What permissions are needed for the Azure DevOps Deployment Group Agent? - azure-devops

I am trying to install the Azure DevOps Deployment Group Agent as described in
Provision agents for deployment groups.
Step 6 includes the following guidance: When prompted for the user account, press Return to accept the defaults.
However, the default configures the agent to run under the NT AUTHORITY\SYSTEM account, and I'm hesitant to give full access to a process that runs commands it obtained over the web. What are the minimum permissions/roles I need to give an agent so it will function properly?

Please follow this doc: Provision agents for deployment groups to accept the defaults configures the agent to run under the NT AUTHORITY\SYSTEM account, it is required for the agent to run without issues.
If you run it under other accounts/roles, it will fail with unexpected errors as reported here: https://developercommunity.visualstudio.com/t/running-azure-devops-agent-as-domain-account-fails/712546 and https://developercommunity.visualstudio.com/t/running-azure-devops-deployment-group-agent-using/1107600, etc.
In addition, there is a suggestion ticket in Developer community about this requirement. You can vote and follow this ticket. You can also create a new suggestion ticket here. The product group will review these tickets regularly, and consider take it as roadmap.

Related

Azure DevOps Server 2022 (on-premise) AAD group members not updating?

We are evaluating Azure DevOps Server 2022, specifically using the Git repositories function. We require an on-premise solution due to some compliance requirements, which is why we aren't using Azure DevOps Services (cloud).
Something I can't wrap my brain around is application of new permissions. We configured some AD security groups and added to the appropriate DevOps groups. We have groups for Collection admins, project admins, build admins, and contributors. Everything looks great until we add a user to one of the groups. It seems the Azure DevOps server doesn't see membership changes until after an unspecified amount of time, sometimes as much as 24 hours.
My question is, why wouldn't group memberships be seen and applied with Azure DevOps immediately, and is there a process to force DevOps to check for and sync/refresh group memberships? Anything I find via a Google search always references Azure AD sync-related configurations, whereas our implementation is strictly on-premise using ADDS, not Azure AD.
Restarting the server and any related services.
TFS/Azure DevOps Server use a background synchronization job, scheduled every hour, to look for changes in Active Directory (or the local machine workgroup if the server is not domain joined). So, changes you make to local or Active Directory groups do not get reflected in TFS/Azure DevOps Server immediately. Instead, TFS/Azure DevOps Server will synchronize those groups regularly (by default every hour).
You can force the job to run using any of these techniques: How to synchronize TFS users with AD.
It could be that you still do not see the user or name listed in the UI even if synchronization is working. The synchronization job does not automatically create a user profile in the database for every user or group in the database, to avoid useless growth in big enterprises.
In such a case, the first time you use a new AD account (user or group), you must refer to it uses DOMAIN\account syntax so that TFS/Azure DevOps Server look up in AD on the fly and insert a profile record in the database for the account.
Further Troubleshooting Mr. Hinsh has a good troubleshooting guide if you still have troubles. It's still applied to Azure DevOps Server.

Update PAT of Self hosted agent

The user from whose PAT a self hosted agent was configured is leaving the organization.
Once the users leaves the org, his account would be deleted from Azure AD and hence his PAT would be expired.
How should one take over the self hosted agent or update the PAT with other users account?
I was unable to see any MSFT docs w.r.t PAT updates.
Is uninstalling and reinstalling the only option in this scenario?
You do not need to update PAT. Check the documentation: https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/v2-windows?view=azure-devops
Inside the install directory of the agent (in my case it was C:\agent), you will find some files including
config.cmd
run.cmd
You can reconfigure your agent without uninstalling by running config.cmd editing the values and then run the agent again with run.cmd. You will be prompted to provide the PAT and also the agent pool. You can change only the values that you need.

How do I properly renew my PATs so that my deployment groups do not stop working due to expiration of the PAT?

