Greetings my fellow Technology Advocates and Specialists.
In this Troubleshooting Session, I will demonstrate how I resolved the error "Full Scoped PAT is restricted by your Organisation".
One day, in an hour of need, I encountered the above error when I tried to create a full-scoped PAT (Personal Access Token) in my DevOps Organisation.
Details of my DevOps Organisation follow below:-
| Item | Value |
| --- | --- |
| DevOps Organisation URL | https://dev.azure.com/AM0704 |
| DevOps Organisation Owner | AM@mitra008.onmicrosoft.com |
| DevOps Service Connection | amcloud-cicd-service-connection |
Generate a Full Scoped PAT in DevOps Organisation:-
Below is how the error looks, with the "Full Access" Scope option greyed out:-
The User Account/Identity in reference is:-
- Owner of DevOps Organisation.
- Global Administrator of the Directory.
Also, DevOps Organisation policies CANNOT be viewed from the same User Account/Identity:-
The Microsoft documentation "Use policies to manage personal access tokens for users" clearly states that the User Account/Identity must be an "Azure DevOps Administrator" in Azure AD to manage DevOps Organisation Policies.
We now proceed to Assign "Azure DevOps Administrator" Role to the reference User Account/Identity:-
We are able to successfully view the DevOps Organisation policies using the same reference User Account/Identity.
The Policy "Restrict full-scoped personal access token creation" is enabled with No users in allow list. Hence the above error.
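In order to be able to create a Full Scoped PAT, one of the below actions should be taken:-
- Keep the Policy enabled but add one or more User Accounts/Identities to the allow list; OR
- Disable the Policy.
In both cases, the User will be allowed to create a Full Scoped PAT. With the allow list, only the listed users can do so; with the Policy disabled, every user in the Organisation can.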
Hope You Enjoyed the Session!!!
Stay Safe | Keep Learning | Spread Knowledge