Maester – Azure DevOps

As mentioned in my first blog post about Maester, I would like to briefly cover the topic of Azure DevOps in combination with Maester.

With Azure DevOps, you can run your Maester tests automatically instead of on your own computer. You can also schedule the pipeline so that Maester runs once a day, for example.

With the Azure DevOps Free tier, you get 1800 pipeline minutes (30 h) per month free of charge. You can find a more detailed explanation of Azure DevOps here: Understanding Azure DevOps

Prerequisite

  • Azure DevOps organization
    • New Project for Maester

Setup Azure DevOps Project

Azure DevOps can be configured very quickly and easily using the repository import function.

  1. Switch to Repos -> top right, Import repository

  2. Enter the clone URL -> https://github.com/maester365/maester-tests -> Import

Azure DevOps Pipeline

The repository is now set up. The next step is to create the Azure DevOps pipeline that runs the Maester tests automatically.

There are several ways to establish a connection from Azure DevOps to your Azure tenant. In the following steps, I explain authentication using workload identity federation, which means no client secret has to be stored in Azure DevOps.

  1. Create an empty Azure Resource group in your Azure Tenant
  2. Azure DevOps project -> Project settings -> Service connections

  3. Create service connection -> Azure Resource Manager

  4. Choose Workload Identity federation (automatic)

  5. Select Subscription as the scope level, choose the subscription and the newly created resource group, and define a service connection name
  6. The workload identity federation to the Azure tenant is now established

The next step is to grant Microsoft Graph permissions to the service principal that the service connection created.

  1. Microsoft Entra ID -> App registrations -> All applications -> Search for your service principal

  2. Switch to API permissions

  3. Add the following Microsoft Graph application permissions (all of them are read-only, so the pipeline can only read tenant configuration, not change it)
    1. Directory.Read.All
    2. Policy.Read.All
    3. Reports.Read.All
    4. DirectoryRecommendations.Read.All
    5. PrivilegedAccess.Read.AzureAD
    6. IdentityRiskEvent.Read.All
    7. RoleEligibilitySchedule.Read.Directory
    8. RoleManagement.Read.All
    9. Policy.Read.ConditionalAccess
    10. UserAuthenticationMethod.Read.All
  4. Grant admin consent

With these prerequisites in place, the Azure DevOps pipeline can be configured.

  1. Select Pipelines -> Create Pipeline

  2. Choose Azure Repos Git

  3. Select your Maester repository
  4. Choose Starter Pipeline

  5. Replace the content with the following code
    azure-pipelines.yml
  6. Important
    Replace the azureSubscription value with your service connection name -> Line 20
  7. Click Save and run -> Save

  8. Commit changes into branch
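For orientation, here is an added example of a pipeline of this shape (not the author's azure-pipelines.yml); the service connection name 'Maester Service Connection', the tests folder and the output folder are assumptions and must be adjusted to your setup:

```yaml
# Added example azure-pipelines.yml (not the author's file).
# The service connection name below is an assumption; it must match the
# workload identity federation service connection created earlier.
trigger:
  - main

schedules:
  - cron: "0 0 * * *"        # every midnight (UTC)
    displayName: Nightly Maester run
    branches:
      include:
        - main
    always: true             # run even if nothing was committed

pool:
  vmImage: ubuntu-latest

steps:
  - task: AzureCLI@2
    displayName: Run Maester tests
    inputs:
      azureSubscription: 'Maester Service Connection'   # <- your service connection name
      scriptType: pscore
      scriptLocation: inlineScript
      inlineScript: |
        # The federated service connection has already signed the Azure CLI in;
        # exchange that session for a Microsoft Graph token (no secret stored anywhere).
        $token = az account get-access-token --resource-type ms-graph --query accessToken -o tsv
        $secureToken = ConvertTo-SecureString $token -AsPlainText -Force
        Install-Module Microsoft.Graph.Authentication -Force -Scope CurrentUser
        Install-Module Pester -Force -SkipPublisherCheck -Scope CurrentUser
        Install-Module Maester -Force -Scope CurrentUser
        Connect-MgGraph -AccessToken $secureToken -NoWelcome
        # Run the tests from the imported repository and write the HTML dashboard
        Invoke-Maester -Path ./tests -OutputFolder ./test-results -NonInteractive

  - task: PublishBuildArtifacts@1
    displayName: Publish Maester dashboard
    condition: always()      # keep the report even when tests fail
    inputs:
      PathtoPublish: test-results
      ArtifactName: maester-dashboard
```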

Run

The pipeline is now fully configured: it can be triggered manually and also runs automatically every midnight.

Dashboard

After each pipeline run, an artifact containing the Maester dashboard is published; it can be downloaded and viewed as HTML on your local machine.

Conclusion

Maester can be set up relatively quickly in Azure DevOps for automated tests. I see advantages in the tests being managed centrally in a Git repository, in the pipeline being able to trigger the tests, and in the results being published and stored centrally. This can be particularly helpful in larger teams with several Azure tenants.
