Azure DevOps Archives

Migrate from Azure DevOps to GitHub – what you…

16/02/202407/01/2025
by Martin Ehrnst

Developers love GitHub, and I do to! However, migrating from one platform to another is akin to orchestrating a complex dance. The rhythm of code, the choreography of pipelines, and the harmony of collaboration—all must align seamlessly. But beneath the surface lies the intricate steps: data mapping, permissions, and legacy dependencies. As the curtain rises, let us delve into the intricacies of this migration journey, where every line of code carries the weight of history, and every commit echoes the promise of a new beginning.

I’ve been apart of this project before, and now I find my self in the same situation. The goal is the same, but not all solutions are identical. You will need to adjust your tasks to fit your company’s situation. But in this blog post, I will outline what you need to know when migrating from Azure DevOps to GitHub.

GitHub for organization and GitHub enterprise.

GitHub enterprise is probably what you’re looking for. You can get some things done with an Organization only, but if you want to use some security features, let’s say, branch policies for internal repositories, you’re forced to go the enterprise route.

GitHub Organizations are well-suited for open-source projects, small teams, or individual developers.

They provide a collaborative space for managing repositories, teams, and access permissions.
Features include team-based access control, issue tracking, and project management.
Ideal for community-driven development and public repositories.

GitHub Enterprise caters to larger organizations and enterprises.

It offers enhanced security, scalability, and administrative controls.
Features include advanced auditing, single sign-on (which you want), and enterprise-grade support.
Perfect for companies with (any) compliance requirements and a need for robust infrastructure.

GitHub Enterprise – account types

Time to chose how accounts are managed. In DevOps you probably used your company’s existing accounts synced with Entra ID. For GitHub you have two options.

Individual accounts using SAML: These are user accounts that are linked to an identity provider (IdP) using Security Assertion Markup Language (SAML). Users can sign in to GitHub Enterprise Cloud with their existing credentials with a linked account to your identity provider, most likely Azure Entra ID.

The other option is Enterprise managed users: Here the user accounts are provisioned an managed through the IdP. Of course this is what you want, right. Full control! However, in both projects we ended up with option 1, individual accounts with SAML. What you do comes down to whether you want to favor developer experience a bit more than full control and central management.

Enterprise managed users are totally blocked from any collaboration outside your enterprise. This means creating issues on a public repo, etc. I really hope GitHub will change this, because what we actually want is both!

Migrating repositories

Let’s delve in to the more technical side of things. You want your repositories moved from DevOps to GitHub. And that is pretty damn simple, possibly the easiest part of the whole project as both is using Git as the underlying technology.

If you only have a handful repo’s a simple git clone can do the job. But most likely, you want to do a bit more, and if you are like me, working as a platform engineer or similar, you probably would like to streamline the process, and have each repository set up with some baseline settings. All this will require some scripting.

Enter GitHub CLI and ADO2GH extension despite having a super annoying limitation requiring personal access tokens (PAT) for bot DevOps and GitHub, I still think this is you best option. I spent a few hours trying to find out how to use GH CLI with an application, but without luck. Considering this is a time limited project, using a PAT from a service account (will consume a license) is acceptable.

Our solution for migrating repositories is a workflow in GitHub developers can run. Below is an example on the workflow and the PowerShell migration script.

	param(
	[Parameter(HelpMessage="The Azure DevOps organization.")]
	[string]$adoOrg = "Adatum",

	[Parameter(Mandatory=$true, HelpMessage="The Azure DevOps team project.")]
	[string]$adoTeamProject,

	[Parameter(Mandatory=$true, HelpMessage="The Azure DevOps repository.")]
	[string]$adoRepo,

	[Parameter(HelpMessage="The GitHub organization.")]
	[string]$githubOrg = "Adatum",

	[Parameter(HelpMessage="The GitHub repository.")]
	[bool]$lockAdoRepo = $false,

	[Parameter(HelpMessage="Repository owner.", Mandatory=$true)]
	[string]$repoOwner
	)

	# Use the Azure DevOps repository name as the GitHub repository name
	[string]$githubRepo = $adoRepo

	gh auth login —with–token $env:GH_TOKEN

	$repoExists = $null
	$repoExists = gh repo view $githubOrg/$githubRepo

	if ($null -eq $repoExists) {
	# Use the custom extension to migrate the repository
	try {


	gh ado2gh migrate–repo —ado–org $adoOrg —ado–team–project $adoTeamProject —ado–repo $adoRepo —github–org $githubOrg —github–repo $githubRepo —target–repo–visibility 'internal'

	# get default branch and set branch protection
	Write-Output "Setting branch protection…"
	$defaultBranch = gh repo view "${githubOrg}/${githubRepo}" —json defaultBranchRef —jq '.defaultBranchRef.name'

	gh api repos/$githubOrg/$githubRepo/branches/$defaultBranch/protection —method PUT `
	–H "Accept: application/vnd.github+json" `
	-F "required_pull_request_reviews[required_approving_review_count]=1" `
	-F "required_status_checks=null" `
	-F "restrictions=null" `
	-F "enforce_admins=true" `