When does a Deployment Group stop working due to expiration or regeneration of the Personal Access Token (PAT) that it was configured with?
If I regenerate the PAT, do I need to update the deployed agents, e.g. reconfigure them with the new PAT?
What happens if I just edit the PAT, update the Expiration date, but don't do anything else, e.g. do not regenerate the PAT or do any changes at the configured deployment agent? Will it stop it from expiring and the configured deployment agent still work?
We have Azure DevOps pipeline, along with a deployment group configured to install the solution to one server.
We have a service account, which we use have generated a PAT and used that token to configure the Deployment Group.
I have tried to regenerate the token, which gave me a new PAT. I have not tried to configure the server with the new PAT. However, deployments still seem to work just fine hours from regenerating the PAT.
What is the proper way to update the PAT so that it does not expire and my deployment agents do not stop working?
From the official Microsoft docs:
To register an agent, you need to be a member of the administrator
role in the agent pool. The identity of agent pool administrator is
needed only at the time of registration and is not persisted on the
agent, and is not used in any subsequent communication between the
agent and Azure Pipelines or TFS. In addition, you must be a local
administrator on the server in order to configure the agent.
Your
agent can authenticate to Azure Pipelines or TFS using one of the
following methods: Personal Access Token (PAT): Generate and use a PAT
to connect an agent with Azure Pipelines or TFS 2017 and newer. PAT is
the only scheme that works with Azure Pipelines. Also, as explained
above, this PAT is used only at the time of registering the agent, and
not for subsequent communication.
So, if you remove or re-generate the PAT the agents will keep working without any issues.
You can do two things:
You can Edit token and change expiration date, this is the easiest way
You can Regenerate token, this will create new token, and you will have to:
2.1. Write down your agent user capabilites, name, service user account etc.! Because once you remove the configuration this information will be lost
2.2 Remove agent's configuration (in agent's folder), run ".\config.cmd remove"
2.3 Configure agent with new PAT (in agent's folder), run ".\config.cmd"

Is there any way to remove VSTS agent without PAT?

I'm trying to remove a VSTS agent from a system, but I no longer possess the Personal Access Token (PAT) originally used during setup. An answer on this thread states that I can just delete the agent from the VSTS web UI, but I don't see that option besides nuking the entire agent pool (which is not a great option for us).
When I try to run config.cmd remove, these are my results:
PS C:\agent> .\config.cmd remove
Removing agent from the server
Enter authentication type (press enter for PAT) >
Enter personal access token >
Enter personal access token > Exiting...
First, it’s better to remove VSTS agent through config.cmd remove command and the PAT is required, you don’t need to use original PAT, you can apply a new PAT with Agent Pools (read, manage) scope and use it to remove agent.
Secondly, without PAT:
Deleting agent from server:
Deleting agent service in local system through sc command if it is running as service: sc delete [service name].
After that, you can delete the agent files.
Dears, I've another use case; I've been using Azure DevOps on-prem server.
I deleted the agent from the devops server 'Website,' However this's wont help me out when I tried to reinstall the agent it tells me:
Cannot configure the agent because it is already configured. To
reconfigure the agent, run 'config.cmd remove' or './config.sh remove'
first.
However, I've solve it when typing the below:
resolved

VSTS Deployment to a deployment group from a UNC share

I am using visualstudio.com Teams Services to build and deploy an ASP.NET website to two Azure VMs.
I have a build which on completion triggers a release to my two servers in a deployment group. When you configure a Deployment Group for Visual Studio Team Services you create an agent that by default runs as NT AUTHORITY\SYSTEM.
If I publish my build artifacts to Azure (the server option) then everything works fine and deployment succeeds to both my VMS. However when using a file-drop I get the following error:
The artifact directory does not exist:
\\MACHINE1\drop\RRStore\20170517.20. It can happen if the password of
the account NT AUTHORITY\SYSTEM is changed recently and is not updated
for the agent.
This is basically saying MACHINE2 cannot access \\MACHINE1\drop due to permissions. In windows I can bring up this folder just fine, but since the agent is running as NT AUTHORITY\SYSTEM it cannot access it.
I want to use a filedrop because my website is about 250MB (although in the meantime I am using the 'publish to server' option and deploying via team services.)
I am unclear how to give permissions to the file drop though as the agent is running as SYSTEM. I am running as a WORKGROUP and giving permissions to 'Everyone' does not seem to work.
What is the correct way to configure access to a VSTS drop folder so that the deployment agent can access it?
Few possible options:
Set up a domain (I tried doing this but then I need a new network interface and it sounds klunky)
Continue using teamservices to deploy the artifacts (or reduce the website size!)
Save to a storage account, but again I'm not sure how to configure that.
Run as a different user account
I have similar problems when deploying with VSTS. Instead I chose to:
Run VSTS agent on the deployment group VM as a local user with limited access.
Impersonate the account on the deployment group VM to test its access to the drop folder.
Save/cache a different credential to access the drop folder if applicable.
(So the sensitive information stays on the VM.)
The cached credentials can be a different local user account created on the drop server just for this purpose.
Grant the local user access to various parts of the file system explicitly to limit access permission of this VSTS agent service runner account.
This should work in most cases. In fact, this same way is used in my VSTS, Jenkins and TFS instances. This should prevent you from setting up a domain to solve this problem.
This may not be the best practice, but at least it should get you started in the right direction.