microsoft
diff --git a/‎.github/copilot-instructions.md‎
Lines changed: 15 additions & 0 deletions b/‎.github/copilot-instructions.md‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎.github/skills/ado-assessment/SKILL.md‎
Lines changed: 127 additions & 0 deletions b/‎.github/skills/ado-assessment/SKILL.md‎
Lines changed: 127 additions & 0 deletions
diff --git a/‎.github/skills/ado-assessment/references/agent-pool-controls.md‎
Lines changed: 126 additions & 0 deletions b/‎.github/skills/ado-assessment/references/agent-pool-controls.md‎
Lines changed: 126 additions & 0 deletions
@@ -0,0 +1,15 @@
+## Versioning
+
+This repository uses Semantic Versioning.
+
+For deployable or user-visible changes:
+- Update the root `VERSION` file using `X.Y.Z` format only.
+- Update `CHANGELOG.md` under `## [Unreleased]` using Keep a Changelog categories: `Added`, `Changed`, `Deprecated`, `Removed`, `Fixed`, `Security`.
+- Choose the bump level as follows:
+	- `MAJOR` for breaking changes or required migration.
+	- `MINOR` for backward-compatible features or enhancements.
+	- `PATCH` for bug fixes, documentation updates, refactors, and non-breaking maintenance.
+- If the correct bump level is ambiguous, ask before changing `VERSION`.
+- Do not describe or rely on versioning behaviors that are not implemented in this repository.
+
+When making version-related edits, keep changelog entries user-facing rather than implementation-focused.
@@ -0,0 +1,127 @@
+---
+name: ado-assessment
+description: 'Review an Azure DevOps organization or project for adherence to Azure DevOps best practices. Use when: running an ADO Quick Review, evaluating org or project configuration, checking adoption of recommended settings, identifying improvement opportunities, ADO best practices, org review, project review.'
+---
+
+# Azure DevOps Quick Review
+
+Review an Azure DevOps organization or project for adherence to **Azure DevOps best practices** by collecting settings via Azure CLI / REST API and evaluating them against documented Microsoft recommendations.
+
+**This skill does NOT call AzSK.ADO.** It brings best-practice knowledge derived from those controls and uses native Azure CLI and REST API calls to collect and evaluate settings.
+
+## Workflow
+
+### Phase 1 — Collect Settings
+
+Gather the current configuration of an ADO organization or project using `az devops` CLI commands and REST API calls. The reference files below contain the exact commands and API endpoints for each resource type.
+
+### Phase 2 — Assess Against Best Practices
+
+Compare collected settings against the best-practice controls documented in the reference files. Each control has a severity (High/Medium/Low), a rationale, and remediation guidance. Generate a report showing which best practices have been adopted and which remain as improvement opportunities.
+
+## Prerequisites
+
+```powershell
+# Azure CLI 2.81.0+
+az version
+
+# Azure DevOps extension
+az extension add --name azure-devops
+
+# Login
+az login
+
+# Set defaults
+az devops configure --defaults organization=https://dev.azure.com/<YourOrg> project=<YourProject>
+```
+
+## Authentication
+
+```powershell
+# Interactive login
+az login
+
+# PAT-based login (for automation)
+$env:AZURE_DEVOPS_EXT_PAT = '<your-pat>'
+az devops login
+
+# Get REST API bearer token
+$token = az account get-access-token --resource "499b84ac-1321-427f-aa17-267ca6975798" --query accessToken -o tsv
+```
+
+## Resource Types Covered
+
+| Resource | Controls | Scope |
+|---|---|---|
+| Organization | 35+ controls | Auth, users, extensions, pipelines, feeds, audit |
+| Project | 25+ controls | Visibility, admins, pipelines, permissions, credential scanning |
+| Build Pipelines | 20+ controls | Secrets, permissions, forks, branches, task groups |
+| Release Pipelines | 12+ controls | Secrets, approvals, permissions, task groups |
+| Service Connections | 15+ controls | Auth, scope, access, permissions, branches |
+| Agent Pools | 10+ controls | Permissions, auto-provision, patching, secrets |
+| Repos / Feeds / Secure Files / Environments | 20+ controls | Access, permissions, branches, approvals |
+| Variable Groups | 10+ controls | Secrets, permissions, access, branches |
+| Users / PATs | 6+ controls | PAT scope, expiry, alternate credentials |
+
+Each resource is evaluated against documented Microsoft best practices.
