Get Members of a Group in Azure DevOps Server 2022

Question

I need to know the way to get the users of a specific group through the REST API of Azure DevOps Server 2022, that is, on-premise. We are going to use as an example url 192.168.0.1 and the DefaultCollection as practice purposes. I have searched the documentation but when I try to apply them in my case they don't work for me, I get a 404 Not Found.

For now I am doing:

http://192.168.0.1:8080/tfs/_apis/groupentitlements?api-version=6.0-preview.1 http://192.168.0.1:8080/tfs/DefaultCollection/_apis/groupentitlements?api-version=6.0-preview.1

Neither seems to work. They throw 404.

I don't know if it has something to do with it, but I was reading on this website that a "vsaex" prefix is used for groupentitlements, "vssps" for graph and "status" for status, so I tried the following: http://vsaex.192.168.0.1:8080/tfs/_apis/groupentitlements?api-version=6.0-preview.1 http://vsaex.192.168.0.1:8080/tfs/DefaultCollection/_apis/groupentitlements?api-version=6.0-preview.1

Again, neither seems to work.

Also I tried differents api-versions, or without using any of them. I don't have any trouble using other parts of the REST API, e.g.: I can get Projects of a collection, Teams by Project, etc. and they work fine.

Answer 1

I had no success with

http://{server:port}/tfs/{collection}/_api/_identity/ReadGroupMembers...

So I had to resolve to using

http://{server:port}/tfs/{collection}/_api/identies?identityIds...

instead.

$Server = 'server:port'
$Org = 'tfs'
$REST = "https://$Server/$Org/_apis"
$ProjectName = '[Project Name]\' #If empty, all projects will be included
$GroupName = 'Group Name'

[Array]$Groups = Invoke-RestMethod (
  "$REST/identities?searchFilter=General" +
  "&filterValue=$ProjectName$GroupName" +
  "&queryMemberShip=Direct" +
  "&api-version=5.1"
) |
  select -ExpandProperty Value

$Groups | foreach {#replace identityId with the Identity Objects

  $ThisMemberIdsString = $_.memberIds -join ','

  $_.memberIds = Invoke-RestMethod (
    "$REST/identities?IdentityIds=$ThisMemberIdsString" +
    "&api-version=5.1"
  ) |
    select -ExpandProperty Value

}

$Groups

Now, $Groups.memberIds will contain the member objects instead of the memberIds.

(This script could of course be written in much fewer lines and with less variables, but I prefer this format for clarity in the example.)

Answer 2

After some research I found that with this call you can GET what I was searching.

 - http://{server:port}/tfs/{collection}/_api/_identity/ReadGroupMembers?scope={groupId}&readMembers=true&api-version=6.0
   you can do that.

If you need the groupId you can get it from:

 - http://{server:port}/tfs/{collection}/_apis/identities?searchFilter=General&filterValue={group
   Name}&api-version=6.0

If you have more than 1 group called the same, search in the response the group that you want in providerDisplayName property -> [{ProjectName}]\\{Group Name} There you will get the groupId and from that you can get the Members of a Group

The weird thing is that you have tu use _api/_identity instead of _apis/identities.

Answer 3

You are looking at the wrong APIs. Group Entitlements are for managing licenses for Azure DevOps Services and do not exist in on-prem versions of Azure DevOps Server.

You are looking for the Security APIs.