Greetings my fellow Technology Advocates and Specialists.
In this Troubleshooting Session, I will demonstrate, how I resolved the encountered error - "Full Scoped PAT is restricted by your Organisation".
One day, in hour of need, I encountered the above error, when I tried creating a full scoped PAT (Personal Access Token) in my DevOps Organisation.
Details of my DevOps Organisation follows below:-
| KEY | VALUE |
|---|---|
| DevOps Organisation URL | https://dev.azure.com/AM0704 |
| DevOps Organisation Owner | AM@mitra008.onmicrosoft.com |
| DevOps Project | AMCLOUD |
| DevOps Service Connection | amcloud-cicd-service-connection |
Generate a Full Scoped PAT in DevOps Organisation:-
 |
|---|
 |
Below is how the error looks like with "Full Access" Scope option greyed out:-
 |
|---|
The User Account/Identity in reference is:-
- Owner of DevOps Organisation.
- Global Administrator of the Directory.
 |
|---|
 |
Also, DevOps Organisation policies CANNOT be viewed from the same User Account/Identity:-
 |
|---|
When referred to Microsoft documentation Use policies to manage personal access tokens for users, it clearly states that the User Account/Identity must be an "Azure DevOps Administrator" in Azure AD to manage DevOps Organisation Policies.
 |
|---|
We now proceed to Assign "Azure DevOps Administrator" Role to the reference User Account/Identity:-
 |
|---|
 |
 |
 |
As observed,
We are able to successfully view the DevOps Organisation policies using the same reference User Account/Identity.
The Policy "Restrict full-scoped personal access token creation" is enabled with No users in allow list. Hence the above error.
 |
|---|
In order to be able to create Full Scoped PAT, below actions should be taken:-
- Keep the Policy enabled but add one or more User account/Identity in the allow list; OR
- Disable the Policy.
 |
|---|
 |
In both cases, User will be allowed to create Full Scoped PAT.
 |
|---|
Hope You Enjoyed the Session!!!
Stay Safe | Keep Learning | Spread Knowledge
Top comments (0)