[1]Can someone please help me on how to create variable group in Azure DevOps Library using PowerShell? The file is in .json/.csv file. This is what I have so far. I am new to PowerShell so please excuse any errors.
$file = get-content = C:\test\Variables.json
ForEach {
$name = $_.Variable;
$Issecret = $_.IsSecret;
$Value = $_.Value;
az pipelines variable-group create --name test -p $ProjectName --org $orgUrl --authorize --variables -$name -$issecret -value
I am trying to import all the values to Azure DevOps library.
Name Is Secret Value
-------------------------- ----------- -------------------------------------------------------------------------------
Test1 False
Test2 False

You can get data from the csv file through the script below:
"variables"= #{};
"type"= "Vsts";
"name"= "TestVariableGroup1";
"description"= "A test variable group"
$employee_list = Import-Csv "D:\test\data.csv"
foreach ($employee in $employee_list){
$body.variables[$]=#{value=$setting.value; isSecret=$employee.isSecret}
$body | ConvertTo-Json
Then you can use rest api to create variable group.
Request url:
Request body:
"description": "xxxx",
"name": "xxx",
"providerData": null,
"type": "Vsts",
"variables": {"test1": {
"isSecret": true,
"value": "fortest1"
"test2": {
"isSecret": true,
"value": "fortest2"
"variableGroupProjectReferences": [{
"description": "xxxx",
"name": "xxx",
"projectReference": {
"id": "projectId",
"name": ""
Sample script:
$token = "PAT token"
$url = "{organization}/_apis/distributedtask/variablegroups?api-version=6.0-preview.2"
$token = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes(":$($token)"))
$JSON = #'
request body
$response = Invoke-RestMethod -Uri $url -Headers #{Authorization = "Basic $token"} -Method Post -ContentType application/json -body $JSON


Azure Devops REST API SendMail

I'm trying to send mail after the successful stage on my release definition.
Following the docs
OAuth box is checked in my stage
Project Collection Service Account is added to Build Administrators and Release Administrators.
But the response from REST API is "Azure DevOps Login Page"
Here is my script:
$OrganizationName = "myorg"
$ProjectName = "myproj"
$sendmailto = ""
$mysubject = "Test Mail Subjcet"
$mailbody = "Mail body to test it works with azure rest api"
$Token = "$(System.AccessToken)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes(":$Token"))
$HeaderMail = #{
Authorization = "Bearer $encodedCreds"
##send mail
$urimail = "https://${OrganizationName}${ProjectName}/_apis/Release/sendmail/$($env:RELEASE_RELEASEID)?api-version=3.2-preview.1"
$requestBody =
Try {
Invoke-RestMethod -Uri $urimail -Body $requestBody -Method POST -ContentType "application/json" -Headers $HeaderMail
Catch {
Tested with:
Tried with 3.2 version and 7.1
PAT Token and authorization to Basic return 400 with Bearer return 401.
Switch $(System.AccessToken) to $($env:System_AccessToken) trygin to convert to base64 and without.
What I'm missing?
Response from
It's caused by the $requestBody. The request body requires valid Azure DevOps users referenced by their tfsIds.
Below PS script works for me, if your are running it in pipeline, then please use the $(System.AccessToken) instead of $PAT.
Running locally and authenticate with PAT:
$OrganizationName = "organization"
$ProjectName = "Project"
$sendmailto = ""
$mysubject = "Test Mail Subjcet"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes(":$PAT"))
$HeaderMail = #{
Authorization = "Basic $encodedCreds"
#Get the tfsid
$userentitlementurl = "${OrganizationName}/_apis/userentitlements?api-version=7.1-preview.1"
$response = Invoke-RestMethod -Uri $userentitlementurl -Method Get -Headers $HeaderMail
#Filter by sendmailto
$tfsid = ($response.value| where {$_.user.mailAddress -eq $sendmailto}).id
Write-Host $tfsid
##send mail
$urimail = "${OrganizationName}/${ProjectName}/_apis/Release/sendmail/168?api-version=7.1-preview.1"
$requestBody =
"senderType": 1,
"to": {
"tfsIds": [
"emailAddresses": []
"subject": "$mysubject",
"sections": [
Try {
Invoke-RestMethod -Uri $urimail -Body $requestBody -Method POST -ContentType "application/json" -Headers $HeaderMail
Catch {
Running in release pipeline and authenticate with $(System.AccessToken): (Please note that, because this script is being run during the release, the summary email will show the environment as IN PROGRESS even if it is run as the last step in the Release.)
$OrganizationName = "organization"
$ProjectName = "project"
$sendmailto = ""
$mysubject = "Test Mail Subjcet"
$HeaderMail = #{
Authorization = "Bearer $env:SYSTEM_ACCESSTOKEN"
#Get the tfsid
$userentitlementurl = "${OrganizationName}/_apis/userentitlements?api-version=7.1-preview.1"
$response = Invoke-RestMethod -Uri $userentitlementurl -Method Get -Headers $HeaderMail
#Filter by sendmailto
$tfsid = ($response.value| where {$_.user.mailAddress -eq $sendmailto}).id
Write-Host $tfsid
##send mail
$urimail = "$env:SYSTEM_TEAMFOUNDATIONSERVERURI$env:SYSTEM_TEAMPROJECT/_apis/Release/sendmail/$($env:RELEASE_RELEASEID)?api-version=7.1-preview.1"
$requestBody =
"senderType": 1,
"to": {
"tfsIds": [
"emailAddresses": []
"subject": "$mysubject",
"sections": [
Try {
Invoke-RestMethod -Uri $urimail -Body $requestBody -Method POST -ContentType "application/json" -Headers $HeaderMail
Catch {

What causes "invalid query definition, dataset is invalid or not supplied" querying the Azure REST API with powershell?

