Automating Azure DevOps Task Tracking: A Complete PowerShell Solution

Automating Azure DevOps Task Tracking: A Complete PowerShell Solution

param(

    [Parameter(Mandatory = $false)]

    [Alias('From')]

    [AllowNull()][object]$FromDate,

    [Parameter(Mandatory = $false)]

    [Alias('To')]

    [AllowNull()][object]$ToDate,

    [string]$OutputPath = ".",

    [string]$TeamsWebhookUrl = '',

    [string]$PatToken = ''

)

# Configuration

$organization = "organization"

$project = "project"

$iterationPath = "iterationPath"

$TeamsWebhookUrl = "TeamsWebhookUrl"

$PatToken=''

# Default to today if no dates provided, and last 40 days for FromDate

if (-not $ToDate) { $ToDate = Get-Date }

#if (-not $FromDate) { $FromDate = $ToDate.AddDays(-39) }  # 40 days including today

if (-not $FromDate) { $FromDate = $ToDate }  # 40 days including today

# Normalize to Date objects

if ($ToDate -is [string]) { $ToDate = Get-Date $ToDate }

if ($FromDate -is [string]) { $FromDate = Get-Date $FromDate }

# Use date-only bounds for today

$fromDay = $FromDate.Date

$toDay = $ToDate.Date.AddDays(1).AddSeconds(-1)

Write-Host "Collecting burned hours for tasks and bugs between $($fromDay.ToString('yyyy-MM-dd')) and $($toDay.ToString('yyyy-MM-dd'))" -ForegroundColor Cyan

# Acquire ADO access token via Azure CLI or use provided PAT token

if ($PatToken) {

    $basicToken = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(":$PatToken"))

    $authHeader = @{ Authorization = "Basic $basicToken" }

} else {

    try {

        $accessToken = az account get-access-token --resource https://app.vssps.visualstudio.com --query accessToken -o tsv

    } catch {

        Write-Error "Failed to get Azure access token. Ensure 'az' is installed and you are logged in (az login)."

        exit 1

    }

    $authHeader = @{ Authorization = "Bearer $accessToken" }

}

# WIQL to find tasks and bugs in the iteration

$wiql = @"

SELECT [System.Id]

FROM WorkItems

WHERE [System.WorkItemType] IN ('Task', 'Bug')

  AND [System.IterationPath] = '$iterationPath'

"@

$wiqlBody = @{ query = $wiql } | ConvertTo-Json

$wiqlUrl = "https://dev.azure.com/$organization/$project/_apis/wit/wiql?api-version=6.0"

$wiqlResult = Invoke-RestMethod -Method Post -Uri $wiqlUrl -Headers $authHeader -Body $wiqlBody -ContentType "application/json"

if (-not $wiqlResult.workItems -or $wiqlResult.workItems.Count -eq 0) {

    Write-Host "No tasks or bugs changed in the specified date range." -ForegroundColor Yellow

    return

}

$ids = $wiqlResult.workItems | Select-Object -ExpandProperty id

# Azure DevOps API has a limit of 200 work items per request, so batch the requests

$batchSize = 200

$allWorkItems = @()

for ($i = 0; $i -lt $ids.Count; $i += $batchSize) {

    $batchEnd = [Math]::Min($i + $batchSize - 1, $ids.Count - 1)

    $batchIds = $ids[$i..$batchEnd] -join ','

   

    Write-Host "Fetching batch $([Math]::Floor($i / $batchSize) + 1) of $([Math]::Ceiling($ids.Count / $batchSize)): items $($i + 1) to $($batchEnd + 1)" -ForegroundColor Gray

   

    $fieldsList = "System.Id,System.AssignedTo"

    $detailsUrl = "https://dev.azure.com/$organization/$project/_apis/wit/workitems?ids=$batchIds&fields=$fieldsList&api-version=6.0"

   

    try {

        $detailsResult = Invoke-RestMethod -Method Get -Uri $detailsUrl -Headers $authHeader

        if ($detailsResult -and $detailsResult.value) {

            $allWorkItems += $detailsResult.value

        }

    } catch {

        $errMsg = if ($_.Exception) { $_.Exception.Message } else { $_.ToString() }

        Write-Warning "Failed to fetch batch starting at item $($i + 1): $errMsg"

        continue

    }

}

if (-not $allWorkItems -or $allWorkItems.Count -eq 0) {

    Write-Host "No work item details returned from ADO." -ForegroundColor Yellow

    return

}

# Prepare output

$out = @()

