Storing your code in a git repository is kind of a no-brainer. We internally use Azure DevOps a lot for that, and you can imagine that we have spun up quite a few team projects. Some of those team projects were created a while back, and new colleagues are often onboarded after a project was created. We ended up with the requirement to add new people to existing team projects and wanted to look at ways to automate that.
Our goal was to add a specific group to each team project's Readers group, so that all our developers would at least have read access to every team project and could check out the project structure, the code, and the user stories. We wanted to run the process at a fixed time interval, so we picked the Azure Runbook option and used PowerShell to do so.
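# Script parameters.
#   user            - account name sent in the Basic authentication header.
#   token           - Azure DevOps personal access token (PAT) used as the password.
#   domain          - organisation name, used as the host prefix of the Graph API URLs.
#   groupDescriptor - descriptor of the group that is added as a member of every
#                     project Readers group.
#
# NOTE(review): "tbd" is a placeholder. Do not replace it with a real PAT in this
# file. In an Azure Automation runbook, read the secret at run time from an
# encrypted variable or credential asset (Get-AutomationVariable /
# Get-AutomationPSCredential), and give the PAT only the scope needed to manage
# group memberships, with a short expiry.
Param(
    [string]$user = "tbd",
    [string]$token = "tbd",
    [string]$domain = "digiwijs",
    [string]$groupDescriptor = "aadgp.Uy0xLTktMTU1MTM3NDI0NS0xMjA0NDAwOTY5LTI0MDI5ODY0MTMtMjE3OTQwODYxNi0zLTMwODgzMjQ0MTUtMTQwOTgxNzE1OS0yNjgxNDEwMTYxLTMxNTkxMTE5NjQ"
)

# Basic authentication value: base64 of "user:token". Base64 is an encoding, not
# encryption, so treat this value like the PAT itself: never log it and only send
# it over HTTPS.
$credentialPair = "{0}:{1}" -f $user, $token
$base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($credentialPair))

# First page of the organisation's group listing (no continuation token).
$allGroupsRequest = "https://$domain.vssps.visualstudio.com/_apis/graph/groups?api-version=4.1-preview.1"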
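function UpdateTeamProjects {
    <#
    .SYNOPSIS
    Adds $groupDescriptor as a member of every group whose principal name ends in
    "\Readers", one page of the Graph group listing at a time.

    .PARAMETER continuationToken
    Optional paging token taken from the X-MS-ContinuationToken response header of
    the previous page. When omitted, the first page ($allGroupsRequest) is requested.

    .NOTES
    Reads the script-scope variables $domain, $allGroupsRequest, $base64AuthInfo and
    $groupDescriptor. Throws when a page reports zero groups.
    #>
    Param(
        [Parameter(Mandatory=$false)]
        [string]$continuationToken
    )

    # Choose the page to request. The token is escaped because it is placed in a
    # query string.
    $requestUri = $allGroupsRequest
    if ($continuationToken) {
        $requestUri = "https://$domain.vssps.visualstudio.com/_apis/graph/groups?continuationToken=" + [uri]::EscapeDataString($continuationToken) + "&api-version=4.1-preview.1"
    }

    $authHeader = @{ Authorization = ("Basic {0}" -f $base64AuthInfo) }
    $groupsWebRequest = Invoke-WebRequest -Uri $requestUri -Method Get -ContentType "application/json" -Headers $authHeader -UseBasicParsing
    $groupsResult = ConvertFrom-Json $groupsWebRequest.Content

    if ($groupsResult.count -eq 0) {
        throw "Unable to get groups, or no groups have been found";
    }

    foreach ($group in $groupsResult.value) {
        # NOTE(review): this wildcard matches every group whose principal name ends
        # in "\Readers", so the membership is granted in all projects on the page,
        # including any that were restricted on purpose. Consider an explicit
        # exclusion list for such projects.
        if ($group.principalName -like "*\Readers") {
            # The log line names each group that is changed, which gives the
            # runbook job output an audit trail of granted memberships.
            Write-Host "Updating group:" $group.principalName;
            $url = "https://$domain.vssps.visualstudio.com/_apis/graph/memberships/" + $groupDescriptor + "/" + $group.descriptor + "?api-version=4.1-preview.1"
            # Response is discarded so the function does not emit it as output.
            $null = Invoke-RestMethod -Uri $url -Method Put -ContentType "application/json" -Headers $authHeader -UseBasicParsing
        }
    }

    # Process remaining pages once, after the whole current page has been handled.
    if ($groupsWebRequest.Headers.ContainsKey("X-MS-ContinuationToken")) {
        # The header value is a string or a collection of strings depending on the
        # PowerShell edition; take the first value either way. The local is not
        # called $token so it cannot be confused with the PAT parameter.
        $nextToken = [string](@($groupsWebRequest.Headers["X-MS-ContinuationToken"])[0])
        # Guard against requesting the same page forever if the token repeats.
        if ($nextToken -and ($nextToken -ne $continuationToken)) {
            Write-Host "New continuationToken found, move to next batch";
            UpdateTeamProjects -continuationToken $nextToken
        }
    }
}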
# Entry point: start with the first page of groups (no continuation token is passed).
UpdateTeamProjects;
Originally posted at: https://www.cloudappie.nl/devops-readpermissions-everyone/