# Azure DevOps PAT Permissions for PBIP Extraction This article outlines the minimum required Azure DevOps Personal Access Token (PAT) permissions for extracting Microsoft Power BI PBIP project metadata using Azure DevOps REST APIs. It defines the required permission scopes, supported APIs, accessible file types, and additional access prerequisites required for successful metadata extraction. ### Prerequisites The following prerequisites must be completed before initiating PBIP extraction.

Requirements	Description
Azure DevOps Organization Access	The user or service account must have access to the Azure DevOps organization
Project Access	Access to the target Azure DevOps project is required
Repository Read Access	Read permission must be available for the target repositories
Personal Access Token (PAT)	A valid PAT token must be created with the required permission scope
Repository Availability	PBIP project files must exist within the configured repository

### PAT Token Configuration Perform the following steps to create and configure an Azure DevOps Personal Access Token (PAT) with the minimum required permissions for PBIP extraction. #### Step 1: Navigate to the Personal Access Tokens Page * Sign in to the **Azure DevOps** account. * Click the **profile** icon available in the upper-right corner of the Azure DevOps portal. * Select **Personal access tokens** from the drop-down menu. The Personal Access Tokens screen is displayed.

#### Step 2: Create a New Personal Access Token * Click **+ New Token**.

* The **Create a new personal** access token pop-up is displayed. * Enter the required token details.

Field	Description
Name	Enter a meaningful name for the PAT token
Organization	Select the required Azure DevOps organization from the drop-down list

#### Step 3: Configure Token Scope * Under **Scopes**, select the **Custom-defined** option. * From the available permission categories, navigate to the **Code** section. * Enable the **Read** permission checkbox.

{% hint style="warning" %} The Code > Read permission provides the minimum required access for PBIP metadata extraction operations. {% endhint %} #### Step 4: Generate the PAT Token * Click **Create**. * Copy and securely store the generated **PAT** token for future authentication and extraction operations. ### Required PAT Permissions **Minimum Scope Required** The following PAT permission is sufficient for all repository and file extraction APIs used during the PBIP extraction process. | Scope | Access Level | | ----- | ------------ | | Code | Read | ### Equivalent OAuth Scope The following OAuth scope corresponds to the required PAT permission.

Scope	Description
vso.code	Grants read access to source code and metadata associated with commits, branches, repositories, and other version control artifacts. Also allows reading repository files and file contents.

### APIs Covered The following Azure DevOps REST APIs are supported using the Code > Read permission. * **Get Repositories** ``` GET https://dev.azure.com/{organization}/{project}/_apis/git/repositories?api-version=7.0 ``` * **Get Repository Items / File Paths** ``` GET https://dev.azure.com/{organization}/{project}/_apis/git/repositories/{repositoryId}/items?recursionLevel=Full&api-version=7.0 ``` * **Get File Content** ``` GET https://dev.azure.com/{organization}/{project}/_apis/git/repositories/{repositoryId}/items?path={filePath}&includeContent=true&api-version=7.0 ``` ### Files Accessible Using the Required Permission A PAT token configured with **Code** > **Read** permission can retrieve the following PBIP project files: | File Name | Description | | ----------- | ------------------------------------------ | | .pbip | Power BI project configuration file | | report.json | Report metadata and report definition file | | model.bim | Semantic model definition file | ### Implementation Details #### PAT Token Configuration Configure the Azure DevOps PAT token with the following settings: | Configuration | Value | | --------------- | -------- | | Permission Area | Code | | Access Level | Read | | Scope | vso.code | ### Access Validation Workflow The PBIP extraction workflow performs the following operations: 1. Authenticates using the configured Azure DevOps PAT token 2. Retrieves repository details using Azure DevOps REST APIs 3. Enumerates repository items and file paths 4. Reads PBIP project files from the repository 5. Extracts metadata from supported PBIP files ### Additional Access Requirements In addition to the PAT scope configuration, the Azure DevOps user account or service account must have the following access permissions: * Access to the Azure DevOps organization * Access to the target project * Read access to the target repositories Repository-level permissions remain mandatory even when the PAT token contains the required scope. *** Copyright © 2026, OvalEdge LLC, Peachtree Corners GA USA --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.ovaledge.com/release8.1/connectors/connector-repositories/reporting-tool/power-bi/power-bi-cloud/azure-devops-pat-permissions-for-pbip-extraction.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.