Synchronize accounts from our Azure DevOps organizations

Template for a good new topic, formatted with Markdown:

  • ALM used Azure DevOps
  • CI system used Azure DevOps

We are attempting to synchronize accounts from our Azure DevOps organizations.

The documentation lists Bitbucket and GitHub; however, it does not list ADO.

  1. Click your profile picture in the top right menu and select the organization.

  2. In the organization menu, click “Administration > Organization settings”

  3. Click on “Choose an organization on GitHub”.

  4. Click your profile picture in the top right menu and select the organization.

  5. In the organization menu, click “Administration > Organization settings”

  6. Click on “Choose a team on Bitbucket”.

Step 3 is not available within SonarCloud and we were wondering how we would go about connecting all of the ADO organizations that we have.


Hi @JohnW and welcome to the community!

The “team” object is not the same on Microsoft’s side as the one on Bitbucket and GitHub.

Currently, Microsoft doesn’t offer a reliable way to list users of an Azure DevOps organization, so we can’t implement it on our side.

But soon there will be an improvement for choosing which repository you want to bind to a new SonarCloud project; that will be a first baby step of the revamped AzDO experience on SonarCloud, stay tuned!

Mickaël


Hi @mickaelcaro,

We are currently struggling with a similar issue: how to import our users from DevOps to SonarCloud and keep them synchronized.

Is it still valid that Azure DevOps can’t provide a list of users? I am able to list all users in our organization with rights to Azure DevOps (basic license, stakeholder…) like this:

az devops user list --organization https://dev.azure.com/xxx --output json

You then have information such as

{
  "accessLevel": {
    "accountLicenseType": "none",
    "assignmentSource": "unknown",
    "licenseDisplayName": "Visual Studio Professional subscription",
    "licensingSource": "msdn",
    "msdnLicenseType": "professional",
    "status": "active",
    "statusMessage": ""
  },
  "dateCreated": "2017-12-27T20:22:59.483Z",
  "extensions": [],
  "groupAssignments": [],
  "id": "340e60cd-...35",
  "lastAccessedDate": "2021-03-11T04:45:24.230439+00:00",
  "projectEntitlements": [],
  "user": {
    "descriptor": "aad.YzEw...3",
    "directoryAlias": "XXXX",
    "displayName": "XXXX XXXXX",
    "domain": "e46...e",
    "isDeletedInOrigin": null,
    "legacyDescriptor": null,
    "mailAddress": "xxxx@xxxxx.com",
    "metaType": "member",
    "metadataUpdateDate": null,
    "origin": "aad",
    "originId": "f5...96",
    "principalName": "xxx@xxx.com",
    "subjectKind": "user",
    "url": "https://xxxx.vssps.visualstudio.com/_apis/Graph/Users/aad.xxxxx"
  }
}

I expect there is also some REST/Graph API to access such information (via PAT token).
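A sketch of how the JSON shape shown above could drive a sync, as an added example that is not part of the original post and not SonarCloud or Azure DevOps code: it keeps only active, non-deleted `user` entries from `az devops user list` output and diffs them against a downstream member list, so removed or disabled accounts show up for deprovisioning. Matching members by `principalName`, the `members`/`items` wrapper keys and the `current_members` input are assumptions; the sample data is constructed.

```python
import json

# Constructed sample in the shape shown above (all values are made up).
SAMPLE = json.dumps([
    {"accessLevel": {"status": "active"},
     "user": {"principalName": "Alice@example.com", "subjectKind": "user",
              "origin": "aad", "isDeletedInOrigin": None}},
    {"accessLevel": {"status": "active"},
     "user": {"principalName": "bob@example.com", "subjectKind": "user",
              "origin": "aad", "isDeletedInOrigin": True}},
    {"accessLevel": {"status": "disabled"},
     "user": {"principalName": "carol@example.com", "subjectKind": "user",
              "origin": "aad", "isDeletedInOrigin": None}},
    {"accessLevel": {"status": "active"},
     "user": {"principalName": None, "subjectKind": "user", "origin": "aad"}},
])

def entries(raw):
    """Accept a bare list, or an object wrapping it (wrapper keys are an assumption)."""
    data = json.loads(raw)
    if isinstance(data, dict):
        data = data.get("members") or data.get("items") or []
    return data

def eligible(entry):
    """Return the normalised login if the entry should have access, else None."""
    user = entry.get("user") or {}
    access = entry.get("accessLevel") or {}
    name = user.get("principalName")
    if (not name or user.get("subjectKind") != "user"
            or user.get("isDeletedInOrigin") is True
            or access.get("status") != "active"):
        return None
    return name.strip().lower()

def plan_sync(raw, current_members):
    """Diff eligible ADO users against members already provisioned downstream."""
    wanted = {login for e in entries(raw) if (login := eligible(e))}
    have = {m.strip().lower() for m in current_members}
    return {"add": sorted(wanted - have),
            "remove": sorted(have - wanted),
            "keep": sorted(wanted & have)}

if __name__ == "__main__":
    # current_members is a hypothetical export of the downstream member list.
    print(plan_sync(SAMPLE, ["bob@example.com", "ALICE@example.com", "dave@example.com"]))
```

The `remove` list is the part worth reviewing before acting on it: it contains every downstream member that is no longer an active, non-deleted user in the Azure DevOps output.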

Hi @jvilimek

Thanks for the pointer, I’ll try to have a look at that, but IIRC the az command line requires a UI login, doesn’t it? Or at least some ARM template with specific authentication.

Actually, we are using it (az devops CLI) from an Azure DevOps pipeline and there is a connector for it.

For other pipelines (e.g. GitHub) you can add a personal access token (PAT) to the environment variable AZURE_DEVOPS_EXT_PAT and it will use it. See Sign in with a Personal Access Token (PAT), Azure DevOps CLI - Azure DevOps | Microsoft Docs

As for the REST API, here are the docs: REST APIs for Azure DevOps - Azure DevOps | Microsoft Docs

Maybe it’s related? Azure DevOps user synchronization

Did it help?

Yes, thanks. I tested the az devops CLI; unfortunately, with only PAT authentication, there is no possibility to list users of an organization.

Why do you think so? Is it because you got the error "The requested resource requires user authentication: https://oriflame.vsaex.visualstudio.com/_apis/UserEntitlements?top= 100"? This is unfortunately a false error; see a similar issue here: Auth documentation could be improved · Issue #670 · Azure/azure-devops-cli-extension · GitHub

The correct error would be insufficient rights.

In case you create a PAT token with full access, it will work,

and then the following works:

$token = Read-Host
$token | az devops login --org https://dev.azure.com/xxxxx
az devops user list --organization https://dev.azure.com/xxxxxx --output json

Ofc the “full” scope is not ideal, so it would be great to figure out the exact permission needed to list the users…

Hope this helps and you would be able to implement the integration with Azure AD asap… it would be very helpful for us.

Or do you have any APIs on your side for user creation/rights assignment etc?

Thanks for the information.

Yes, that is definitely something we don’t want, and we haven’t got the time yet to figure that out. We’ll definitely take this into consideration.

Mickaël