dotnet
Somes users cannot use Helix artifacts tab
I've been looking at helping V-WEXU, who is unable to access our service.
When I trace through the logs, we are trying to make this call: https://vssps.dev.azure.com/dnceng/_apis/graph/descriptors/d32a9dfa-d10f-421d-aecd-786ddf108789?api-version=5.0-preview.1, and it's returning 404, even though it definitely, definitely should not. The user in question is logged in and present in AzDO, so they should be returning a user.
@mmitche or @MattGal: I vaguely recall something about users "not existing" in AzDO and needed to be added... somewhere... could this be an example of that? Do we need to add this persons identity somewhere?
I dunno...if they are internal msft, then it's possible we needed to add them to the dnceng-public Readers group?
It's on internal (public is totally anonymous). If it doesn't sound like something familiar, I'll open an IcM to figure out why she's getting "not found".
Created https://portal.microsofticm.com/imp/v3/incidents/details/337671713
I dunno...if they are internal msft, then it's possible we needed to add them to the dnceng-public Readers group?
I don't see an update here, did you try adding them directly to the internal project? It wouldn't be dnceng-public though.
Is that a thing we need to do? I'm happy to try whatever might work, it's just odd she can view the all the information in internal... implying she's got some sort of user information... but it's only our extension that isn't working.
I didn't want to just create a bunch of noise in the project unnecessarily.
I also don't actually know how to "add a user"... There are no buttons on the user page.
The IcM has resolved, apparently there is some extra code we need to do that we are getting lucky most of the time:
If you want to convert the deployment level to the organization level you can make use of the Graph API. Read the bit about Storage Keys and Descriptors in the description. And then you can make use of the specific apis as follows:
Resolve the storage key (deployment level id) to a descriptor (notice there is no organization specified here) https://vssps.dev.azure.com/_apis/Graph/descriptors/ (e.g. https://vssps.dev.azure.com/_apis/Graph/descriptors/bbb0c9c1-704c-41a9-81fe-072f8da6f9ac)
You need to save the value "aad.*** " (the descriptor) and then use it in a call including the organization name you want to resolve to the organization level Storage Key: https://vssps.dev.azure.com/{organization}/_apis/Graph/StorageKeys/aad.**** and now you have the value of the organization level id returned which you can use for your request.
I'm going to unassign this and pop it back on the backlog, since it looks like we have a little work to do. It shouldn't be too hard to add these couple extra calls to the controller, I hope.
Darn it, the workaround doesn't work, because I can't create a PAT that has "deployment level" access. I reactivated the IcM.
@ChadNedzlek AzDO got back to us with this feedback: "they recomend you use PAT for your extension and for this particular API this PAT should have 'vso.Graph' scope."
Let me know if this is what we're already doing so I can follow up with them about it.
I... don't know what that means. I have no idea how to specify a scope, or get the PAT for an extension. @alexperovich doesn't either.
I replied to AzDO asking for guidance on how to specify scope for the PAT and how to get a PAT for that extension. (I recall you mentioning that there is a lack of documentation in this space.)
@ChadNedzlek can you pick this up again? I looked at the attached ICM and it appears to have been closed.
As we have not heard anything about this issue for several months, I am going to close it. If this is still a problem, please re-open it.