Description
Describe the bug
When using the az repos policy required-reviewer update command in the Azure DevOps CLI, the "Allow requestors to approve their own changes" setting is reset to its default value, even though this option is not explicitly passed as a flag and is currently not exposed in the CLI.
Steps to Reproduce:
- Create a required reviewer policy in Azure DevOps UI with "Allow requestors to approve their own changes" unchecked.
- Run az repos policy required-reviewer update with only a subset of flags (e.g., just updating the requiredReviewerIds).
- After the update, inspect the policy settings; "Allow requestors to approve their own changes" will be checked.
Related command
az repos policy required-reviewer update --id $PolicyId
--branch $OfficialBranchName --branch-match-type "exact"
--detect $autoDetectOrg --org $OrgUrl
--path-filter $pathFilter --project $ProjectName
--repository-id $RepoId
Errors
No errors
Issue script & Debug output
cli.knack.cli: Command arguments: ['repos', 'policy', 'required-reviewer', 'update', '--id', 'XXXX', '--branch', 'refs/heads/BRANCH_NAME', '--branch-match-type', 'exact', '--detect', 'False', '--org', 'https://dev.azure.com/ORGANIZATION/', '--path-filter', ';!/path/to/file1.h;!/path/to/folder/;!/path/to/another/folder/;!/path/to/test/folder/;!/.config/;!/tools/configs/;!/data/folder/;!pattern1;!pattern2', '--project', 'PROJECT_NAME', '--repository-id', 'REPO_ID_GUID', '--debug']
cli.knack.cli: init debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0xMEMORY_ADDRESS>, <function OutputProducer.on_global_arguments at 0xMEMORY_ADDRESS>, <function CLIQuery.on_global_arguments at 0xMEMORY_ADDRESS>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'repos': ['azext_devops']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: Total (0) 0.000 0 0
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name Load Time Groups Commands Directory
cli.azure.cli.core: azure-devops 0.062 60 192 C:\Users\USERNAME.azure\cliextensions\azure-devops
cli.azure.cli.core: Total (1) 0.062 60 192
cli.azure.cli.core: Loaded 60 groups, 192 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : repos policy required-reviewer update
cli.azure.cli.core: Command table: repos policy required-reviewer update
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0xMEMORY_ADDRESS>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\USERNAME.azure\commands\2025-06-27.14-48-11.repos_policy_required-reviewer_update.10772.log'.
az_command_data_logger: command args: repos policy required-reviewer update --id {} --branch {} --branch-match-type {} --detect {} --org {} --path-filter {} --project {} --repository-id {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0xMEMORY_ADDRESS>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0xMEMORY_ADDRESS>, <function register_cache_arguments..add_cache_arguments at 0xMEMORY_ADDRESS>, <function register_upcoming_breaking_change_info..update_breaking_change_info at 0xMEMORY_ADDRESS>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0xMEMORY_ADDRESS>, <function CLIQuery.handle_query_parameter at 0xMEMORY_ADDRESS>, <function register_ids_argument..parse_ids_arguments at 0xMEMORY_ADDRESS>, <function DevCommandsLoader.post_parse_args at 0xMEMORY_ADDRESS>]
az_command_data_logger: extension name: azure-devops
az_command_data_logger: extension version: 1.0.2
cli.azext_devops.dev.common._credentials: Getting credential: azdevops-cli:https://dev.azure.com/ORGANIZATION
keyring.backend: Loading KWallet
keyring.backend: Loading SecretService
keyring.backend: Loading Windows
win32ctypes.core.cffi: Loaded cffi backend
keyring.backend: Loading chainer
keyring.backend: Loading macOS
cli.azext_devops.dev.common.credential_store: Keyring backend : keyring.backends.Windows.WinVaultKeyring (priority: 5)