	# setting the repo admin
	gh api repos/$githubOrg/$githubRepo/collaborators/$repoOwner —method PUT -F permission=admin

	Write-Output "creating environments…"
	gh api repos/$githubOrg/$githubRepo/environments/production —method PUT `
	–H "Accept: application/vnd.github+json" `
	-F "deployment_branch_policy[protected_branches]=true" `
	-F "deployment_branch_policy[custom_branch_policies]=false"

	gh api repos/$githubOrg/$githubRepo/environments/dev —method PUT `
	–H "Accept: application/vnd.github+json"
	gh api repos/$githubOrg/$githubRepo/environments/qa —method PUT `
	–H "Accept: application/vnd.github+json"

	}
	catch {
	if ($LASTEXITCODE -eq 1) {
	Write-Output "Migration failed. Aborting…"
	gh ado2gh abort–migration —ado–org $adoOrg —ado–team–project $adoTeamProject —ado–repo $adoRepo —github–org $githubOrg —github–repo $githubRepo
	break
	}
	}

	if ($lockAdoRepo) {
	Write-Output "Disabling Azure DevOps repository…"
	gh ado2gh disable-ado–repo —ado–org $adoOrg —ado–team–project $adoTeamProject —ado–repo $adoRepo
	}


	} else {
	Write-Output "Repository already exists. Migration skipped."
	}

view raw migrate-devops-repo.ps1 hosted with ❤ by GitHub

	name: Migrate DevOps Repo
	on:
	workflow_dispatch:
	inputs:
	adoTeamProject:
	description: 'Azure DevOps team project'
	required: true
	adoRepo:
	description: 'Azure DevOps repository'
	required: true
	lockAdoRepo:
	description: 'Lock Azure DevOps repository'
	required: false
	type: boolean
	default: false

	jobs:
	migrate:
	name: Migrate repo, ${{ github.event.inputs.adoRepo }}
	runs-on: ubuntu-latest

	steps:
	– name: Checkout code
	uses: actions/checkout@v4
	with:
	persist-credentials: false
	ref: ${{ github.head_ref }}

	– name: Install GH CLI Extension
	run: \|
	gh extension install github/gh-ado2gh

	– name: Run PowerShell script
	shell: pwsh
	run: \|
	.\scripts\migrate-devops-repo.ps1 -adoTeamProject "${{ github.event.inputs.adoTeamProject }}" -adoRepo "${{ github.event.inputs.adoRepo }}" -repoOwner "${{ github.triggering_actor }}"
	env:
	GH_PAT: ${{ secrets.GH_PAT }}
	ADO_PAT: ${{ secrets.ADO_PAT }}

view raw run-repo-migration.yaml hosted with ❤ by GitHub

From Azure Pipelines to GitHub workflows

Next up in your migration is CI/CD. What do you do? In our case, we have also discussed if it’s time to ditch our deployment pipelines in favor of GitOps, using Flux or ArgoCD. All our applications run on Kubernetes (AKS), which makes this a viable option. However, it is a broader discussion, and most likely some developers want to move, and some others will not. It’s reasonable to think deployment pipelines will be a part of our setup for a long time.

Question is, should you try using the GitHub actions importer, or is a refactor about time anyway? Given the fact that the importer tool has some limitation, and you probably have wanted to do some adjustment to your existing pipelines already, I believe this project will force some refactoring anyway.

As a platform engineer, I always strive to create self-service options. Now for pipelines, I can create custom starter workflows. I really like this approach, as it provides the DevOps/Platform team a way to streamline, and scaffold the bare minimum of what’s required, and developers can adjust to their application specific needs. The example in the image above is nothing but a slightly modified standard workflow. However, with the starter workflow we can add references to our container registries, use organization secrets, use and pre-populate connection to our Azure environment. As I mentioned above with the user accounts. We want both, freedom and control!

Azure Work Items and GitHub issues

Azure work items translate to GitHub issues (almost). Work items is a part of Azure Boards, and boards are almost similar to GitHub projects. With some careful consideration and new thinking, I believe it is possible to ditch Azure Boards and work items in favor of Issues with projects. If not, you can connect Azure Boards to GitHub. As you probably have noticed, I haven’t solved this yet, but I will do my best in making it happen.

The biggest difference between the work items and issues is that work items are linked to the board, where issues are tied to one repository. After making the repo migration, you will have to create a script to pull work items from Azure DevOps and create them as issues in the correct repository on GitHub. After that, we can re-create the boards in GitHub projects. There’s a few options/scripts for doing the first task, but I believe every organization use these features differently, so customization is needed. This solution by Josh Johanning is where I will start.

I will update this post when i hit a wall or find different solutions. Until then, happy migration!

Azure DevOps

Automate Azure DevOps like a boss

23/06/202107/01/2025
by Martin Ehrnst

Over the past weeks, I have worked on automation within Azure DevOps. One of the tasks was to create a self-service tool for our developers to create new projects where all pre-requisites were taken care of. That means the project itself, service connections (ARM) to access our Azure Kubernetes Service (AKS), Azure AD groups for accessing the project, and so on.

