In this post I'd like to show how you can use a Logic App to query Azure DevOps with a managed identity.

At the top level I have a helper Logic App which I can reuse for multiple different queries for DevOps. You can see below that I have an HTTP call where I will execute a Work Item Query Language query. I will then loop over the results.

The input to this workflow is a WIQL query in a format similar to the below.


SELECT
    [System.Id],
    [System.Title],
    [System.State]
FROM workitems
WHERE
[System.TeamProject] = '[Add your team project here]'
AND [System.WorkItemType] = 'Feature'
AND [Custom.DisplayinPublicRoadmap] = true
ORDER BY [System.ChangedDate] DESC

I need to format the query inside a JSON message body for the HTTP request like below.

I have then configured the HTTP action to call Azure DevOps.

To make the call I supply the name of my DevOps organization and the JSON message containing the WIQL query.

Authentication with DevOps

For authentication, I have created a user assigned managed identity which is assigned to the Logic App.

In Azure DevOps I have assigned the user assigned identity to the readers group for the DevOps project.
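
The HTTP action described above, written out as a Logic App workflow definition fragment. This is an added example, not the workflow from this post: the action name, the `query` field on the trigger body, and every value in angle brackets are placeholders, and the `audience` is the Azure DevOps application ID used when requesting a Microsoft Entra token for the managed identity.

```json
{
  "Run_WIQL_Query": {
    "type": "Http",
    "inputs": {
      "method": "POST",
      "uri": "https://dev.azure.com/<your-organization>/_apis/wit/wiql",
      "queries": {
        "api-version": "7.0"
      },
      "headers": {
        "Content-Type": "application/json"
      },
      "body": {
        "query": "@triggerBody()?['query']"
      },
      "authentication": {
        "type": "ManagedServiceIdentity",
        "identity": "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<identity-name>",
        "audience": "499b84ac-1321-427f-aa17-267ca6975798"
      }
    },
    "runAfter": {}
  }
}
```

Supplying the WIQL text as the value of `query` lets the runtime serialise it, so the single quotes and line breaks in the query need no manual escaping. No secret or personal access token is stored in the workflow; what the action can read is bounded by the Readers membership granted to the identity in DevOps.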

DevOps Response

The response from DevOps via the API doesn't return all of the fields for the query; it's just a list of work item IDs and links. You can parse them with a JSON schema like the one below.

{
  "type": "object",
  "properties": {
    "workItems": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "id": {
            "type": "integer"
          },
          "url": {
            "type": "string"
          }
        },
        "required": [
          "id",
          "url"
        ]
      }
    }
  }
}

I will then loop over the results and call the DevOps API to get the work item details, again using the Managed Identity for security.

I can then parse and map just the fields I want from the response and build up an array of work items for my response from the helper Logic App.

Thoughts on using the user assigned managed identity

I chose to use the user assigned identity rather than the system assigned one in this case so that I can reuse that identity if I need to build other workflows that do different kinds of queries.

 
