1

I'm using the DevOps REST API via OAuth 2.0 to populate the fields of work item types.

For identity fields, such as System.AssignedTo, I'm having a hard time trying to figure out the best API that allows me to retrieve a searchable list of users that mirrors what users see on the DevOps website.

From the browser inspector I saw the website calls this API, which is not documented:

[POST] https://dev.azure.com/MY_ORGANIZATION/_apis/IdentityPicker/Identities

as also noted in a discussion on Azure Tech Community.

But when I call this API (with the very same request body) from my local server, I get a 401 response status code, and HTML content instead of the anticipated JSON.

In Microsoft Entra Admin Center, I made sure to include vso.identity API permission for my app registration.

What am I missing here?

If I cannot use this API, what's the best alternative?

I saw the Read Identities API, but when I try to load it in the browser I always get zero results.

E.g.

https://vssps.dev.azure.com/MY_ORGANIZATION/_apis/identities?api-version=7.0&searchFilter=DisplayName&filterValue=SEARCH_TERM
{
  "count": 0,
  "value": []
}

Also, all the REST APIs I used so far are on https://dev.azure.com. How is https://vssps.dev.azure.com any different? Can I call APIs on a different host with the same OAuth access token?

Thanks in advance for any suggestion!

2 Answers

2

You can use the Azure DevOps Services Graph API to list users:

GET https://vssps.dev.azure.com/{org}/_apis/graph/users?api-version=7.2-preview.1

To do some basic filtering, you can use the subject query API, for example:

POST https://vssps.dev.azure.com/{org}/_apis/graph/subjectquery?api-version=7.2-preview.1

{
  "subjectKind": ["User"],
  "query": "bob"
}

You will need the vso.graph delegated permission for these APIs.

Yes, the same access token can be used for APIs under https://dev.azure.com and APIs under https://vssps.dev.azure.com.
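
An added example, not part of the original answer: building the subject query request from the answer with the same bearer token, and refusing to treat a 401 or an HTML page as "no matches". The function names, the sample response and its field names are assumptions made for illustration.

```python
import json
import urllib.parse
import urllib.request

GRAPH_HOST = "https://vssps.dev.azure.com"
API_VERSION = "7.2-preview.1"  # version quoted in the answer

# Constructed sample response; the field names are assumed, not captured.
SAMPLE_OK = json.dumps({"count": 1, "value": [
    {"subjectKind": "user", "displayName": "Bob Example",
     "mailAddress": "bob@example.com"}]})


def build_subject_query(org, term, access_token, kinds=("User",)):
    """Build (without sending) the POST request for the subject query API."""
    org = urllib.parse.quote(org, safe="")  # keep the org name inside one path segment
    body = json.dumps({"subjectKind": list(kinds), "query": term}).encode("utf-8")
    return urllib.request.Request(
        f"{GRAPH_HOST}/{org}/_apis/graph/subjectquery?api-version={API_VERSION}",
        data=body,
        method="POST",
        headers={
            # Same OAuth access token that is sent to dev.azure.com.
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )


def decode_subjects(status, content_type, body):
    """Return the subjects in a response, rejecting anything that is not JSON.

    A 401/403 or an HTML page is reported as an error, never as an empty list.
    """
    if status in (401, 403):
        raise PermissionError(f"HTTP {status}: token rejected or scope missing")
    if status != 200 or "application/json" not in content_type.lower():
        raise ValueError(f"unexpected response: HTTP {status}, {content_type}")
    return json.loads(body).get("value") or []


if __name__ == "__main__":
    req = build_subject_query("MY_ORGANIZATION", "bob", "ACCESS_TOKEN_PLACEHOLDER")
    print(req.get_method(), req.full_url)
    print(decode_subjects(200, "application/json", SAMPLE_OK))
```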


4 Comments

Thank you for your suggestion! This API definitely works for searches by user/group display name. Is there a way to search users/groups by their ID (in the format XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX)? I've just been made aware that we have some legacy data storing only user IDs (no display name, no email address, etc.)
graph is deprecated
@pf12345678910 As far as I understand, I'm not using any Graph APIs, as all my requests point to dev.azure.com or vssps.dev.azure.com. Am I correct? I checked here: Request differences between Azure AD Graph and Microsoft Graph
Azure DevOps Services Graph API is different from Azure AD Graph API and Microsoft Graph API. Azure AD Graph is deprecated. Microsoft Graph is definitely not deprecated. I see nothing in the API reference docs saying Azure DevOps Services Graph API is deprecated.
0

In Azure DevOps, the Identity type fields of work items can accept the following identities:

  1. For the built-in Assigned To (System.AssignedTo) field, it can only accept the identities of the actual users who have the exact email addresses. It cannot accept Applications (formerly Service Principals), Managed Identities, Service Accounts or groups/teams, even though these identities can appear in the searchable list of the field on the web UI.

  2. The custom Identity type fields can accept the identities of the actual users who have the exact email addresses, and the groups/teams if the option "Allow assigning to groups" is enabled for the custom fields. Similarly, they cannot accept Applications, Managed Identities or Service Accounts.


For your case, if you want to populate the Assigned To field, you just need to get the users who are listed on the "Organization Settings" > "Users" page, and exclude the Applications and Managed Identities listed on the page.

To do so, you can use the Azure DevOps REST API "User Entitlements - Search User Entitlements" to list all the users you can see on the "Organization Settings" > "Users" page, then, based on the user type (metaType), exclude the Applications and Managed Identities:

  • For an actual user who has the exact email address, the metaType is 'member' or 'guest'.

  • For an Application, the metaType is 'application'.

  • For a Managed Identity, the metaType is 'managedIdentity'.

If you want to populate other custom Identity type fields which have "Allow assigning to groups" enabled, you need to use the API "User Entitlements - Search User Entitlements" and "Group Entitlements - List".
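
An added example, not part of the original answer: filtering user entitlement entries down to the identities Assigned To accepts, using an allow-list on metaType so unknown kinds are excluded too. The entry shape (a "user" object with displayName, mailAddress and metaType) and the sample data are assumptions made for illustration.

```python
# metaType values the answer lists for real users; everything else is excluded.
ASSIGNABLE_META_TYPES = {"member", "guest"}

# Constructed sample entries. Assumed shape: each entitlement carries a "user"
# object with displayName, mailAddress and metaType.
SAMPLE_ENTITLEMENTS = [
    {"user": {"displayName": "Alice Example", "mailAddress": "alice@example.com", "metaType": "member"}},
    {"user": {"displayName": "Bob Guest", "mailAddress": "bob@example.org", "metaType": "guest"}},
    {"user": {"displayName": "build-app", "mailAddress": "", "metaType": "application"}},
    {"user": {"displayName": "deploy-identity", "mailAddress": "", "metaType": "managedIdentity"}},
    {"user": {"displayName": "No Type", "mailAddress": "notype@example.com"}},
    {"user": {"displayName": "Alice Example", "mailAddress": "ALICE@example.com", "metaType": "member"}},
]


def assignable_users(entitlements, search=""):
    """Return users that System.AssignedTo can accept, optionally filtered."""
    term = search.strip().casefold()
    seen, result = set(), []
    for entry in entitlements:
        user = entry.get("user") or {}
        meta = (user.get("metaType") or "").casefold()
        mail = (user.get("mailAddress") or "").strip()
        # Allow-list: an unknown or missing metaType is excluded, so a new
        # non-human identity kind never reaches the Assigned To picker.
        if meta not in ASSIGNABLE_META_TYPES or not mail:
            continue
        key = mail.casefold()
        if key in seen:  # same mailbox listed twice
            continue
        name = user.get("displayName") or mail
        if term and term not in name.casefold() and term not in key:
            continue
        seen.add(key)
        result.append({"displayName": name, "mailAddress": mail})
    return sorted(result, key=lambda u: u["displayName"].casefold())


if __name__ == "__main__":
    for u in assignable_users(SAMPLE_ENTITLEMENTS, "example"):
        print(u["displayName"], u["mailAddress"])
```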

2 Comments

Thanks for the detailed explanation! It looks like a viable solution, even though there are 2 distinct APIs for users and groups specifically. On a side note, how can I discern which identity fields support query on groups as well? To pull fields config I'm currently using a combination of /{organization}/{project}/_apis/wit/fields and /{organization}/{project}/_apis/wit/workitemtypes/{workItemType}/fields
@ilPittiz, You can try with the API "Fields - List".
