Skip to main content

Managing access for a migration from Azure DevOps

Before you use GitHub Enterprise Importer, make sure you have appropriate access to both the source and destination of your migration.

About required access for GitHub Enterprise Importer

To protect your data, GitHub enforces specific access requirements to use GitHub Enterprise Importer. These requirements vary based on the task you are trying to perform. To prevent errors, you should review this article carefully and verify that you meet all of the requirements for the task you want to complete.

To migrate a repository from Azure DevOps to GitHub, you need sufficient access to both the source (an organization on Azure DevOps) and the destination (an organization on GitHub). To have sufficient access, you'll need all of the following things.

  • A required role in the destination organization on GitHub
  • A personal access token that can access the destination organization on GitHub
    • The personal access token must have all the required scopes, which depend on your role and the task you want to complete.
    • If the destination organization uses SAML single sign-on for GitHub, you must authorize the personal access token for SSO.
  • A personal access token that can access the source organization on Azure DevOps

Additionally, if you use IP allow lists with the source or destination, you may need to configure the allow lists to allow access by GitHub Enterprise Importer.

About the migrator role

To remove the need for organization owners to complete migrations, GitHub includes a distinct role for using GitHub Enterprise Importer.

Granting the migrator role allows you to designate other teams or individuals to handle your migrations.

  • You can only grant the migrator role for an organization on GitHub.com or GHE.com.
  • You can grant the migrator role to an individual user or a team. We strongly recommend that you assign the migrator role to a team. Then, you can further customize who can run a migration by adjusting team membership. See Adding organization members to a team or Removing organization members from a team.
  • The migrator must use a personal access token that meets all the requirements for running migrations.

Warning

When you grant the migrator role in an organization to a user or team, you are granting them the ability to import or export any repository in that organization.

To grant the migrator role, see Granting the migrator role.

Required roles for GitHub

For the destination organization on GitHub, different roles are required for different tasks.

The following table lists which tasks can be performed by which role.

TaskOrganization ownerMigrator
Assigning the migrator role for repository migrations
Running a repository migration
Downloading a migration log
Reclaiming mannequins

Required scopes for personal access tokens

To run a migration, you need one personal access token that can access the destination organization on GitHub, and another personal access token that can access the source organization on Azure DevOps.

For other tasks, such as downloading a migration log, you only need one personal access token that can access the destination organization on GitHub.

Personal access tokens for GitHub

The scopes that are required for your GitHub personal access token (classic) depend on your role and the task you want to complete.

Note

You can only use a personal access token (classic), not a fine-grained personal access token. This means that you cannot use GitHub Enterprise Importer if your organization uses the "Restrict personal access tokens (classic) from accessing your organizations" policy. For more information, see Enforcing policies for personal access tokens in your enterprise.

TaskOrganization ownerMigrator
Assigning the migrator role for repository migrationsadmin:org
Running a repository migration (destination organization)repo, admin:org, workflowrepo, read:org, workflow
Downloading a migration logrepo, admin:org, workflowrepo, read:org, workflow
Reclaiming mannequinsadmin:org

Personal access tokens for Azure DevOps

Your Azure DevOps personal access token must have work item (read), code (read), and identity (read) scopes.

If you want to use the --rewire-pipelines flag when generating a migration script, you will also need Build (Read) scope. To use the inventory-report and --integrate-boards flags, you will need to grant full access to your personal access token.

If you want to migrate from multiple organizations, allow the personal access token to access all accessible organizations. For more information, see Use personal access tokens in Microsoft Docs.

Granting the migrator role

To allow someone other than an organization owner to run a migration or download migration logs, you can grant the migrator role to a user or team. For more information, see About the migrator role.

You can grant the migrator role using either the ADO2GH extension of the GitHub CLI or the GraphQL API.

Granting the migrator role with the ADO2GH extension

To grant the migrator role using the CLI, you must have installed the ADO2GH extension of the GitHub CLI. For more information, see Migrating repositories from Azure DevOps to GitHub Enterprise Cloud.

  1. On GitHub, create and record a personal access token that meets all the requirements for granting the migrator role. For more information, see Creating a personal access token for GitHub.

  2. Set the personal access token as an environment variable, replacing TOKEN in the commands below with the personal access token you recorded above.

    • If you're using Terminal, use the export command.

      Shell
      export GH_PAT="TOKEN"
      
    • If you're using PowerShell, use the $env command.

