The azuredevops_user_entitlement resource doesn't work with the System Token provided in an Azure DevOps pipeline

[JustinDroege]

Terraform (and Azure DevOps Provider) Version

Terraform Version: 1.8
Azure Devops Provider Version: 1.1.1
Azure Devops Services & Managed Build Agents

Affected Resource(s)

• azuredevops_user_entitlement

Terraform Configuration Files

resource "azuredevops_user_entitlement" "this" {
  principal_name       = 'user@user.de'
}

Expected Behavior

Currently, we are using the Terraform provider in the context of an Azure DevOps Services pipeline. We are using the $System.AccessToken to set the environment variable AZDO_PERSONAL_ACCESS_TOKEN. In the provider configuration, we apply the Azure DevOps Organization ID. When the pipeline is executed, we expect to be able to authorize users from the same Entra instance, which is also used by the Azure DevOps Organization, to be part of the Organization.

Actual Behavior

We receive an error stating that it is not possible and that the users are not part of the directory. The output looks like this:
Error: Creating user entitlement: Adding user entitlement: (5102) You are trying to invite a user from outside your directory, but something went wrong. Please contact Azure DevOps support.

With a personal token (PAT), everything works fine, so the user is part of the directory. We also tried giving the Build Service account all permissions.

Steps to Reproduce

1. Use the azure_devops_entitlement resource and set a valid UPN.
2. Set the organization ID in the provider configuration block:

provider "azuredevops" {
  org_service_url = 'bla'
}

3. Execute the apply in an Azure DevOps Pipeline with the given $System.AccessToken: AZDO_PERSONAL_ACCESS_TOKEN=$(System.AccessToken) terraform apply

References

• azuredevops_user_entitlement not working when using Service Principal authentication #1026

[xuzhang3]

PAT is a bit different from the System.AccessToken, they have different permission scopes
More details:
https://registry.terraform.io/providers/microsoft/azuredevops/latest/docs/guides/authenticating_using_the_personal_access_token

[JustinDroege]

@xuzhang3 Thx for the fast answer. We already knew that and therefore tried adding the Build Service to the Project Collection Administrators and disabled the feature "Limit job authorization scope to current project for non-release pipelines", but this didn’t help us. Do you know if it’s even possible to set the scope for inviting users on a System Token?

[xuzhang3]

@JustinDroege you may need to update the permission for collection build service accounts
More details:
https://learn.microsoft.com/en-us/azure/devops/pipelines/process/access-tokens?view=azure-devops&tabs=yaml

The token's permissions are derived from (a) job authorization scope and (b) the permissions you set on project or collection build service account.

[JustinDroege]

Hey, I did some research and it seems that Azure DevOps currently doesn't support this use case. I tried all the different configurations mentioned in your link. I also tried the same with the CLI and got the same error. I guess our solution will be to use a technical user with the correct permissions and use the PAT from that user. Thanks for your help. I think we can close this now :)

@xuzhang3