For those that come after.
In my case, the answer required combining several existing solutions.
My scenario was accessing repos as submodules from another project (but in the same organization).
ProjectA has repoA that has repoB (in ProjectB), as submodules.
Here are the key things you need to do to make it work (without compromising on security)
## **In your .gitmodules**
After you have added your submodules, it is best to have the url as such
``` url = https://{ORGANIZATION}@dev.azure.com/{ORGANIZATION}/{PROJECT}/_git/{REPO} ```
make sure to replace {ORGANIZATION}, {PROJECT}, {REPO}, with your respective info
## **In Azure Devops**
*In ProjectB (the project that has repoB that is being used as a submodule)*
Go to
**Project Settings -\> Permissions**
Click on **Readers** then **Members** Add the Build Service from ProjectA (the name format is {**PROJECTA**} Build Service ({**ORGANIZATION**})
*In ProjectA (these steps are very important, as this is where I was stomped for the longest time)*
Got to
**Project Settings -\> Settings**
Disable **Limit job authorization scope to current project for non-release pipelines** (if it is greyed out, you will have to disabled it on the Organization level, so {ORGANIZATION} -\> Settings -\> Settings)
Disable **Protect access to repositories in YAML pipelines** (for me this is what was blocking the cross project repo access, the issue, from what I understand, if this is enabled, the token generated by the pipeline will be strictly scoped to your repo, and as such it wont be passed on to other repos, even if you add them as resources in your yaml)
[](https://i.sstatic.net/3DNanUlD.png)

For those that come after.
In my case, the answer required combining several existing solutions.
My scenario was accessing repos as submodules from another project (but in the same organization).
ProjectA has repoA that has repoB (in ProjectB), as submodules.
Here are the key things you need to do to make it work (without compromising on security)
## **In your .gitmodules**
After you have added your submodules, it is best to have the url as such
``` url = https://{ORGANIZATION}@dev.azure.com/{ORGANIZATION}/{PROJECT}/_git/{REPO} ```
make sure to replace {ORGANIZATION}, {PROJECT}, {REPO}, with your respective info
## **In Azure Devops**
*In ProjectB (the project that has repoB that is being used as a submodule)*
Go to
**Project Settings -\> Permissions**
Click on **Readers** then **Members** Add the Build Service from ProjectA (the name format is {**PROJECTA**} Build Service ({**ORGANIZATION**})
*In ProjectA (these steps are very important, as this is where I was stomped for the longest time)*
Got to
**Project Settings -\> Settings**
Disable **Limit job authorization scope to current project for non-release pipelines** (if it is greyed out, you will have to disabled it on the Organization level, so {ORGANIZATION} -\> Settings -\> Settings)
Disable **Protect access to repositories in YAML pipelines** (for me this is what was blocking the cross project repo access, the issue, from what I understand, if this is enabled, the token generated by the pipeline will be strictly scoped to your repo, and as such it wont be passed on to other repos, even if you add them as resources in your yaml)
[](https://i.sstatic.net/3DNanUlD.png)