For the Azure AD part, I had mostly everything in place already. Service connections for Azure AD are essentially Azure application registrations, and Azure AD groups are easily created using New-AzADGroup or Microsoft Graph API. However, my experience with Azure DevOps API was and still is limited.

Creating the project

Creating the project itself is pretty straightforward. Below is a PowerShell snippet to do so. I used a service account and a Personal Access Token (PAT) with the following access permissions to do everything in my code.

Graph, read/manage
Identity, read/manage
Member Entitlement Management, read/write
Project and team, read/write/manage
Security, manage
Service connections, read/manage/query

Assigning permissions using Azure DevOps API

You don’t get far with just a project. Someone needs to have access to it as well. Since I try to create a paved road for the DevOps users I needed to add users to the DevOps groups inside the project. Here I spent some significant time, trying to understand how. In my routine, I already create three AAD groups for Project Administrators, contributors, and readers. We want to have one single pane for managing access to company resources, and Azure AD is the place.

In my opinion, access control in Azure DevOps is a nightmare, but lets not focus on that. I want to add each AAD group in to it’s corresponding Azure DevOps group.

To do that you use Azure DevOps Graph and the Groups endpoints. What you can see in the Microsoft example is that you need to perform a post operation against https://vssps.dev.azure.com/{organization}/_apis/graph/groups?groupDescriptors=vssgp.Uy0xLTktMTU1MTM3NDI0NS0yMTc2MDU2ODQ4LTMyODAwNzczODUtMjM4NDQzMDA4Mi0yNTc3Njk3NTA4LTEtNzM0NDQ1NzM2LTQwNzkyNzIyNjgtMzA0NzY5MjIyMy0yMjg2NTY0ODM0&api-version=6.1-preview.1

Azure DevOps Descriptor

From the documentation, you can see the request to add AAD groups into a project group like Project Administrators you need to specify a groupDescriptor. I could not find any good information on how to get this information, and as you can see, the request does not specify the project, only at the organization level.

Now, after some digging, I figured I could fetch this information with some additional calls to the API.

Get your project descriptor, by using the projectId as your descriptor…
Get all groups within the project, using the actual project descriptor
Filter the groups you want from the above request
Pass the Azure AD group objectId in the body and POST against /graph/groups?groupDescriptors=

Modify Azure DevOps project features

In our case, we do not use all features in Azure DevOps. I, therefore, wanted to turn off some features like boards. Making it a bit more difficult for our developers to start using features that we have other tools to support. I couldn’t find any official endpoint documented, so I reached out on Twitter to get inputs. Of course fellow MVP Rob Bos had some time to inspect the portal calls and came up with the solution. Basically, after the project is created, you need to make additional calls to an old API to flip the switch for each feature you do not use.

Adding ARM service connections to project using DevOps API

This part is quite well documented. So after creating the app registrations and service principals in Azure AD. You need to create the service connection(s) in the project. In my case I had more than one service connection, so I had to run this snippet multiple times, as I could not find a batch operation for it.

I think that pre-provisioning of the service connections are a good idea. This feature is quite complex to grasp for many, as the built in wizard cause more confusion than it helps. Especially when the users try to create a new SC, and they do not have access to create App registrations in Azure, or to set permissions on the subscription. Then the entire wizard will fail, but you might end up with ghost SPNs in Azure…

I said it was properly documented, but if you take a close look. The endpoint is called servicendpoint and not serviceconnection which is what it is called in the portal.

Automation solutions for Azure DevOps

In my examples I use the native Azure DevOps APIs and PowerShell. This worked best in our solution. However, you can also use Azure CLI or Azure DevOps provider for Terraform.

Since we do not use Terraform for any IAC, I weren’t keen to start using it just for Azure DevOps. Azure CLI have some limitations since it only allow interactive login, or a semi-solution for the PAT. I suggest you see what solution that works for you. But my examples above do at least work.

Summary

In this post I showed how I solved Azure DevOps project creation. The code above only show half the solution as it is very domain specific. However, I hope it helps you along the way. Creating the actual project is only one part of it. You need to create a paved road for the users. Therefore, make sure the users are able to access their projects and deploy resources. Automating the setup will ensure that every project is set up equally and supporting future requests from your developers will be much easier.

Azure

Azure Infrastructure As Code video series

28/10/202007/01/2025
by Martin Ehrnst

For weeks Marcel Zehner and I have held four live streams. Covering ‘everything’ related to Infrastructure as code on Azure.

Recording available

In the series, we covered the following topics, and everything is now available on YouTube

Advanced ARM templates
Deployment scripts
Linked and nested ARM templates
ARM template deployment with Pipelines

Migrate from Azure DevOps to GitHub – what you…

GitHub for organization and GitHub enterprise.

GitHub Enterprise – account types

Migrating repositories

From Azure Pipelines to GitHub workflows

Azure Work Items and GitHub issues

Share this:

Automate Azure DevOps like a boss

Creating the project

Assigning permissions using Azure DevOps API

Azure DevOps Descriptor

Modify Azure DevOps project features

Adding ARM service connections to project using DevOps API

Automation solutions for Azure DevOps

Summary

Share this:

Azure Infrastructure As Code video series

Recording available

Share this: