Azure DevOps ServiceConnection Roles Rest API

Question

How can I modify Azure DevOps ServiceConnection Roles using the REST API?

This is the corresponding UI

I want to add a team within the 'User' role.

I have been looking at

is this the right direction?

Levi Lu-MSFT Levi Lu-MSFT · Accepted Answer · 2019-12-11T11:32:02

You can use below api to update security for service connection.

Put https://dev.azure.com/<Org>/_apis/securityroles/scopes/distributedtask.serviceendpointrole/roleassignments/resources/<resourcesId>?api-version=5.1-preview.1"

The API is not documented. But you can find it when you F12 your browser.

You can get the resourceId from the request url in F12 page.

And also from the URL of the Service Connection UI page url and also

Below is example in powershell scripts:

$url="https://dev.azure.com/<org>/_apis/securityroles/scopes/distributedtask.serviceendpointrole/roleassignments/resources/......c5_d69e94f6-9c07-4341-bd6f-8b28e05d4b08?api-version=5.1-preview.1"

$connectionToken ="Personal Access token"

$base64AuthInfo= [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes(":$($connectionToken)"))

$body ='[{"roleName":"User","userId":"....a313-31d7848bcdcc"}]'

Invoke-RestMethod -Uri $url -Headers @{Authorization=("Basic {0}" -f $base64AuthInfo)} -Method put  -ContentType "application/json" -Body $body

Above script with assign the user to User role permission for the service connection.

You can get the user id from the request body in F12 page. But you may still need to use below rest api to get the user id

GET https://vssps.dev.azure.com/{organization}/_apis/graph/users/{userDescriptor}?api-version=5.1-preview.1

You can get the userDescriptor from the URL in UI page of the Permission page for each user.

Azure DevOps ServiceConnection Roles Rest API

2 Answers