Hosted agent for MSDyn365FO build lacks permission

I recently had the task of setting up the build automation for one of our new implementation projects. Because the included Tier1 offering for MSDyn365FO implementation projects will disappear, I ended up setting up the build automation with hosted agents.

All in all, I managed to get everything working after about 60 minutes, because with our proven YAML I don’t have to care much about setting up the core build process. The only thing I had to do was add the YAML to the Git repository, change some project/customer-specific settings and create a pipeline based on the YAML file.

I could have been even faster than 60 minutes, but I had problems with the integration of the NuGets, again. During the first build I got some strange errors like: “Error MSB4019: The imported project “D:\a\1\NuGets\Microsoft.Dynamics.AX.Platform.CompilerPackage\DevAlm\Microsoft.Dynamics.Framework.Tools.BuildTasks.targets” was not found. Confirm that the path in the <Import> declaration is correct, and that the file exists on disk.”

When I dug deeper into the logs, I found some errors in the NuGet restore step telling me:

Failed to authenticate to https://XYZ.pkgs.visualstudio.com/_packaging/D365BuildHostedAgent/nuget/v3/index.json from your project collection, prefix = https://XYZ.pkgs.visualstudio.com/

WARNING: Unable to find version ‘10.0.569.10005’ of package ‘Microsoft.Dynamics.AX.Application.DevALM.BuildXpp’.

  https://XYZ.pkgs.visualstudio.com/_packaging/D365BuildHostedAgent/nuget/v3/index.json: Unable to load the service index for source

  Response status code does not indicate success: 403 (Forbidden – User ‘2a0ebf1e-c216-40fe-8026-da33b0c0d7eb’ lacks permission to complete this action. You need to have ‘ReadPackages’. (DevOps Activity ID: 4E9C1FEF-D821-4845-8443-67316C7B214F)).

I thought that I had a similar problem before, but unfortunately couldn’t remember the solution. Maybe last time there was some uncoordinated trial and error which fixed the problem after some time.

This time I tried to understand which step/setup is causing the error, and I want to share with you what I found. As you can see in the screenshot below, when you create a feed in Azure DevOps Artifacts, you have to specify the scope: project or organization-wide.

Create new feed in Azure DevOps Artifacts

When you create a feed with organization scope, you have to allow project-scoped builds, which adds the project-specific build service account to the feed permissions, as shown below.

Add permission to feed in Azure DevOps Artifacts

If you skip this permission setup, you will see the previously mentioned error during the NuGet restore. If you’re using a project-scoped feed, you don’t have to add additional permissions, because the project-specific build service account is added to the feed automatically during creation.
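
As an added example (not part of the original post), this Python check scans a NuGet restore log for the 403 shown above and reports which identity is missing which permission on which feed, so the pipeline can point straight at the feed permission setup. The function name `find_feed_denials` and the sample log are constructed for illustration; the sample repeats the error quoted above.

```python
import re

# Matches the 403 line NuGet prints when the build identity cannot read the feed.
# Accepts straight or typographic quotes and dashes, since blog renderers rewrite them.
Q = "['\u2018\u2019]"
DENIED = re.compile(
    r"403 \(Forbidden\s*[-\u2013]\s*User " + Q + r"(?P<user>[0-9a-fA-F-]{36})" + Q +
    r" lacks permission.*?need to have " + Q + r"(?P<perm>\w+)" + Q +
    r".*?Activity ID: (?P<activity>[0-9A-Fa-f-]{36})"
)
FEED = re.compile(r"(?P<url>https://\S+/_packaging/(?P<feed>[^/\s]+)/nuget/v3/index\.json)")


def find_feed_denials(log_text):
    """Return one dict per 403 in a restore log, paired with the last feed URL seen."""
    findings, last_feed = [], None
    for line in log_text.splitlines():
        m = FEED.search(line)
        if m:
            last_feed = m.groupdict()
        d = DENIED.search(line)
        if d:
            findings.append({**d.groupdict(), **(last_feed or {"url": None, "feed": None})})
    return findings


# Constructed sample: the restore output quoted above, with straight quotes.
SAMPLE_LOG = """\
WARNING: Unable to find version '10.0.569.10005' of package 'Microsoft.Dynamics.AX.Application.DevALM.BuildXpp'.
  https://XYZ.pkgs.visualstudio.com/_packaging/D365BuildHostedAgent/nuget/v3/index.json: Unable to load the service index for source
  Response status code does not indicate success: 403 (Forbidden - User '2a0ebf1e-c216-40fe-8026-da33b0c0d7eb' lacks permission to complete this action. You need to have 'ReadPackages'. (DevOps Activity ID: 4E9C1FEF-D821-4845-8443-67316C7B214F)).
"""

if __name__ == "__main__":
    for f in find_feed_denials(SAMPLE_LOG):
        print(f"Identity {f['user']} needs {f['perm']} on feed {f['feed']} "
              f"({f['url']}); activity {f['activity']}")
```

The reported identity is the build service account that has to be granted access on the feed's permissions page.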
