A set of PowerShell scripts to accomplish different tasks in Azure DevOps.

You need one or two things before you can start. :)

• PowerShell 7
• Az PowerShell Module 4.7 or higher (https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-4.7.0)
• Azure DevOps PAT token (see individual prerequisites of each script below for necessary permissions)

1. In Azure DevOps UI create a PAT token in Azure DevOps that has the permissions mentioned below.
2. Create the environment variable AzureDevOpsTools_PAT containing the PAT token.

Gets the latests URL and SAS Token for the Base Templates (IaC_Templates). Use the currently checked-out branch when calling it from a git working copy of IaC_Templates or from a branch speficied.

Uses the Azure DevOps API to validate a single pipeline YAML file.

Uses the Azure DevOps API to validate local YAML changes based on an existing Azure Git repo and pipeline.

Gets a list of pipelines which are not using the central build pools.

Like Get-PipelineTransition but writes CSV result.

Gets a list of all git repositories within a specified organisation or within a specified project. The output includes information about the last commit and the combined types of permissions set on the repo.

Get data of all git repos in organisation "myorganisation" and project "MyProject".

.\Get-AdoGitRepos.ps1 -OrgName "myorganisation" -ProjectName "MyProject"

Get data of all git repos in all projects of organisation "myorganisation" and write ouput as CSV to file myorganisation-repos.csv.

.\Get-AdoGitRepos.ps1 -OrgName "myorganisation" | ConvertTo-Csv > myorganisation-repos.csv

• OrgName (mandatory)
  The name of the Azure DevOps organisation to use.
• ProjectName (optional)
  The name of the Azure DevOps project where the git repositories are located. If this is omitted information about all repositories in all projects of the specified organisation is returned.
• ExcludePermissions (optional)
  If this is set, the permissions of each repository are not included in the output. Choose this for faster execution.

• Azure DevOps PAT token permission: Code: read

Displays the permissions (access control lists) of a specified repository.

Show permissions (access control lists) set on repository "MyRepo" in project "MyProject" in organisation "myorganisation".

.\Show-AdoGitRepoPermissions.ps1 -OrgName "myorganisation" -ProjectName "MyProject" -RepoName "MyRepo"

• OrgName (mandatory)
  The name of the Azure DevOps organisation to use.
• ProjectName (mandatory)
  The name of the Azure DevOps project where the git repository is located.
• RepoName (mandatory)
  The name of the Azure DevOps git repository where the permissions should be changed.

• Azure DevOps PAT token permissions: Code: read and Identity: read

Removes all write permissions from a repository.

Sometimes old repositories should be "deactivated" in a way, that nobody can change the code anymore while keeping it readable for reference purposes. In these cases disabling the repository is not a good option, because then it does not appear in the list of repositories in the UI anymore. This script can be used to remove all write permissions from the repository.

This script does the following modifications for all ACLs of a given repository

1. Removed explicit allow of write permissions on all existing ACEs
2. Set an explicit deny of write permissions on all existing ACEs for the following actions:
3. Display modfied ACLs and ACEs with old and new values

The script will first display the existing permissions set on the repository, then ask for user confirmation to continue or abort (unless called with parameter -Confirm), remove and update the permissions and read them again to display the updated permissions.

The following write permissions are removed by the script for all users.

GenericContribute
ForcePush
CreateBranch
CreateTag
ManageNote
PolicyExempt
PullRequestContribute
PullRequestBypassPolicy

Remove all write permissions from the ACL of the repository "MyRepo" in project "MyProject" in organisation "myorganisation".

.\Remove-AdoGitRepoWritePermissions.ps1 -OrgName "myorganisation" -ProjectName "MyProject" -RepoName "MyRepo"

• OrgName (mandatory)
  The name of the Azure DevOps organisation to use.
• ProjectName (mandatory)
  The name of the Azure DevOps project where the git repository is located.
• RepoName (mandatory)
  The name of the Azure DevOps git repository where the permissions should be changed.
• Confirm (optional)
  If this is set, the script won't ask the user for confirmation before changing the permissions.

