't support non-interactive service access." This update should be live within the next few hours. Thank you!

@chcomley that statement isn't entirely accurate. It is possible to generate a PAT for a service account and call the APIs with it as the password. Other typical auth flows like app-only OAuth aren't supported as best I can tell.

Thank you, @rifuller, I've adjusted the statement, which should be live sometime this morning. We appreciate it!

For any others landing on this page I created a feedback item to request service principals be supported.

https://developercommunity.visualstudio.com/content/idea/696523/support-for-non-interactive-service-access-via-ser.html