Remove Azure DevOps account when removed from company AD


Is there an automatic (script or similar) way of removing an account subscription from Azure DevOps when the account is removed from the company AD? Today this is a manual effort in our company and not very effective.


There are 2 answers

0
Jane Ma-MSFT On BEST ANSWER

If you want to delete service connections of subscriptions, you can use some REST APIs.

Step 1. Get the project id where you want to delete connections:

GET https://dev.azure.com/{organization}/_apis/projects/{projectName}?api-version=6.1-preview.4

Step 2. Get a list of service connection ids in the project: Endpoints - Get Service Endpoints list

GET https://dev.azure.com/{organization}/{project}/_apis/serviceendpoint/endpoints?api-version=6.1-preview.4

Or you can get a specific service connection id by its name: Endpoints - Get Service Endpoints By Names:

GET https://dev.azure.com/{organization}/{project}/_apis/serviceendpoint/endpoints?endpointNames={endpointNames}&api-version=6.1-preview.4

Step 3. Delete service connections: Endpoints - Delete:

DELETE https://dev.azure.com/{organization}/_apis/serviceendpoint/endpoints/{endpointId}?projectIds={projectIds}&api-version=6.1-preview.4

Multiple service connections can be quickly deleted by using the service connection id as the {endpointId} and repeating this REST API.
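
The three steps above chained into one script, as an added example that is not part of the original answer. It assumes authentication with a personal access token, selects connections by name, and only returns the DELETE URLs unless `dry_run` is turned off; the function names, the `send` hook and the sample values are hypothetical.

```python
import base64, json, urllib.parse, urllib.request

API = "api-version=6.1-preview.4"  # version string used in the answer above

def http_json(method, url, pat):
    """Default transport: one REST call with PAT basic auth (empty user name)."""
    token = base64.b64encode(f":{pat}".encode()).decode()
    req = urllib.request.Request(url, method=method,
                                 headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
    return json.loads(body) if body else {}

def delete_service_connections(org, project, names, pat, dry_run=True, send=http_json):
    """Run steps 1-3 for the named connections; return the DELETE URLs."""
    q = urllib.parse.quote
    base = f"https://dev.azure.com/{q(org)}"
    # Step 1: resolve the project id.
    project_id = send("GET", f"{base}/_apis/projects/{q(project)}?{API}", pat)["id"]
    # Step 2: look the connections up by name.
    wanted = ",".join(q(n) for n in names)
    listing = send("GET", f"{base}/{q(project)}/_apis/serviceendpoint/endpoints"
                          f"?endpointNames={wanted}&{API}", pat)
    found = {e["name"]: e["id"] for e in listing.get("value", [])}
    missing = sorted(set(names) - set(found))
    if missing:  # stop on a typo rather than delete a partial set
        raise LookupError(f"service connections not found: {missing}")
    # Step 3: one DELETE per endpoint id.
    urls = [f"{base}/_apis/serviceendpoint/endpoints/{found[n]}"
            f"?projectIds={project_id}&{API}" for n in names]
    if not dry_run:
        for url in urls:
            send("DELETE", url, pat)
    return urls

if __name__ == "__main__":
    # Constructed responses standing in for the service, so the demo runs offline.
    def fake(method, url, pat):
        if "/_apis/projects/" in url:
            return {"id": "00000000-0000-0000-0000-000000000001"}
        return {"value": [{"id": "00000000-0000-0000-0000-0000000000aa",
                           "name": "prod-subscription"}]}
    for u in delete_service_connections("example-org", "ExampleProject",
                                        ["prod-subscription"], pat="unused", send=fake):
        print("would DELETE", u)
```

Review the dry-run output before calling it with `dry_run=False`, since a deleted service connection breaks every pipeline that references it.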

1
user3440473 On

Thanks, this partly answers my question. In the best of worlds I would, however, like the account to be removed from the AzDO organisation (automatically) when removed from AD. Using a group rule, for example, does not remove the users from the organization.

It would also be OK to have a script that checks if the user is part of AD and then removes them from the AzDO organization if not available in the AD.