Reputation: 13745
Azure DevOps and Teams - one Group group to control membership to both
I have been trawling the internet and clicking myself blue in the face! Hopefully someone has a definitive answer.
I want to have one Group (in either of Azure AD, Microsoft Teams or Azure DevOps). This group must have access to a DevOps project and a Team site. When I change the membership of the group, the membership must change for both the Team and the DevOps project. I want to avoid the overhead of managing the groups for both separately.
Is this at all possible? Thanks.
Upvotes: 0
Views: 229
Answers (1)
Reputation: 3581
This is a really good question, and the answer is not obvious at all. Ironically we had the same exact problem in Microsoft Teams - when a user was added or deleted from the underlying Office 365 Group (which is mastered in Azure AD), it would take up to an hour, sometimes more, to be reflected in Teams, which has its own copy of the member list.
There is a way to do it, and it's how Teams does it: it relies on a relatively new feature in Microsoft Graph called subscriptions. You can find the documentation for it here: https://learn.microsoft.com/en-us/graph/api/resources/subscription?view=graph-rest-1.0.
Essentially what you want to do is create a subscription to the group: POST https://graph.microsoft.com/v1.0/subscriptions with the right message body and your endpoint will be called whenever there's a membership change in the group. Your endpoint won't know what changed, just the event and some IDs - you will likely have to make a separate call to retrieve the actual data (unless the IDs alone are sufficient).
There's a sample on GitHub that illustrates how to use Microsoft Graph subscriptions including more details on how to subscribe to group notifications specifically.
One thing to be aware of is that to use these APIs, your application will require fairly elevated permissions: Group.Read.All which means it has the ability to read not only the team/group members, but all of its messages too (among other things), for every group in your Office 365 tenant. We are working with the MS Graph team to support a less-privileged, per-group permission approach, but even after that's released for Teams Graph APIs, support for that will have to be added to the subscriptions APIs I just mentioned and that may not happen for a while.
Upvotes: 1
Related Questions
- Azure DevOps integration with Private Channels of Microsoft Teams
- Azure Devops Boards- Different Teams with same backlog possible?
- Restrict Azure DevOps Boards permissions by Team
- Will Azure DevOps Team admins have the access to create permission group for the team and add/delete members from it?
- Working with Multiple Projects and a Single Team
- Azure DevOps server how to make certain group available for all projects
- Azure DevOps group assignment to projects management
- Teams from different project in Azure DevOps
- How can I share membership between Azure Devops and Microsoft Teams?
- Shared Deployment Groups across team projects in VSTS