
How to allow external access to a private Azure DevOps NuGet feed

The situation is as follows:

  • DevOps Org A maintains a private NuGet feed
  • DevOps Org B needs to use packages from the above feed within its Pipelines

Current solution involves:

  • adding a user U from Org B as a guest in Org A DevOps with Stakeholder role
  • creating PAT for user U in Org A with just Packaging -> Read scope
  • using the PAT to register a service connection for the feed in Org B
  • using NuGetAuthenticate task in Org B Pipeline before the NuGetCommand restore task

The issue is that user U can log in to Org A's DevOps and view boards, work items, members, etc.

The question is how to restrict access so that the only thing that anyone from Org B can do is restore packages from Org A's feed and nothing else?

I have set every permission to Deny on user U's Permissions screen in Org A's DevOps.

As soon as I set "View project-level information" to Deny, the pipeline in Org B fails with a 404 error:

    Not Found - VS800075: The project with id 'vstfs:///Classification/TeamProject/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' does not exist, or you do not have permission to access it.

CyberDude asked Sep 14 '25 11:09
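
The pipeline side of the setup listed in the question, as an added example that is not part of the original post. The service connection name `OrgA-Feed-ReadOnly`, the trigger branch, the agent image and the `nuget.config` location are assumptions; the service connection is where the Org A PAT with Packaging -> Read scope is stored.

```yaml
# azure-pipelines.yml in Org B (constructed example, not from the original post)
# Assumptions:
#   - 'OrgA-Feed-ReadOnly' is a hypothetical NuGet service connection in Org B
#     holding the Org A PAT scoped to Packaging -> Read only.
#   - nuget.config in the repository root lists the Org A feed as a package
#     source and contains no credentials.
trigger:
  - main

pool:
  vmImage: 'windows-latest'

steps:
  # Supplies credentials for the external feed from the service connection,
  # so the PAT never appears in YAML, nuget.config or source control.
  - task: NuGetAuthenticate@1
    inputs:
      nuGetServiceConnections: 'OrgA-Feed-ReadOnly'

  # Restores using the sources declared in nuget.config; authentication for
  # the Org A feed comes from the preceding task.
  - task: NuGetCommand@2
    inputs:
      command: 'restore'
      restoreSolution: '**/*.sln'
      feedsToUse: 'config'
      nugetConfigPath: 'nuget.config'
```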



1 Answer

There is no need to add a user U from Org B in Org A DevOps, since you only need a PAT with Packaging -> Read scope from Org A. You can just have any user in Org A (who has access permission to the NuGet feed) generate a PAT for you.

Or you can ask any user in the Project Collection Administrators group of Org A to create a new normal user account as a service account. Then you can ask them to generate a PAT from this service account of Org A.

With the above approaches, you do not need to worry about users of Org B being able to log in to Org A's DevOps.

Levi Lu-MSFT answered Sep 17 '25 18:09
