azure devops access log - azure

I am looking to find access logs for Azure DevOps to
1) List time and date of authorized users who have accessed the code repository
2) List the changes made for all of the repository and by whom
3) Assuage audit fears of unauthorized users downloading the code
Looks like there are auditing capabilities slotted in the roadmap, but I need something now. I tried using the Azure portal's activity logs, but I get zero results for Azure DevOps events.
Note: we do not use Active Directory integration yet.
Any help is greatly appreciated.

For auditing repo changes, every write operation in source control is part of its history.
For limiting read access, you already know the solution, because you said you aren't using it yet: Azure AD. Limit access to within your organization.
For auditing access, as you said, there is no solution yet; it's on the backlog. The reason it's on the backlog is that there is no way to do it at the moment.
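One way to get the "who changed what, and when" part of the question from the repository history itself, as an added example that is not part of the original answer: the Azure Repos pushes REST API records every push (pushedBy, date, ref updated). The organization, project and repository names and the PAT are placeholders to supply; the sample response below is constructed to match the API's shape.

```python
"""Added example: turn Azure Repos push history into a who/when/what audit table.
Assumes placeholder org/project/repo names and a PAT in the AZDO_PAT variable."""
import base64
import json
import urllib.request
from collections import defaultdict

API_VERSION = "6.0"  # the pushes endpoint is available at this API version


def pushes_url(org, project, repo, from_date=None):
    """Build the Git pushes URL; from_date (ISO 8601) narrows the audit window."""
    url = (f"https://dev.azure.com/{org}/{project}/_apis/git/repositories/"
           f"{repo}/pushes?api-version={API_VERSION}")
    if from_date:
        url += f"&searchCriteria.fromDate={from_date}"
    return url


def fetch_pushes(org, project, repo, pat, from_date=None):
    """Call the API with PAT basic auth (empty user name, PAT as password)."""
    token = base64.b64encode(f":{pat}".encode()).decode()
    req = urllib.request.Request(pushes_url(org, project, repo, from_date),
                                 headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]


def audit_rows(pushes):
    """Flatten pushes into (when, who, branch, old commit, new commit) rows, oldest first."""
    rows = []
    for p in pushes:
        who = p["pushedBy"]["uniqueName"]
        for ru in p.get("refUpdates", []):
            rows.append((p["date"], who, ru["name"],
                         ru["oldObjectId"][:8], ru["newObjectId"][:8]))
    return sorted(rows)


def pushes_per_user(pushes):
    """Count pushes per account, a quick check for unexpected writers."""
    counts = defaultdict(int)
    for p in pushes:
        counts[p["pushedBy"]["uniqueName"]] += 1
    return dict(counts)


# Constructed sample response: same shape as the real API, invented values.
SAMPLE = [
    {"pushId": 1, "date": "2021-03-01T09:00:00Z",
     "pushedBy": {"uniqueName": "alice@example.com"},
     "refUpdates": [{"name": "refs/heads/main",
                     "oldObjectId": "aaaa1111bbbb2222", "newObjectId": "cccc3333dddd4444"}]},
    {"pushId": 2, "date": "2021-03-01T10:30:00Z",
     "pushedBy": {"uniqueName": "bob@example.com"},
     "refUpdates": [{"name": "refs/heads/feature",  # all-zero old id: new branch
                     "oldObjectId": "0" * 40, "newObjectId": "eeee5555ffff6666"}]},
]

if __name__ == "__main__":
    for row in audit_rows(SAMPLE):
        print(*row)
```

Because the push record is kept by the service rather than in the clone, it also shows a force-push that rewrote a branch, which `git log` alone would hide.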

Related

Azure LinkedAuthorizationFailed on Active Directory Account / Key Vault Authentication when running DevOps Server Deployment Template

I am trying to deploy an on-prem instance of Azure DevOps Server to a VM in an Azure Government subscription (which by nature, seems it does not support standard DevOps).
This template is referenced within support material directly from Microsoft:
https://github.com/usri/deploy_DevOps_Server_AzureSQL
All the referenced resources were created from scratch for the purpose of getting this server running.
This requires an AAD account with the associated password stored in a Key Vault. However, every attempt I make to run the template returns the following error on the 'Write VirtualMachines' step (when all other components pass):
The client has permission to perform action 'Microsoft.Compute/images/read' on scope '(MY_SUBSCRIPTION)\(MY_RESOURCEGROUP)\(VM)', however the current tenant '(MY_KEYVAULT)' is not authorized to access linked subscription '(ID in the template with the deployment files)'
This seems to me like the password cannot be retrieved from Key Vault. Is it a formatting issue with the Secret? An access control issue somewhere? I've tried many various combinations of both. Hopefully this is just a trivial issue.
I am the original author of the code in that repo. I went ahead and merged a pull request into that repo which should address your issue. I did the following:
Updated the ReadMe file to include information on creating the image
Updated the azuredeploy.json with parameters for Key Vault & image references
Updated the ps1 file to eliminate hard links for KV (a particularly bad oversight on my part, my apologies).
Updated and tested everything for the latest version of Azure DevOps Server 2020
This should fix your issue and several other related ones. I retested the entire deployment from scratch and it worked as designed. A couple of other quick notes:
The USRI and all of its repositories, including the one being utilized here, are not Microsoft official repositories. They represent an open-source Azure community dedicated to regulated entity customers. The members who contribute there are mostly Microsoft employees, and the repos themselves just represent interesting and sometimes niche templates that might be of interest.
This particular repo shows a manner in which Azure templates could be used to deploy services when no internet connection is available or permitted. I just used Azure DevOps Server because it was interesting and regulated industry customers use it.
All the best

Is it possible for Azure DevOps to get history of "clone", "fork" and "download as ZIP" by each user?

I would like to get all of the history of Azure Repos.
I would like to get histories of "who/when clone/fork/download repository".
I mean logging of user actions.
Is it possible for Azure DevOps (Repos)?
I'm afraid I believe this feature doesn't exist yet. For auditing access or changes etc., a feature as such doesn't exist, but by using Azure Active Directory you can limit the usage or access to, say, "Read-Only" within your organisation. Also, a similar solution is given here.

Azure service to query Azure Active Directory

Suggest any Azure service which
can connect to a customer Azure Active Directory,
can query the customer Azure Active Directory, and
keeps my application's Azure Active Directory in sync with any future change (add/remove user) on the customer Azure Active Directory?
Service to connect/query Azure AD : Microsoft Graph API can help you query Azure AD
Sync changes between two different Azure AD tenants: AFAIK there isn't any service that will do this for you, you need to write something custom yourself that can make use of Microsoft Graph API
Notification on changes: Microsoft Graph API supports change notifications for some scenarios. User and Group resource types are supported. See if this covers what you're looking for: Use the Microsoft Graph API to get change notifications
Incremental changes: Microsoft Graph API also supports delta queries for some operations, which could help in figuring out incremental changes.
Authentication: Most probably client credentials grant flow using Application permissions, with a daemon app would make sense for such scenario. Although, this is something you'll need to decide based on how you finally implement.
Permissions required: Microsoft Graph API permissions reference
Function or WebJob or something else: it's a little subjective I guess. I don't have a clear single recommendation. WebJob might be better if it turns out to be long running, but I'm not sure. You may need a separate question or find some already answered good questions about this.
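The delta-query approach from the answer above, as an added example that is not part of the original answer: one function walks a Microsoft Graph `users/delta` round, follows `@odata.nextLink` pages, applies additions and `@removed` entries to a local store, and returns the `@odata.deltaLink` to persist for the next run. The bearer token (client credentials flow with the `User.Read.All` application permission) and the page contents below are placeholders and constructed sample data.

```python
"""Added example: sync a local user list from a customer tenant with Graph delta queries.
Assumes a client-credentials access token in GRAPH_TOKEN (placeholder)."""
import json
import urllib.request

FIRST_DELTA_URL = "https://graph.microsoft.com/v1.0/users/delta?$select=id,userPrincipalName"


def graph_get(url, token):
    """Fetch one page from Graph with a bearer token; returns parsed JSON."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def apply_delta(store, start_url, get_page):
    """Apply one delta round to store (dict id -> userPrincipalName).

    Follows @odata.nextLink until a page carries @odata.deltaLink, which is
    returned so the caller can persist it and resume from it next time.
    A deleted or disabled user arrives as {"id": ..., "@removed": {...}}."""
    url = start_url
    while True:
        page = get_page(url)
        for item in page.get("value", []):
            if "@removed" in item:
                store.pop(item["id"], None)
            else:
                store[item["id"]] = item.get("userPrincipalName")
        if "@odata.nextLink" in page:
            url = page["@odata.nextLink"]
        else:
            return page["@odata.deltaLink"]


# Constructed pages standing in for Graph responses (invented users and links).
PAGES = {
    "first": {"value": [{"id": "u1", "userPrincipalName": "alice@contoso.example"},
                        {"id": "u2", "userPrincipalName": "bob@contoso.example"}],
              "@odata.nextLink": "second"},
    "second": {"value": [{"id": "u3", "userPrincipalName": "carol@contoso.example"}],
               "@odata.deltaLink": "delta1"},
    "delta1": {"value": [{"id": "u2", "@removed": {"reason": "deleted"}},
                         {"id": "u4", "userPrincipalName": "dave@contoso.example"}],
               "@odata.deltaLink": "delta2"},
}


def run_sample():
    """Initial full sync, then one incremental round from the saved deltaLink."""
    store = {}
    link = apply_delta(store, "first", PAGES.__getitem__)
    link = apply_delta(store, link, PAGES.__getitem__)
    return store, link


if __name__ == "__main__":
    print(run_sample())
```

Against a live tenant, replace `PAGES.__getitem__` with `lambda u: graph_get(u, GRAPH_TOKEN)`; the returned deltaLink is what the WebJob or Function stores between runs.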
In response to Rohit's answer: -
I agree there isn't any Microsoft service as of now that sync changes between two different Azure AD tenants.
Not here to brag or promote but to give a direction, the company where I work has a product which solves exactly this problem and we have few customers who are using it to keep their partner tenants in sync. In case you are looking for a pre-made product feel free to reach out to me.
Otherwise, if you need any help on creating your own, then what Rohit mentioned are quite good steps to follow; if you still need help with that direction, let me know.

Azure DevOps Extension Process on Delete

I'm developing an Azure DevOps extension. When a client downloads the extension, he can register in Azure Hub; then his account is added to my database.
When the client deletes the extension, his account should also be removed from my database.
How can I add a process for an Azure DevOps extension that can be triggered on uninstall / remove extension?
I don't think there is an API for this, but you can see uninstalls here in the Marketplace portal. I guess you could poll this, or figure out the underlying API that's being used. Any integration against these APIs is unsupported.
https://marketplace.visualstudio.com/manage/publishers/{PublisherID}/extensions/{ExtensionID}/hub?_a=uninstall
Also, remember that for troubleshooting purposes people uninstall/reinstall extensions, and they may need to reinstall as part of migration/upgrade scenarios, for which their assumption is likely going to be that no data is lost in the process.
It's probably best to ask for contact details upon registration, monitor usage, and warn that data will be removed after X days of no usage.

Get Azure Dashboard data via api

Scenario:
One team built an application, and the application is running on Azure.
Maintenance is handled by the same team. We don't want to give full access to the production instance to the developer team, but we want to give read permission, like monitoring of logs, CPU usage, etc.
The solution according to me is to build an application which will get dashboard data and log data from Azure via API, and that data will be displayed to the development team.
I am referring to these 2 links:
https://msdn.microsoft.com/en-us/library/azure/dn722415.aspx
https://azure.microsoft.com/en-in/documentation/articles/api-management-get-started/
Question:
Still, I am not able to find an API which will give the dashboard data. If anyone knows an API for the same, please help.
Is there any alternative solution for this scenario?
If you deploy your app using the new Azure Resource Manager mode, it provides Role Based Access Control to your resources. You can deploy your app inside a Resource Group and provide read access to your developers. They will be able to view the information about the services that your app is made of, but without the option to change anything.
This session from Build 2015 can help you to understand what ARM is and what you can do with it: https://channel9.msdn.com/Events/Build/2015/2-659