Azure DevOps Migration Tools

v16.0.2

Azure DevOps Migration Tools allow you to migrate Teams, Backlogs, Tasks, Test Cases, and Plans & Suits from one Project to another in Azure DevOps / TFS both within the same Organisation, and between Organisations.

Home
 › 
Learn
 › 
Overview
 › 
Setup
 › 
Permissions
Overview

Permissions

Article

  

2 minutes to read

  

2024-09-10 16:11:58 +0000

The permissions are courently governed by the needs of the TFS Client Object Model from Microsoft. Microsoft Announced the deprecation of the WIT and Test Client OM in 2020, however this is still the only way to interact with versions of TFS from 2010 to 2018 with any consistantcy. We are working on moving our tools to the REST API, but this is a large task and will take some time.

Minimum Permission Requirements

At this time the documented minimum required permissions for running the tools are:

  • Account in both the source and target projects with “Project Collection Administrator” rights
  • PAT with “full access” for both the Source and the Target

Note: I have been informed by the Azure DevOps product team information that ObjectModel API only works with full scoped PATs, so it won’t work with any PAT that has specific scopes.

However! Unsupported Permission Options

We have seen that the tools may work with less permissions however the following has not been full tested and is not currently supported:

  • Project and Team (Read, write, & manage)
  • Work Items (Read, Write & Manage)
  • Identity (Read & Manage)
  • Security (Manage)

If you do try this out then please let us know how you get on!

TFS, VSTS, & Azure DevOps Server Configuration (On-Premises Only)

There are some additional requirements that you will need to meet in order to use the tool against your TFS or VSTS server. The Azure DevOps Migration Tools use a flag to Bypass the Work Item rules engine and write data into TFS\VSTS that may not comply with the rules. For example you can write data directly into the Closed state without starting at New. This is very useful for migrations but requires some pre-requisites.

Bypass Rules

For on-premises instances you need to be part of the Project Collection Service Accounts group. You can do this by calling the following command:

tfssecurity /g+ "Project Collection Service Accounts" n:domainusername ALLOW /server:http://myserver:8080/tfs

This is not required for Azure DevOps Service targets, but you do need to be a Collection Admin on the Target.

...
Getting Support

Community Support

Question & Discussion - The first place to look for usage, configuration, and general help.

Commercial Support

We provide training, ad-hoc support, and full service migrations through Azure DevOps Migration Services