Azure DevOps Projects

I will be speaking at Global Azure Bootcamp Toronto (well, Mississauga to be exact) on April 21st, 2018. The topic will be DevOps Projects. Azure DevOps Projects. That thing that makes it a lot easier to deploy to Azure through VSTS. Should be fun. Go ahead and register at See you there.

I thought I'd share the description:

The IT world changes fast. Very fast. But Azure, and cloud in general, moves even faster. A lot faster. This requires learning the latest technologies, using them in your product and deploying at a faster pace. With digital transformation efforts in full swing across enterprises in nearly every industry, developers are driven harder than ever to speed up application releases. In the process, they also want to ensure quality and security and to manage these apps more efficiently. This is where DevOps becomes critical and where a simplified way to get started with DevOps could be useful. Microsoft's new Azure DevOps Projects tool lets developers configure a DevOps pipeline and connect it to the cloud with no prior knowledge of how to do so.

The Azure DevOps Project presents a simplified experience which creates Azure resources and sets up a continuous integration (CI) and continuous delivery (CD) pipeline, whether you are developing a .NET, Java, Node, PHP, or Python app, and whether you are targeting app services, virtual machines, or containers in Azure, using Visual Studio Team Services (VSTS) behind the scenes. DevOps Projects help you get up and running with a new app and a full DevOps pipeline in just a few minutes. Azure DevOps Project helps you launch an app on an Azure App Service of your choice in a few quick steps and sets you up with everything you need for developing, deploying, and monitoring your app. Creating a DevOps Project provisions Azure resources and comes with a Git code repository, Application Insights integration and a continuous delivery pipeline set up to deploy to Azure. The DevOps Project dashboard lets you monitor code commits, builds, and deployments from a single view in the Azure portal.

Create your application and release pipeline on any Azure service in just three steps—simply select an application language, a runtime, and an Azure service. Start small and scale up as needed using Azure DevOps Projects.

Deploy SSIS packages in VSTS/TFS

If you need to deploy SSIS packages using VSTS/TFS, try using the following build task:

The task allows you to deploy an ISPAC file to an SSIS instance. When deploying, you need to specify:

  • path to .ispac file to be deployed
  • name of the catalog folder where the package will be deployed
  • name of SSIS server where the package will be deployed
  • name of the SSIS project
  • name of the SSIS environment
  • project and package parameters to ignore during the deployment

Also, the task allows you to deploy an SSIS package using a remote machine. To do so, make sure the Authentication required checkbox is checked and specify:

  • name of the remote server to use to deploy SSIS package
  • remote user account
  • and remote user password
  • Oh yes, and you have an option to connect to remote machine using SSL, if you want


Have fun.

How to get rid of /tfs in TFS URL

There are two ways to get rid of /tfs in the TFS URL. The first is to unconfigure the TFS application tier and pick a URL without /tfs when you re-run the TFS application tier configuration wizard; the second is to configure the IIS TFS site without /tfs.

In the first option, to unconfigure the TFS application tier, open the Team Foundation Administration Console on the Application Tier machine. Click on the server name and click on "Remove Feature". You can do the same from a command prompt by executing the TfsConfig setup /uninstall:ApplicationTier command. By removing the feature, we will be removing:

  • The Application Tier configuration from the server (but we don't remove the binaries)
  • Connection with Data tier (but the databases won't be deleted)
  • TFS Website.
  • TFS Application Pools
  • TFS Services (The Visual Studio Team Foundation Server Job Agent)

Then, when re-running the configuration wizard, pick the URL you want on the website settings page.

In the second option, first add ports 80 and 443 to the list of TFS IIS ports:

  1. Open IIS Management Console
  2. Browse to Team Foundation Server site
  3. Click on Bindings
  4. Add port 80 to http
  5. Add port 443 to https. Make sure to pick the proper SSL certificate from the list

Then, switch to / for TFS instead of /tfs:

  1. Open IIS Management Console
  2. Browse to Team Foundation Server site, then /tfs web app under it
  3. Click on Basic Settings on the left menu
  4. Copy Physical Path value
  5. Go up to the Team Foundation Server site and click on Basic Settings on the left menu
  6. Replace Physical Path value with the one copied from /tfs web app
  7. Click OK to Save the changes
  8. Click on Authentication
  9. Make sure Windows and Anonymous authentication options are enabled
  10. Remove /tfs web app
  11. Update TFS Admin Console to use new public URL

I prefer the second option, but both options are good. Also, consider putting effort into redirecting old URLs to new ones.

Encrypt remote web.config

Deploying websites using VSTS/TFS is a breeze, whether you deploy on premises or in the cloud. Quite often though, when you deploy on premises, you have to encrypt certain sections of web.config files for security reasons. There is no built-in task in TFS/VSTS to do that. And, since this activity came up more and more, I've decided to write another build task and share it with the world. Introducing Encrypt Remote Web Config task:

When using the task, specify the following:

  • Folder path to where web.config resides
  • Section(s) of the web.config file you would like to encrypt. You can specify more than one section at a time, separated by commas
  • Remote server name or IP address where the website resides. You can specify more than one remote server at a time, separated by commas
  • Remote user name
  • Remote user password. Please use variables to store password securely.

Did I mention that the task is free?

VSTS Time Zone Settings

There seems to be a bit of confusion about time zone settings in VSTS. The confusion comes from the fact that there are two places where time zone settings can be configured for VSTS users: VSTS account time zone setting and VSTS user profile time zone setting.

VSTS account time zone setting is the MAIN time zone setting. This time zone setting is used by VSTS account for storing all date/time data. In other words, when you set your VSTS account time zone to EST, all timestamps in VSTS will be stored in EST time zone. Another good example of when VSTS account time zone setting is used is when you configure iteration dates, build/release schedules, etc. Account time zone setting is configured on the Account Settings page: https://*

VSTS user profile time zone setting is used to make the user experience more personal: it displays VSTS timestamps in the time zone configured for that specific user. So, if my VSTS account time zone is set to EST, but my user profile time zone setting is set to PST, then when I'm browsing VSTS all date/time fields will be displayed in the PST time zone. The VSTS user profile time zone setting can be configured on the user profile page, by clicking your name in the top-right corner of your VSTS page, then clicking on My Profile | Edit profile | Preferences option. Set your user time zone setting and click Save.

VSTS Sync Migration Tools

If you need to bulk edit and migrate data between Team Projects on both Microsoft Team Foundation Server (TFS) and Visual Studio Team Services (VSTS), try VSTS Sync Migration Tools. It's not the most user friendly tool to use, but it's VERY powerful and flexible.

What can you do with this tool?

  • Assist in Bulk Editing of Work Items
  • Migrate Work Items & Test Management from one Team Project to another
  • Merge Team Projects
  • Migrate Work Items & Test Management from one account or collection to another
  • Assist in changing process templates


You can install this tool by running the Chocolatey command choco install vsts-sync-migrator, or by downloading the latest release from GitHub and unzipping it. You can also obviously contribute to the tool:

A few tips on using the tool:

  • You need to add the account that you use to the Project Collection Service Accounts group using the tfssecurity command
  • You also need to add the ReflectWorkItemID field to your source and destination. This field is technically not required, but since it is used to make sure that work items are not migrated more than once when you re-run the tool, I find it very important to add. Add this field to the destination if you're syncing work items one way, and add this field to both source and destination if you're syncing bi-directionally. For more information about server configuration for the tool, see
  • This tool is based on processors where you can load a specific processor to do something you need:
    • Use WorkItemMigrationContext processor to migrate the tip revisions of the work items
    • Use WorkItemRevisionReplayMigrationContext processor to migrate the work items with history
    • Use WorkItemUpdate processor to bulk edit the work items
    • Use AttachementExportMigrationContext processor to export all work item attachments to the migration machine. This is used in partnership with the AttachementImportMigrationContext
    • Use AttachementImportMigrationContext processor to import all work item attachments from the migration machine. This is used in partnership with the AttachementExportMigrationContext
    • Use LinkMigrationContext processor to migrate all the work item links, both between work items and external links.
    • Use WorkItemQueryMigrationContext processor to migrate all shared work item queries

This tool has a bunch of other processors dealing with test objects, Git links, teams, etc., as well as various field mapping options. As I said, this tool is very powerful. We'll cover those in one of the future posts.




witadmin and Visual Studio 2017

Ordinarily, the witadmin tool is stored under the %programfiles(x86)%\Microsoft Visual Studio XX.0\Common7\IDE path as per, but in the case of Visual Studio 2017 it's stored under %programfiles(x86)%\Microsoft Visual Studio\2017\Enterprise\Common7\IDE\CommonExtensions\Microsoft\TeamFoundation\Team Explorer. Notice it's now stored in the same folder where all Visual Studio extensions are stored. This makes sense considering that Process Editor is now a Visual Studio extension instead of a separate install/download. It's a small, but important change. Just thought I'd share. Thanks for reading.

Another task in VSTS/TFS

As I help people create awesome build and release pipelines, I have found myself quite often needing to download something from somewhere to do something awesome. So, I have decided to write a build task to make it easier. Along came the Download File task: This task allows you to download a file from anonymous sources or authenticated sources like Artifactory, or Nexus, or whatever. It's a simple and yet pretty good task.

Later, I realized that quite often when I download a file as a part of my build/release, I need to extract that file. So, I have released another task called Download and Extract File: Yes, I know it's not a very creative name, but it's very descriptive. This task allows you to download a file from anonymous or authenticated sources and then extract it to the specified folder. This is a better task, I think.

Thanks for using my tasks. And, again thanks for reading.

Azure AD sync errors for administrative user accounts

This is a follow-up blog post to the "Insufficient access rights to perform the operation error in Azure AD Connect" blog post I did a little while back. The original blog post covered Azure AD sync errors. For the most part, anyways, because we kept seeing sync errors for specific users. After doing a bit of digging, we learned that the users that kept getting sync errors belong to the Active Directory Administrators or Domain Admins groups. This led our troubleshooting journey to learning about Active Directory Protected Groups.

As it turns out, if a user is a member of the Active Directory Administrators or Domain Admins groups, then Active Directory will, on a regular basis, overwrite any ACL changes that you make with a predefined ACL template. So, if we make ACL changes, like granting additional permissions on those accounts or enabling permissions inheritance on those accounts in order to allow Azure AD Connector to update the source anchor (ms-ds-consistencyGuid) attribute, the change will be overwritten by Active Directory, which brings us back to square one. To bypass this issue, you can do the following:

  • Change the ACL template in Active Directory to include the changes you need, like Replicate Directory Changes and Replicate Directory Changes All permissions for the Azure AD Connector account and write permissions for the source anchor (ms-ds-consistencyGuid) attribute. This would work, but in my opinion, it's a bit too drastic
  • Or, remove the users from the Active Directory Administrators or Domain Admins groups, if you can.
  • Or, you can make the permissions changes on those accounts and immediately force Azure AD Connect sync using the following PowerShell command: Start-ADSyncSyncCycle -PolicyType Initial. Azure AD Connect should have enough time to write to the source anchor attribute and complete the sync without errors. After the initial sync is complete, AD can reset the ACL back on those accounts all it wants, since we only need to write to the source anchor attribute once.

I prefer the last option, since it's simple and it works. More information about AD protected groups can be found at

Thanks for reading.

Insufficient access rights to perform the operation error in Azure AD Connect

If you're getting Insufficient access rights to perform the operation in your Azure AD Connect synchronization logs, do the following:

  • Make sure you have the latest version of Azure AD Connect installed:
  • If you're syncing passwords, make sure that your sync service account has Replicate Directory Changes and Replicate Directory Changes All permissions in your on premises Active Directory
  • Make sure that your sync service account has write permissions on your sourceAnchor attribute (which is most likely set to ms-ds-consistencyGuid). You can do that either using the user interface, or PowerShell, which is easier:

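    # The account that Azure AD Connect Sync uses to manage objects in the directory.
    $accountName = "DOMAINNAME\USERNAME"
    # Distinguished name of the forest root (placeholder, replace with your own).
    $ForestDN = "DC=DOMAINNAME,DC=COM"

    # Grant write-property (WP) on ms-ds-consistencyGuid, inherited by user sub-objects (/I:S).
    $cmd = "dsacls '$ForestDN' /I:S /G '`"$accountName`":WP;ms-ds-consistencyGuid;user'"

    Invoke-Expression $cmd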

  • Make sure that inheritance is turned on for the AD objects that get errors in the synchronization logs. To do that:
    • Open Active Directory Users and Computers
    • Enable Advanced Features in the View settings
    • Open up the user object that can't sync
    • Go to the Security tab and then into Advanced
    • Check to make sure the box is checked to inherit permissions. But before you do that, make sure that enabling inheritance will not bring down some permissions that you do not want to be there
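
An added example (not from the original posts): a read-only PowerShell check for accounts that show this error, covering both the inheritance setting above and the protected-group behaviour described in the follow-up post. It reports whether each account carries adminCount=1 (the marker AD stamps on members of protected groups), whether inheritance is disabled, and whether the sync account has a direct write ACE on the source anchor. The function name, account names and user list are placeholders.

```powershell
# Added example; requires the ActiveDirectory (RSAT) module. Makes no changes to AD.
Import-Module ActiveDirectory

function Get-SyncAclStatus {
    param(
        [Parameter(Mandatory)] [string[]] $SamAccountName,  # users with sync errors
        [Parameter(Mandatory)] [string]   $SyncAccount      # e.g. 'DOMAINNAME\USERNAME'
    )

    # Look up the schema GUID of the source anchor attribute rather than hard-coding it.
    $schemaNC   = (Get-ADRootDSE).schemaNamingContext
    $attr       = Get-ADObject -SearchBase $schemaNC `
                      -LDAPFilter '(lDAPDisplayName=mS-DS-ConsistencyGuid)' `
                      -Properties schemaIDGUID
    $anchorGuid = [guid]$attr.schemaIDGUID

    foreach ($name in $SamAccountName) {
        $user = Get-ADUser -Identity $name -Properties adminCount, nTSecurityDescriptor
        $sd   = $user.nTSecurityDescriptor

        # Allow ACEs naming the sync account directly that permit writing the anchor.
        # Limitation: rights granted through group membership are not resolved here.
        $writeAces = $sd.Access | Where-Object {
            $_.IdentityReference.Value -eq $SyncAccount -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band
                [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
            ($_.ObjectType -eq $anchorGuid -or $_.ObjectType -eq [guid]::Empty)
        }

        [pscustomobject]@{
            User                = $user.SamAccountName
            AdminCountSet       = ($user.adminCount -eq 1)     # ACL will be reset by AD
            InheritanceDisabled = $sd.AreAccessRulesProtected  # forest-level grant not inherited
            SyncCanWriteAnchor  = [bool]$writeAces
        }
    }
}

# Constructed sample input: replace with the accounts from your synchronization log.
Get-SyncAclStatus -SamAccountName 'jdoe', 'admin.jdoe' -SyncAccount 'DOMAINNAME\USERNAME' |
    Format-Table -AutoSize
```

An account that shows AdminCountSet and InheritanceDisabled as True and SyncCanWriteAnchor as False matches the situation described in the protected-groups post: the grant made at the forest root never reaches it, and any ACE added directly will be overwritten.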

That's all. Thanks for reading.