      Shell
      $env:GH_PAT="TOKEN"
      
  3. Use the gh ado2gh grant-migrator-role command, replacing ORGANIZATION with the organization you want to grant the migrator role for, ACTOR with the user or team name, and TYPE with USER or TEAM.

    Shell
    gh ado2gh grant-migrator-role --github-org ORGANIZATION --actor ACTOR --actor-type TYPE
    

    Note

    If you're the granting the migrator role for GHE.com, you must also include the target API URL for your enterprise's subdomain. For example: --target-api-url https://api.octocorp.ghe.com.

Granting the migrator role with the GraphQL API

You can use the grantMigratorRole GraphQL mutation to assign the migrator role and the revokeMigratorRole mutation to revoke the migrator role.

You must use a personal access token (PAT) that meets all access requirements. For more information, see the Required scopes for personal access tokens.

grantMigratorRole mutation

This GraphQL mutation sets the migration role.

mutation grantMigratorRole (
  $organizationId: ID!,
  $actor: String!,
  $actor_type: ActorType!
) {
  grantMigratorRole( input: {
    organizationId: $organizationId,
    actor: $actor,
    actorType: $actor_type
  })
   { success }
}
Query variableDescription
organizationIdThe ownerId (or organization ID) for your organization, from the GetOrgInfo query.
actorThe team or username who you want to assign the migration role to.
actor_typeSpecify whether the migrator is a USER or TEAM.

revokeMigratorRole mutation

This mutation removes the migrator role.

mutation revokeMigratorRole (
  $organizationId: ID!,
  $actor: String!,
  $actor_type: ActorType!
) {
  revokeMigratorRole( input: {
    organizationId: $organizationId,
    actor: $actor,
    actorType: $actor_type
  })
   { success }
}

Creating a personal access token for GitHub

  1. Verify that you have a sufficient role for the task you want to complete. For more information, see Required roles.
  2. Create a personal access token (classic), making sure to grant all the scopes required for the task you want to complete. You can only use a personal access token (classic), not a fine-grained personal access token. For more information, Managing your personal access tokens and Required scopes for personal access token.
  3. If SAML single sign-on is enforced for the organization(s) you need to access, authorize the personal access token for SSO. For more information, see Authorizing a personal access token for use with SAML single sign-on.

Configuring IP allow lists for migrations

If the source or destination of your migration uses an IP allow list (either GitHub's IP allow list feature or your identity provider's (IdP) IP allow list restrictions, such as Azure CAP), you need to configure IP allow lists on GitHub. See Managing allowed IP addresses for your organization and Restricting network traffic to your enterprise with an IP allow list.

  • If you use GitHub's IP allow list feature, you must add the GitHub IP ranges below to the allow list for the source and/or destination organizations.
  • If you use your IdP's IP allow list to restrict access to your enterprise on GitHub, you should disable these restrictions in your enterprise account settings until after your migration is complete.

The IP ranges vary depending on whether the destination of your migration is GitHub.com or GHE.com.

IP ranges for GitHub.com

You'll need to add the following IP ranges to your IP allow list(s):

  • 192.30.252.0/22
  • 185.199.108.0/22
  • 140.82.112.0/20
  • 143.55.64.0/20
  • 40.71.233.224/28
  • 2a0a:a440::/29
  • 2606:50c0::/32
  • 20.125.12.8/29 (active from 00:00 UTC on November 8, 2023)

You can get an up-to-date list of IP ranges used by GitHub Enterprise Importer at any time with the "Get GitHub meta information" endpoint of the REST API.

The github_enterprise_importer key in the response contains a list of IP ranges used for migrations.

For more information, see REST API endpoints for meta data.

IP ranges for GHE.com

You'll need to add the following IP ranges to your IP allow list(s):

  • 192.30.252.0/22
  • 185.199.108.0/22
  • 140.82.112.0/20
  • 143.55.64.0/20
  • 2a0a:a440::/29
  • 2606:50c0::/32
  • 4.231.155.80/29
  • 4.225.9.96/29
  • 51.12.144.32/29
  • 20.199.1.232/29
  • 51.12.152.184/29
  • 20.199.6.80/29
  • 51.12.152.240/29
  • 20.19.101.136/29
  • 51.12.252.16/28
  • 74.241.131.48/28
  • 20.240.211.176/28
  • 108.143.221.96/28
  • 20.61.46.32/28
  • 20.224.62.160/28

Further reading