I've tried multiple ways to get cost management information from the Azure REST API using Powershell. I'm copy/pasting the data for my $body variable directly from their documentation. I get this error with every example they've posted.
Below is my original attempt.
I've tried to pipe $body to convertto-json.
I've tried saving it as a .json file and then using get-content -raw to get it.
I've tried defining everything in a $params hash table and then using invoke-restmethod #params
No matter what I get the same error.
invalid query definition, dataset is invalid or not supplied
$method = "post"
$URI = ""
$headers = #{
"authorization" = "Bearer verylongstringofcharacters"
$body = #"
"type": "ActualCost",
"dataset": {
"granularity": "Daily",
"aggregation": {
"totalcost" : {
"name": "cost",
"function": "Sum"
"grouping": [
"type": "Dimension",
"name": "ResourceGroup"
Invoke-RestMethod -Method $method -URI $URI -Headers $headers -Body $body
I had this same issue - drove me crazy for at least an hour. It turned out that even though I was using Invoke-RestMethod, I had to explicitly set 'Content-Type' = 'application/json' in the headers of the request. Without it: 'Dataset is invalid...', with it: success.
$headers = #{
"authorization" = "Bearer verylongstringofcharacters"
"Content-Type" = "application/json"

Change variable group value of Azure Pipeline

I have a Variable Group in Azure Pipeline(below attached),
I want to change the value of isPOS to False through below mentioned conditions,
$angular = (Get-Content "$(system.defaultworkingdirectory)/amaze-commerce/angular.json" -Raw) | ConvertFrom-Json
if ($angular.defaultProject -ne "ecomm-ac-ecomm"){
// Please add your code here
Can you please guide me to change the Variable group value and i want to use the same in Release Pipeline.
In order to change the value of a variable group use Azure DevOps Api.
An example of how to update a variable group:
Variablegroups - Get Variable Groups - filtered by {groupName}
$pat ="<your-tfs-security-token>"
$read = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(":$pat"))
$variableGroupName = "Check for angular.json"
$variableGroupId = ((Invoke-RestMethod -Method Get -Headers #{'Authorization' = "Basic $read" } -Uri "https://{instance}/{collection}/{project}/_apis/distributedtask/variablegroups?groupName=${variableGroupName}").Value).id
Variablegroups - Update
$body =#"
"variables": {
"isPOS": {
"value": $false
"type": "Vsts",
"name": "${variableGroupName}",
"description": "Updated variable group"
$response= (Invoke-RestMethod -Uri "https://{instance}/{collection}/{project}/_apis/distributedtask/variablegroups/${variableGroupId}?api-version=5.0-preview.1" -Method Put -Headers #{'Authorization' = "Basic $read" } -ContentType "application/json" -Body $body)

