
Set Azure DevOps Permissions from Azure CLI and Token (not PAT) Issue - Any Azure DevOps/CLI Guru up for a challenge (This one is quite critical)?


I am trying to set up permissions on groups in Azure DevOps from Azure CLI. I want to eventually automate all the permissions, but in this particular instance I want to set the following for the Readers group:

  1. Delete team project
  2. Edit project-level information

To update the permissions I require the namespace ID (which is the ACL) for the PROJECT namespace, the group descriptor (on which the permissions will be set), the bit (which is an ACE, a granular permission of the namespace) value to change, and the token. The commands I am using are:

$OrgName = ""

$ProName = ""

Write-Host "Project Name is " $ProName -ForegroundColor Green

# Get the namespaceID
$namespaceId=""
$namespaceId = az devops security permission namespace list --org "https://dev.azure.com/$OrgName/" --query "[?@.name == 'Project'].namespaceId | [0]"
Write-Host "Name Space Id is " $namespaceId



# Get the group descriptor for the group "Readers"
$GroupName = ""
$GroupName = "Readers"
Write-Host "Group name is " "$GroupName"

$Subject=""
$Subject = az devops security group list --org https://dev.azure.com/$OrgName/ --project $ProName --query "graphGroups[?displayName == '$GroupName'].descriptor | [0]" -o tsv
Write-Host "Subject is " $Subject

# Find Bit
$bit = ""
$bit = az devops security permission namespace show --namespace-id $namespaceId --org "https://dev.azure.com/$OrgName/" --query "[0].actions[?@.name == 'GENERIC_WRITE'].bit |[0]"
Write-Host  "Bit is " $bit

# Get Project ID
$ProjID = ""
$ProjID = az devops project list --org https://dev.azure.com/$OrgName/ --query "value[?name == '$ProName'].id |[0]" -o tsv
Write-Host "Project ID is " $ProjID

# Set Permission

az devops security permission update --id $namespaceId --subject $subject --token "$PROJECT:vstfs:///Classification/TeamProject/$ProjID" --allow-bit $bit --merge true --org "https://dev.azure.com/$OrgName/" -o table
#az devops security permission show --id $namespaceId --subject $subject --token "$/Shared/$ProjID" --org "https://dev.azure.com/$OrgName/" -o table

#Show the list of ACE's and their BIT numbers
az devops security permission namespace show --namespace-id $namespaceId --org "https://dev.azure.com/$OrgName/"

I followed this post Assigning group permissions using to Azure DevOps CLI

And had about 80% success. The place I am getting stuck is the tokens. When using the command below:

az devops security permission update --id $namespaceId --subject $subject --token "$PROJECT:vstfs:///Classification/TeamProject/$ProjID" --allow-bit $bit --merge true --org "https://dev.azure.com/$OrgName/" -o table

Now, in the code above, if I use any random number (for example 78558778), the command will run and show that the permissions are added to that token, but that token does not even exist.

az devops security permission list --id $namespaceId --subject $subject --org "https://dev.azure.com/$OrgName/" -o table
    Token                                                                              Effective Allow    Effective Deny
---------------------------------------------------------------------------------  -----------------  ----------------
$PROJECT:vstfs:///Classification/TeamProject/e648b2f1-b6c8-4c73-8024-xxxxxxxxxxxx  0                  0
$PROJECT:vstfs:///Classification/TeamProject/ede8562f-3c53-4af7-8b2f-xxxxxxxxxxxx  0                  0
$PROJECT:vstfs:///Classification/TeamProject/f11081f7-a109-4969-8ac2-xxxxxxxxxxxx  0                  0
$PROJECT:vstfs:///Classification/TeamProject/f31ed069-717a-4dae-88c5-xxxxxxxxxxxx  0                  0
$PROJECT:vstfs:///Classification/TeamProject/fb881522-23c6-41be-847c-xxxxxxxxxxxx  0                  0
///Classification/TeamProject/78558778                                             0                  0
///Classification/TeamProject/910e9e11-81ea-471b-8ed3-xxxxxxxxxxxx                 0                  0
///Classification/TeamProject/*******shop                                          0                  0
///Classification/TeamProject/e38e6183-e385-4605-96be-xxxxxxxxxxxx                 2                  0

Based on this Microsoft Document, I have to append the project ID to the root token, and when I do that it creates new tokens and hence it does not change the permission on the ADO portal permission page.



Solution

  • Your token $PROJECT:vstfs:///Classification/TeamProject/$ProjID is right, but the trick is that there is a $ in it. So if you want to run the command in PowerShell, you need to use `$ to replace $. Otherwise, PowerShell will treat $PROJECT as a variable.

    The following is the update command that will work:

    az devops security permission update --id $namespaceId --subject $subject --token "`$PROJECT:vstfs:///Classification/TeamProject/$ProjID" --allow-bit $bit --merge true --org "https://dev.azure.com/$OrgName/" -o table
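To see the quoting problem the answer describes without calling az at all, here is an added PowerShell example (not code from the question or the answer; the project id is a constructed sample) that builds the token the broken way and the two safe ways, and adds a guard a script can run before the update command:

```powershell
# Added example, not code from the question or the answer.
# Constructed sample project id; no az command is invoked here.
$ProjID = 'e648b2f1-b6c8-4c73-8024-000000000000'

# Broken form from the question: inside double quotes PowerShell reads
# "$PROJECT:vstfs" as a drive-qualified variable reference (drive PROJECT,
# variable vstfs). No such variable exists, so it expands to an empty
# string and the "$PROJECT:vstfs" prefix silently disappears from the token.
$brokenToken = "$PROJECT:vstfs:///Classification/TeamProject/$ProjID"

# Fix from the answer: escape the literal dollar sign with a backtick.
$escapedToken = "`$PROJECT:vstfs:///Classification/TeamProject/$ProjID"

# Equivalent that needs no escaping: keep the literal part in single quotes
# (no expansion at all) and insert the id with the -f format operator.
$formattedToken = '$PROJECT:vstfs:///Classification/TeamProject/{0}' -f $ProjID

# Guard for scripts: refuse to call 'az devops security permission update'
# with a token that lost its root. ADO accepts any token string and creates
# an ACL for it, so a mangled token leaves the real project's permissions
# untouched while the command still reports success.
function Test-ProjectToken {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Token)
    # Root prefix followed by a GUID-shaped project id (wildcards: ? = one char).
    $pattern = '$PROJECT:vstfs:///Classification/TeamProject/????????-????-????-????-????????????'
    return $Token -like $pattern
}

foreach ($t in $brokenToken, $escapedToken, $formattedToken) {
    $status = if (Test-ProjectToken $t) { 'OK ' } else { 'BAD' }
    Write-Host "$status $t"
}
```

Wire `Test-ProjectToken` in front of the `az devops security permission update` call (for example `if (-not (Test-ProjectToken $token)) { throw "bad token: $token" }`) so a quoting mistake fails loudly instead of creating a stray ACL.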