cli.azext_devops.dev.common.services: PAT is present which can be used against this instance
cli.azure.cli.core: Current cloud config:
AzureCloud
cli.azext_devops.dev.common.services: trying to get token (temp) for tenant TENANT_ID and user [email protected]
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\Users\USERNAME\.azure\msal_token_cache.bin', encrypt=True
cli.azure.cli.core.auth.binary_cache: load: C:\Users\USERNAME.azure\msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/TENANT_ID
msal.authority: openid_config("https://login.microsoftonline.com/TENANT_ID/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/TENANT_ID/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/TENANT_ID/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/TENANT_ID/kerberos', 'tenant_region_scope': 'WW', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? True
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('499b84ac-1321-427f-aa17-267ca6975798/.default',), kwargs={}
cli.azure.cli.core.auth.msal_credentials: UserCredential.acquire_token: scopes=['499b84ac-1321-427f-aa17-267ca6975798/.default'], claims_challenge=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: CORRELATION_ID
cli.azext_devops.dev.common.services: instance recieved in validate_token_for_instance https://dev.azure.com/ORGANIZATION/
cli.azext_devops.dev.common.services: instance processed in validate_token_for_instance https://dev.azure.com/ORGANIZATION/
msrest.universal_http.requests: Configuring retry: max_retries=3, backoff_factor=0.8, max_backoff=90
msrest.universal_http.requests: Configuring retry: max_retries=3, backoff_factor=0.8, max_backoff=90
azext_devops.devops_sdk._file_cache: Loading cache file: C:\Users\USERNAME.azure-devops\python-sdk\cache\resources.json
azext_devops.devops_sdk._file_cache: attempting to read file C:\Users\USERNAME.azure-devops\python-sdk\cache\resources.json as utf-8-sig
azext_devops.devops_sdk.connection: File cache hit for resources on: https://dev.azure.com/ORGANIZATION
msrest.universal_http.requests: Configuring retry: max_retries=3, backoff_factor=0.8, max_backoff=90
azext_devops.devops_sdk._file_cache: Loading cache file: C:\Users\USERNAME.azure-devops\python-sdk\cache\options.json
azext_devops.devops_sdk._file_cache: attempting to read file C:\Users\USERNAME.azure-devops\python-sdk\cache\options.json as utf-8-sig
azext_devops.devops_sdk.client: File cache hit for options on: https://DEVOPS_SERVER.visualstudio.com
azext_devops.devops_sdk.client: Route template: _apis/{resource}/{projectId}
azext_devops.devops_sdk.client: Api version '5.0'
azext_devops.devops_sdk.client: GET https://DEVOPS_SERVER.visualstudio.com/_apis/projects?stateFilter=all&$top=1&$skip=0
azext_devops.devops_sdk.client: Request content: None
msrest.universal_http: Configuring redirects: allow=True, max=30
msrest.universal_http: Configuring request: timeout=100, verify=True, cert=None
msrest.universal_http: Configuring proxies: ''
msrest.universal_http: Evaluate proxies against ENV settings: True
urllib3.connectionpool: Starting new HTTPS connection (1): DEVOPS_SERVER.visualstudio.com:443
urllib3.connectionpool: https://DEVOPS_SERVER.visualstudio.com:443 "GET /_apis/projects?stateFilter=all&$top=1&$skip=0 HTTP/1.1" 200 338
azext_devops.devops_sdk.client: Response content: b'{"count":1,"value":[{"id":"PROJECT_ID","name":"PROJECT_NAME","url":"https://DEVOPS_SERVER.visualstudio.com/_apis/projects/PROJECT_ID","state":"wellFormed","revision":171274031,"visibility":"private","lastUpdateTime":"2019-08-20T11:06:16.753Z"}]}'
msrest.universal_http.requests: Configuring retry: max_retries=3, backoff_factor=0.8, max_backoff=90
cli.azext_devops.dev.common.telemetry: Azure devops telemetry enabled.
cli.azext_devops.dev.common.telemetry: Logging telemetry to azure devops server.
