Posted on Leave a comment

Azure DevOps best practices – Organization security settings

Security is a vital component of every Organization. As such DevOps components and environments should also be protected and created based on best practices. Below are some important settings that you should consider enabling/disabling for your Azure DevOps Organization. All these can be found on the left bottom corner of your organization page.

  • Disallow external users joining your organization. In order to protect your projects, pipelines and source code you should disable external user access. This setting combined with an Azure directory integration, should allow only verified users of your company.
  • Disable public projects. Sometimes a project may be created public by mistake and expose a threat for your source code. With the below setting you can disable public projects creation.
  • Enable Log Audit Events. For security purposes you should log Pipeline and user actions. Going into security policies you can enable log Audit events. Then a new pane will be created named Auditing. Through auditing you will have a view on what is happening in your projects.
  • Don’t add users on the Project Collection Administrators group on your organization. This group will provide global admin permissions for your organization and allow changing settings on it. Make sure you have you have only the necessary personnel on this group.

Disable Allow team and project administrators to invite new users. You can disable project administrators from inviting new users. This should prohibit unnecessary invitations on your projects as only Organization administrator will be able to invite new users.

  • Install only trusted extensions inside your organization. Extensions can help you implement more complex functionality on your projects using tasks that have been created from community/companies. However one should be careful for the installed extensions and only allow verified publishers that their code will not harm your organization.
  • Enforce a maximum allowed lifespan for new PAT tokens and also restrict full scoped PAT. When your organization is connected with your company AD you can restrict the full scoped PAT. As full access for a PAT can interact with many aspects of the organization it would be a best practice only to enable the service that is needed. Also a maximum lifespan of the tokens can be enforced so that compromised tokens will expire.

Although every practice you follow cannot protect you 100% the above settings are a good starting point for every Azure DevOps administrator.

Posted on Leave a comment

Dynamically checkout github repository based on parameter

In some cases, the DevOps team may need to checkout multiple github repositories in the current working directory of the pipeline. By default the pipeline will download the code of the repository where it belongs.

The below pipeline will download a github repository based on a parameter that user provides. In order to accomplish that you will need a service connection with your github account/organization.

Then using the below pipeline you can download a repository with a specific branch by providing the repository name.

- main

  vmImage: ubuntu-latest

- name: repoparam
  type: string
  default: reponame
- name: branchparam
  type: string
  default: main

  - name: repositoryvar
    value: ${{parameters.repoparam}}
  - name: branchvar
    value: ${{parameters.branchparam}}

    - repository: gitrepo
      type: github
      name: geralexgr/$(repositoryvar)
      ref: $(branchvar)
      endpoint: geralexgr

- checkout: gitrepo
  displayName: download repository

For example given that I have created a repository geralexgr/terraform-az-lin-win I will provide only the name of it terraform-az-lin-win and the main branch.

When running the pipeline the selected repository will be downloaded into C:agent/work/buildID/s or /home/vsts/work/buildID/s

Posted on Leave a comment

Authentication failed. The ‘Authorization’ header is missing – Invoke-WebRequest Azure ARM

While building an automation procedure I had to POST the management API of Azure.

Invoke-WebRequest -Uri -Method POST

When I used the Invoke-WebRequest without Authentication it failed. The error that you will get when you do not have Authentication headers set can be found below.

Invoke-WebRequest: {"error":{"code":"AuthenticationFailed","message":"Authentication failed. The 'Authorization' header is missing."}}

In order to authenticate with azure you can get an access-token using az cli.

az account get-access-token

The output will look like the below output:

  "accessToken": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxVG-hTDHECYJxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-B5FA9l9RvqOls3iaDDYw5O86acvLIwxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-ixxxxxxxxxxxxxxxxx3eoeKlxZfxxxxxxxxxxfGW2O6oA",
  "expiresOn": "2022-05-05 14:51:08.000000",
  "subscription": "a23eef11-f200-4722-866c-248ca45142f6",
  "tenant": "1efa646f-3fc3-4554-bd8c-651879a2b110",
  "tokenType": "Bearer"

You should take the output of the token and use it on your call.

For example using POSTMAN you should place your token under the Authorization tab. You will then be able to get the result from Azure ARM api.

Posted on 2 Comments

InvalidAuthenticationToken “message”:”The access token is invalid.” – Powershell

The below sample code will make an HTTP call using powershell with Authorization headers. However when you run the code it will fail.

$token =  az account get-access-token | ConvertFrom-Json
$mytoken =  $token.accesstoken
$headers = @{ Authorization = "Bearer $token.accesstoken" }
echo $headers
Invoke-RestMethod -Method Get -Uri "" -Headers $headers -UseBasicParsing

This is an error occuring on powershell as the $token.accesstoken is not correctly parsed. In order to resolve either use a new variable and assign the value on it ($mytoken)

$headers = @{ Authorization = "Bearer $mytoken" }