Azure DevOps Rest API to create a branch from a specific branch

I'm looking for an Azure DevOps Rest API to create a new branch from an existing branch.
Azure DevOps Rest API to create a branch from a specific branch
Konteks pointed out the correct REST API.
We could use the Initial commit (Create a new branch) to create a branch, but if you want to create a branch from a specific branch, we need modify the Request Body.
First, we need use the REST API Repositories - List to get the repositoryId.
Then, use the REST API Refs - List with filter=<BranchName> to get the oldObjectId for your specific branch:
Now, we could use the REST API Repositories - List with following request body to create a new branch from a specific branch:
"refUpdates": [
"name": "refs/heads/<DefineYourNewBranchName>",
"oldObjectId": "<oldObjectId we get from above REST API>"
"commits": [
"comment": "Initial commit.",
"changes": [
"changeType": "add",
"item": {
"path": "/"
"newContent": {
"content": "My first file!",
"contentType": "rawtext"
Result from postman:
This is my test powershell scripts:
$connectionToken="<PAT Here>"
$base64AuthInfo= [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes(":$($connectionToken)"))
$headers = #{ Authorization = "Bearer $env:SYSTEM_ACCESSTOKEN" }
$url= "<Organizationname>/<ProjectName>/_apis/git/repositories/<repositoryId>/pushes?api-version=5.1"
$body =#"
"refUpdates": [
"name": "refs/heads/Test228",
"oldObjectId": "a57f0c34f8ec7330bdc37e7631f7be3cc3ea3956"
"commits": [
"comment": "Initial commit.",
"changes": [
"changeType": "add",
"item": {
"path": "/"
"newContent": {
"content": "My first file!",
"contentType": "rawtext"
Write-Host "$url"
$response= Invoke-RestMethod -Uri $url -ContentType "application/json-patch+json" -Body $body -headers #{authorization = "Basic $base64AuthInfo"} -Method POST
Hope this helps.
I captured the requests created by the AzureDevOps web UI and found out that creating a branch from a specific branch is quite simple task for the REST api.
$repository = "repositoryName"
$newBranch = "newBranchName"
$baseBranch = "baseBranchName"
$organization = "organizationName"
$project = "projectName"
$pat = "personalAccessToken"
$base64AuthInfo = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes(":$pat"))
$headers = #{ Authorization = "Basic $base64AuthInfo" }
# Get ID of the base branch
$url = "$organization/$project/_apis/git/repositories/$repository/refs?filter=heads/$baseBranch&api-version=5.1"
$baseBranchResponse = Invoke-RestMethod -Uri $url -ContentType "application/json" -headers $headers -Method GET
# Create a new branch
$url = "$organization/$project/_apis/git/repositories/$repository/refs?api-version=5.1"
$body = ConvertTo-Json #(
name = "refs/heads/$newBranch"
newObjectId = $baseBranchResponse.value.objectId
oldObjectId = "0000000000000000000000000000000000000000"
$response = Invoke-RestMethod -Uri $url -ContentType "application/json" -Body $body -headers $headers -Method POST
This worked for me:
To create/update/delete:
To get objectId:
See section "initial commit"
Sparrow plugin does what you need ( using Rest API ):
s6 --plg-run ado-git-branch-create#project=Backends,repo=Catalog,branch_from=dev,branch=feature
Please pay attention, it does not create any dummy files for that, it only references for an existing branch through it's internal object ID.
Feel free to still the code ;-)).
PS Disclosure. I am the tool author, more details could be found here -

Setting "Allow all pipelines" when creating a service endpoint through DevOps API Create Endpoint

I am attempting to create a service endpoint through the Azure DevOps Rest API but cannot set the "Allow all pipelines to use this service connection" option. I cannot find documentation on the json structure to accomplish this.
Current snippet for creating the connection:
$baseUri = "";
$createEndpointUri = "$($baseUri)_apis/serviceendpoint/endpoints?api-version=5.0-preview.2";
$base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("token:{0}" -f $devOpsPAT)))
$DevOpsHeaders = #{Authorization = ("Basic {0}" -f $base64AuthInfo)};
$AzureSubscriptionData = New-Object PSObject -Property #{
authorizationType = "AzureSubscription"
azureSubscriptionId = $SubscriptionId
azureSubscriptionName = $subscriptionName
clusterId = $clusterId
$Authorization = New-Object PSObject -Property #{
parameters = New-Object PSObject -Property #{
azureEnvironment = "AzureCloud"
azureTenantId = "$tenantID"
scheme = "Kubernetes"
$ServiceEndpointBody = New-Object PSObject -Property #{
authorization =$Authorization
data = $AzureSubscriptionData
name = $serviceConnectionName
type = "kubernetes"
url = $k8sUrl
isReady = "true"
$jsonbody = $ServiceEndpointBody | ConvertTo-Json -Depth 100
Invoke-RestMethod -UseBasicParsing -Uri $createEndpointUri -Method Post -ContentType "application/json" -Headers $DevOpsHeaders -Body $jsonbody;
You can usually figure this stuff out by doing the operation in the Azure DevOps UI and inspecting the HTTP requests it makes using (for example) Chrome debugging tools.
In this case, I think you first need to create the service connection and then make a PATCH request to the pipelinePermissions endpoint, setting the allPipelines.authorized flag to true.
Patch Request Body
"allPipelines": {
"authorized": true,
"authorizedBy": null,
"authorizedOn": null
"pipelines": null,
"resource": {
"id": "{endpointid}",
"type": "endpoint"
Invoke-RestMethod -Method PATCH -Uri "{uriasabove}" -Headers $headers -Body "{patchbodyasabove}" -ContentType "application/json"
Thanks for the above help, however I wanted to do all of this using bash script.
"allPipelines": {
"authorized": true,
"authorizedBy": null,
"authorizedOn": null
"pipelines": null,
"resource": {
"id": "test-service-endpoint-id",
"type": "endpoint"
A simple Bash Script to achieve the same.
#Get Request for endpoint ID
connection_id=$(curl -X GET \
-H "Content-Type: application/json" \
-u $user:$token \$organization_name/$project/_apis/serviceendpoint/endpoints\?endpointNames\=$connection_name\&api-version\=5.1-preview.2 | jq '.value[].id' | tr -d "\"" )
#Creating newpatch.json with connection_id
cat patch.json | jq --arg conn_id "$connection_id" -r ' = $conn_id' > newpatch.json
curl --request PATCH \
-H "Content-Type: application/json" \
-u $user:$token \
-d "#newpatch.json"$organization_name/$project/_apis/pipelines/pipelinePermissions/endpoint/$connection_id\?api-version\=5.1-preview.1