msrest.universal_http.requests: Configuring retry: max_retries=3, backoff_factor=0.8, max_backoff=90
azext_devops.devops_sdk.client: File cache hit for options on: https://dev.azure.com/ORGANIZATION
msrest.universal_http.requests: Configuring retry: max_retries=3, backoff_factor=0.8, max_backoff=90
azext_devops.devops_sdk.connection: File cache hit for resources on: https://dev.azure.com/ORGANIZATION
azext_devops.devops_sdk.client: Route template: _apis/{area}/{resource}
msrest.universal_http.requests: Configuring retry: max_retries=3, backoff_factor=0.8, max_backoff=90
azext_devops.devops_sdk.client: Api version '5.0-preview.1'
azext_devops.devops_sdk.client: Route template: {project}/_apis/{area}/{resource}/{configurationId}
azext_devops.devops_sdk.client: Api version '5.0'
azext_devops.devops_sdk.client: GET https://DEVOPS_SERVER.visualstudio.com/PROJECT_NAME/_apis/policy/configurations/POLICY_ID
azext_devops.devops_sdk.client: Request content: None
msrest.universal_http: Configuring redirects: allow=True, max=30
msrest.universal_http: Configuring request: timeout=100, verify=True, cert=None
msrest.universal_http: Configuring proxies: ''
msrest.universal_http: Evaluate proxies against ENV settings: True
azext_devops.devops_sdk.client: POST https://dev.azure.com/ORGANIZATION/_apis/CustomerIntelligence/Events
urllib3.connectionpool: Starting new HTTPS connection (1): DEVOPS_SERVER.visualstudio.com:443
azext_devops.devops_sdk.client: Request content: [{'area': 'AzureDevopsCli', 'feature': 'repos', 'properties': {'Command': 'policy required-reviewer update', 'Args': 'policy_id repository_id branch branch_match_type path_filter organization project', 'ShellType': 'cmd', 'IsInteractive': 'True', 'OutputType': 'json', 'OrgPresentInCommand': True, 'ProjectPresentInCommand': True, 'RepoPresentInCommand': False}}]
msrest.universal_http: Configuring redirects: allow=True, max=30
msrest.universal_http: Configuring request: timeout=100, verify=True, cert=None
msrest.universal_http: Configuring proxies: ''
msrest.universal_http: Evaluate proxies against ENV settings: True
urllib3.connectionpool: Starting new HTTPS connection (1): dev.azure.com:443
urllib3.connectionpool: https://dev.azure.com:443 "POST /ORGANIZATION/_apis/CustomerIntelligence/Events HTTP/1.1" 204 0
urllib3.connectionpool: https://DEVOPS_SERVER.visualstudio.com:443 "GET /PROJECT_NAME/_apis/policy/configurations/POLICY_ID HTTP/1.1" 200 1157
azext_devops.devops_sdk.client: Response content: b'{"createdBy":{"displayName":"USER DISPLAY NAME","url":"https://spsprodwus24.vssps.visualstudio.com/INSTANCE_ID/_apis/Identities/USER_ID","_links":{"avatar":{"href":"https://DEVOPS_SERVER.visualstudio.com/_apis/GraphProfile/MemberAvatars/aad.ENCODED_USER_ID"}},"id":"USER_ID","uniqueName":"[email protected]","imageUrl":"https://DEVOPS_SERVER.visualstudio.com/_api/_common/identityImage?id=USER_ID","descriptor":"aad.ENCODED_USER_ID"},"createdDate":"2025-06-27T21:47:33.4234168Z","isEnabled":true,"isBlocking":true,"isDeleted":false,"settings":{"requiredReviewerIds":["REVIEWER_ID"],"minimumApproverCount":1,"creatorVoteCounts":false,"message":"Policy Message","scope":[{"refName":"refs/heads/BRANCH_NAME","matchKind":"Exact","repositoryId":"REPO_ID"}],"filenamePatterns":["","!