Permissions
The current permissions are governed by the requirements of the TFS Client Object Model from Microsoft. While Microsoft announced the deprecation of the WIT and Test Client OM in 2020, it remains the only consistent method for interacting with versions of TFS from 2010 to 2018. We are in the process of migrating our tools to the REST API, but this is a large effort and will take some time to complete.
The Azure DevOps Migration Tools use a flag to bypass the Work Item rules engine, allowing data to be written into TFS/VSTS in ways that might not comply with the usual rules. For example, you can directly transition an item into the Closed state without starting at New. This is highly beneficial for migrations but requires specific pre-requisites.
Note: According to the Azure DevOps product team, the Object Model API only works with full-scoped PATs, meaning it is incompatible with PATs that have limited scopes.
Source Permissions
The current minimum required permissions for running the tools are:
- Membership in the “Project Collection Administrator” group – This will override any ‘denied’ permissions, ensuring a smooth migration.
- A PAT (Personal Access Token) with “full access.”
Note: Although we do not write data to the source system, we still require a PAT with full access.
Target Permissions
The current minimum required permissions for running the tools are:
- Membership in the “Project Collection Administrator” group – This overrides any ‘denied’ permissions and allows the tools to bypass the Work Item rules engine.
- Membership in the “Project Collection Automation” group – This grants the “Make requests on behalf of others” permission.
- A PAT with “full access.”
Unsupported Permissions for Scoped PATs
In some cases, the tools may function with fewer permissions, but the following configurations have not been fully tested and are not officially supported:
- Project and Team (Read, Write, and Manage)
- Work Items (Read, Write, and Manage)
- Identity (Read and Manage)
- Security (Manage)
If you try these settings, please share your results with us!
Granting “Make requests on behalf of others” in Older TFS Versions
To set the “Changed by” field to a user other than the one running the migration, you must grant the user the “Make requests on behalf of others” permission. This permission is not included by default for “Project Collection Administrator” users. In older versions of TFS, it can only be assigned by adding the user to the “Project Collection Service Accounts” group.
You can use the following command to do this:
tfssecurity /g+ "Project Collection Service Accounts" n:domain\username ALLOW /server:http://myserver:8080/tfs
This step is not required for Azure DevOps Service targets, as tfssecurity is not available in that environment.
Maintainer
Created and maintained by Martin Hinshelwood of nkdagility.com