File-level read permission in Azure DevOps is not working - azure

I have this team project in Azure DevOps (previously known as VSTS):
$\TempProjectA
I have this developer that can log into Azure DevOps and develop code:
username: first_developer#example-company.com
password: *****
I have this group that is called SingleFileReaders, and I've added first_developer#example-company.com to this group.
Then using Visual Studio's Source Control Explorer, I've browsed to $\TeamProjectA\FileToBeShared.java, right clicked on it, using Advanced menu I managed to get to Security pop-up. And there, I allowed the read option.
Now I login as first_developer#example-company.com into Visual Studio, but I don't see that file. In fact, I don't see TeamProjectA. What should I do?

You Should add the developer to the Project Team members, with contributor role.
Follow here, Since the UI is changed there are some difficulties to find the securities/adding user configuration in Azure DevOps
Security
Contributor role to access the Source codes

For anyone who's stuck in this point, the trick is to give View project-level information permission to your role/user first. Using built-in roles is not helpful as they have permissions much more than what I wanted. They give access to all files, at least read-only permission.

Related

How do I sign in to my Azure account from the VSCode Azure Functions extension?

I have been trying to create an Azure Function using the documentation. For example, here:
https://learn.microsoft.com/en-us/learn/modules/develop-azure-functions/5-create-function-visual-studio-code
Every time, and with every Azure account, I can't get past the step where you sign in to your Azure account from the Azure Functions VSCode extension. This is the error I am getting:
"Selected user account does not exist in tenant 'Microsoft Learn Sandbox' and cannot access the application 'aebc6443-996d-45c2-90f0-388ff96faa56' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account."
The Microsoft Learn Sandbox error message is a red herring to me, as I am not trying to do anything with it, only with Azure Functions. The same error appears even with a completely different Azure account.
I have tried looking at several possible solutions, including switching directories (but I only have one directory, so this didn't work), changing settings in Azure AD Connect (but I don't have Azure AD Connect configured, so this didn't work), and I deleted several local .config files and directories on my machine (CentOS 7, btw). If the solution is related to my .config files, I couldn't tell which files I should actually be deleting though.
In my situation, the problem is it was trying to use my "learning" account but I wanted to use my "work" account.
Following the answer here: https://learn.microsoft.com/en-us/answers/questions/696758/how-do-i-sign-in-to-azure-from-vs-code?page=1&orderby=Helpful&comment=answer-697695#newest-answer-comment
Go to the Azure portal and sign out (https://portal.azure.com/) Now
open Visual Studio and Open the Command Palette (Ctrl + Shift + P)
search for Azure: Sign Out and click on it. It will signout you from the Visual Studio extension
Then (this is the important part) it allowed me the option to Clear my Tenant ID.
Then you can sign in again with the new account
Hope this helps someone else!

Is it possible to open azure portal resource link not in the default Directory

For user who has access to multiple directories (see screen shot below)
For azure web app I can generate link like below:
https://ms.portal.azure.com/#resource/{resourceId}/DeploymentSource
If the resource is in my default Directory, I can paste the link to the browser and it will open the right blade.
If I paste a link to a resource that is not in the default directory for the user, then I get the following:
However, If I first got to the root of portal.azure.com and switch directory to the targt webapp, then paste the link to the blade, then it works.
Is this possible to tell azure portal to switch directory based on the resource in question. Btw, this is for code that we are writing that is running outside the azure portal hosting frame (hence the desire to open specific blade for a given web app)
Thanks
This is now possible by adding #directory-domain.com/ after the hash. For example, https://portal.azure.com/#resource/{resourceId}/DeploymentSource under a directory with the stackoverflow.com domain becomes https://portal.azure.com/##stackoverflow.com/resource/{resourceId}/DeploymentSource.
Unfortunately, Azure does not support this at this time.
You could give your feedback to this link, all of the feedback you share in this link will be monitored and reviewed by the Microsoft engineering teams.
Also I have vote this feedback. Your understanding and support will be highly appreciated.

How to add user to VSTS Group visualstudio.com

I need to add a colleague to my development environment (specifically VisualStudioOnline - TFS) and the doc I've read about how to do this shows differently than what I see when I try.
I am the only user of Visual Studio 2012 in my small company. I am using Visual Studio Online for Source Control (as I understand it, this exposes Microsoft Visual Studio Team Foundation Service - Version 15.115.26417.0 as a "service" (i.e. this is the cloud...there is no on-premise TFS installed). Currently, I am using a LOCAL workspace (the default) and TFVC (not GIT).
I added my NewUserA to the Administrators group on the dev server. When click menu item Team to Connect to TFS, I am prompted to sign-in with my "Microsoft" account.
However, when I try to add NewUserA to my TFS, the dialog below seems unable to search for the existence of NewUserA:
It seems to want an "identity" of NewUserA (which suggests an email address too) so it sort of makes sense that this prompt does not look for locally added Windows users.
I am quite confused and would appreciate being helped thru this.
If your VSTS account isn't connected to Azure Active Directory and you're not synchronizing your on-premises AD to AAD, then of course it won't be able to find users from your on-prem domain. If that's the case, you can add users by email address and they'll be prompted to sign up for a Microsoft account (if they don't already have one) using that address. This is different than an organizational account, which is what you'd use if you were connected to Azure AD.

Azure active directory - Unable to delete

I have two additional AD I have created in addition to the one which is associated to the subscription. I want to delete those but my attempt fails with the message "Directory has one or more applications that were added by a user or administrator"
I can see below two common application in both directories, where I don't see a delete button.
Office 365 management apis
Visual Studio Team Services
How can I delete this AD?
Thanks,
Shiju
I ran into the same issue. The only solution I was able to find was to step into PowerShell and get it done. You can find the steps in these two posts:
https://social.msdn.microsoft.com/Forums/en-US/afbfb7b3-92c9-4af6-9128-ba96795de5a6/not-able-to-delete-b2c-tenant
https://social.msdn.microsoft.com/Forums/en-US/e041555c-aa36-4369-bbb9-1f23ae317304/how-to-remove-active-directory-from-windows-azure
The main gist is that you need to have a global admin account which is a direct member of the directory. You can't use your Microsoft/subscription account even though it may have been granted global admin permissions. You then connect using these credentials in PowerShell, find the Service Principals (aka Applications) which exist, and remove them. You can then drop the Admin account for the directory and delete the directory itself.
I also wrote a blog page on how to delete an active directory tenant. I have updated the process to use the new portal and the newer AzureAD PowerShell cmdlets.
https://blog.nicholasrogoff.com/2017/01/20/how-to-delete-an-azure-active-directory-add-tenant/

Azure - Access to non-administrator users

We're using Azure to maintain our development and QA servers.
One of the needs we have now, is to provide our QA members access to update web.config file on the server, which can be achieved via Visual Studio Server's Explorer (with the right configuration).
The problem is that you need a user with a subscription as a co-administrator within Azure (at least as far as I managed to understand), but obviously we'd like to allow our QA members only to maintain the files, with limited access via Visual Studio.
Is there any way to do it?
Following Brendan advice, I've granted the QA members FTP access. This should do the job for now, until Microsoft will come up with something better :)
Thanks Brendan!

Resources