I came across a strange issue today while trying to automate working with groups in Azure DevOps. I needed to get their security descriptor to add some members and permissions. Three of the four groups could be resolved fine, but for some reason I couldn’t find the fourth. I could see it in the portal, but the az CLI couldn’t return it. When I looked in the portal, the groups were the same apart from their names.
$groupName = "[test-project]\frontEnd Devs"
az.cmd devops security group list `
--org "https://dev.azure.com/cgfootman/" `
--scope organization `
--subject-types vssgp `
--query "graphGroups[?@.principalName == '$groupName'].descriptor | [0]"
Initially I thought it might be that I was trying to select the security descriptor, so I tried the command without specifically selecting the property. Again it could only find 3 out of the 4 groups.
$groupName = "[test-project]\frontEnd Devs"
az.cmd devops security group list `
--org "https://dev.azure.com/cgfootman/" `
--scope organization `
--subject-types vssgp `
--query "graphGroups[?@.principalName == '$groupName']"
I read the docs and they talked about the --project or -p switch that allowed you to scope your command to the specific project you were dealing with. This seemed like a sensible thing to do anyway, so I added it.
$groupName = "[test-project]\frontEnd Devs"
$projectName = "timeApplication"
az.cmd devops security group list `
--org "https://dev.azure.com/cgfootman/" `
--scope organization `
--subject-types vssgp `
--project $projectName `
--query "graphGroups[?@.principalName == '$groupName']"
When I ran the command, it brought back the 4th group. This must be a bug of some description, but I still couldn’t see what was different with my 4th group to make it unsearchable. Very odd.
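An added example, not code from the original post: a lookup helper for permission automation that uses the project-scoped call that worked above, follows the continuation token that `az devops security group list` returns when results are paged, and throws when the group is not found instead of handing back an empty descriptor. The function and parameter names are hypothetical, and whether paging is what hid the fourth group is an assumption; the post does not establish the cause.

```powershell
# Added example, not from the original post. Function/parameter names are hypothetical.
function Get-AdoGroupDescriptor {
    param(
        [Parameter(Mandatory)] [string] $Organization,   # organization URL
        [Parameter(Mandatory)] [string] $Project,        # project to scope the listing to
        [Parameter(Mandatory)] [string] $PrincipalName   # e.g. '[project]\group name'
    )

    $found = @()
    $token = $null
    do {
        $azArgs = @(
            'devops', 'security', 'group', 'list',
            '--org', $Organization,
            '--scope', 'organization',
            '--subject-types', 'vssgp',
            '--project', $Project,
            '--output', 'json'
        )
        if ($token) { $azArgs += @('--continuation-token', $token) }

        $raw = az @azArgs
        if ($LASTEXITCODE -ne 0) {
            throw "az devops security group list failed (exit code $LASTEXITCODE)"
        }
        $page = ($raw | Out-String) | ConvertFrom-Json

        # Filter here rather than in --query, so the group name is compared as data
        # and never spliced into a JMESPath expression. -eq is case-insensitive.
        $found += @($page.graphGroups | Where-Object { $_.principalName -eq $PrincipalName })

        # Assumption: continuationToken is null or empty on the last page and may be
        # serialized either as a string or as a one-element array.
        $token = $page.continuationToken | Where-Object { $_ } | Select-Object -First 1
    } while ($token)

    # A missing or ambiguous group must stop the run before any membership or
    # permission change is attempted with a wrong or empty descriptor.
    if ($found.Count -ne 1) {
        throw "Expected exactly one group named '$PrincipalName', found $($found.Count)"
    }
    return $found[0].descriptor
}

# Usage, with the values from the post:
# Get-AdoGroupDescriptor -Organization 'https://dev.azure.com/cgfootman/' `
#     -Project 'timeApplication' -PrincipalName '[test-project]\frontEnd Devs'
```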