Why a migrated AzDo pipeline stopped working (hint: scoped-tokens)
Dec 10, 2025
A customer pinged me on Teams with an issue: a maintenance pipeline that ran on a cron job suddenly stopped doing its thing after a recent Azure DevOps project migration. They used AzDo Project A before and I helped them set up project B.
Cause
The pipeline used a script that looped over all repos in a project via REST API. But under the new project, the automatically-assigned job token only had permissions to the repository it was currently checking out (or those explicitly defined). Repos that weren’t referenced simply vanished from the API results. Even though the build service identity had read permissions on all repos, the token’s scope restriction meant the script saw only a subset.
The reason was actually kind of simple: the new project had much stricter security defaults. Turns out, Microsoft enabled a more restrictive default for new projects created since May 2020. Since we migrated from a pre-2020 project, this setting in the new project blocked all access to repos that weren’t checked out by the pipeline.

Fix
One option is to explicitly declare all repos in your YAML under resources/repositories and add a checkout for each repo before using REST:
resources:
  repositories:
  # Declare every repo the script needs to see
  - repository: SpaceGameWebReact
    name: SpaceGameWeb/SpaceGameWebReact
    type: git
  - repository: FabrikamFiber
    name: FabrikamFiber/FabrikamFiber
    type: git
  - repository: FabrikamChat
    name: FabrikamFiber/FabrikamChat
    type: git
steps:
# An explicit checkout brings each declared repo into the job token's scope
- checkout: SpaceGameWebReact
- checkout: FabrikamFiber
- checkout: FabrikamChat
Then give permission at the first usage via the AzDo UI.

Or, easier but riskier, if you don’t want to list everything: you can disable the “scoped-token” setting by going to Project Settings > Pipelines > Settings and turning off Protect access to repositories in YAML pipelines. Then all pipelines (!) get a token with broader scope.

References
Check out this how-to on Microsoft Learn and discover details about job access tokens.
TL;DR
Scoped tokens are great for security, but blocking if you ever rely on “give me all repos” scripts. If you depend on full repo-list introspection or mass-maintenance jobs, make sure your pipeline explicitly references every repo, or disable scoped-token mode (with consent from the security team, ideally).
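An added example (not part of the original post or the customer's script): a guard that a mass-maintenance job can run first, so a scoped job token fails the run loudly instead of silently processing a subset of repos. The expected-repo inventory and the sample API response are constructed, and it assumes System.AccessToken is mapped into the step as the SYSTEM_ACCESSTOKEN environment variable.

```python
"""Fail a 'list all repos' job when the job token sees fewer repos than expected."""
import json
import os
import urllib.parse
import urllib.request


def fetch_visible_repos(org_url: str, project: str, token: str) -> dict:
    """Call the Git 'Repositories - List' REST endpoint with the job token."""
    url = (f"{org_url.rstrip('/')}/{urllib.parse.quote(project)}"
           "/_apis/git/repositories?api-version=7.1")
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def missing_repos(api_response: dict, expected: set) -> list:
    """Return the expected repo names that are absent from the API result."""
    # Compared case-insensitively (assumption: inventory casing may differ).
    visible = {repo["name"].casefold() for repo in api_response.get("value", [])}
    return sorted(name for name in expected if name.casefold() not in visible)


# Constructed sample: a scoped token that was only given one referenced repo.
SAMPLE_SCOPED_RESPONSE = {
    "count": 1,
    "value": [{"id": "00000000-0000-0000-0000-000000000001", "name": "FabrikamFiber"}],
}
# Hypothetical inventory, maintained outside the pipeline.
EXPECTED_REPOS = {"SpaceGameWebReact", "FabrikamFiber", "FabrikamChat"}


def main() -> int:
    org_url = os.environ.get("SYSTEM_COLLECTIONURI")
    token = os.environ.get("SYSTEM_ACCESSTOKEN")
    if org_url and token:  # running inside a pipeline job
        response = fetch_visible_repos(org_url, os.environ["SYSTEM_TEAMPROJECT"], token)
    else:  # offline run against the constructed sample
        response = SAMPLE_SCOPED_RESPONSE
    missing = missing_repos(response, EXPECTED_REPOS)
    if missing:
        # Logging command that surfaces the problem as a pipeline error.
        print(f"##vso[task.logissue type=error]Job token cannot see: {', '.join(missing)}")
        return 1
    return 0


if __name__ == "__main__":
    raise SystemExit(main())
```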