azuredevops_user_entitlement not working when using Service Principal authentication
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform (and Azure DevOps Provider) Version
Terraform version: 1.8.0 (also happens with earlier versions)
Azure DevOps provider tested with 1.0.0 and 1.0.1
Affected Resource(s)
azuredevops_user_entitlement
Terraform Configuration Files
provider "azuredevops" {
  org_service_url = "https://dev.azure.com/dev-org-demo"
  tenant_id       = var.tenant_id
  client_id       = var.client_id
  client_secret   = var.client_secret
}

resource "azuredevops_user_entitlement" "add_external_maintainers" {
  principal_name = "[email protected]"
}
Debug / Trace Output
2024-04-16T10:12:05.769+0200 [ERROR] provider.terraform-provider-azuredevops_v1.0.1: Response contains error diagnostic: @module=sdk.proto tf_req_id=760ca8d1-df95-2593-91b1-12991ce551c9 tf_proto_version=5.3 tf_provider_addr=registry.terraform.io/microsoft/azuredevops @caller=github.com/hashicorp/[email protected]/tfprotov5/internal/diag/diagnostics.go:55 diagnostic_detail="" diagnostic_severity=ERROR diagnostic_summary="Creating user entitlement: Adding user entitlement: (5102) You are trying to invite a user from outside your directory, but something went wrong. Please contact Azure DevOps support." tf_resource_type=azuredevops_user_entitlement tf_rpc=ApplyResourceChange timestamp="2024-04-16T10:12:05.768+0200"
2024-04-16T10:12:05.791+0200 [ERROR] vertex "azuredevops_user_entitlement.add_external_maintainers["[email protected]"]" error: Creating user entitlement: Adding user entitlement: (5102) You are trying to invite a user from outside your directory, but something went wrong. Please contact Azure DevOps support.
2024-04-16T10:12:05.791+0200 [TRACE] vertex "azuredevops_user_entitlement.add_external_maintainers["[email protected]"]": visit complete, with errors
Expected Behavior
User should be added to the corresponding Azure DevOps organization.
Actual Behavior
User never gets created or entitled inside of Azure DevOps.
Steps to Reproduce
terraform apply
Important Factoids
I have tested this: when using a "normal" user account with the same permissions as the Service Principal (Member of "Project Collection Administrators") with a PAT inside of the provider, everything works as expected. As soon as I switch again to Service Principal authentication, I am getting the error above. I am also using some other Azure DevOps resources with SP authentication which are working fine in the same code (e.g. azuredevops_group_entitlement), so for me this couldn't be a permission problem of the Service Principal.
Interesting, we have been seeing the exact same error while trying to add an azuredevops_user_entitlement with PAT. Using provider 1.0.1 as well.
@jemag does the invitation work for you if you invite via the portal with the same user or not? If it isn't working in the portal, maybe also check the Entra ID guest invitation settings.
Please disregard my comment; the PAT used was of the wrong user, without the proper permissions to create the user_entitlement. Not quite sure why it gave that message in this particular situation. Either way, excuse my mistake.
We have essentially the same problem. With a PAT, everything works fine, but when we use the $System.AccessToken provided in a pipeline, we receive the same error. We also tried giving the Build Service Account, which is used for the pipeline, all permissions, but we were not successful. Is this a bug, or are we missing something?
Also facing the same issue. Any progress on that?