+
+## Reference Files
+
+Read the relevant reference file based on the user's assessment scope.
+
+| File | Keywords | Covers |
+|---|---|---|
+| [references/org-settings.md](./references/org-settings.md) | organization, org, AAD, external users, public projects, extensions, audit, OAuth, SSH, feeds, conditional access, admin | Organization-level settings — collection commands and best-practice controls |
+| [references/project-settings.md](./references/project-settings.md) | project, visibility, admin, credential scanner, permissions, pipeline scoping, inactive | Project-level settings — collection commands and best-practice controls |
+| [references/build-controls.md](./references/build-controls.md) | build, pipeline, CI, secrets, fork, task group, variable, branch, YAML | Build pipeline best-practice controls — collection commands and assessments |
+| [references/release-controls.md](./references/release-controls.md) | release, deployment, approval, CD, production, stage | Release pipeline best-practice controls — collection commands and assessments |
+| [references/service-connection-controls.md](./references/service-connection-controls.md) | service connection, endpoint, SPN, certificate, subscription, ARM | Service connection best-practice controls — collection commands and assessments |
+| [references/agent-pool-controls.md](./references/agent-pool-controls.md) | agent, pool, self-hosted, auto-provision, auto-update | Agent pool best-practice controls — collection commands and assessments |
+| [references/repo-feed-environment-controls.md](./references/repo-feed-environment-controls.md) | repository, repo, feed, artifact, secure file, environment, branch protection | Repos, feeds, secure files, and environment best-practice controls |
+| [references/variable-group-controls.md](./references/variable-group-controls.md) | variable group, secret, key vault, linked | Variable group best-practice controls |
+| [references/user-pat-controls.md](./references/user-pat-controls.md) | user, PAT, personal access token, alternate credentials, inactive | User and PAT hygiene best-practice controls |
+| [references/errors.md](./references/errors.md) | error, 401, 403, permission denied, troubleshoot | Common errors and troubleshooting |
+
+## Assessment Output Format
+
+When reporting results, use this format for each control:
+
+```
+| Status | Severity | Control | Finding |
+|--------|----------|---------|---------|
+| PASS   | High     | AAD authentication enabled | Organization uses AAD-backed auth |
+| FAIL   | High     | External user access | 3 external users found with access |
+| FAIL   | Medium   | Audit streaming | Audit streaming is not configured |
+```
+
+Summarize at the end with counts: `X PASS | Y FAIL | Z NOT CHECKED`
+
+## Saving Results
+
+After the assessment completes, save the results as Markdown files **in the workspace root**. Create separate files for the organization and each project:
+
+| File | Contents |
+|---|---|
+| `{org-name}-org-assessment.md` | Organization-level controls (auth, users, extensions, pipelines, feeds, audit, agent pools, PATs) |
+| `{org-name}-{project-name}-assessment.md` | Project-level controls (visibility, admins, pipeline settings, permissions) **plus** all project-scoped resources: build pipelines, release pipelines, service connections, repos, feeds, environments, variable groups, secure files |
+
+### File naming
+
+- Use the organization short name and project name, lowercased and with spaces replaced by hyphens.
+- Examples for org `pbi-demo` with projects `eShop Web Demo` and `CL-DEMO`:
+  - `pbi-demo-org-assessment.md`
+  - `pbi-demo-eshop-web-demo-assessment.md`
+  - `pbi-demo-cl-demo-assessment.md`
+
+### File structure
+
+Each file must include:
+
+1. **Header** — assessment date, organization/project name, assessor
+2. **Control results table** — the standard `Status | Severity | Control | Finding` table
+3. **Summary counts** — `X PASS | Y FAIL | Z NOT CHECKED`
+4. **Critical findings** — list of FAIL items sorted by severity (High first) with remediation steps
+
+### When to write
+
+Write the files at the end of Phase 2 (after all controls are assessed and results are shown to the user). Always create the files — do not ask for confirmation.