$todayString = $fromDay.ToString('yyyy-MM-dd')

foreach ($item in $allWorkItems) {

    $workItemId = $item.id

    $assigned = if ($item.fields.'System.AssignedTo') { $item.fields.'System.AssignedTo'.displayName } else { 'Unassigned' }

    # Get revisions for this work item and compute CompletedWork delta within the day

    $revisionsUrl = "https://dev.azure.com/$organization/$project/_apis/wit/workItems/$workItemId/revisions?api-version=6.0"

    try {

    $revs = Invoke-RestMethod -Method Get -Uri $revisionsUrl -Headers $authHeader

    } catch {

        $errMsg = if ($_.Exception) { $_.Exception.Message } else { $_.ToString() }

        Write-Warning ("Failed to fetch revisions for {0}: {1}" -f $workItemId, $errMsg)

        continue

    }

    # Ensure revisions were returned

    if (-not $revs -or -not $revs.value) { continue }

    # To include closed tasks where CompletedWork was updated at close, compute delta between

    # the revision just before the window start (or earliest known) and the last revision up to window end.

    $allRevs = $revs.value | Where-Object { $_.fields -and $_.fields.'System.ChangedDate' } | Sort-Object { Get-Date $_.fields.'System.ChangedDate' }

    if (-not $allRevs -or $allRevs.Count -eq 0) { continue }

    # Find the last revision strictly before the window start (baseline)

    $baselineRev = $allRevs | Where-Object { (Get-Date $_.fields.'System.ChangedDate') -lt $fromDay } | Select-Object -Last 1

    # If none, use the first revision available as baseline

    if (-not $baselineRev) { $baselineRev = $allRevs[0] }

    # Find the last revision at or before the window end

    $endRev = $allRevs | Where-Object { (Get-Date $_.fields.'System.ChangedDate') -le $toDay } | Select-Object -Last 1

    if (-not $endRev) { continue }

    $firstCompleted = 0.0

    $lastCompleted = 0.0

    if ($baselineRev.fields.'Microsoft.VSTS.Scheduling.CompletedWork') { $firstCompleted = [double]$baselineRev.fields.'Microsoft.VSTS.Scheduling.CompletedWork' }

    if ($endRev.fields.'Microsoft.VSTS.Scheduling.CompletedWork') { $lastCompleted = [double]$endRev.fields.'Microsoft.VSTS.Scheduling.CompletedWork' }

    $burned = [math]::Round(($lastCompleted - $firstCompleted), 2)

    if ($burned -le 0) { continue }

    $out += [PSCustomObject]@{

        TodayDate = $todayString

        TaskId    = $workItemId

        BurnedHrs = $burned

        AssignedTo = $assigned

        LastChangedBy = if ($endRev.fields.'System.ChangedBy') { $endRev.fields.'System.ChangedBy'.displayName } else { '' }

    }

}

if ($out.Count -eq 0) {

    Write-Host "No burned hours recorded for tasks or bugs today." -ForegroundColor Yellow

    return

}

$csvFile = Join-Path $OutputPath ("today-burned-tasks-{0}.csv" -f (Get-Date -Format "yyyyMMddHHmmss"))

$outSorted = $out | Sort-Object -Property AssignedTo

$outSorted | Export-Csv -Path $csvFile -NoTypeInformation

Write-Host "Report generated: $csvFile" -ForegroundColor Green

 

# If a Teams incoming webhook URL was provided, post the report content (not the file)

if ($TeamsWebhookUrl -and $TeamsWebhookUrl.Trim() -ne '') {

    try {

        # Build a concise text message. Limit displayed rows to avoid extremely long messages.

        $maxLines = 50

        $lines = $outSorted | ForEach-Object { "Work Item $($_.TaskId): $($_.BurnedHrs) hrs - $($_.AssignedTo)" }

        if ($lines.Count -gt $maxLines) {

            $displayLines = $lines[0..($maxLines - 1)] + ("...and $($lines.Count - $maxLines) more tasks")

