Azure DevOps, Tips & Tricks

Enterprise-level Azure DevOps permissions from the trenches

Or how to implement role-based access control (RBAC) in Azure DevOps in enterprise environments and still keep it maintainable. 4 antipatterns and an approach to implementing this yourself!

Introduction and key values

Assigning permissions to users and groups of users in Azure DevOps is easy and straightforward in small companies, up to maybe 25-50 employees. However, at a large scale one needs to think carefully about how to approach this. At a medium-sized customer (about 250 users) I had to redesign the permissions structure in Azure DevOps. Their most important requirement was to be able to manage access control through Microsoft Identity Manager (MIM – https://docs.microsoft.com/en-us/microsoft-identity-manager/). MIM is put in place to implement role-based access control (RBAC – https://en.wikipedia.org/wiki/Role-based_access_control). The idea behind their implementation is that team leads, instead of a support team, can approve access to systems (self-service). This access was predefined by the system administrators by setting up MIM roles and (Azure) Active Directory (AAD) groups. Because MIM roles are linked to AAD groups, it is no longer necessary to assign permissions to individual users; adding them to a group is all that is needed.

Tips & Tricks

Controlling Azure DevOps from PowerShell

When using Azure DevOps frequently, a moment will come at which you’ll be faster executing a task using a script rather than clicking your way through… There are many reasons why you should script repetitive work, including:

  • Repeatability
  • Knowledge sharing (provided that you store the code in Version Control, accessible to your coworkers)
  • It’s fast

Today there are lots of possibilities, and in this blog post I’ll explain how to use Az DevOps from PowerShell.

Visual Studio Team Services

Migrating a VSTS instance from MSAs to AAD accounts

Setting up a VSTS (Visual Studio Team Services) account initially is very easy. The default user directory behind VSTS is based on Microsoft Accounts (MSA). Quite a few companies start by using MSAs to access their VSTS instance and then decide to move to Azure Active Directory (AAD) once relevant data is already stored, but then face some issues.