@@ -0,0 +1,126 @@
+# Agent Pool Best-Practice Controls
+
+Collect and assess agent pool settings against Azure DevOps best practices.
+
+## How to Collect Agent Pool Settings
+
+```powershell
+$org = "https://dev.azure.com/{organization}"
+$project = "{project}"
+$header = @{ Authorization = "Bearer $token" }
+
+# List all agent pools (org level)
+Invoke-RestMethod -Uri "$org/_apis/distributedtask/pools?api-version=7.1" -Headers $header
+
+# Get a specific agent pool
+Invoke-RestMethod -Uri "$org/_apis/distributedtask/pools/{poolId}?api-version=7.1" -Headers $header
+
+# List agents in a pool
+Invoke-RestMethod -Uri "$org/_apis/distributedtask/pools/{poolId}/agents?api-version=7.1" -Headers $header
+
+# Get agent details (includes capabilities, status, last completed request)
+Invoke-RestMethod -Uri "$org/_apis/distributedtask/pools/{poolId}/agents/{agentId}?includeCapabilities=true&includeLastCompletedRequest=true&api-version=7.1" -Headers $header
+
+# Check agent pool permissions
+Invoke-RestMethod -Uri "$org/_apis/distributedtask/pools/{poolId}/roles?api-version=7.1" -Headers $header
+
+# Check pipeline permissions for agent pool
+Invoke-RestMethod -Uri "$org/$project/_apis/pipelines/pipelinePermissions/queue/{queueId}?api-version=7.1-preview.1" -Headers $header
+
+# List project-level queues (agent pools visible to a project)
+Invoke-RestMethod -Uri "$org/$project/_apis/distributedtask/queues?api-version=7.1-preview.1" -Headers $header
+```
+
+---
+
+## Best-Practice Controls
+
+### AP-01: Security Patches on Self-Hosted VMs
+| Field | Value |
+|-------|-------|
+| **Severity** | High |
+| **Automated** | No (manual review) |
+| **Check** | Non-hosted agent virtual machines must have all required security patches installed. |
+| **Rationale** | Unpatched VMs are easy targets for compromise from various malware/trojan attacks that exploit known vulnerabilities in operating systems and related software. |
+| **Collection** | Identify self-hosted agent pools (`isHosted: false`). Check agent OS version and patch level via agent capabilities. |
+| **Remediation** | Implement automated patching for self-hosted agent VMs. Use Azure Update Manager or WSUS. |
+
+### AP-02: Hardened OS Image
+| Field | Value |
+|-------|-------|
+| **Severity** | Medium |
+| **Automated** | No (manual review) |
+| **Check** | Use a security hardened, locked down OS image for self-hosted VMs in agent pool. |
+| **Rationale** | The agent machine is serving as a 'gateway' into the corporate environment. Using a locked-down, secure baseline configuration ensures this machine is not leveraged as an entry point. |
+| **Collection** | Review self-hosted agent OS images for CIS benchmark compliance. |
+| **Remediation** | Use CIS-hardened images for agent VMs. Remove unnecessary software and services. |
+
+### AP-03: Inherited Permissions Disabled
+| Field | Value |
+|-------|-------|
+| **Severity** | High |
+| **Automated** | Yes |
+| **Check** | Do not allow inherited permission on agent pool. |
+| **Rationale** | Disabling inherited permissions lets you finely control access at the agent level. This ensures the principle of least privilege and provides access only to persons that require it. |
+| **Collection** | Check agent pool permissions for inheritance settings. |
+| **Remediation** | Disable inheritance on individual agent pools and set explicit permissions. |
+
+### AP-04: Auto-Provisioning Disabled
+| Field | Value |
+|-------|-------|
+| **Severity** | High |
+| **Automated** | Yes |
+| **Check** | Do not enable auto-provisioning for agent pools. |
+| **Rationale** | By enabling auto-provisioning, the organization agent pool is imported in all new team projects and is accessible immediately. A vulnerability in components used by one project can be leveraged to attack other projects. |
