Setting Azure DevOps policies programmatically

posted on 2019-09-19

Azure DevOps has branch policies you probably want to set, but there is no way to set a default for new policies yet. As soon as you have a larger set of repositories, rolling out new policies becomes boring.

The azure-cli is here to help. First start a Docker container if you have not installed the tool locally:

docker run -it microsoft/azure-cli

Log in with the tool:

az login

The output will direct you to log in and match the device code.

Now we need the devops extension to work with repos and policies, so first install the extension:

az extension add --name azure-devops

After that, all the extension commands will become available.

By setting the project and the organization as defaults, we don't have to repeat them:

az devops configure --defaults organization=
az devops configure --defaults project=my_project

We should be able to get a list of all the repositories in the project:

az repos list

Each repository has a UUID which you need for most changes, so let's extract those:

az repos list --query "[].[name,id]"

The query part of the above command is a JMESPath expression selecting two attributes (name and id). The quotes keep the shell from treating the brackets as a glob pattern. For most things, we want to apply a command per repository id, so I choose to use xargs for that. To get a list of only repository ids without JSON formatting, we use:

az repos list --query "[].id" --output tsv

You can write the list to a file, edit that file and then load it. But because it's a good default, let's set a "review comments have to be resolved" policy on all repositories for the master branch:

az repos list --query "[].id" --output tsv | xargs -n1 az repos policy comment-required create --blocking true --branch master --enabled true --repository-id

If the policy is already set, you will get an error message saying "The update is rejected by policy.", but as we just want a policy to be there in the first place, we can safely ignore these errors.

We can do the same for requiring at least 1 reviewer to approve the PR:

az repos list --query "[].id" --output tsv | xargs -n1 az repos policy approver-count create --blocking true --branch master --creator-vote-counts false --enabled true --minimum-approver-count 1 --reset-on-source-push false --allow-downvotes false --repository-id

Same trick. Make sure you always experiment on a single repository before applying it to all repositories, but you should be able to use the above code to apply a policy across all the repositories your project contains.
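
Ignoring the "already set" error also hides real failures such as an expired login or missing permissions, so the script below checks for the policy first and only creates it where it is missing. It is an added example, not part of the original post; the function names, the DRY_RUN, BRANCH and POLICY_NAME variables, and the display name "Comment requirements" are assumptions.

```shell
#!/bin/sh
# Added example: idempotent rollout of the comment-required policy.
# Assumption: the policy's type.displayName is "Comment requirements";
# confirm it with `az repos policy list` on one repository first.
POLICY_NAME="${POLICY_NAME:-Comment requirements}"
BRANCH="${BRANCH:-master}"
DRY_RUN="${DRY_RUN:-1}"   # dry run by default; set DRY_RUN=0 to create

# Exit 0 if the repository already has the policy on $BRANCH, 1 if not.
# A failing az call (expired login, no permission) gives 2, so it is
# never mistaken for "policy missing".
has_policy() {
    names=$(az repos policy list --repository-id "$1" --branch "$BRANCH" \
        --query "[].type.displayName" --output tsv </dev/null) || return 2
    printf '%s\n' "$names" | grep -Fxq "$POLICY_NAME"
}

# Prints one status line: present, would-create, created or error.
ensure_policy() {
    has_policy "$1" && rc=0 || rc=$?
    case $rc in
        0) echo "present $1" ;;
        1) if [ "$DRY_RUN" = 1 ]; then
               echo "would-create $1"
           elif az repos policy comment-required create --blocking true \
                   --branch "$BRANCH" --enabled true \
                   --repository-id "$1" </dev/null >/dev/null; then
               echo "created $1"
           else
               echo "error $1"; return 1
           fi ;;
        *) echo "error $1"; return 1 ;;
    esac
}

# Reads repository ids from stdin, one per line; non-zero if any failed.
apply_all() {
    failed=0
    while IFS= read -r repo_id; do
        [ -n "$repo_id" ] || continue
        ensure_policy "$repo_id" || failed=1
    done
    return "$failed"
}

# Usage: az repos list --query "[].id" --output tsv | apply_all
```

Run it once with the default DRY_RUN=1 and review the would-create lines before rerunning with DRY_RUN=0.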

Other useful commands

  • Checking policies on a repository:

     az repos policy list --repository-id repo-uuid --branch master --query "[].type"

  • Getting a list of all repository ids, then checking their policies for the master branch:

     az repos list --query "[].id" --output tsv > allrepos.txt
     cat allrepos.txt | xargs -n1 az repos policy list --branch master --query "[].type.displayName" --repository-id

  • Installing vim in the Alpine Docker container:

     apk update
     apk add vim