Azure DevOps CCP (CCF) Connects as User and not App Registration

[ChristopherMank]

We are attempting to connect Sentinel to ADO using the Azure DevOps Audit Logs (via Codeless Connector Platform). We are following the steps indicated here. It would seem that the App Registration you create and assign the vso.auditlog API permission is how the connector will connect. I also assume that this app should be added to ADO with the proper View Audit Log permission as mentioned in item 5 and item 6 in the prerequisite instructions. However, it actually seems that the connector is using the user account that is creating the connection to authenticate to ADO (the user logged into the Azure portal and clicking the Connect button).

1. How is this CCF data connector intended to authenticate? As the App or the logged-on user?
2. If via the logged-on user, this is definitely not very clear in the instructions, and can we get this updated to reflect what it actually is doing?
3. If via the logged-on user, why couldn't the connector simply authenticate as the App to remove the connection to the user all together? ADO supports service principal auth natively and can be added directly to orgs with permissions. We do this in many other places.
4. If it authenticates as the App, then we continue to get 403 Forbidden errors. This happens even if we add the App to ADO as a Collection Admin so it has full permissions. Everything works fine if we grant audit log view access to the logged-on user.

[v-utpalkumar]

Hello @ChristopherMank, thanks for flagging this issue. We will investigate this issue and get back to you with some updates. Thanks!

[andrewj-t]

Just to add some more context, I encountered the same issue when attempting to deploy in our environment. I ended up using the old method instead, as we did not want to tie the connector to an individual specific user

[v-rusraut]

Hi @ChristopherMank

The Azure app is used for authentication purposes and to grant permission to make API calls to the DevOps endpoint.

As there is no link between the Azure app and Azure DevOps, ADO is not aware of the app. In ADO, we do not provide any information about the azure app.

Therefore, in ADO, it is necessary to set the "View audit log" permission for the particular user. This requirement is also mentioned in our data connector prerequisites

[mti500]

Hi, @v-rusraut

I also want to add my issues regarding this Devops CCF connector.
I end up getting "Failed to retrieve auth token from provider"

I have created the app couple of times with the vso.auditlog permission, double checked the authorize and token endpoints are correct and using OAuth v2. My admin-account is "Allow (system)" permission in view audit log and this is greyed out not not editable because this organization was newly created by this same account I try to connect this solution.

I have tried API Endpoint: https://auditservice.dev.azure.com//_apis/audit/auditlog?api-version=7.2-preview

[ChristopherMank]

@v-rusraut - When you say you need to set the View audit log permission for "the particular user", do you mean the user creating the connection? It seems like yes. If so, then I come back to number 3 in the original post above:

If via the logged-on user, why couldn't the connector simply authenticate as the App to remove the connection to the user all together? ADO supports service principal auth natively and can be added directly to orgs with permissions. We do this in many other places.

By creating a connection dependent on a specific user, that creates maintainability issues down the road. Not to mention, how would anyone see what "user" an existing connection is using if/when issues arise? I would suggest the connector should authenticate as that service principal and require users add it to their ADO org with permissions.

[v-rusraut]

Hi @ChristopherMank ,
It uses the logged-on user’s permissions by design. If you need more information, please raise an Azure support case.

[v-rusraut]

Hi @mti500 ,
We successfully reproduced this issue. It occurred due to incorrect credentials being provided. Please verify all the values you entered.

In the App Client Secret textbox, you need to enter the value from the app, not the Secret ID.

[mti500]

HI @v-rusraut

Thank you and yes the app secret value was used. I created two apps and both did not work yesterday but now I configured it once again and seems that now it connected without errors.

The marketplace description for this solution states that "The streaming of Azure DevOps Audit logs to Azure Monitor must be configured to start ingesting audit events."

Is this still valid even for this CCP connector or is that only some old description text? For my understanding that streaming way is the legacy method and the CCP should be the new one without need of that old streaming with workspace ID and key.

[v-rusraut]

Hi @mti500, thank you for confirming that you are now able to connect, and for your observation regarding the solution description.
This text is no longer required for the CCF connector. This statement refers to the legacy streaming method, which is not applicable to the current CCF approach.
We have raised a PR - #13488 to remove this outdated text from the solution description. Once the changes are published, the solution will reflect the updated configuration requirements.
I am closing this issue for now,