You may find this article useful if you maintain automation that manages Git policy configurations in Azure Repos<\/a> using REST API.<\/p>\n Git policies are crucial for maintaining high quality of code and preventing malicious changes. They define rules enforced before code can land in repos and protected branches.<\/p>\n Azure Repos has a rich policy engine that lets you configure things like a minimum number of reviewers, specific reviewers who must sign off when certain parts of the code are updated, checking for credentials and secrets on push, and much more.<\/p>\n When the number of products, services and repos outgrows a certain point, ensuring the right policies are configured becomes a challenge. Human errors are unavoidable: it\u2019s very easy to misconfigure something, for example, the service\u2019s behavior when follow-up changes are pushed to an already approved pull request. Even if the initial state across the repos is correct, configuration often drifts over time when managed manually.<\/p>\n Microsoft offers a wide range of products. Our own code is exclusively hosted in Azure Repos and GitHub, across hundreds of thousands of Git repos, ranging from tiny polyrepos to the largest Git monorepos in the world.<\/p>\n For these reasons, we and many other big enterprises rely on the REST API in Azure DevOps and GitHub to audit and mitigate policy misconfiguration and drift across the entire portfolio of repos. A dedicated service defines the target state of policies and automatically updates them when the actual state drifts from the target.<\/p>\n Let me walk you through how the policies are stored and retrieved.<\/p>\n There are two types of Git policies in Azure Repos: push and branch policies. They can also be called repository and pull request policies.<\/p>\n Push policies define the rules of what can enter repos and what cannot, no matter the branch. For example, if someone is trying to push new commits containing any secrets, such a push is rejected, even when pushed to a user branch.<\/p>\n Branch policies, on the other hand, protect specific branches (like In short, different types of policies affect either entire repos or branches inside them.<\/p>\n The policy engine also supports different scopes and inheritance. You can define a policy for a specific branch Two kinds of policies and support of inheritance define the architecture of how the policies are stored.<\/p>\n Each project has its own logical container for the policies, instead of each repo or branch having its own container. This helps to power cross-repo policies as well as support branch glob patterns like With that, all the policy configurations are linked to a specific project, but not a repo or branch. Then how does the engine know which ones to check for a specific operation, like a push or PR completion attempt? This is where the This is a simple string that specifies where in the inheritance hierarchy a given policy is defined<\/em>. It contains one or two parts separated by a colon:<\/p>\n An example of a Such a value makes the branch policy apply only to the A couple of edge cases:<\/p>\n The last piece of the puzzle: the available endpoints to fetch the policies.<\/p>\n Azure DevOps offers two REST API endpoints to list policy configurations:<\/p>\n The The other endpoint is If the first endpoint is useful to fetch which policies are defined<\/em> at a specific scope, the second one is useful to fetch which apply<\/em> to a specific scope by using inheritance-aware filtering.<\/p>\n If you pass Thanks to filtering by multiple scope values dynamically, it helps to answer the question \u201cWhat protects my With that context, here\u2019s the problem with policy management at scale.<\/p>\n The enterprise policy management service described earlier has one repo as a unit of work. It takes one specific repo, computes the target state of policies using predefined rules, retrieves the effective state currently configured in Azure DevOps, and then issues a set of policy create\/update\/delete requests if the effective state is misaligned with the target state. The service needs to see every single policy that applies to the repo as a whole, as well as any branch in that repo.<\/p>\n The only problem is\u2026 There was no way to ask the REST API \u201cGive me all the policies that apply to a given repo and any of its branches\u201d. At least, not until now.<\/p>\n As previously mentioned, the first endpoint ( How did our service work before the change? The only option was to query all the policies for the entire project using the first endpoint, and perform client-side filtering. This is not critical for most projects, but becomes a big challenge for the ones with thousands of repos and hundreds of thousands of policies. The service ended up serializing and returning hundreds of megabytes of data for every request, and the client had to deserialize and process it. This implied massive overhead, much longer execution time, and more CPU cycles spent by the server and the client.<\/p>\n The second inheritance-aware endpoint ( Internally, the service takes all the policies in a project and only keeps the ones with scope starting with After switching the policy management client to using The drop in total wall-clock time across all requests is even more impressive \u2013 from 1-3 thousand hours per day down to only ~100-150, more than 10x-15x improvement!<\/p>\n For enterprises with large engineering teams, automated policy governance becomes a necessity. The new For more information about Git policies, see these docs on Microsoft Learn:<\/p>\n Let me know in the comments below if your team faces similar challenges. I\u2019ll be happy to chat and answer your questions.<\/p>\n The post Optimizing Git policy management at scale<\/a> appeared first on Azure DevOps Blog<\/a>.<\/p>","protected":false},"excerpt":{"rendered":" With just a single improvement in the REST API of Azure DevOps, we achieved a massive reduction in CPU usage […]<\/p>\n","protected":false},"author":1,"featured_media":3904,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3903","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/3903","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=3903"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/3903\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media\/3904"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=3903"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=3903"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=3903"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Git policy governance at a big enterprise<\/h2>\n
![Screenshot from Azure Repos UI showing \"Require a minimum number of reviewers\" policy that is configured to require at least one approval on the last iteration when new changes are pushed](\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2026\/04\/Pasted-image-20260418182608-300x216.webp\")
<\/a><\/p>\nHow policies relate to projects, repos and branches<\/h2>\n
main<\/code>) and require all changes to go via pull requests. For example, they can enforce that code builds and all the tests are green before letting a change land on a protected branch.<\/p>\n![\"Visualization](\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2026\/04\/Drawing-2026-04-18-18.30.31.excalidraw-300x147.webp\")
<\/a><\/p>\nmain<\/code> in a specific repository, or you can configure a policy that will affect all branches matching releases\/*<\/code> in all repos in a project. The support of cross-repo policies and glob patterns partially solves the maintenance burden described earlier, but is not enough, especially when the repos are spread across many different projects and Azure DevOps organizations.<\/p>\nreleases\/*<\/code>.<\/p>\nScope<\/code> field comes into play.<\/p>\nPolicy scope<\/h2>\n
\n
Scope<\/code> value for a branch policy:<\/p>\n2c938d1f6e6f458d816484fc51e7cf74:refs\/heads\/main\n<\/code><\/pre>\nmain<\/code> branch in the repo with ID 2c938d1f-6e6f-458d-8164-84fc51e7cf74<\/code>.<\/p>\n\n
2c938d1f6e6f458d816484fc51e7cf74<\/code> \u2013 a push policy for the repo with that ID \u2013 doesn\u2019t contain the ref part.<\/li>\n*:refs\/heads\/releases\/*<\/code> \u2013 cross-repo branch policy that applies to the branches matching releases\/v1<\/code>, releases\/v2<\/code>, etc.<\/li>\n<\/ul>\nQuerying the policies with REST API<\/h2>\n
GET \/_apis\/policy\/configurations<\/code><\/a> is an older endpoint that allows querying all the policies in a project, with optional scope filtering without support of inheritance<\/strong>. If you pass 2c938d1f6e6f458d816484fc51e7cf74:refs\/heads\/releases\/v1<\/code>, it will only return the policies with that exact value of the scope, but it won\u2019t return a policy with the scope of *:refs\/heads\/releases\/*<\/code>, which also applies to that branch.<\/p>\nGET \/_apis\/git\/policy\/configurations<\/code><\/a> (mind the \/git\/<\/code>). Instead of the single exact value of scope<\/code>, it accepts the repositoryId<\/code> \/ refName<\/code> pair.<\/p>\n![Visualization showing git policy inheritance hierarchy: policies at Project scope are inherited by repos, branch folders like releases\/* and individual branches like releases\/v1. The \"GET \/_apis\/git\/policy\/configurations\" endpoint returns all policies including inherited while the \"GET \/_apis\/policy\/configurations\" endpoint only returns policies defined at requested scope without inherited policies.](\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2026\/04\/Drawing-2026-04-20-08.40.11.excalidraw-300x128.webp\")
repositoryId=2c938d1f-6e6f-458d-8164-84fc51e7cf74<\/code> and refName=refs\/heads\/releases\/v1<\/code>, it will return all the policies defined at the following scopes:<\/p>\n\n
2c938d1f6e6f458d816484fc51e7cf74<\/code><\/li>\n*<\/code><\/li>\n2c938d1f6e6f458d816484fc51e7cf74:refs\/heads\/releases\/v1<\/code><\/li>\n*:refs\/heads\/releases\/v1<\/code><\/li>\n2c938d1f6e6f458d816484fc51e7cf74:refs\/heads\/releases\/*<\/code><\/li>\n*:refs\/heads\/releases\/*<\/code><\/li>\n2c938d1f6e6f458d816484fc51e7cf74:refs\/heads\/*<\/code><\/li>\n*:refs\/heads\/*<\/code><\/li>\n2c938d1f6e6f458d816484fc51e7cf74:refs\/*<\/code><\/li>\n*:refs\/*<\/code><\/li>\n<\/ul>\nreleases\/v1<\/code> branch in repo X?\u201d, instead of \u201cWhich policies are defined at the level of releases\/v1<\/code> branch in repo X?\u201d. It takes into account both the policies defined at that exact scope and any policies inherited from parent scopes.<\/p>\nThe Problem: Querying all the policies for one repo<\/h2>\n
GET \/_apis\/policy\/configurations<\/code><\/a>) can only filter by the exact value of the scope, but many possible scope values can match a repo, and you can\u2019t predict them all. You can pass repositoryId<\/code> without specifying refName<\/code> to the second endpoint (GET \/_apis\/git\/policy\/configurations<\/code><\/a>), but you will only see the policies that apply to the repository as a whole: direct and inherited push policies. Branch policies aren\u2019t included because they don\u2019t affect the whole repository.<\/p>\nThe Solution<\/h2>\n
GET \/_apis\/git\/policy\/configurations<\/code><\/a>) now supports a special value ~all<\/code> for the refName<\/code> parameter. When passed together with repositoryId<\/code>, it returns every single branch policy affecting any branch in the repo, as well as any push policy affecting the entire repo, inherited and defined at the scopes within the repo.<\/p>\n*<\/code> (project-level policies affecting all the repos) or with 2c938d1f6e6f458d816484fc51e7cf74<\/code>. This includes both push and branch policies.<\/p>\nrefName=~all<\/code> instead of doing client-side filtering, the overall server-side CPU consumption dropped by half, across all the endpoints for this client.<\/p>\n![\"Time](\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2026\/04\/Pasted-image-20260413004123-300x167.webp\")
![\"Time](\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2026\/04\/Pasted-image-20260413011224-300x153.webp\")
Conclusion<\/h2>\n
refName=~all<\/code> feature further simplifies this process and can significantly improve the performance of your automation. Make use of our REST API to achieve that:<\/p>\n\n
\/_apis\/policy\/<\/code> set of endpoints<\/a><\/li>\n\/_apis\/git\/policy\/configurations<\/code> endpoint<\/a><\/li>\n<\/ul>\n\n