DEV Community

Cover image for Error: Full scoped PAT is restricted by your organisation
Arindam Mitra
Arindam Mitra

Posted on • Edited on

Error: Full scoped PAT is restricted by your organisation

Greetings my fellow Technology Advocates and Specialists.

In this Troubleshooting Session, I will demonstrate, how I resolved the encountered error - "Full Scoped PAT is restricted by your Organisation".

One day, in hour of need, I encountered the above error, when I tried creating a full scoped PAT (Personal Access Token) in my DevOps Organisation.

Details of my DevOps Organisation follows below:-

KEY VALUE
DevOps Organisation URL https://dev.azure.com/AM0704
DevOps Organisation Owner AM@mitra008.onmicrosoft.com
DevOps Project AMCLOUD
DevOps Service Connection amcloud-cicd-service-connection

Generate a Full Scoped PAT in DevOps Organisation:-

Image description
Image description

Below is how the error looks like with "Full Access" Scope option greyed out:-

Image description

The User Account/Identity in reference is:-

  1. Owner of DevOps Organisation.
  2. Global Administrator of the Directory.
Image description
Image description

Also, DevOps Organisation policies CANNOT be viewed from the same User Account/Identity:-

Image description

When referred to Microsoft documentation Use policies to manage personal access tokens for users, it clearly states that the User Account/Identity must be an "Azure DevOps Administrator" in Azure AD to manage DevOps Organisation Policies.

Image description

We now proceed to Assign "Azure DevOps Administrator" Role to the reference User Account/Identity:-

Image description
Image description
Image description
Image description

As observed,

  1. We are able to successfully view the DevOps Organisation policies using the same reference User Account/Identity.

  2. The Policy "Restrict full-scoped personal access token creation" is enabled with No users in allow list. Hence the above error.

Image description

In order to be able to create Full Scoped PAT, below actions should be taken:-

  1. Keep the Policy enabled but add one or more User account/Identity in the allow list; OR
  2. Disable the Policy.
Image description
Image description

In both cases, User will be allowed to create Full Scoped PAT.

Image description

Hope You Enjoyed the Session!!!

Stay Safe | Keep Learning | Spread Knowledge

Top comments (0)