Azure Pipelines "TF400813: resource not authorized"
TF400813 means the identity running the pipeline lacks permission for a resource it tried to access - usually the project build service account missing rights on a repo, work item, or another project.
What this error means
A step (git push back to the repo, a REST/API call, a cross-project access) fails with TF400813: The user <id> is not authorized to access this resource. The pipeline runs, but the identity is denied at the resource.
##[error]TF400813: The user 'Project Collection Build Service (org)'
is not authorized to access this resource.Common causes
Build service identity lacks permission
The pipeline runs as the project/collection Build Service account. If that identity has not been granted access to the target repo, area, or project, the resource denies it.
Insufficient job authorization scope or token
A restricted job authorization scope, or a System.AccessToken not exposed to the script, can leave the call without rights to a cross-project or protected resource.
How to fix it
Grant the build service the needed permission
- Identify the resource (repo, project, area path) and the failing identity from the error.
- In the resource’s Security settings, grant the Build Service account the required permission (e.g. Contribute for a git push-back).
- For cross-project access, set the pipeline’s job authorization scope to project collection if intended.
Expose the access token to the script
Map System.AccessToken into the step so authenticated calls use the pipeline identity.
steps:
- script: |
git push https://$(System.AccessToken)@dev.azure.com/...
env:
SYSTEM_ACCESSTOKEN: $(System.AccessToken)How to prevent it
- Grant the Build Service only the specific permissions each pipeline needs.
- Set job authorization scope deliberately (project vs collection).
- Expose
System.AccessTokenexplicitly when scripts call Azure DevOps APIs.