Open simondel opened 5 years ago
I was able to get the HTTP PATCH to work to change the policies. Is there a GET to list the policies and the values?
@natebunton: There is one, but that is a really internal one
POST https://vsaex.dev.azure.com/devsdb/_apis/Contribution/dataProviders/query
In the post you have to include the bearer token and then you get something like this back
{
  "data": {
    "ms.vss-org-web.collection-admin-policy-data-provider": {
      "policies": {
        "applicationConnection": [{
          "policy": {
            "name": "Policy.DisallowBasicAuthentication",
            "value": false,
            "effectiveValue": true,
            "isValueUndefined": true,
            "parentPolicy": {
              "name": "Policy.DisallowBasicAuthentication",
              "value": false,
              "effectiveValue": true,
              "isValueUndefined": true
            }
          },
          "learnMoreLink": "https://aka.ms/vstspolicyaltauth",
          "description": "Alternate authentication credentials",
          "applicableServiceHost": 1
        }, {
          "policy": {
            "name": "Policy.DisallowOAuthAuthentication",
            "value": false,
            "effectiveValue": true,
            "isValueUndefined": true,
            "parentPolicy": {
              "name": "Policy.DisallowOAuthAuthentication",
              "value": false,
              "effectiveValue": true,
              "isValueUndefined": true
            }
          },
          "learnMoreLink": "https://aka.ms/vstspolicyoauth",
          "description": "Third-party application access via OAuth",
          "applicableServiceHost": 1
        }, {
          "policy": {
            "name": "Policy.DisallowSecureShell",
            "value": true,
            "effectiveValue": false,
            "parentPolicy": {
              "name": "Policy.DisallowSecureShell",
              "value": false,
              "effectiveValue": true,
              "isValueUndefined": true
            }
          },
          "learnMoreLink": "https://aka.ms/vstspolicyssh",
          "description": "SSH authentication",
          "applicableServiceHost": 1
        }],
        "security": [{
          "policy": {
            "name": "Policy.AllowAnonymousAccess",
            "value": false,
            "effectiveValue": false,
            "isValueUndefined": true,
            "parentPolicy": {
              "name": "Policy.AllowAnonymousAccess",
              "value": false,
              "effectiveValue": false,
              "isValueUndefined": true
            }
          },
          "learnMoreLink": "https://aka.ms/vsts-anon-access",
          "description": "Allow public projects",
          "applicableServiceHost": 3
        }, {
          "policy": {
            "name": "Policy.EnforceAADConditionalAccess",
            "value": false,
            "effectiveValue": false,
            "isValueUndefined": true,
            "parentPolicy": {
              "name": "Policy.EnforceAADConditionalAccess",
              "value": false,
              "effectiveValue": false,
              "isValueUndefined": true
            }
          },
          "learnMoreLink": "https://aka.ms/visual-studio-conditional-access-policy",
          "description": "Enable Azure Active Directory Conditional Access Policy Validation",
          "applicableServiceHost": 3
        }],
        "user": [{
          "policy": {
            "name": "Policy.DisallowAadGuestUserAccess",
            "value": false,
            "effectiveValue": true,
            "parentPolicy": {
              "name": "Policy.DisallowAadGuestUserAccess",
              "value": true,
              "effectiveValue": false
            }
          },
          "learnMoreLink": "https://aka.ms/vstspolicyguest",
          "description": "External guest access",
          "applicableServiceHost": 3
        }]
      },
      "permissionBits": 16,
      "invertedPolicies": ["Policy.DisallowBasicAuthentication", "Policy.DisallowOAuthAuthentication", "Policy.DisallowAadGuestUserAccess", "Policy.DisallowSecureShell"]
    }
  },
  "sharedData": {},
  "resolvedProviders": [{
    "id": "ms.vss-org-web.collection-admin-policy-data-provider"
  }],
  "exceptions": null,
  "clientProviders": null,
  "scopeName": null,
  "scopeValue": null
}
@SebastianSchuetze what does your POST body look like?
There was nothing in the body. But I caught this from the network traffic in the browser logs when I browsed the particular page.
@SebastianSchuetze when I make a POST with an empty body (using the Postman tool), I receive the following response:
{ "$id": "1", "innerException": null, "message": "Value cannot be null.\r\nParameter name: query.contributionIds", "typeName": "System.ArgumentNullException, mscorlib", "typeKey": "ArgumentNullException", "errorCode": 0, "eventId": 0 }
After looking at the network traffic from the UI using chrome tools, I looked at the request/response body for the query.
I was able to get a successful response when I used this in the body of the POST.
{ "contributionIds": [ "ms.vss-org-web.collection-admin-policy-data-provider" ] }
Thanks for posting. I haven't tried a POST myself but was rather observing the network logs.
@SebastianSchuetze I also used Basic authentication using a Personal Access Token (PAT). I used this code example to create the header that I used in my Postman requests.
Using this REST API is a hack, but it keeps us moving forward until it's actually supported through the standard REST APIs.
@SebastianSchuetze A few more policies have been added to the Organization Policies, but are not in the API in the thread above.
Log Audit Events (Policy.LogAuditEvents)
Allow team and project administrators to invite users (Policy.AllowTeamAdminsInvitationsAccessToken)
They are settable with the following APIs:
_apis/OrganizationPolicy/Policies/Policy.LogAuditEvents
_apis/OrganizationPolicy/Policies/Policy.AllowTeamAdminsInvitationsAccessToken
The settings are able to be retrieved with the following GET API, but it would be preferred if they all came from the same API.
https://dev.azure.com/{ORG_NAME}/_settings/organizationPolicy?__rt=fps&__ver=2
Any ideas on how to pull these org policies from the API (_apis/Contribution/dataProviders/query)?
No. I haven't checked it, no time. Sorry. But you may be able to find out by using the browser dev tools.
Right now getting or changing account policies is not documented. I'm referring to the API behind this screen (or https://dev.azure.com/{organisation}/_settings/policy):
It is possible to change a policy by doing a PATCH request to https://dev.azure.com/{organisation}/_apis/OrganizationPolicy/Policies/{policyname}?api-version=5.1-preview.1
The data to send is:
Where the value "false" can also be replaced with "true".
The mapping of currently available policies is:
So for example, to set the "Allow public projects" to "Off" you would have to do a PATCH request to https://dev.azure.com/{organisation}/_apis/OrganizationPolicy/Policies/Policy.AllowAnonymousAccess?api-version=5.1-preview.1 with the value "false".
Keep in mind that most policy values should be reversed because the policy name contains the word Disallow. To set "External guest access" to "Off", the value you send should be "true" because you want to disallow external guest access.
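For auditing an organisation's authentication policies, the sketch below (an added example, not code from this thread or from Microsoft) builds the `dataProviders/query` request described in the comments and turns the quoted response format into On/Off rows, applying the Disallow inversion noted in the issue text. The names `build_query`, `audit` and `SAMPLE` are hypothetical, and the rule that the toggle is the negation of `value` for names in `invertedPolicies` is an assumption read off the sample response, which the `matches_effective` column checks per row.

```python
import base64
import json

PROVIDER = "ms.vss-org-web.collection-admin-policy-data-provider"

# Constructed sample: three entries trimmed from the response quoted in the thread.
SAMPLE = {"data": {PROVIDER: {
    "policies": {
        "applicationConnection": [
            {"policy": {"name": "Policy.DisallowBasicAuthentication",
                        "value": False, "effectiveValue": True},
             "description": "Alternate authentication credentials"},
            {"policy": {"name": "Policy.DisallowSecureShell",
                        "value": True, "effectiveValue": False},
             "description": "SSH authentication"}],
        "security": [
            {"policy": {"name": "Policy.AllowAnonymousAccess",
                        "value": False, "effectiveValue": False},
             "description": "Allow public projects"}]},
    "invertedPolicies": ["Policy.DisallowBasicAuthentication",
                         "Policy.DisallowSecureShell"]}}}

def build_query(pat):
    """Headers and JSON body for the dataProviders/query POST from the thread."""
    # A PAT goes in HTTP Basic as the password, with an empty user name.
    token = base64.b64encode(f":{pat}".encode()).decode()
    headers = {"Authorization": f"Basic {token}",
               "Content-Type": "application/json"}
    return headers, json.dumps({"contributionIds": [PROVIDER]})

def audit(response):
    """Return one row per policy with the On/Off state of its settings toggle."""
    data = response["data"][PROVIDER]
    inverted = set(data.get("invertedPolicies", []))
    rows = []
    for group, entries in data["policies"].items():
        for entry in entries:
            pol = entry["policy"]
            # Assumption read off the sample: for names in invertedPolicies
            # the toggle is the negation of the stored "value".
            on = (not pol["value"]) if pol["name"] in inverted else pol["value"]
            rows.append({"group": group, "name": pol["name"],
                         "description": entry["description"],
                         "toggle": "On" if on else "Off",
                         # False means the assumption does not hold for this row
                         "matches_effective": on == pol["effectiveValue"]})
    return rows

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(f'{row["toggle"]:3} {row["description"]} ({row["name"]})')
```

Because the endpoint is undocumented, treat a row with `matches_effective` set to false, or a missing key, as a sign that the response format has changed and the audit output should not be trusted.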