Running an Azure DevOps task as a different user
TL;DR: use Windows Task Scheduler.
When an Azure DevOps agent is installed on a server, you get to choose which account the service runs as. However, there might be cases when you would like the agent to run a script or program on a server as a different Windows user than the one the agent is configured with.
I recently wanted to automate the transfer of a database backup via a DevOps release pipeline. The task was automated with a PowerShell script, but the script needed to run as a service account that had specific permissions. Running the agent as the service account was not an option. The server had neither WinRM nor PowerShell Remoting enabled, which you can use to remotely run a script as another user.
One possible solution mentioned on Stack Overflow is to set up a PowerShell script on the server that includes the credentials of the service account and, with that script, launch another PowerShell process to run the final script. With that approach, there was no easy way to get DevOps to show the task as running and report back errors.
In the end, I set up a task in Windows Task Scheduler on the server that runs as the service account and executes the PowerShell script locally. The DevOps release pipeline starts the task via PowerShell.
[Image: The task set up in Task Scheduler]
The following PowerShell script was used in Azure DevOps to start that task. It shows the task as running and reports back unsuccessful runs.
$taskName = "Create Database Backup"
Start-ScheduledTask -TaskName $taskName
# Poll until the task is no longer running; the pause avoids a busy loop
while ((Get-ScheduledTask -TaskName $taskName).State -eq 'Running') {
    Write-Verbose -Message "Running task..."
    Start-Sleep -Seconds 1
}
$taskResult = (Get-ScheduledTaskInfo -TaskName $taskName).LastTaskResult
If($taskResult -ne 0) { throw "Task was not completed successfully." }
[Image: The PowerShell task setup in Azure DevOps]
-
Idempotent configuration script for redirecting HTTP to HTTPS in IIS
In IIS, the URL Rewrite module can be used to redirect HTTP requests to HTTPS. There is a lot of information on how to set up rules in the module for HTTP redirection; ssl.com has a good guide.
I wanted to automate the configuration in Azure DevOps, with release pipelines, and preferably in an idempotent way so that the rules are set up with no precondition, and no duplicate rules are created if the HTTP-redirect rule already exists. In the end I used PowerShell to catch exit codes from appCmd, and variables that I linked to the release pipeline to insert the website’s name.
# This script sets up HTTP to HTTPS redirect for a website in IIS and can be used in conjunction with Azure DevOps variables
$appCmd = "C:\windows\system32\inetsrv\appcmd.exe"
# Set following variable to the name of the IIS website
$websiteName = "NameOfTheIISWebsite"
$_ = & $appCmd set config $websiteName -section:system.webServer/rewrite/rules /+"[name='http_redirect_""$websiteName""',enabled='True']"
$_ = & $appCmd set config $websiteName -section:system.webServer/rewrite/rules "/[name='http_redirect_""$websiteName""'].match.url:(.*)"
$_ = & $appCmd set config $websiteName -section:system.webServer/rewrite/rules "/[name='http_redirect_""$websiteName""'].conditions.[input='{HTTPS}',pattern='Off']"
<#
ERRORLEVEL 4312 occurs when trying to find requested collection element which doesn't exist.
This error is expected for idempotency. Element does not exist and needs to be added before changed.
#>
if( $LASTEXITCODE -eq 4312 ) {
    $_ = & $appCmd set config $websiteName -section:system.webServer/rewrite/rules "/+[name='http_redirect_""$websiteName""'].conditions.[input='{HTTPS}',pattern='Off']"
}
$_ = & $appCmd set config $websiteName -section:system.webServer/rewrite/rules "/[name='http_redirect_""$websiteName""'].action.type:Redirect" `
    "/[name='http_redirect_""$websiteName""'].action.url:https://{HTTP_HOST}/{R:1}"
[Image: The Azure DevOps release pipeline for the website]
[Image: The “Redirect to HTTPS” task]
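A check that could run as a last pipeline step to confirm the configuration script above stayed idempotent: exactly one redirect rule, one {HTTPS}/Off condition, and a Redirect action that targets https://. This is an added example, not the author's code; Test-HttpsRedirectRule is a hypothetical helper, the XML and the rule name are constructed, and it assumes appcmd list config prints the rewrite rules section as XML in the shape shown.

```powershell
# Added example, not the post author's code. Test-HttpsRedirectRule is a
# hypothetical helper that checks the XML text of the rewrite/rules section.
function Test-HttpsRedirectRule {
    param(
        [Parameter(Mandatory)] [string] $RulesXml,
        [Parameter(Mandatory)] [string] $RuleName
    )
    $doc = [xml]$RulesXml
    # Compare the name attribute in PowerShell, not in XPath, so quotes in a
    # rule name cannot break the query.
    $rules = @($doc.SelectNodes('//rule') |
        Where-Object { $_.GetAttribute('name') -eq $RuleName })
    if ($rules.Count -ne 1) {
        throw "Expected exactly 1 rule named '$RuleName', found $($rules.Count)."
    }
    $rule = $rules[0]
    $action = $rule.SelectSingleNode('action')
    $httpsOff = @($rule.SelectNodes('conditions/add') | Where-Object {
        $_.GetAttribute('input') -eq '{HTTPS}' -and $_.GetAttribute('pattern') -eq 'Off' })
    $problems = @()
    if ($rule.GetAttribute('enabled') -eq 'false') { $problems += 'rule is disabled' }
    if ($httpsOff.Count -ne 1) { $problems += "$($httpsOff.Count) {HTTPS}/Off conditions, expected 1" }
    if ($null -eq $action -or $action.GetAttribute('type') -ne 'Redirect') {
        $problems += 'action is not a Redirect'
    } elseif ($action.GetAttribute('url') -notlike 'https://*') {
        $problems += 'redirect target is not https://'
    }
    if ($problems.Count -gt 0) { throw "Rule '$RuleName' is misconfigured: $($problems -join '; ')" }
    return $true
}

# Constructed sample input; on a server, pass the joined output of
#   & $appCmd list config $websiteName -section:system.webServer/rewrite/rules
$sample = @'
<system.webServer><rewrite><rules>
  <rule name="http_redirect_NameOfTheIISWebsite" enabled="true">
    <match url="(.*)" />
    <conditions><add input="{HTTPS}" pattern="Off" /></conditions>
    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" />
  </rule>
</rules></rewrite></system.webServer>
'@
Test-HttpsRedirectRule -RulesXml $sample -RuleName 'http_redirect_NameOfTheIISWebsite'

# The same section after a non-idempotent script ran twice (rule duplicated)
$duplicated = $sample -replace '(?s)(<rule .*?</rule>)', '$1$1'
try { Test-HttpsRedirectRule -RulesXml $duplicated -RuleName 'http_redirect_NameOfTheIISWebsite' }
catch { Write-Output "Rejected: $($_.Exception.Message)" }
```

Because the helper throws on any mismatch, using it in an Azure DevOps PowerShell task fails the release when the redirect is missing, duplicated, or pointed at a non-HTTPS target.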