+| **Collection** | `Invoke-RestMethod -Uri "$org/_apis/distributedtask/pools/{poolId}?api-version=7.1"` — check `autoProvision` property. |
+| **Remediation** | Set `autoProvision: false` on agent pools. Manually grant access per-project. |
+
+### AP-05: Not Accessible to All YAML Pipelines
+| Field | Value |
+|-------|-------|
+| **Severity** | High |
+| **Automated** | Yes |
+| **Check** | Do not make agent pool accessible to all (YAML) pipelines in the project. |
+| **Rationale** | To support security of pipeline operations, agent pools must not be granted access to all YAML pipelines. A vulnerability in one pipeline can be leveraged to attack other pipelines with access to critical resources. |
+| **Collection** | REST: `_apis/pipelines/pipelinePermissions/queue/{queueId}` — check if `allPipelines.authorized` is `true`. |
+| **Remediation** | Disable "Grant access permission to all pipelines". Add individual pipeline authorizations. |
+
+### AP-06: Inactive Agent Pools
+| Field | Value |
+|-------|-------|
+| **Severity** | Medium |
+| **Automated** | Yes |
+| **Check** | Inactive agent pools must be removed if no more required. |
+| **Rationale** | Agent pools may contain potentially sensitive information (such as code, secrets, pre-release information and logs) from previously run pipelines. Each inactive agent pool can increase exposure. |
+| **Collection** | Check agent last completed request date. Flag pools where all agents have no activity in 90+ days. |
+| **Remediation** | Delete inactive agent pools after confirming they are no longer needed. |
+
+### AP-07: Auto-Update Enabled
+| Field | Value |
+|-------|-------|
+| **Severity** | High |
+| **Automated** | Yes |
+| **Check** | Enable auto-update of agents in the pool. |
+| **Rationale** | Unpatched agents are easy targets for compromise. Being on the latest OS version significantly reduces risks from security design issues and bugs present in older versions. |
+| **Collection** | `Invoke-RestMethod -Uri "$org/_apis/distributedtask/pools/{poolId}?api-version=7.1"` — check `autoUpdate` property. Also check individual agent `version` against latest available. |
+| **Remediation** | Enable auto-update on agent pools. Verify agents are running the latest version. |
+
+### AP-08: No Plain Text Secrets in Capabilities
+| Field | Value |
+|-------|-------|
+| **Severity** | High |
+| **Automated** | Yes |
+| **Check** | Secrets and keys must not be stored as plain text in agent capabilities. |
+| **Rationale** | Keeping secrets as plain text in agent capabilities can expose credentials. Any user who can deploy a pipeline to run on such agents can access these secrets and compromise the security of resources involving the secrets. |
+| **Collection** | REST: `_apis/distributedtask/pools/{poolId}/agents/{agentId}?includeCapabilities=true` — inspect `userCapabilities` for values containing keywords like "password", "secret", "key", "token", "connectionstring". |
+| **Remediation** | Remove sensitive data from agent user capabilities. Use pipeline variables or Key Vault instead. |
+
+### AP-09: Broader Group Excessive Permissions
+| Field | Value |
+|-------|-------|
+| **Severity** | High |
+| **Automated** | Yes |
+| **Check** | Broader groups should not have excessive permissions on agent pool. |
+| **Rationale** | If broader groups (e.g., Contributors) have excessive permissions (Admin/User) on an agent pool, integrity can be compromised by a malicious user. Removing unnecessary access minimizes exposure in case of compromise. |
+| **Collection** | Check agent pool role assignments for broad groups (Contributors, Project Valid Users). |
+| **Remediation** | Remove excessive role assignments for broad groups. Grant Reader role only where needed. |