Forum Discussion
Azure Devops CLI - restrict access
Long story
I'm trying to set up Azure Devops (ADO) to allow access for clients - each would have its own Project, all within the same Organization.
Apparently ADO by default does not restrict the access to organization-wide information like listing all projects (even ones you are not a member of) or all users (even those you have no project in common with). This is considered an issue, as the project names would expose to each client which other clients are there, same with users.
To tackle this a feature has been developed by Microsoft 2 years ago, "Limit user visibility and collaboration to specific projects". https://devblogs.microsoft.com/devops/limit-user-visibility-and-collaboration-to-specific-projects/ a blog post on this.
HOWEVER, this feature works only on the presentation layer...
Note that the current restrictions are on the user interface only; users will still be able to use the REST APIs to produce or construe the restricted data.
I did check the API and it seems this should be safe as for all authentication methods you need some kind of token which only an "admin" can generate on ADO.
Issue
The problem is that when using the Azure CLI including the azure-devops extension I still can see the list of all users in the organization. This means for me the client would see all users of my other clients too, which is suboptimal.
Here is the CLI command I use to display the list of users:
az devops user list -o table
In general this behavior does match https://learn.microsoft.com/en-us/cli/azure/devops/user?view=azure-cli-latest#az-devops-user-list
List users in an organization
Still, is there any way to restrict this to the projects you're member of? Maybe some security groups that would restrict the returned list of users? Or maybe it is even possible to restrict the usage of the CLI at all?
1 Reply
- mikekelvin (Copper Contributor)
The issue you are facing with Azure DevOps (ADO) and user visibility is indeed a concern when setting up access for clients within the same organization. While the feature "Limit user visibility and collaboration to specific projects" was introduced by Microsoft to address this, it currently only applies to the presentation layer and not the REST APIs.
The Azure CLI command you mentioned, 'az devops user list -o table', retrieves the list of all users in the organization, including those not associated with your specific projects. This behavior aligns with the documentation, which states that it lists users in the entire organization.
To restrict user visibility to only the projects they are members of and mitigate the suboptimal situation where clients can see users from other clients, there are a couple of considerations:
Security Groups: You can leverage Azure Active Directory (AD) security groups to manage user access and permissions within ADO. By carefully configuring security groups and associating users with specific projects through these groups, you can limit the visibility of users within each project. This approach requires proper planning and configuration to ensure that users only have access to the projects they are assigned to.
Custom Solutions: As the current limitations are at the REST API level, you may need to explore custom solutions to address this. One approach could involve building a middleware or custom API layer that sits between the Azure CLI and ADO. This layer would intercept requests for user information and enforce additional authorization checks based on project membership. By controlling the API requests and filtering the user list, you can restrict the visibility of the projects the users are associated with.
Hope the answer provided fulfills your request.
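As an added example (not code from the thread, from Microsoft, or from the azure-devops extension), the filtering step of the "custom API layer" described above, applied to the output of `az devops user list -o json`: the full organization entitlement list is cut down to the users who share at least one project with the caller, and unknown callers or callers without any project get an empty list rather than the organization-wide one. The JSON shape (`items[].user.principalName`, `items[].projectEntitlements[].projectRef.id`) is an assumption modelled on the Member Entitlement Management output and may need adjusting to what your organization actually returns; the sample data is constructed.

```python
"""Project-scoped filter for `az devops user list -o json` output.

Added example, not code from the original thread or from Microsoft.
Assumptions (labelled as such): the JSON field names below follow the
Member Entitlement Management shape (items[].user, items[].projectEntitlements[]
.projectRef); the caller is identified by principal name, which a real proxy
would take from its own authenticated session, not from a request parameter.
"""
import json
import sys

# Constructed sample, shaped like `az devops user list -o json` output (assumed).
SAMPLE_ENTITLEMENTS_JSON = """
{
  "items": [
    {"user": {"principalName": "alice@clienta.example", "displayName": "Alice"},
     "projectEntitlements": [{"projectRef": {"id": "p-a", "name": "ClientA"}}]},
    {"user": {"principalName": "bob@clientb.example", "displayName": "Bob"},
     "projectEntitlements": [{"projectRef": {"id": "p-b", "name": "ClientB"}}]},
    {"user": {"principalName": "admin@provider.example", "displayName": "Admin"},
     "projectEntitlements": [{"projectRef": {"id": "p-a", "name": "ClientA"}},
                             {"projectRef": {"id": "p-b", "name": "ClientB"}}]},
    {"user": {"principalName": "orphan@provider.example", "displayName": "Orphan"},
     "projectEntitlements": []}
  ],
  "totalCount": 4
}
"""


def project_ids_of(entitlement):
    """Set of project ids a single entitlement entry grants access to."""
    return {pe["projectRef"]["id"] for pe in entitlement.get("projectEntitlements", [])}


def visible_users(entitlements_json, caller_principal):
    """Return the sorted principal names the caller is allowed to see.

    A user is visible only if they share at least one project with the caller.
    Unknown callers and callers with no project entitlement fail closed (empty list),
    so the proxy never falls back to the organization-wide list by accident.
    """
    data = json.loads(entitlements_json)
    items = data.get("items", [])
    by_principal = {e["user"]["principalName"].lower(): e for e in items}

    caller = by_principal.get(caller_principal.lower())
    if caller is None:
        return []
    caller_projects = project_ids_of(caller)
    if not caller_projects:
        return []

    return sorted(
        e["user"]["principalName"]
        for e in items
        if project_ids_of(e) & caller_projects
    )


if __name__ == "__main__":
    # Usage (assumed wiring): az devops user list -o json | python filter.py alice@clienta.example
    principal = sys.argv[1] if len(sys.argv) > 1 else "alice@clienta.example"
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ENTITLEMENTS_JSON
    for name in visible_users(raw, principal):
        print(name)
```

This only narrows what a caller sees when the request is routed through the proxy; as the question notes, anyone holding a token that reaches ADO directly still gets the full organization list from the REST API, so the filter is a presentation-side mitigation, not an access control on ADO itself.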