Skip to content

Title: Authentication fails with TF400813 error for personal Azure DevOps accounts using PAT #892

New issue
New issue
Closed as not planned
Closed as not planned
Title: Authentication fails with TF400813 error for personal Azure DevOps accounts using PAT#892
Assignees
danhellem
Labels
Auth and Identity 🔐
@ravikaanthe

Description

@ravikaanthe
ravikaanthe
opened on Feb 8, 2026

Here's a write-up for the GitHub issue:

Title: Authentication fails with TF400813 error for personal Azure DevOps accounts using PAT

Description:

I'm unable to authenticate to Azure DevOps using the @azure-devops/mcp server despite having a valid Personal Access Token (PAT) with full access permissions. All MCP tools consistently fail with authorization error TF400813.

Environment:

  • Package: @azure-devops/mcp@next
  • VS Code: Latest version with GitHub Copilot
  • Azure DevOps: Personal account (outlook.com)
  • Organization: https://dev.azure.com/ravikaanthe
  • OS: Windows with PowerShell

Configuration:

{
  "servers": {
    "ado": {
      "type": "stdio",
      "command": "npx",
      "args": ["-y", "@azure-devops/mcp@next", "ravikaanthe", "--authentication", "env"],
      "env": {
        "AZURE_DEVOPS_AUTH_METHOD": "pat",
        "AZURE_DEVOPS_ORG_URL": "https://dev.azure.com/ravikaanthe",
        "AZURE_DEVOPS_PAT": "<valid-pat-token>"
      }
    }
  }
}

Error:

Error fetching projects: TF400813: The user '319ead2a-2e05-6050-ae9c-ad455c2808d3' is not authorized to access this resource.

What I've tried:

  1. ✅ Created multiple new PAT tokens with full access
  2. ✅ Verified PAT works perfectly via direct Azure DevOps REST API calls
  3. ✅ Tried both @azure-devops/mcp and @azure-devops/mcp@next versions
  4. ✅ Tested with AZURE_DEVOPS_AUTH_METHOD set to both "pat" and "azcli"
  5. ✅ Logged in via Azure CLI (az login) and confirmed account access
  6. ✅ Restarted VS Code multiple times after configuration changes
  7. ✅ Verified the organization and PAT have proper permissions

Verification:
Direct REST API call works perfectly:

$pat = "<my-pat-token>"
$base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(":$pat"))
$headers = @{Authorization = "Basic $base64AuthInfo"}
Invoke-RestMethod -Uri "https://dev.azure.com/ravikaanthe/_apis/projects?api-version=7.1" -Method Get -Headers $headers

This returns all 17 projects successfully.

Affected MCP Tools:

  • mcp_ado_core_list_projects - ❌ Fails
  • mcp_ado_repo_list_repos_by_project - ❌ Fails
  • mcp_ado_testplan_list_test_plans - ❌ Fails
  • All other Azure DevOps MCP tools - ❌ Fail with same error

Expected Behavior:
The MCP server should authenticate successfully using the PAT token from environment variables and allow access to Azure DevOps resources.

Actual Behavior:
All MCP tools fail with TF400813 authorization error, despite the PAT token being valid and working via direct REST API calls.

Additional Context:

  • Using personal Microsoft account (outlook.com) with Azure DevOps
  • Interactive authentication prompts for work/school account which doesn't apply to personal accounts
  • The MCP server appears to not be properly using the PAT from environment variables

This issue is blocking my ability to use the Azure DevOps MCP server for automation and demonstration purposes. Any guidance or fix would be greatly appreciated.

You can post this to: https://github.com/microsoft/azure-devops-mcp/issues

Metadata

Metadata

Assignees

Labels

Auth and Identity 🔐

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions