
Set up Maester in Azure DevOps

This guide walks you through setting up Maester in Azure DevOps and automating the test runs with Azure DevOps Pipelines.

Why Azure DevOps?

Azure DevOps is a great way to automate the daily running of Maester tests to monitor your tenant. You can use Azure DevOps to run Maester tests on a schedule, such as daily, and view the results in the Azure DevOps interface.

Azure DevOps comes with a free tier that includes 1,800 minutes of Maester test runs per month (unlimited hours if you use a self-hosted agent).

Azure DevOps has native integration with Microsoft Entra, including single sign-on, user and group management, and support for Conditional Access policies.

Set up the Maester repository in Azure DevOps

Pre-requisites

Import the Maester Tests repository

  • Select Repos from the left-hand menu
  • Select the Import button in the Import a repository section
  • Enter the URL of the Maester repository https://github.com/maester365/maester-tests
  • Select Import to import the repository into your Azure DevOps project.

Set up the Azure Pipeline

There are many ways to authenticate with Microsoft Entra in Azure DevOps. We recommend using workload identity federation as it is more secure, requires less maintenance and is the easiest to set up.

If you’re unable to use more advanced options like certificates stored in Azure Key Vault, which need an Azure subscription, there’s also guidance available for using client secrets.

  • Workload identity federation (recommended) uses OpenID Connect (OIDC) to authenticate with Microsoft Entra protected resources without using secrets.
  • Client secret uses a secret to authenticate with Microsoft Entra protected resources.

Pre-requisites

Create an empty Azure Resource Group

This empty resource group is required to set up workload identity federation authentication. No Azure resources will be created in this resource group and there are no costs associated with it.

  • Browse to the Azure portal and open the Resource groups blade.
  • Select + Create.
  • Enter a name for the resource group (e.g. Maester-Resource-Group)
  • Select any region
  • Select Review + create > Create

Create a new workload identity federation service connection

  • In the Azure DevOps project, go to Project settings > Service connections.
  • Select New service connection, and then select Azure Resource Manager.
  • Select Workload identity federation (automatic).
  • Specify the following parameters:
    • Subscription: Select an existing Azure subscription.
    • Resource Group: Select the resource group created in the previous step (e.g. Maester Resource Group). Leaving this field empty grants Contributor access to all resources in the subscription.
    • Service connection name: A name for this connection (e.g. Maester Service Connection)
  • Select Save to create the connection.

Grant permissions to Microsoft Graph

  • Select the service connection you created in the previous step (e.g. Maester Service Connection)
    • Service connections are listed under Project settings > Service connections.
  • Select Manage Service Principal to open the Service Principal in the Entra portal.
  • Select API permissions > Add a permission
  • Select Microsoft Graph > Application permissions
  • Search for each of the following permissions and check the box next to it:
    • Directory.Read.All
    • DirectoryRecommendations.Read.All
    • IdentityRiskEvent.Read.All
    • Policy.Read.All
    • Policy.Read.ConditionalAccess
    • PrivilegedAccess.Read.AzureAD
    • Reports.Read.All
    • RoleEligibilitySchedule.Read.Directory
    • RoleManagement.Read.All
    • UserAuthenticationMethod.Read.All
  • Optionally, if you want to allow privileged permissions, search for and check the following as well:
    • RoleEligibilitySchedule.ReadWrite.Directory
      • Required for the tests that check eligible role assignments (Reference)
  • Select Add permissions
  • Select Grant admin consent for [your organization]
  • Select Yes to confirm
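To confirm the consent step took effect before the pipeline's first run, the following PowerShell (an added example, not part of the Maester project) reads the app role assignments on the service connection's service principal and reports any of the permissions above that are missing, plus any extra ones that widen the pipeline identity's access. It assumes the Microsoft Graph PowerShell SDK is installed, that you sign in with an account allowed to read application data, and that $ServicePrincipalId is the Object ID of the enterprise application opened via Manage Service Principal.

```powershell
# Added example: check that the service principal behind the Maester service
# connection has the Microsoft Graph application permissions from this guide.
# Assumes the Microsoft.Graph SDK is installed; $ServicePrincipalId is the
# Object ID of the enterprise application (from "Manage Service Principal").
param(
    [Parameter(Mandatory)] [string] $ServicePrincipalId
)

# Application.Read.All is enough to read app role assignments
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

# Permissions listed in this guide; the ReadWrite permission is optional
$required = @(
    'Directory.Read.All',
    'DirectoryRecommendations.Read.All',
    'IdentityRiskEvent.Read.All',
    'Policy.Read.All',
    'Policy.Read.ConditionalAccess',
    'PrivilegedAccess.Read.AzureAD',
    'Reports.Read.All',
    'RoleEligibilitySchedule.Read.Directory',
    'RoleManagement.Read.All',
    'UserAuthenticationMethod.Read.All'
)
$optional = @('RoleEligibilitySchedule.ReadWrite.Directory')

# Microsoft Graph's well-known application (client) ID
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Each admin-consented application permission is an app role assignment
# whose ResourceId is the Microsoft Graph service principal
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ServicePrincipalId -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id }

# Map the granted role IDs back to permission names using Graph's appRoles list
$granted = $graphSp.AppRoles |
    Where-Object { $assignments.AppRoleId -contains $_.Id } |
    ForEach-Object { $_.Value }

$missing = $required | Where-Object { $granted -notcontains $_ }
$extra   = $granted  | Where-Object { ($required + $optional) -notcontains $_ }

if ($missing) { Write-Warning "Missing required permissions: $($missing -join ', ')" }
# Anything beyond the guide's list widens the pipeline identity's access; review it
if ($extra)   { Write-Warning "Permissions not in the guide: $($extra -join ', ')" }
if (-not $missing) { Write-Host 'All required Microsoft Graph permissions are granted.' }
```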

Create Azure Pipeline

  • Open your Azure DevOps project
  • Select Pipelines > New pipeline
  • Select Azure Repos Git as the location of your code
  • Select the repository where you imported the Maester tests
  • Select Starter pipeline
  • Replace the content of the azure-pipelines.yml file with the code below
  • Verify the azureSubscription value is set to the service connection you created in the previous step (e.g. Maester Service Connection)
  • Select Validate and save > Save
  • Select Run to run the pipeline
  • Select Job to view the test results

# Maester Daily Tests

trigger:
  - main

schedules:
  - cron: "0 0 * * *"
    displayName: Daily midnight build
    branches:
      include:
        - main

pool:
  vmImage: ubuntu-latest

steps:
  - task: AzurePowerShell@5
    displayName: "Run Maester"
    inputs:
      # Must match the name of the workload identity federation service connection
      azureSubscription: "Maester Service Connection"
      pwsh: true
      azurePowerShellVersion: LatestVersion
      ScriptType: InlineScript
      Inline: |
        # Connect to Microsoft Graph using a token obtained through the service connection
        $accessToken = (Get-AzAccessToken -ResourceTypeName MSGraph).Token | ConvertTo-SecureString -AsPlainText -Force
        Connect-MgGraph -AccessToken $accessToken

        # Install Maester
        Install-Module Maester -Force

        # Configure test results (NUnit XML consumed by PublishTestResults below)
        $PesterConfiguration = New-PesterConfiguration
        $PesterConfiguration.TestResult.Enabled = $true
        $PesterConfiguration.TestResult.OutputPath = '$(System.DefaultWorkingDirectory)/test-results/test-results.xml'

        # Run Maester tests
        Invoke-Maester -Path $(System.DefaultWorkingDirectory)/tests/Maester/ -PesterConfiguration $PesterConfiguration -OutputFolder '$(System.DefaultWorkingDirectory)/test-results'
  - publish: $(System.DefaultWorkingDirectory)/test-results
    displayName: Publish Maester Html Report
    artifact: TestResults
  - task: PublishTestResults@2
    displayName: Publish Pester Test Results
    inputs:
      testResultsFormat: "NUnit"
      testResultsFiles: "**/test-results.xml"
      failTaskOnFailedTests: true

Viewing test results

  • Select Pipelines > Runs to view the status of the pipeline
  • Select a run to view the test results

Summary view

The summary view shows the status of the pipeline run, the duration, and the number of tests that passed, failed, and were skipped.

Screenshot of Azure DevOps Pipeline Run Summary Page

Maester report

The Maester report can be downloaded and viewed by selecting the Published artifact.

Screenshot of the downloaded Maester report

Tests view

The Tests tab shows a detailed view of each test, including the test name, duration, and status.

Screenshot of Azure DevOps Pipeline Tests Page

Logs view

In the Summary tab, select any of the errors to view the raw logs from Maester.

Screenshot of Azure DevOps Pipeline Logs Page

Keeping your Maester tests up to date

The Maester team adds new tests over time. To get the latest updates, use the commands below to update your Azure DevOps repository with the latest tests.

  • Clone your fork of the maester-tests from Azure DevOps to your local machine. See Clone an existing Git repo.
  • Update the Maester PowerShell module to the latest version and load it.
  • Change to the maester-tests\tests directory.
  • Run Update-MaesterTests.
cd maester-tests\tests

Update-Module Maester -Force
Import-Module Maester
Update-MaesterTests