Extracting and Auditing Azure DevOps Permissions at Scale with PowerShell
Managing access in Azure DevOps is easy at small scale — and increasingly opaque as organizations grow. This post introduces ADO Permissions Output, an open-source PowerShell toolset that queries Azure DevOps REST APIs across 30+ security namespaces, decodes bitmask permissions, resolves cryptic GUIDs and tokens into readable names, and produces structured JSON/CSV output ready for Power BI. It also surfaces "ghost" members — users who appear in ADO through nested Entra groups but hold no active entitlement — which the standard Graph API alone cannot detect. Whether you're preparing for a compliance review or just want to know who actually has access to what, this tool closes the gap between the ADO portal and a complete audit picture.
Permissions required for Report Generation
I have tried a lot of things, so wanted to reach out and see if anyone here had help/insights. I have tried to follow the processes outlined in the online documentation around provisioning access to an admin account, but even when I have global admin rights within Purview, I am still not able to view or run reports. I am trying to access the Classification Health Reports, but cannot seem to get the right permissions structure to view the Reports tab. I tried the documentation online but the naming conventions are now different given the new updates and could use some help. Thanks!
