Do not allow service connections to inherit elavated permissions from project level user permissions. The groups (Contributors, Readers, Project Collection Valid Users, Project Valid Users) should not have elavated permissions (Admin/User). User permissions for certain groups must be restricted to read-only access. Learn more: https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices#scoped-permissions https://learn.microsoft.com/en-us/azure/devops/organizations/security/permissions https://learn.microsoft.com/en-us/azure/devops/organizations/security/permissions-lookup-guide https://learn.microsoft.com/en-us/azure/devops/pipelines/security/resources?#user-permissions https://learn.microsoft.com/en-us/azure/devops/pipelines/policies/permissions#set-service-connection-permissions
1. Navigate to Project Settings. 2. Open the Service connections link under Pipelines. 3. On 'Service connections' page, click on the three dots button (top right). 5. Click Security. 6. Review security roles and ensure common groups have only read-only access.
{
"target": "ADOSecurityRoleAssignment",
"if": {
"allOf": [
{
"resource": "ADOSecurityRoleAssignment",
"property": "ScopeResource.ResourceType",
"operator": "equals",
"value": "Project"
},
{
"resource": "ADOSecurityRoleAssignment",
"property": "ScopeResource.ScopeId",
"operator": "equals",
"value": "distributedtask.project.serviceendpointrole"
},
{
"resource": "ADOSecurityRoleAssignment",
"property": "Identity.DisplayName",
"operator": "contains",
"value": "$(POLICY_VAR_PROJECT_SECURITY_ROLES_COMMON_GROUPS)"
},
{
"anyOf": [
{
"resource": "ADOSecurityRoleAssignment",
"property": "Role.Name",
"operator": "equals",
"value": "Reader"
},
{
"resource": "ADOSecurityRoleAssignment",
"property": "Role.Name",
"operator": "equals",
"value": "Creator"
}
]
}
]
},
"then": {
"effect": "Audit"
}
}Copyright © DevOps Shield. All Rights Reserved. Privacy Policy | Cookie Policy | Terms and Conditions