Limiting the number of requests from a valid user in Azure Devops - azure-devops

I have a scenario where a user with a valid Personal Access Token makes thousands of calls to create work items in Azure DevOps. I went through all the documentation but couldn't find anything. One can enable conditional access but that would not cover this. The rate-limits etc are all default and there is no option to control those. Is there a way to control the number of requests a valid user can make?

Is there a way to control the number of requests a valid user can make?
I am afraid there is no such way to do this at this moment.
In my personal opinion, this request is reasonable.
You could add your request for this feature on our UserVoice site (https://developercommunity.visualstudio.com/report?space=21&entry=suggestion), which is our main forum for product suggestions. Thank you for helping us build a better Azure DevOps.

Related

Azure Devops SonarQube Pull Request Decoration

We have successfully integrated SonarQube into our build pipelines on Azure DevOps and have used a developer's account to generate a PAT for pull request decoration. The problem is now that the developer's account is posting comments across all our repos on different Pull Requests. It seems the alternative is to create a whole new user titled 'SonarQube' (or similar) in our Active Directory and generate a new PAT to do this, which seems overkill. Any alternative options would be appreciated.
Creating a separate identity that would belong to SonarQube is the only option. The identity posts the comments using the DevOps API where the PAT is the only identification of the identity.
Using a developer's account for PR decoration not only feels strange when reading the comments, but it is also fragile. When the developer leaves the company, their account will be terminated and suddenly, PR decoration will break and it may not be immediately clear why. Also, the developer could revoke the PAT at any time by mistake. In a larger organization, no single developer will have the right to comment on pull requests everywhere, so multiple developer accounts will be in use, which makes the configuration even more complex and fragile.

GitHub - best practice for authentication when automating organization account workflow

I am tasked to help automate the workflow for a few tasks related to management of our organization account on GitHub. For example, add and remove users from the org, create new repos, add external collaborators, etc. The requests for these actions will come from a system where a user fills in a form, and this system will curl the GitHub API after the request is reviewed and approved.
By reading the GitHub API documentation I can set up the curls for this, but I am unsure about authentication best practices. My first idea would be to create a user account specific for this use case, make it admin for the org, and create an OAuth token with the scopes needed to be allowed to make these requests. However, it feels a bit too hacky to create an individual account for something that is not an individual, and then make it admin of the whole organization.
Is there a better way to approach this?

Use personalised information in a custom google action

I’ve built a google action that talks to my bespoke web Api.
The action's code currently has personal details hard coded into it. I need to make it so that when someone uses it for the first time it asks them for a username, password and URL.
Is there a way to do this? Or maybe there is a way for a user to add those details to their Google account in some way that the action can read them.
Alternatively is there a way to publish an action so only specific users can access it?
In general, asking for a username and password is a bad approach for Actions, for several reasons, and asking for a URL can be quite a mess. Particularly if you're expecting the user to access the Action via voice or a device that doesn't support a keyboard.
The better approach is to use Account Linking to connect their Google Account to an account they have created on your system. If you need additional one-time configuration information, you can have them provide this information for their account via a webapp, store it in a datastore of some sort, and then access it when they contact your webhook via the Action.
There is no way to have the Assistant enforce access to a production Action. You can publish an Alpha release to up to 20 accounts, but this is still treated as a "test" version.

User for automation instead of personal access token

I have a service hook configured to point to a server which receives a request from Azure Devops every time a pull request is made, which then in turn makes a call to the Azure Devops services REST API to create another pull request.
This second part is done using a PAT (Personal Access Token) for the time being generated from my account. This means that all the pull requests created automatically are made under my name, meaning I receive all the emails and notifications related to this automation.
Is there a way I can create a "fake" identity (without adding an actual user which may authenticate) with a different token which can be used for this automation (opening all pull requests under that identity)?
Is there a way I can create a "fake" identity (without adding an actual user which may authenticate) with a different token which can be used for this automation (opening all pull requests under that identity)?
Short answer is no.
Notifications can be set at three levels: organization, project, personal. It is not related to the PAT token.
Based on my experience, Azure DevOps also has no way to know whether a PR was created by automation or manually.
So if you don't want to receive the created PR notification, you could disable it at the personal level.
You could also customize the emails you receive in the project settings to receive the related information. For more information please refer to this Document.

Office 365 room mailboxes CalendarProcessing access via Microsoft Graph

When using rooms and equipment, Exchange (in Office 365, but in other versions as well) uses a number of options to handle requests for those resources in events.
By default, Exchange will for instance strip the subject when creating the event in the room's calendar, and replace it with the organiser name. If you then try to fetch the room's calendar (for a meeting room display, for instance), you'll only have the organiser name instead of the subject of each meeting.
This may be appropriate in some scenarios, but in many others one wants the actual subject to be shown in that calendar.
To achieve that, the only option I know of is to use the Powershell Set-CalendarProcessing cmdlet to change DeleteSubject, AddOrganizerToSubject and more.
In a SaaS environment this is pretty annoying as you need the Office 365 admin to use Powershell to do this operation, which may not be completely straightforward, or you need to ask for the user's login and password and pass them to Powershell, which raises security issues, and will not work in many scenarios (2FA, SAML auth...).
Is there a way to access these settings via Microsoft Graph?
Alternatively, if not available via Microsoft Graph, is there a way to use a Microsoft Graph oAuth token to perform this operation via Linux Powershell? I know it's possible to use oAuth tokens, but despite all my efforts I haven't managed to find a way to perform regular hosted oAuth login and use the token received for this purpose.
Any hints welcome!
Edit
To clarify: I'm in a SaaS scenario where I am the SaaS provider, so I need to allow admins of my customers to change those settings easily or automatically, it's not to access my own room mailboxes (I would use powershell for that).
I don't see anything in the MS Graph Reference that would do what you want. With that said, the barriers you state in your question for using the remote PowerShell API shouldn't be hard to accommodate.
For starters, your IT provider for email should work with you to configure rooms the way that you want/need. If they are willing to delegate this to you, then there are ways to set up Role Based Access Control (https://4sysops.com/archives/create-custom-rbac-roles-in-exchange-and-office-365/) to give you only access to calendar processing.
Likewise, MS has posted instructions and tools to use MFA with Exchange Online Powershell (https://learn.microsoft.com/en-us/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/mfa-connect-to-exchange-online-powershell?view=exchange-ps).
According to your description, I assume you want to get the subject of a meeting room.
There is no reference in the official docs for your case yet; we can post this issue to the Graph support on the User Voice.
The only interface I'm aware of for managing this (beyond the Exchange UI of course) is PowerShell.
This isn't supported by Microsoft Graph or Exchange Web Services. It's worth noting that even if this operation was supported, it would still require an Admin to execute it. Operations of this nature almost always require Admin Consent.
Try using JEA (Just Enough Administration) or PSSessionConfigurations. Create constrained endpoints and give the necessary users/groups access to only the required cmdlets.
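The least-privilege route the answers point at (a custom Exchange RBAC role limited to calendar processing, then the Set-CalendarProcessing change the question describes), as an added example that is not code from the question or any of the answers. It assumes the ExchangeOnlineManagement module and an admin with Role Management rights; the role, role group, delegate and room names are constructed placeholders.

```powershell
# Added example, not from the original thread. Assumes the
# ExchangeOnlineManagement module; all names below are constructed.
Connect-ExchangeOnline   # interactive sign-in, works with MFA

$roleName  = 'Calendar Processing Only'       # constructed custom role
$groupName = 'Room Calendar Admins'           # constructed role group
$delegate  = 'roomadmin@contoso.example'      # constructed delegate account
$room      = 'ConfRoom1@contoso.example'      # constructed room mailbox

# 1. Derive a custom role from a built-in role that already
#    contains Set-CalendarProcessing.
$parent = (Get-ManagementRole -Cmdlet Set-CalendarProcessing |
           Select-Object -First 1).Name
New-ManagementRole -Name $roleName -Parent $parent | Out-Null

# 2. Remove every cmdlet from the new role except the two needed
#    to read and change calendar processing, so the delegate can
#    do nothing else in Exchange.
Get-ManagementRoleEntry "$roleName\*" |
    Where-Object { $_.Name -notin 'Get-CalendarProcessing', 'Set-CalendarProcessing' } |
    ForEach-Object {
        Remove-ManagementRoleEntry -Identity "$roleName\$($_.Name)" -Confirm:$false
    }

# 3. Assign only that role to the delegate through a role group.
New-RoleGroup -Name $groupName -Roles $roleName -Members $delegate | Out-Null

# 4. Keep the real subject on room bookings instead of the organiser name.
Set-CalendarProcessing -Identity $room -DeleteSubject $false -AddOrganizerToSubject $false

# 5. Confirm the room's settings.
Get-CalendarProcessing -Identity $room |
    Select-Object Identity, DeleteSubject, AddOrganizerToSubject
```

Step 2 is what keeps the delegation narrow: the delegate ends up able to run Get-/Set-CalendarProcessing and nothing else, which is the scope the RBAC answer above had in mind.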