        } else {

            $displayLines = $lines

        }

    # Build a monospaced table for Teams: use a code block so formatting is preserved

        # Determine column widths based on data (with some caps)

        $maxTaskIdWidth = 10

        $maxBurnWidth = 8

        $maxAssignWidth = 30

        function Format-Row($tid, $burn, $assignee) {

            $t = $tid.ToString()

            if ($t.Length -gt $maxTaskIdWidth) { $t = $t.Substring(0,$maxTaskIdWidth) }

            $b = $burn.ToString()

            if ($b.Length -gt $maxBurnWidth) { $b = $b.Substring(0,$maxBurnWidth) }

            $a = $assignee.ToString()

            if ($a.Length -gt $maxAssignWidth) { $a = $a.Substring(0,$maxAssignWidth) }

            return ("{0,-$maxTaskIdWidth} | {1,-$maxBurnWidth} | {2,-$maxAssignWidth}" -f $t, $b, $a)

        }

        $tableLines = @()

        $tableLines += ("Burned hours report for $todayString")

        $tableLines += ("Total tasks: $($outSorted.Count)")

        $tableLines += ''

        $tableLines += ("{0,-$maxTaskIdWidth} | {1,-$maxBurnWidth} | {2,-$maxAssignWidth}" -f 'TaskId','Burned','AssignedTo')

        $tableLines += ('-' * ($maxTaskIdWidth + 3 + $maxBurnWidth + 3 + $maxAssignWidth))

        foreach ($line in $displayLines) {

            # displayLines formatted like: "Work Item 2404990: 3.5 hrs - Alice Smith"

            if ($line -match '^Work Item\s+(\d+):\s+([0-9.]+)\s+hrs\s+-\s+(.*)$') {

                $tid = $matches[1]

                $burn = $matches[2]

                $assignee = $matches[3]

                $tableLines += Format-Row $tid $burn $assignee

            } else {

                # fallback: show the raw line truncated to fit

                $raw = $line

                if ($raw.Length -gt ($maxTaskIdWidth + $maxBurnWidth + $maxAssignWidth + 10)) { $raw = $raw.Substring(0, ($maxTaskIdWidth + $maxBurnWidth + $maxAssignWidth + 7)) + '...' }

                $tableLines += $raw

            }

        }

        if ($lines.Count -gt $maxLines) { $tableLines += "...and $($lines.Count - $maxLines) more tasks" }

    # Wrap the table in a code block so Teams preserves monospace formatting

    $bodyText = @"

```

$($tableLines -join "`n")

```

"@

    $payload = @{ text = $bodyText } | ConvertTo-Json -Depth 4

        Invoke-RestMethod -Method Post -Uri $TeamsWebhookUrl -ContentType 'application/json' -Body $payload -ErrorAction Stop

        Write-Host "Posted report content to Teams webhook." -ForegroundColor Green

    } catch {

        $err = if ($_.Exception) { $_.Exception.Message } else { $_.ToString() }

        Write-Warning "Failed to post report to Teams webhook: $err"

    }

} else {

    Write-Host "No Teams webhook URL provided; skipping Teams post." -ForegroundColor Gray

}

 

 

Building Secure APIs with FastAPI and Azure AD Authentication

Published on September 2, 2025

In today's world of microservices and API-first architecture, securing your endpoints is crucial. In this blog post, we'll explore how to create a simple yet secure FastAPI application that integrates with Azure Active Directory (Azure AD) for authentication using bearer tokens.

What We're Building

Our FastAPI application demonstrates:

• Bearer token authentication using JWT tokens from Azure AD
• Token validation without signature verification (for demonstration purposes)
• User information extraction from the JWT payload
• Protected endpoints that require valid authentication

The Architecture

The application consists of a single FastAPI server with:

• A token verification function that validates Azure AD JWT tokens
• A protected /hello endpoint that returns user information
• Integration with Azure AD using tenant-specific configuration

Key Components

1. Azure AD Configuration

TENANT_ID = "6213dbca-6fe9-42b2-bdaa-ccf2fc2f6332"
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}"
APP_ID_URI = "b1c47286-f990-408a-8d6e-938377129947"
CLIENT_ID = "b1c47286-f990-408a-8d6e-938377129947"
SECRET_KEY = "APP Secret Key"

These configuration values connect your application to a specific Azure AD tenant and define the valid audiences for token validation.

