When I create an Agent Pool in any of my DevOps projects I will see the pool also in the other projects in the same organization. How to disable this behaviour? I want each Agent Pool to be accessible only by the selected project.
for agent pool and self-hosted agent setting, both for Linux, mac and windows, you need to enter organization URL when configure the agent. So you need to go to organization settings->Agent pools->click the affected agent pool then go to Security, to limit other projects users' permission to read the agent pool.
Here in my example, if I remove other project\project valid users and only leave project A\project valid users as readers, only users in project A could see the affected pool in the organization level and other projects' agent pools.
Users in other projects will not be able to see the agent pool, unless you add the individual user as at least reader role in the security part.
I hope it could do some help.
Related
I have been building canvas apps as part of solutions on non-default environments for a while.
Recently a customer required that the app be shared (to run, not edit) with an AAD security group's members.
The SG setup is as follows;
Image of SG setup
I imagined this to be simple and indeed I was able to 'Share' the canvas app with the SG.
However, users were unable to access the app even via a direct URL unless I gave them individual access.
I have spent many hours perusing the documentation and it seems that it is all aimed at 'Dynamics/CDS' environments.
The only way that i was able to share the app to them using the SG, was to create an environment DB add then to set the SG as the env SG.
Is that the correct approach?
It seems counter-intuitive because, according to MS, if an SG is not set to an environment, then all users can access the env?
First, make sure the group you are sharing with is really a security group or security-enabled M365 group.
You can't share an app with a distribution group in your organization or with a group outside your organization.
...
You can share an app with Microsoft 365 groups. However, the group must have security enabled
You can do that at Azure Portal:
Go to Azure AD Active Directory > Groups (direct URL)
Click [Columns] and add Security enabled column to the list
Find the group and make sure it is security-enabled
Also, make sure users have permissions to access and other resources
For a shared app to function as you expect, you must also manage permissions for the data source or sources on which the app is based, such as Microsoft Dataverse or Excel. You might also need to share other resources on which the app depends, such as flows, gateways, or connections.
Source: https://learn.microsoft.com/en-us/powerapps/maker/canvas-apps/share-app
Do you have any ideas how to reactivate the microsoft hosted agent pool?
Look at the image, from my dashboard it is missing "Azure Pipelines".
(I use the free Version of Azure Devops)
There was a change made earlier this year to prevent abuse by crypto miners; you no longer get pipelines automatically in new organizations, you have to specifically request that they be enabled.
By default, new organizations created in Azure DevOps will no longer get a free grant of concurrent pipelines. This applies to both public as well as private projects in new organizations.
To request your free grant, send an email to azpipelines-freetier#microsoft.com and provide the following details clearly:
Your name
Azure DevOps organization for which you are requesting the free grant
Whether you need the free grant for public projects, private projects, or both
Links to the repositories that you plan to build (public projects only)
Brief description of your project (public projects only)
Ref: https://learn.microsoft.com/en-us/azure/devops/release-notes/2021/pipelines/sprint-184-update#changes-to-azure-pipelines-free-grants
I want to change process from agile to scrum in azure DevOps but the change process button is missing. While i changed the "Change process of team project" setting in project settings.
Did you check your permissions required to perform the change process operation?
Pre-requisites
To create, delete or edit a process, you must be a member of the Project Collection Administrators group, or have the corresponding permissions Create process, Delete process, Edit process, or Delete a field from organization set to Allow. See Set permissions and access for work tracking, Customize an inherited process.
Users granted Basic or Stakeholder access can be granted permissions to create, edit, and delete processes, and administer process permissions.
Learn details at https://learn.microsoft.com/en-us/azure/devops/organizations/settings/work/change-process-basic-to-agile?view=azure-devops#prerequisites
Change process button from agile to scrum is missing in azure devops
According to the image you provided, it seems you are using the Azure devops Server instead of the Azure devops service, which does not support this feature to change the process from agile to scrum.
To change the process from agile to scrum on Azure devops Server, you could check following ticket for some more details:
Is it possible to migrate from Agile to Scrum based project
If you are using Azure devops service, you need to check if you meet the Prerequisites, then select the project, you will see options:
Hope this helps.
In order to not be restricted to 4h of build /month, in VSTS we have bought an hosted build agent for us Team (We can see it in Azure portal).
But how restrict the access to the other teams ?
In the Agent Queues i see nothing to do that...
For the same team project, you can’t do it.
For different team projects, the user with Administrator role of agent pool and project collection can create new queue. So you can remove these permissions for others and delete the Hosted queue from related team project. With this way, they can’t use Hosted queue.
BTW, there isn’t the time restrict once buy a Hosted pipeline.
Currently all of our web apps have their Application Pool Identity set to ApplicationPoolIdentity. Now, When an app needs to access some resources on some some server, say, add/read some file, the app performs impersonation in code to a user that has permissions to do this stuff. But now, we are contemplating to create a specific user for each app, and set its app pool identity to its specific new user. But I have noticed in the Advanced Settings dialog that Microsoft recommends to use the application pool identity, as shown in the following image:
Why does Microsoft recommends to use this identity, and is using a specific user is not best practice or a wrong move?
thanks,
ashilon
ApplicationPoolIdentity uses a concept called Virtual Accounts
and is implemented to have App Pool isolation.This blog explains
in detail about that .
ApplicationPoolIdentity is the recommended approach to have proper isolation between each website/application pool in IIS7+ onwards.So you can have code or files running for one website or app which cannot be accessed by no one else.
But for your scenario where you need to access resource on another server,When you use ApplicationPoolIdentity it uses the Machine identity only always.So the best approach is to use managed service account
Managed Service Accounts are a great way to manage Services
that need network access. Let Windows take care of passwords and SPNs
for you
Please find more information here ,here
But this has problem as only one managed service account can be assigned to one Server.Even with Application Pool identity,it will be using the $machineaccount to access network resources.
If network resources you have to isolate for each website/application,then your only way to create the separate User Account for each Websites and manage that.
Hope this helps!