• Azure DevOps PAT token permissions: Code: read, Identity: read and Security: manage

Get contents of one or more variable groups.

Get variable group "MyVariableGroup" in project "MyProject" in organisation "myorganisation".

.\Get-AdoVariableGroups.ps1 -OrgName "myorganisation" -ProjectName "MyProject" -VargroupNames @( "MyVariableGroup" )

Get variable groups "MyGroup.Dev" and "MyGroup.Prod" in project "MyProject" in organisation "myorganisation" as CSV to file mygroup-vars.csv.

.\Get-AdoVariableGroups.ps1 -OrgName "myorganisation" -ProjectName "MyProject" -VargroupNames @( "MyGroup.Dev", "MyGroup.Prod" ) | ConvertTo-Csv > mygroup-vars.csv

• OrgName (mandatory)
  The name of the Azure DevOps organisation to use.
• ProjectName (mandatory)
  The name of the Azure DevOps project where the variable group is located.
• VargroupName (mandatory)
  The name of the variable group.
• Raw (optional)
  If this is set, the script will return raw objects instead of flattened key-value collections. This is suitable to keep all information returned by the API for subsequent processing.

• Azure DevOps PAT token permission: Variable Groups: read

Searches and displays variables according to specified name and value search patterns from one or more variable groups.

Find and display all variables containing the string "-legacy" in all variables with names starting with "ServerName" or `HostName" in the variable groups "MyVarGroup.Dev", "MyVarGroup.Test" and "MyVarGroup.Prod" in the project "MyProject" in organisation "myorganisation".

.\Update-AdoVariables.ps1 -OrgName "myorganisation" -ProjectName "MyProject" -VargroupNames @( "MyVarGroup.Dev", "MyVarGroup.Test", "MyVarGroup.Prod" ) -VariableNameExpressions @( "ServerName.*", "HostName.*" ) -ValueMatchExpression "-legacy"

• OrgName (mandatory)
  The name of the Azure DevOps organisation to use.
• ProjectName (mandatory)
  The name of the Azure DevOps project where the variable group is located.
• VargroupNames (mandatory)
  A list of names of variable groups to process.
• VariableNameExpressions (optional)
  A list of regular expressions to select the names of the variables to process. It this is omitted, all variables in the specified groups will be processed.
• ValueMatchExpression (optional)
  A regular expression to select variables by their value.

• Azure DevOps PAT token permission: Project and Team: read and Variable Groups: read

Performs regex replacing in variable values of one or more variable groups.

Replace the string "-legacy" with "-azure" in all variables with names starting with "ServerName" or `HostName" in the variable groups "MyVarGroup.Dev", "MyVarGroup.Test" and "MyVarGroup.Prod" in the project "MyProject" in organisation "myorganisation".

.\Update-AdoVariables.ps1 -OrgName "myorganisation" -ProjectName "MyProject" -VargroupNames @( "MyVarGroup.Dev", "MyVarGroup.Test", "MyVarGroup.Prod" ) -VariableNameExpressions @( "ServerName.*", "HostName.*" ) -ValueMatchExpression "-legacy" -ValueReplaceExpression "-azure"

• OrgName (mandatory)
  The name of the Azure DevOps organisation to use.
• ProjectName (mandatory)
  The name of the Azure DevOps project where the variable group is located.
• VargroupNames (mandatory)
  A list of names of variable groups to process.
• VariableNameExpressions (optional)
  A list of regular expressions to select the names of the variables to process. It this is omitted, all variables in the specified groups will be processed.
• ValueMatchExpression (mandatory)
  A regular expression to select a matching part of the variable values for replacement.
• ValueReplaceExpression (mandatory)
  A regular expression to replace the matched part of the variable values.
• Confirm (optional)
  If this is set, the script won't ask the user for confirmation before updating the variables.

• Azure DevOps PAT token permission: Project and Team: read and Variable Groups: read, create, & manage