I would like to remove the DELETE (Delete Project) permission from the Project Administrator role for each project in Azure DevOps. Here are the CLI commands that I am running. Everything goes without errors. However, when you go back and check on the web, the permissions are untouched. Any ideas?
$org = "myOrg"
$orgUrl = "https://dev.azure.com/$org"
$projName = "myProject"
$group = "Project Administrators"
$projId = az devops project list --org "$orgURl" -o json --query "value[[email protected] == '$projName'].id | [0]"
$projToken = '$PROJECT:vstfs///Classification/TeamProject/'+$projId
$projToken = $projToken -Replace '"', ""
$subject = az devops security group list --org "$orgUrl" --scope organization -o json --subject-types vssgp --query "graphGroups[[email protected] == '[$projName]\$group'].descriptor | [0]"
$namespaceId = az devops security permission namespace list -o json --org "$orgUrl" --query "[[email protected] == 'Project'].namespaceId | [0]"
$bit = az devops security permission namespace show -o json --namespace-id $namespaceId --org "$orgUrl" --query "[0].actions[[email protected] == 'DELETE'].bit | [0]"
az devops security permission update --id $namespaceId --subject $subject --token $projToken --deny-bit $bit --org "$orgUrl" --merge true
Output is: PS Screenshot
Any idea what I am doing wrong?
Thanks in advance, Jake
