Thursday, November 21

    If you’re an administrator of the cloud-based Azure DevOps and your teams use Azure Boards, you may have noticed that DevOps lacks a practical UI for managing Tags within a Board.

    By default, Microsoft states that unused Tags on a Board will be automatically deleted after a certain period. However, from personal experience, this is not always the case.

    To better suit my users’ needs, I installed the Tags Manager extension by Yod Labs. This extension provides a visual UI for the tags assigned to a specific process.

    By default, the extension only allows Project Administrators to update and/or delete tags within a Project. This limitation arises because Microsoft hides many permissions behind the CLI rather than exposing them in the Settings UI.

    After some investigation, admins can use the az devops CLI to discover and set these hidden permissions. Below is a script that helps admins set the correct permissions for managing Tags. This script is an adaptation of one created by Andy Li.

    az login
    az extension add --name "azure-devops"
    
    $org = "ORGANIZATION"
    $Project = "PROJECT"
    $Group = "DEVOPS GROUP NAME"
    $Type = "Delete" #Or Update
    $ProjectID = "" #https://dev.azure.com/ORGANIZATION/_apis/projects?api-version=5.0-preview.3
    
    $subject = az devops security group list `
        --org "https://dev.azure.com/$org/" `
        --scope project `
        --subject-types vssgp ` 
        --project "$Project" `
        --query "graphGroups[?@.principalName == '[$Project]\$Group'].descriptor | [0]"
    
    $namespaceId = az devops security permission namespace list `
        --org "https://dev.azure.com/$org/" `
        --query "[?@.name == 'Tagging'].namespaceId | [0]"
    
    $bit = az devops security permission namespace show `
        --namespace-id $namespaceId `
        --org "https://dev.azure.com/$org/" `
        --query "[0].actions[?@.name == '$Type'].bit | [0]"
    
    az devops security permission update `
        --id $namespaceId `
        --subject $subject `
        --token "/$ProjectID" `
        --allow-bit $bit `
        --merge true `
        --org https://dev.azure.com/$org/
    

    The above script will update a DevOps User group to have the “Delete” or “Update” bit assigned to it, allowing the group (or user) to perform those given actions.

    In addition, admins can use the code to identify other possible permission sets that are hidden by Microsoft:

    az devops security permission namespace list --org "https://dev.azure.com/$org/" >> %USERPROFILE%\Desktop\DevOpsSecurityPermissions.txt
    

    For possible Security Tokens used by the az devops security permission update command, Microsoft outlines their formatting here.

    Comments are closed.