Azure DevOps APIs still have a slight preference for delegated API calls (calls from users). M365permissions scans run through a managed identity, which, as a type of service principal, cannot normally enumerate the organizations in a tenant. Without knowing the orgs, you also can’t enumerate projects etc.
I tried a year ago and failed. Coming back to it now in some spare time, after struggling a lot with Fiddler & PowerShell, I finally figured out how to get orgs without delegated authentication.
It was actually quite simple, as always…just a single GET to:
https://vsaex.dev.azure.com/_apis/EnterpriseCatalog/Organizations?tenantId=YOURTENANTIDHERE&api-version=7.1-preview.1

This returns a CSV-formatted string with all orgs your SPN has permissions to! Isn’t that cool?

Oh and don’t forget, the token you get should be for the audience 499b84ac-1321-427f-aa17-267ca6975798
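
Put together, the call looks roughly like this. This is an added example, not code from M365permissions. It assumes the script runs on an Azure VM whose managed identity is reachable through the instance metadata service (other hosts expose a different managed identity endpoint), that the first CSV line is a header row, and the function names and the all-zero tenant ID are placeholders.

```powershell
$TenantId    = '00000000-0000-0000-0000-000000000000'   # placeholder: your tenant ID
$AdoAudience = '499b84ac-1321-427f-aa17-267ca6975798'   # audience named in the post

function Get-ManagedIdentityToken {
    # Hypothetical helper: asks the VM instance metadata service (IMDS) for a token.
    param([Parameter(Mandatory)][string]$Resource)
    $uri = 'http://169.254.169.254/metadata/identity/oauth2/token' +
           "?api-version=2018-02-01&resource=$Resource"
    (Invoke-RestMethod -Method Get -Uri $uri -Headers @{ Metadata = 'true' }).access_token
}

function Get-AdoOrganization {
    # Hypothetical helper: the single GET from the post, parsed into objects.
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$AccessToken
    )
    $uri = 'https://vsaex.dev.azure.com/_apis/EnterpriseCatalog/Organizations' +
           "?tenantId=$TenantId&api-version=7.1-preview.1"
    $resp = Invoke-WebRequest -Method Get -Uri $uri -UseBasicParsing `
                -Headers @{ Authorization = "Bearer $AccessToken" }

    # Anything other than a plain 200 means the body is not the expected CSV.
    if ($resp.StatusCode -ne 200) {
        throw "Unexpected status $($resp.StatusCode) from EnterpriseCatalog"
    }

    # Depending on the content type, Content arrives as a string or as raw bytes.
    $csv = $resp.Content
    if ($csv -is [byte[]]) { $csv = [System.Text.Encoding]::UTF8.GetString($csv) }

    # No rows: the identity has no permissions on any org in this tenant.
    if ([string]::IsNullOrWhiteSpace($csv)) { return @() }

    # Assumption: the first line is a header row, so each org becomes one object.
    $csv | ConvertFrom-Csv
}

$token = Get-ManagedIdentityToken -Resource $AdoAudience
$orgs  = @(Get-AdoOrganization -TenantId $TenantId -AccessToken $token)
"{0} organization(s) visible to this identity" -f $orgs.Count
$orgs | Format-Table -AutoSize
```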

