I have a .NET Web API that I use to interact with the Azure DevOps API for creating and updating Work Items on Azure DevOps Boards of various organizations and DevOps projects. Currently, I’m using a Personal Access Token (PAT) from my own account for authentication, but I want to eliminate the use of this PAT for obvious reasons.
I have registered an Application in Azure and given it the vso.work_full permissions. I have also added an Authentication Service to my application.
```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public class AzureDevOpsAuthService
{
    private readonly IConfidentialClientApplication _clientApp;

    public AzureDevOpsAuthService(string clientId, string clientSecret, string tenantId)
    {
        // Confidential client (app registration + secret) for the given tenant.
        _clientApp = ConfidentialClientApplicationBuilder.Create(clientId)
            .WithClientSecret(clientSecret)
            .WithAuthority(new Uri($"https://login.microsoftonline.com/{tenantId}"))
            .Build();
    }

    public async Task<string> GetAccessTokenAsync()
    {
        // Client-credentials flow against the Azure DevOps resource (no user involved).
        var result = await _clientApp
            .AcquireTokenForClient(new[] { "499b84ac-1321-427f-aa17-267ca6975798/.default" })
            .ExecuteAsync();
        return result.AccessToken;
    }
}
```
This failed to work, giving me the following error:
```text
Microsoft.VisualStudio.Services.Common.VssServiceException: TF401444: Please sign-in at least once as {CENSORED TENANT ID} in a web browser to enable access to the service.
   at Microsoft.VisualStudio.Services.WebApi.VssHttpClientBase.HandleResponseAsync(HttpResponseMessage response, CancellationToken cancellationToken)
   at Microsoft.VisualStudio.Services.WebApi.VssHttpClientBase.SendAsync(HttpRequestMessage message, HttpCompletionOption completionOption, Object userState, CancellationToken cancellationToken)
   at Microsoft.VisualStudio.Services.WebApi.VssHttpClientBase.SendAsync[T](HttpRequestMessage message, Object userState, CancellationToken cancellationToken)
   at Microsoft.VisualStudio.Services.Location.Client.LocationHttpClient.GetConnectionDataAsync(ConnectOptions connectOptions, Int64 lastChangeId, CancellationToken cancellationToken, Object userState)
```
I’m not sure what the problem is. It seems I should add the Application as a User in the organizations?
Questions:
- Is using an Azure App with multi-tenants the best way, or is there a better method?
- How can I add the application as a user to different Azure Tenants, so that I can access their Azure DevOps Boards to create and update Work Items?
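Added example (not the asker's code): the client-credentials token from the question handed to the Azure DevOps SDK via `VssOAuthAccessTokenCredential` in place of a PAT, then used to create a Task work item. Placeholders for tenant, client ID, organization URL and project are assumptions; it also assumes the application's service principal has already been added as a user of the target organization in the tenant that organization is connected to, because the token represents the app's own identity, not the developer's account.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.TeamFoundation.WorkItemTracking.WebApi;
using Microsoft.TeamFoundation.WorkItemTracking.WebApi.Models;
using Microsoft.VisualStudio.Services.OAuth;
using Microsoft.VisualStudio.Services.WebApi;
using Microsoft.VisualStudio.Services.WebApi.Patch;
using Microsoft.VisualStudio.Services.WebApi.Patch.Json;

public static class WorkItemDemo
{
    // Azure DevOps resource ID, same scope string as in the question.
    private const string AzureDevOpsScope = "499b84ac-1321-427f-aa17-267ca6975798/.default";

    // Assumed placeholders: replace with the target tenant, app registration, org and project.
    private const string TenantId = "<tenant-id>";
    private const string ClientId = "<app-client-id>";
    private const string OrgUrl = "https://dev.azure.com/<organization>";
    private const string Project = "<project>";

    public static async Task<int> CreateTaskAsync(string clientSecret, string title)
    {
        // Client-credentials flow: the token is issued to the app (service principal),
        // so no interactive sign-in happens. The tenant must be the one the org trusts.
        var app = ConfidentialClientApplicationBuilder.Create(ClientId)
            .WithClientSecret(clientSecret)
            .WithAuthority(new Uri($"https://login.microsoftonline.com/{TenantId}"))
            .Build();
        AuthenticationResult result = await app
            .AcquireTokenForClient(new[] { AzureDevOpsScope })
            .ExecuteAsync();

        // Bearer token credential replaces VssBasicCredential(string.Empty, pat).
        var credentials = new VssOAuthAccessTokenCredential(result.AccessToken);
        using var connection = new VssConnection(new Uri(OrgUrl), credentials);
        var witClient = await connection.GetClientAsync<WorkItemTrackingHttpClient>();

        // Work items are created with a JSON Patch document of field operations.
        var patch = new JsonPatchDocument
        {
            new JsonPatchOperation { Operation = Operation.Add, Path = "/fields/System.Title", Value = title }
        };
        WorkItem item = await witClient.CreateWorkItemAsync(patch, Project, "Task");
        return item.Id ?? -1;
    }
}
```

Because the connection is established as the service principal, the org's user list and project permissions for that principal, not any developer's account, decide whether the call succeeds.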