Azure DevOps Migration Tools

v16.0.7

Azure DevOps Migration Tools allow you to migrate Teams, Backlogs, Tasks, Test Cases, and Plans & Suites from one Project to another in Azure DevOps / TFS, both within the same Organisation and between Organisations.


Permissions


2024-11-05 16:27:45 +0000

The current permissions are governed by the requirements of the TFS Client Object Model from Microsoft. While Microsoft announced the deprecation of the WIT and Test Client OM in 2020, it remains the only consistent method for interacting with versions of TFS from 2010 to 2018. We are in the process of migrating our tools to the REST API, but this is a large effort and will take some time to complete.

The Azure DevOps Migration Tools use a flag to bypass the Work Item rules engine, allowing data to be written into TFS/VSTS in ways that might not comply with the usual rules. For example, you can directly transition an item into the Closed state without starting at New. This is highly beneficial for migrations but requires specific pre-requisites.

Note: According to the Azure DevOps product team, the Object Model API only works with full-scoped PATs, meaning it is incompatible with PATs that have limited scopes.

Source Permissions

The current minimum required permissions for running the tools are:

  • Membership in the “Project Collection Administrator” group – This will override any ‘denied’ permissions, ensuring a smooth migration.
  • A PAT (Personal Access Token) with “full access.”

Note: Although we do not write data to the source system, we still require a PAT with full access.

Target Permissions

The current minimum required permissions for running the tools are:

  • Membership in the “Project Collection Administrator” group – This overrides any ‘denied’ permissions and allows the tools to bypass the Work Item rules engine.
  • Membership in the “Project Collection Automation” group – This grants the “Make requests on behalf of others” permission.
  • A PAT with “full access.”
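Because both source and target need a full-access PAT, it helps to inventory those tokens so they can be kept short-lived and revoked once the migration is done. The following is an added example, not code from the Azure DevOps Migration Tools project: it audits a constructed PAT listing, and the field names, the "app_token" value for full access, and the 14-day lifetime limit are all assumptions to check against your own organisation's output and policy.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumption: "app_token" is the scope string reported for a full-access PAT;
# scoped PATs list "vso.*" scopes instead.
FULL_ACCESS_SCOPE = "app_token"

# Constructed sample shaped like a PAT listing (field names are assumptions).
SAMPLE = json.loads("""
{"patTokens": [
  {"displayName": "migration-source", "scope": "app_token",
   "validFrom": "2024-11-01T00:00:00Z", "validTo": "2025-11-01T00:00:00Z"},
  {"displayName": "migration-target", "scope": "app_token",
   "validFrom": "2024-11-01T00:00:00Z", "validTo": "2024-11-08T00:00:00Z"},
  {"displayName": "build-agent", "scope": "vso.build_execute vso.code",
   "validFrom": "2024-10-01T00:00:00Z", "validTo": "2025-10-01T00:00:00Z"},
  {"displayName": "old-migration", "scope": "app_token",
   "validFrom": "2024-01-01T00:00:00Z", "validTo": "2024-02-01T00:00:00Z"}
]}
""")


def _ts(value):
    # fromisoformat() on older Python versions rejects a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_pats(pats, now, max_lifetime=timedelta(days=14)):
    """Return (displayName, finding) for each unexpired full-access PAT."""
    findings = []
    for pat in pats:
        if FULL_ACCESS_SCOPE not in pat["scope"].split():
            continue  # scoped token: outside what the Object Model accepts
        start, end = _ts(pat["validFrom"]), _ts(pat["validTo"])
        if end <= now:
            continue  # already expired, nothing left to revoke
        if end - start > max_lifetime:
            findings.append((pat["displayName"], "full access, lifetime exceeds limit"))
        else:
            findings.append((pat["displayName"], "full access, revoke after migration"))
    return findings


if __name__ == "__main__":
    now = datetime(2024, 11, 5, tzinfo=timezone.utc)  # constructed "current" time
    for name, finding in audit_pats(SAMPLE["patTokens"], now):
        print(f"{name}: {finding}")
```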

Unsupported Permissions for Scoped PATs

In some cases, the tools may function with fewer permissions, but the following configurations have not been fully tested and are not officially supported:

  • Project and Team (Read, Write, and Manage)
  • Work Items (Read, Write, and Manage)
  • Identity (Read and Manage)
  • Security (Manage)

If you try these settings, please share your results with us!

Granting “Make requests on behalf of others” in Older TFS Versions

To set the “Changed by” field to a user other than the one running the migration, you must grant the user the “Make requests on behalf of others” permission. This permission is not included by default for “Project Collection Administrator” users. In older versions of TFS, it can only be assigned by adding the user to the “Project Collection Service Accounts” group.

You can use the following command to do this:

tfssecurity /g+ "Project Collection Service Accounts" n:domain\username ALLOW /server:http://myserver:8080/tfs

This step is not required for Azure DevOps Service targets, as tfssecurity is not available in that environment.

...
Getting Support

Community Support

Question & Discussion - The first place to look for usage, configuration, and general help.

Commercial Support

We provide training, ad-hoc support, and full service migrations through Azure DevOps Migration Services