2. Token Verification

The verify_token function is the heart of our authentication system:

• Extracts bearer tokens from the Authorization header
• Decodes JWT tokens without signature verification (⚠️ Note: In production, always verify signatures!)
• Validates the audience to ensure tokens are intended for this application
• Handles common JWT errors like expired or malformed tokens

3. Protected Endpoints

Our /hello endpoint demonstrates how to:

• Require authentication using FastAPI's dependency injection
• Extract user information from the token payload
• Return personalized responses based on the authenticated user

What Makes This Special

1. Simple Integration: Just a few lines of code to secure your endpoints
2. Enterprise Ready: Uses Azure AD, which is widely adopted in corporate environments
3. User Context: Extracts meaningful user information like username and employee ID
4. Scope Awareness: Can handle OAuth scopes for fine-grained permissions

Running the Application

Getting started is straightforward:

# Install dependencies
pip install fastapi uvicorn python-jose[cryptography]

# Run the server
uvicorn main:app --reload --host 0.0.0.0 --port 8000

from fastapi import FastAPI, Depends, HTTPException, status
from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
import uvicorn
import jwt
app = FastAPI(title="FastAPI Authentication Example")
security = HTTPBearer()
TENANT_ID = "6213dbca-6fe9-42b2-bdaa-ccf2fc2f6332"
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}"
APP_ID_URI = "b1c47286-f990-408a-8d6e-938377129947"  
CLIENT_ID = "b1c47286-f990-408a-8d6e-938377129947"
SECRET_KEY = "APP Secret Key"
VALID_AUDIENCES = [APP_ID_URI, CLIENT_ID]

def verify_token(credentials: HTTPAuthorizationCredentials = Depends(security)):
    """Verify the bearer token using JWT validation"""
    try:
        decoded = jwt.decode(credentials.credentials, options={"verify_signature": False})
        audience = decoded.get("aud")
        
        if audience not in VALID_AUDIENCES:
            raise HTTPException(
                status_code=status.HTTP_401_UNAUTHORIZED,
                detail="Invalid token audience",
                headers={"WWW-Authenticate": "Bearer"},
            )
        return decoded
        
    except jwt.ExpiredSignatureError:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Token has expired",
            headers={"WWW-Authenticate": "Bearer"},
        )
    except jwt.InvalidTokenError:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Invalid token format",
            headers={"WWW-Authenticate": "Bearer"},
        )
@app.get("/hello")
async def hello_world(decoded_token: dict = Depends(verify_token)):
    """Protected hello world endpoint"""
    username = decoded_token.get("preferred_username", "Unknown User")
    employee_id = decoded_token.get("employeeid", "Unknown")
    
    return {
        "message": "Hello World! You are authenticated.",
        "user": username,
        "employee_id": employee_id,
        "scopes": decoded_token.get("scp", "").split(" ")
    }
if __name__ == "__main__":
    uvicorn.run(app, host="0.0.0.0", port=8000)

The application will be available at http://localhost:8000, with automatic API documentation at http://localhost:8000/docs.

Testing the Authentication

To test the protected endpoint, you'll need a valid Azure AD token:

curl -H "Authorization: Bearer YOUR_AZURE_AD_TOKEN" \
     http://localhost:8000/hello

A successful response will look like:

{
  "message": "Hello World! You are authenticated.",
  "user": "john.doe@company.com",
  "employee_id": "EMP123",
  "scopes": ["read", "write"]
}

Security Considerations

While this example demonstrates the basics, remember these important points for production use:

1. Always verify token signatures - Don't set verify_signature: False in production
2. Use HTTPS - Never transmit tokens over unencrypted connections
3. Validate all claims - Check issuer, expiration, and other relevant claims
4. Implement rate limiting - Protect against abuse and brute force attacks
5. Log security events - Monitor authentication failures and suspicious activity

Conclusion

FastAPI's elegant dependency injection system makes it incredibly easy to add authentication to your APIs. Combined with Azure AD's robust identity platform, you can quickly build secure, enterprise-ready applications.

This example provides a solid foundation that you can extend with additional features like:

• Role-based authorization
• API key authentication
• Multi-tenant support
• Advanced logging and monitoring

The complete code is available in this repository, ready for you to experiment with and adapt to your specific needs.

---

Ready to secure your APIs? Start with this example and build from there. FastAPI and Azure AD make a powerful combination for modern web applications.

Technologies Used

• FastAPI - Modern, fast web framework for building APIs
• Azure Active Directory - Microsoft's cloud-based identity service
• JWT - JSON Web Tokens for secure information transmission
• Python-JOSE - JWT library for Python
• Uvicorn - Lightning-fast ASGI server

Resources

• FastAPI Documentation
• Azure AD Authentication Documentation
• JWT.io - JWT debugger and documentation