DevOps Frequently Asked Questions
Q1: How do I get access to Azure DevOps?
Access to Azure DevOps is maintained by your Project Administrator. See DevOps Support Overview for instructions on how to connect with the administrator group for your project.
Each user requires some sort of entitlement in Azure DevOps. As described in the Authorization document,in the Migration Workflow document and in the Training and Access document you will need to be added to a DL to handle the entitlement and a DL to specify which team(s) you should have access to. Note this is at least 2 DLs that a person must be a member of to gain contributor access to MDTProductDevelopment.
Another important thing to remember about the use of DLs in Azure DevOps is that nested DLs will not work. This has been an issue / enhancement in Microsoft's backlog since 2016 as you can see at this link.
Another common issue that occurs is when folks have been placed in one of the MSDN (aka VSS) DLs and their identity is not the same as their Medtronic identity (e.g. Bob Smith vs Robert Smith or if their identity comes from their contracting house rather than Medtronic AAD), Azure DevOps cannot find their subscription and will make their access level stakeholder (i.e. read only).
Note: You should be part of only one of the below Entitlement DLs, based on your use case as described in below table to save cost.
Entitlement / Org DL Explanation
| DL Name | Description | Default Permissions |
|---|---|---|
| DL MDTProductDevelopment MSDN | MDT Employees only Microsoft account identity comes from Visual Studio Subscription Seat cost is included in Subscription cost (approximately $2500 / year as of June 2021) |
Member of Contributors for Shared project Member of Readers group for all other projects |
| DL MDTProductDevelopment Contractor MSDN | MDT Contractors only Must set up an alternate Identity in VSS Seat cost is included in Subscription cost |
Member of Contributors for Shared project Member of Readers group for all other projects |
| DL MDTProductDevelopment Basic | Users who do not have a VSS and do not need access to test plans should be added to this group Microsoft account identity comes from Medtronic's Azure Active Directory (AAD) Note that the identity has to be in the form of [userid]@medtronic.com Seat cost is $6 / month |
Member of Contributors for Shared project Member of Readers group for all other projects |
| DL MDTProductDevelopment Basic - Test | Provides users access to Test Plans in addition to the other functionality available in Azure DevOps Seat cost is $52 / month |
Member of Contributors for Shared project Member of Readers group for all other projects |
| DL MDTProductDevelopment Stakeholder | Stakeholders can add to the discussion on work items and view information in Azure DevOps but they cannot view Wikis that are published via a repo nor can they modify any code or work items Seat cost is free |
Member of Readers group for all projects |
Team / Functional Area DL Explanation
| DL Type | Description |
|---|---|
| Team DL | Member of Project Contributors group for the project team Member of Readers group for all other project teams (via the org DL, as described above) Read / write access to project backlogs, repos, etc Restricted access for creating (repos, new paths, etc) |
| Team Admin DL | Member of the Project Administrators group for the project team In addition to all the things that are true for contributors, admins can create repos, service connections, new paths |
| Functional Area DL | Member of Project Contributors group for all projects in MDTProductDevelopment org Read/write access to project backlogs, repos, etc Restricted access for creating (repos, new paths, etc) |
If a user is in multiple groups, any settings that are denied in any of the group settings will be applied. In the case when a setting is set to allow in one group and 'not set' in another group the user belongs to, the allow permission will be applied. This should be avoided but is included here for the curious reader.
To check if you have an existing Visual studio Subscription license or not, click here.
Q2: How do I get a new Repo for my team?
Project administrators can create repos within their project. See DevOps Support Overview for instructions on how to connect with the administrator group for your project.
Remember to follow the naming convention described in the Repos document.
Other important permissions and restrictions to note are that the repo will be initialized with a main branch and readme file; project administrators can create the develop branch; project contributors can only create branches beginning with feature/* and are able to contribute to develop and main branches via Pull Requests (PRs).
Q3: How do I get SonarQube setup on my Repo for code analysis?
SonarQube (on-premise equivalent of SonarCloud) provides static code analysis for your repos by configuring your pipeline to send the build data to SonarQube. During this configuration you must supply your repo's unique SonarQube "project key". See this helpful Pluralsight module for an example on how to do this. Please submit a service request assigned to the Energizers team to request a new SonarQube project key for your repo.
Q4: How do we manage artifacts in Azure DevOps?
This wiki page describes how artifacts are used in Azure DevOps.
Q5: How do I setup my repo to generate an automated SOUP report?
Our SOUP dependency reporting can be added to any repo, with instructions found here. To generate you report you can run a pipeline which will export SOUP dependencies to a CSV file, see our documentation to learn how to run the pipeline.
Q6: Am I able to customize my work items metadata or the process definition used in my project?
For all customizations, we need to consider the scope of applicability as well as maintainability and reporting needs. The overall direction is to keep as much the same as possible. Currently, only out-of-the-box AZDO configurations are being allowed. You can submit a service request for a request to be evaluated.
Q7: How can I get a new AZDO extension enabled in my project?
Extensions are enabled at the organization. This means that we need to consider the experience of all projects and teams when an extension is considered. Reference this guidance for when and how to request a new extension be enabled.
Q7: How can I create Microsoft Entra ID(Azure AD) application?
Use https://dev.azure.com/MDTProductDevelopment/mlife-platform/_git/mlife-terraform-azuread-app-registrations as a self service tool to create Azure AD application. These app registrations do not currently allow any delegated Azure Graph/Azure AD acces, if you need an app registration with access to modify directory objects, you would need to work with our corporate IAM team to enable that capability.
Q8: How to connect/Authenticate an Azure DevOps pipeline to artifacts?
You will need the task MavenAuthenticate@0 to provide credentials for Azure Artifacts feeds and external Maven repositories.
Example -
# Maven Authenticate v0
# Provides credentials for Azure Artifacts feeds and external maven repositories.
- task: MavenAuthenticate@0
inputs:
#artifactsFeeds: # string. Feeds.
#mavenServiceConnections: # string. Credentials for repositories outside this organization/collection.
Q9: Unable to upload/download Artifacts to/from the Artifacts feed?
If you try to upload or download a package to the Artifacts feed and you get this error from the Azure CLI:
Certificate verification failed. This typically happens when using Azure CLI behind a proxy that intercepts traffic with a self-signed certificate. Please add this certificate to the trusted CA bundle. More info: https://docs.microsoft.com/cli/azure/use-cli-effectively#work-behind-a-proxy
Try adding the ZScalar certificate from your computer’s certificate to the cacert.pem file.