Open Repository from Azure Repos, unable to specify tenant/DevOp organization

[andreabisiach]

Hello,

Setup:
My Azure Active Directory account (i.e. user@acme.onmicrosoft.com) has access to three AAD/Tenants.
The primary one, where I am registered (i.e. acme.onmicrosoft.com) and two secondaries where I am invited as a guest (ie:
acmecloud.onmicrosoft.com and acmecloud2.onmicrosoft.com

The same user has access two three DevOps organisations. Each one of these three organisations is connected to one of the AAD mentioned above/Tenant, ie:
dev.azure.com/Acme
dev.azure.com/AcmeCloud1
dev.azure.com/AcmeCloud2

Problem:
From VSCode I try:

• Remote Repositories: Open Remote Repository...
• Open Repository from Azure Repos

I can only choose repos from dev.azure.com/Acme

I try from VSCode

• Azure: Azure Select Tenant
• AcmeCloud1

I sign in and try again to open a remote repo

I can only choose repos from Acme

So there is no way to pick Repos from DevOps there are not connected to my primary AAD

[Ettores88]

+1, as a consultant I suffer from the same problem.
Also, in vscode.dev it is impossible to run the command: 'Azure: Azure Select Tenant'

[joyceerhl]

@TylerLeonhardt, it seems like we would require microsoft/vscode#115626 to support enumerating tenants for a given Microsoft auth credential--is that accurate?

[lszomoru]

My understanding based on my latest conversation with @TylerLeonhardt is that we will also have to make some configuration changes to the AAD application have is handling the Microsoft authentication provider requests.

[TylerLeonhardt]

Ok so here are the steps for us to light this up in the Azure Repos extension:

btw no work is needed in the auth extension

For the repo picker:

1. have getSession ask for just the scopes ['https://management.azure.com/user_impersonation']
2. query for tenants using https://learn.microsoft.com/en-us/rest/api/resources/tenants/list
3. if greater than 1 tenant, show a picker to choose a tenant
4. call getSession again this time without createIfNone, and with the Azure DevOps scope and VSCODE_TENANT:${tenantid}
5. use that session returned to list out the orgs and then repos

For vscode.dev:

maybe it could do the same as the repo picker but instead, it'll infer the org and repo as it does today. The annoying part is folks in multiple tenants will always get a tenant picker every time they access a different repo.

Maybe we can cache that somehow.

[joyceerhl]

The annoying part is folks in multiple tenants will always get a tenant picker every time they access a different repo.

Maybe have a gear icon on the quick pick item allowing users to configure a default/primary tenant in settings?

[TylerLeonhardt]

Yeah that wouldn't be so bad or a most recently used in the quick pick.... maybe even attempt to hit the API with the sessions we have accumulated/the last one and just see if it works.

I can't believe there's no AzDO API for "Organization details" to show what's on this page:

[TylerLeonhardt]

I guess we could try the perf on minting a token per-tenant and then just hit the API with whatever ... and maybe cut off at 5 or so tenants. something like that.

[lszomoru]

Thanks @TylerLeonhardt for your input. I think that everything is in place right now and next week I will try out the steps that were outlined in your comment - #241 (comment). That should hopefully address the scenario of using the picker, and then we can think of ways to address the issue when opening an Azure Repos repository using ..

[lszomoru]

@andreabisiach, @Ettores88, the latest version of the Azure Repos extension contains improvements to better handle identities that are members of multiple Azure Active Directory tenants. When connecting to an Azure Repos repository, only users that are members of multiple tenants, will be presented with a "tenant picker". Could you please download the latest pre-release version of the extension and let us know if that resolves your problem. Thank you!

[andreabisiach]

@lszomoru

Just tried with version v0.30.0 and I have the same problem.
I am prompted to login to my "Azure" azure tenant and afterwards I only see a list of the Azure DevOps organizations that use my "Azure" AAD as the backend.
There is no way to tell the extension to use the "AcmeCloud1" as AAD and list the Azure DevOps organizations connected to "AcmeCloud1"

[kjeske]

@lszomoru for me it works like a charm :) I just had to switch to insiders mode and it started to work. A tab restart might be needed in order to refresh the extensions.

[andreabisiach]

@lszomoru
I have tested again with these versions and it works:

VS Code
Version: 1.78.0-insider (Universal)
Commit: 3a69e153f6c68b2b855fb2f1e5bdb798a16a1ee4
Date: 2023-04-24T05:23:27.796Z (7 hrs ago)
Electron: 22.4.8
Chromium: 108.0.5359.215
Node.js: 16.17.1
V8: 10.8.168.25-electron.0
OS: Darwin arm64 22.3.0
Sandboxed: Yes

Azure Repos
v0.31.2023042401

[lszomoru]

There are still couple of paper cuts that I would like to address so I am keeping this issue opened for couple of more days.

[lszomoru]

Closing this issue and will track future work (ex: #333) as separate issues.