Azure DevOps API responds with "Object moved" page using access token obtained with OAuth 2.0 flow with Azure Entra ID app


MY SETUP:

  1. I have created a multi-tenant app in Azure Active Directory. I have added two scopes in "API permissions" tab for this App registration for Azure DevOps API: user_impersonation and vso.profile.

    here is the screenshot example of my scopes

  2. I have implemented the OAuth2 auth code flow:

    1. I use the following URL for authorization:

       https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
       response_type=code
       &client_id=<MY_APP_CLIENT_ID>
       &scope=offline_access%20https%3A%2F%2Fapp.vssps.visualstudio.com%2Fuser_impersonation%20https%3A%2F%2Fapp.vssps.visualstudio.com%2Fvso.profile
       &redirect_uri=<MY_REDIRECT_URI>

      Note, I use the same scopes in the query params as I have configured in the app:
      https://app.vssps.visualstudio.com/user_impersonation
      https://app.vssps.visualstudio.com/vso.profile

      And the additional offline_access scope to receive a refresh_token in the /token response.

    2. I use the following URL for the code (to token) exchange: https://login.microsoftonline.com/common/oauth2/v2.0/token

    3. After exchanging the code for a token, I receive a pair of access/refresh tokens with the following scopes:

       https://app.vssps.visualstudio.com/vso.code_full
       https://app.vssps.visualstudio.com/vso.code_status
       https://app.vssps.visualstudio.com/vso.code_write
       https://app.vssps.visualstudio.com/vso.profile
       https://app.vssps.visualstudio.com/vso.project

PROBLEM:

I am trying to fetch the Profile API and other Azure DevOps Repos APIs like Repositories List or Commit details. But I always receive a response with status 302 and an HTML page with the title "Object moved".

QUESTIONS:

  1. Have I missed something during app registration, or have I missed some parameters in OAuth2 flows?

  2. When I try to do the same flow, but use these scopes instead:
     offline_access 499b84ac-1321-427f-aa17-267ca6975798/.default
     I can make API calls and retrieve data from the Azure API with a 200 status code. Is it some bug? As far as I can see, the number 499b84ac-1321-427f-aa17-267ca6975798 is the resource ID of https://app.vssps.visualstudio.com.

  3. When I use credentials for users from another tenant, I get the error right after typing the user email and hitting the Next button:
     "This username may be incorrect. Make sure you typed it correctly. Otherwise, contact your admin." How can I make it work with users from another tenant?

  4. Should I use legacy Azure DevOps OAuth 2.0 to access Azure DevOps API instead of Microsoft Entra ID app?


For Q1&Q2: “499b84ac-1321-427f-aa17-267ca6975798” is a unique scope identifier of Azure DevOps API resource. The scope for the token should be 499b84ac-1321-427f-aa17-267ca6975798/.default which provides access to Azure DevOps Services REST API. It's not a bug.

For Q3: According to the error message, it seems that there’s a problem with your account and license. Please check if you can access your Azure Entra ID using this affected account and if there is any MFA.

For Q4: It's suggested that new app developers should use Microsoft Entra ID OAuth to integrate with Azure DevOps, according to this doc.
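The following script is an added example, not part of the question or the answer above. It puts the answer into code: it builds the v2.0 authorize URL and the token request with the `499b84ac-1321-427f-aa17-267ca6975798/.default` scope instead of the `https://app.vssps.visualstudio.com/...` scopes from the question, reads the `aud` claim of a returned access token (without verifying the signature, as a diagnostic only) so you can confirm the token was issued for the Azure DevOps resource before calling the REST API, and maps the 302 "Object moved" symptom back to the scope mismatch. The client ID, redirect URI, state value and the sample JWT are constructed placeholders; the rule that a 302 with "Object moved" after requesting the `app.vssps.visualstudio.com/...` scopes indicates a wrong scope is an assumption drawn from the answer, not a documented Azure DevOps behaviour.

```python
import base64
import json
import urllib.parse

# Azure DevOps resource (application) ID, as quoted in the question and the answer.
ADO_RESOURCE_ID = "499b84ac-1321-427f-aa17-267ca6975798"
ADO_SCOPE = f"{ADO_RESOURCE_ID}/.default"
AUTHORITY = "https://login.microsoftonline.com"
# Old-style scopes from the question; requesting these is what produced the 302 pages.
LEGACY_SCOPE_PREFIX = "https://app.vssps.visualstudio.com/"


def build_authorize_url(client_id, redirect_uri, tenant="common", state="constructed-state"):
    """Build the v2.0 authorization URL with offline_access plus the .default scope.

    quote_via=quote keeps spaces as %20 (not '+') and, with safe='' as urlencode
    passes it, encodes the '/' in '.../.default' as %2F.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": f"offline_access {ADO_SCOPE}",
        "state": state,  # bind the callback to this browser session (CSRF protection)
    }
    query = urllib.parse.urlencode(params, quote_via=urllib.parse.quote)
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{query}"


def build_token_request(client_id, client_secret, code, redirect_uri, tenant="common"):
    """Return (url, form body) for the authorization-code exchange at the v2.0 token endpoint."""
    url = f"{AUTHORITY}/{tenant}/oauth2/v2.0/token"
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": f"offline_access {ADO_SCOPE}",
    }
    return url, body


def _b64url_decode(segment):
    """Base64url-decode a JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_audience(access_token):
    """Read the 'aud' claim of a JWT access token. No signature check: diagnostic use only."""
    parts = access_token.split(".")
    if len(parts) < 2:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1])).get("aud")


def issued_for_azure_devops(access_token):
    """True when the token's audience is the Azure DevOps resource ID (or its URI form)."""
    aud = token_audience(access_token)
    return aud in (ADO_RESOURCE_ID, "https://app.vssps.visualstudio.com")


def diagnose(status, body, requested_scopes):
    """Map an API response to a likely cause (assumption: mirrors the answer's reasoning)."""
    if status == 200:
        return "ok"
    if status == 302 and "Object moved" in body:
        if any(s.startswith(LEGACY_SCOPE_PREFIX) for s in requested_scopes):
            return "wrong-scope"  # token was not issued for the ADO resource; use .default
        return "redirect"
    return "other"


def make_constructed_jwt(claims):
    """Build an unsigned (alg=none) JWT for offline tests. Constructed sample, never a real token."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    print(build_authorize_url("<MY_APP_CLIENT_ID>", "https://localhost/callback"))
    sample = make_constructed_jwt({"aud": ADO_RESOURCE_ID, "scp": "user_impersonation"})
    print("audience:", token_audience(sample), "ado:", issued_for_azure_devops(sample))
    print(diagnose(302, "<title>Object moved</title>", [LEGACY_SCOPE_PREFIX + "vso.profile"]))
```

Run it, open the printed authorize URL in a browser, and pass the returned `code` to `build_token_request` with your real client secret (send the body as `application/x-www-form-urlencoded`). Check `issued_for_azure_devops` on the returned `access_token` before spending a request on the Profile API: a token whose audience is not the Azure DevOps resource is the quickest explanation for the 302 page.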