How can we improve Azure DevOps?

Make TFS more Audit Friendly

This suggestion is migrated to Developer Community. Please use below link to view the current status.
We have outside auditors come in and they want to see stuff like who gave Jerry Project admin rights and when and how long did he have it? Items like that. It would be nice to find info like that. It would also be nice to be able to export all of the users of a project in the groups that they are in.

355 votes

Anonymous shared this idea


  • Carlo Reggiani commented

    We have both TFS on-premises and VSTS (federated hybrid domain): is there any possibility to have an API/Webservice to obtain audit information from both the services? Especially user/access level (license)/groups/Team Projects/Last Access in each Team Project

  • Wilco commented

    There is a function to export all users and subscriptions. That's a great start. For ISO27001, I need one list of all users and their role(s) in all project(s).

  • Negatar commented

    We are driving access using AAD groups so we can audit from AD. However, we can't find a way to prevent users from being added in the UI as well. Is there any feature that would turn on AAD access only?

  • Oskar Mamrzynski commented

    We have a need to retrieve which users are members of which VSTS groups and what permissions they get as a result. However, this is only good for the first-time audit.

    We have created a solution that pulls this information out via the API, but it's not a complete picture and having something integrated would work better.

    Also, change management is an important requirement. Getting notified of who changed what permissions, and on which resource, being able to pipe that information into external audit logging, would be a good feature to have.

  • Doug Punchak commented

    There is currently a minimal activity\audit capability (2 days) but it needs to go back longer than that. Any public company needs to have this for SarbOx. I've voted for this one but I also posted one for extending the audit functionality if they think this one's satisfied with the 2 day audit report.

  • Pieter Gheysens commented

    It would also be very good to know who (and when) sets the VSTS access levels, especially for companies having multiple VSTS Administrators. I have witnessed already some internal discussions about reshuffling access levels for existing users.

  • David Jobling commented

    This is an enterprise feature and as such I don't expect it to gather as many votes as the more popular mainstream ideas. It is also very boring. But as many of these comments say, it is an absolute requirement for VSTS to be an enterprise product. Not being able to see who gives permissions to whom is a huge security hole and it will continue to limit the propagation of the service into the enterprise. As I understand it, all these actions are executed as REST services and thus the logs are available upon request. But they should be available in the UI.

  • Pierre Donyegro commented

    This is a frequent request for large financial organizations. Users access associated with project names with at least a year of historical data.

  • Anthony Gregg commented

    This would be great for when we do our true up with Microsoft. We need to know who is using TFS since we have no control over what users are added by Project Admins.

  • Anonymous commented

    The ability to audit who created, modified, and/or deleted access to a user/role in TFS, which would include security changes made to Release Management as well, would be very useful.

  • Christian Guldbæk commented

    It would also be relevant (for the situation I'm in) to have tracking of which files a user has viewed / downloaded.
