DevOps updates on behalf of another with Power Automate

Last modified date

I had a need to use automation to do DevOps updates on behalf of another person so when the DevOps adoption metrics were done we the stats were slightly more accurate. This can only be done using REST API and will need permissions. This post is part of the DevOps and Power Automate series.

DevOps with Power Automate posts

YouTube Version

It’s on the backlog!

Permission required to makes updates on behalf of another

The trick to being able update on behalf of another is to update the ChangedBy field to another persons email address. This is not normally allowed, it breaks the rules. So the permission we need is to by pass the rules and make illegal updates.

Setting up permissions in project settings

Permissions are managed in Project Settings, you then click on permissions. Click on Users at the top and then click on the user being used in the flow to show their permissions. Under Boards check the permission for Bypass rules on work item updates. This needs to be set to Allow.

Make Updates on behalf of another

Now we have permission is ignore the rules we can test out a flow. In the REST API documentation for updating an item https://learn.microsoft.com/en-us/rest/api/azure/devops/wit/work-items/update you will see there is a boolean parameter bypassRules. This can be added to the relative URI using & to separate the parameters.

Send an HTTP request to Azure DevOps action with the bypassRules flag added to the URI and in the Body JSON an extra section to update the ChangedBy field. See Code below.

In the body section I have added an update to the ChangedBy field. This update updates the State to active and performs it on behalf of Dan. In the task history we can see the update and see I did it on behalf of Dan.

Work item history showing the line Dan Cooke (via Laura Graham-Brown) changed State from New to Active

Word of caution

By passing the rules also means that the updates behind the scenes that happen are turned off. If we change the state to closed using the same technique the we get an error when we open the work item.

Send an HPPP request to Azure DevOps action with bypassRules=true and changing the state to Closed. Plus a screen shot of the updated task opened and showing an error of Field Closed Date cannot be empty.

So make sure you have checked the updates you are doing and include all the fields you need to update, even the hidden ones.

Second word of warning is no checks are done on the updates. So you can assign a task to an email address that doesn’t have access, or update to a state that is not valid. So treat this one with caution.

Conclusion

This is a very powerful trick. But should be treated with extra caution and it has made me double check permissions on a ew projects so access to by passing the rules is limited.

Over 20 year experience at being passionate about training, solving problems and loving a new challenge especially in the Microsoft's Power Platform suite.