Azure-devops-docs: Required Permissions

Created on 21 Nov 2019  ·  21 Comments  ·  Source: MicrosoftDocs/azure-devops-docs

To subscribe to a pipeline, the account signed into the Azure Pipelines teams app 'must be an admin' of the project containing the pipeline, but it's not clear exactly what this means. I've added the account to some of the built-in groups, including 'Build Administrators' and 'Release Administrators' but neither grants the necessary access to subscribe to a pipeline. The only other possible group of "admins" I can add to is 'Project Administrators' but that is not acceptable as it would grant 100% access, including renaming or deleting the entire project.

Exactly what permissions, accessible from the Azure DevOps Project Settings page, are required to subscribe to a pipeline through the teams app? What is the minimum required access for the account being used to subscribe?


Pri2 devops-collatech devopprod doc-enhancement

All 21 comments

@emptypockets304 Thank you for the question, assigning this to the author for review.

@emptypockets304 ,

Thank you for your question. To create subscriptions in the Azure Pipelines app for Microsoft Teams, one has to be part of the 'Project Administrators' group. We understand that this could be a matter of concern for a few customers. Hence we are working on a set of features that would allow 'Team admins' (lesser privileges) to create subscriptions. This will take a few weeks.

Any updates on this? Our Org is managed centrally and we only get Team Admins access, not Project Admins, so it would be great if we didn't need to provide Project Admin permissions.

@trevvv123 ,
The ability to allow Team admins to create subscriptions will be live in Jan.

@rgkarthik, is there any way we can create a security group to provide appropriate permissions to create the subscriptions? We don't like tying this ability to Team Admin role because that opens up entirely too many other permissions just to accomplish this task.

@towerbe ,
Connecting with you over email.

Any updates on this?

@dianareider

The expected release date got pushed by a few weeks. This feature will be out soon.

@rgkarthik,
Can you provide an update on the ETA for pushing the fix?

@RGKarthik,
Could you also answer the last part of the original question more explicitly:
"Exactly what permissions, accessible from the Azure DevOps Project Settings page, are required to subscribe to a pipeline through the teams app? What is the minimum required access for the account being used to subscribe?"
A user in the Project Administrators group for my project tried to perform the "@Azure Pipelines subscribe" command and it still failed with the extremely unhelpful message: "You are not authorized to access one or more resources required to complete this action."

@slifland37 ,
A user in the 'Project Administrators' group should be able to create subscriptions. Nothing else is needed. Can you please provide more details around the issue you are facing?

Hi @RGKarthik,
The issue in my case was that my organization hadn't enabled "Third party application access via OAuth." I see now that there is an instruction to do so buried deep near the bottom of that article in a "note" (https://docs.microsoft.com/en-us/azure/devops/pipelines/integrations/microsoft-teams?view=azure-devops#commands-reference). That note should be transformed into a "Prerequisites" section and should be near the top rather than buried like that and not even visible in the article navigation on the right. Also the error message that we encountered in Teams was still incredibly unhelpful.

@RGKarthik
We are still hoping to be able to grant access to users to subscribe to pipelines in MS Teams without granting full Project Administrator permissions. Is this possible at this time?

The work to support team admin to subscribe is in progress and will be available in a few weeks.

So will this be in the April 24th release?

Yes, it should be. I will update this issue if anything changes here.

Support for team admins to create subscriptions is released now. We would request you to let us know if it isn't working as expected.

As a Team Admin, I can now use the Azure DevOps and create a connector into a Teams channel, but I am still not able to use @Azure Pipelines bot within teams to subscribe to pipeline events. I get the following message:

[9:24 AM] Azure Pipelines This channel has 2 subscriptions from 1 pipelines. Since you are not an administrator of any of the parent projects or teams, you cannot manage these subscriptions. To subscribe to a new pipelines, please use: @Azure Pipelines subscribe [pipeline url/ project url], Example: https://dev.azure.com/myorg/myproject/_build?definitionId=123

@divyankam can you please look into this.

Hi @stevengibbszions You will not be able to manage the subscriptions added by the project admin. However, you can now subscribe to the project/pipeline events (using subscribe command and then Add subscription button) and manage the subscriptions added by you.
So, I request you to use subscribe command to subscribe to the required project/pipeline. And then add the subscriptions as per your requirement. You will then be able to manage these subscriptions.

Hi @divais and @DivyankaM ,

Can you please reflect this change in the docs? The page still doesn't explicitly mention the required permission. The only place that mentions Team administrators is this:

[!NOTE] Team administrators aren't able to remove or modify subscriptions created by Project administrators.

Additionally, the original poster's question still isn't resolved:

To subscribe to a pipeline, the account signed into the Azure Pipelines teams app 'must be an admin' of the project containing the pipeline, but it's not clear exactly what this means.

It would be great to have a dedicated section stating the required permissions to set up subscriptions.
