✨ *Question of the Day* ✨: how do you secure your Azure DevOps? _SUPPORT THE CHANNEL_ : Buy me a coffee: www.buymeacoffee.com/CoderDave Join my Patreon: www.patreon.com/CoderDave PayPal me donation: paypal.me/dabenveg
You got that right about having a problem with developers freely creating new projects, getting out of control. I've seen this get really wild, and not only that I've seen people create or use their own home-grown testing VMs, packages, anything you can think of. Like a vine growing over a house and covering it! But if the admin tries to take control or limit, complaints overrule!
Hehe don’t get me started 😁 I’ve seen sooo many things around that topic... usually, however, if teams complain about this is because they are not given any other effective alternative. In your example, if I don’t let you create your own VMs to host company projects (which is ok, that should never happen) but the internal process for you to have a VM created lasts 2 weeks, involves 4 different teams, and needs review from a change management board... well, I’d complain as well 🤣
Really useful. I think that there are topics related with token build services, about the scope and so on. Because with that Auth tokens on pipelines someone can clone reports without concrete permissions.
Thanks! I will look into the tokens more and see if I can identify any problem or reason why that may happen. Not sure how many people would watch a video dedicated to scoping tokens but if it can be useful, why not ☺️
Hey @CoderDave, Thanks for sharing your knowledge. We are having a challenge controlling the developers in pulling or accessing the repos on specific machines. (Basically, we want the developers should always pull and access the repos from their office laptop/desktop) and not from any other machine. Is there any way we can control this in Azure DevOps?
Hey, you sure can do that. You need to connect your Azure DevOps to Azure AD (and therefore use AAD as Identity Provider for logging in to AzDO), then you can enable the Conditional Access Policies (CAP) in AAD. As part of the CAP, you can enable the restriction that a user must belong to a certain location and/or network, or that they must be using an enabled device in a management system More info here: docs.microsoft.com/en-us/azure/devops/organizations/accounts/change-application-access-policies?view=azure-devops#conditional-access-policies
Thank youj very much for this stuctured explanation. I have one question please: what permission should I get in order to use 'agents' (pipelines). the message error tells me to have "admin" or "user acess administrator" and I can't get those. is it the only way?
@@CoderDave I'm trying to use a the "ARM Template deployment: Resource Group scope " (to deploy ADF code). It requires a subscription acess, and I can't figure out how to fix it. The msg error is: Failed to set Azure permission 'RoleAssignmentId: xxxx' for the service principal 'xxxx' on subscription ID 'xxxx': error code: Forbidden, inner error code: AuthorizationFailed, inner error message The client 'xxx@xxx' with object id 'xxx' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/xxx' or the scope is invalid. If access was recently granted, please refresh your credentials. Ensure that the user has 'Owner' or 'User Access Administrator' permissions on the Subscription.
Ah ok, that has nothing to do with the permissions in Azure DevOps. It is telling you that the Service Principal in Azure that you are using die executing the deployment doesn’t have enough permissions. You need to check it and make sure it has the right level of privilege (in the Azure Portal)
✨ *Question of the Day* ✨: how do you secure your Azure DevOps?
_SUPPORT THE CHANNEL_ :
Buy me a coffee: www.buymeacoffee.com/CoderDave
Join my Patreon: www.patreon.com/CoderDave
PayPal me donation: paypal.me/dabenveg
Yes, would like to hear more about securing with AAD. Would also like to hear more about setting up teams (boards, area paths, backlogs).
Noted. Let me see what I can do around those topics
+1
You got that right about having a problem with developers freely creating new projects, getting out of control. I've seen this get really wild, and not only that I've seen people create or use their own home-grown testing VMs, packages, anything you can think of. Like a vine growing over a house and covering it! But if the admin tries to take control or limit, complaints overrule!
Hehe don’t get me started 😁 I’ve seen sooo many things around that topic... usually, however, if teams complain about this is because they are not given any other effective alternative. In your example, if I don’t let you create your own VMs to host company projects (which is ok, that should never happen) but the internal process for you to have a VM created lasts 2 weeks, involves 4 different teams, and needs review from a change management board... well, I’d complain as well 🤣
Really useful. I think that there are topics related with token build services, about the scope and so on. Because with that Auth tokens on pipelines someone can clone reports without concrete permissions.
Thanks! I will look into the tokens more and see if I can identify any problem or reason why that may happen. Not sure how many people would watch a video dedicated to scoping tokens but if it can be useful, why not ☺️
Very Helpful Video :) Thanks for sharing your knowlage!
Always happy to help ☺️
Sweet and short explanation 👍
Glad you like it :)
It is very useful, thanks!
Happy you like it ☺️
Hey @CoderDave,
Thanks for sharing your knowledge. We are having a challenge controlling the developers in pulling or accessing the repos on specific machines. (Basically, we want the developers should always pull and access the repos from their office laptop/desktop) and not from any other machine. Is there any way we can control this in Azure DevOps?
Hey, you sure can do that. You need to connect your Azure DevOps to Azure AD (and therefore use AAD as Identity Provider for logging in to AzDO), then you can enable the Conditional Access Policies (CAP) in AAD.
As part of the CAP, you can enable the restriction that a user must belong to a certain location and/or network, or that they must be using an enabled device in a management system
More info here: docs.microsoft.com/en-us/azure/devops/organizations/accounts/change-application-access-policies?view=azure-devops#conditional-access-policies
@@CoderDave Thanks a lot, your input has given us direction in managing our code with greater flexibility.
Thank youj very much for this stuctured explanation. I have one question please: what permission should I get in order to use 'agents' (pipelines). the message error tells me to have "admin" or "user acess administrator" and I can't get those. is it the only way?
Thanks, glad to be helpful. What do you mean by "use agents"? Like running a pipeline on a different agent?
@@CoderDave I'm trying to use a the "ARM Template deployment: Resource Group scope " (to deploy ADF code). It requires a subscription acess, and I can't figure out how to fix it. The msg error is: Failed to set Azure permission 'RoleAssignmentId: xxxx' for the service principal 'xxxx' on subscription ID 'xxxx': error code: Forbidden, inner error code: AuthorizationFailed, inner error message The client 'xxx@xxx' with object id 'xxx' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/xxx' or the scope is invalid. If access was recently granted, please refresh your credentials. Ensure that the user has 'Owner' or 'User Access Administrator' permissions on the Subscription.
Ah ok, that has nothing to do with the permissions in Azure DevOps. It is telling you that the Service Principal in Azure that you are using die executing the deployment doesn’t have enough permissions. You need to check it and make sure it has the right level of privilege (in the Azure Portal)