/path/to/file1.h","!/path/to/folder/","!/path/to/another/folder/","!/path/to/test/folder/","!/.config/","!/tools/configs/","!/data/folder/","!pattern1"]},"isEnterpriseManaged":false,"_links":{"self":{"href":"https://DEVOPS_SERVER.visualstudio.com/PROJECT_ID/_apis/policy/configurations/POLICY_ID"},"policyType":{"href":"https://DEVOPS_SERVER.visualstudio.com/PROJECT_ID/_apis/policy/types/POLICY_TYPE_ID"}},"revision":7,"id":POLICY_ID,"url":"https://DEVOPS_SERVER.visualstudio.com/PROJECT_ID/_apis/policy/configurations/POLICY_ID","type":{"id":"POLICY_TYPE_ID","url":"https://DEVOPS_SERVER.visualstudio.com/PROJECT_ID/_apis/policy/types/POLICY_TYPE_ID","displayName":"Required reviewers"}}'
azext_devops.devops_sdk.client: Route template: {project}/_apis/{area}/{resource}/{configurationId}
azext_devops.devops_sdk.client: Api version '5.0'
azext_devops.devops_sdk.client: PUT https://DEVOPS_SERVER.visualstudio.com/PROJECT_NAME/_apis/policy/configurations/POLICY_ID
azext_devops.devops_sdk.client: Request content: {'type': {'id': 'POLICY_TYPE_ID'}, 'isBlocking': True, 'isEnabled': True, 'settings': {'scope': [{'repositoryId': 'REPO_ID', 'refName': 'refs/heads/BRANCH_NAME', 'matchKind': 'exact'}], 'requiredReviewerIds': ['REVIEWER_ID'], 'message': 'Policy Message', 'filenamePatterns': ['', '!/path/to/file1.h', '!/path/to/folder/', '!/path/to/another/folder/', '!/path/to/test/folder/', '!/.config/', '!/tools/configs/', '!/data/folder/', '!pattern1', '!pattern2']}}
msrest.universal_http: Configuring redirects: allow=True, max=30
msrest.universal_http: Configuring request: timeout=100, verify=True, cert=None
msrest.universal_http: Configuring proxies: ''
msrest.universal_http: Evaluate proxies against ENV settings: True
urllib3.connectionpool: https://DEVOPS_SERVER.visualstudio.com:443 "PUT /PROJECT_NAME/apis/policy/configurations/POLICY_ID HTTP/1.1" 200 1160
azext_devops.devops_sdk.client: Response content: b'{"createdBy":{"displayName":"USER DISPLAY NAME","url":"https://spsprodwus24.vssps.visualstudio.com/INSTANCE_ID/_apis/Identities/USER_ID","_links":{"avatar":{"href":"https://DEVOPS_SERVER.visualstudio.com/_apis/GraphProfile/MemberAvatars/aad.ENCODED_USER_ID"}},"id":"USER_ID","uniqueName":"[email protected]","imageUrl":"https://DEVOPS_SERVER.visualstudio.com/_api/_common/identityImage?id=USER_ID","descriptor":"aad.ENCODED_USER_ID"},"createdDate":"2025-06-27T21:48:10.2522791Z","isEnabled":true,"isBlocking":true,"isDeleted":false,"settings":{"requiredReviewerIds":["REVIEWER_ID"],"minimumApproverCount":1,"creatorVoteCounts":true,"message":"Policy Message","scope":[{"refName":"refs/heads/BRANCH_NAME","matchKind":"Exact","repositoryId":"REPO_ID"}],"filenamePatterns":["","!/path/to/file1.h","!/path/to/folder/","!/path/to/another/folder/","!/path/to/test/folder/","!/.config/","!/tools/configs/","!/data/folder/","!pattern1","!pattern2"]},"isEnterpriseManaged":false,"_links":{"self":{"href":"https://DEVOPS_SERVER.visualstudio.com/PROJECT_ID/_apis/policy/configurations/POLICY_ID"},"policyType":{"href":"https://DEVOPS_SERVER.visualstudio.com/PROJECT_ID/_apis/policy/types/POLICY_TYPE_ID"}},"revision":8,"id":POLICY_ID,"url":"https://DEVOPS_SERVER.visualstudio.com/PROJECT_ID/_apis/policy/configurations/POLICY_ID","type":{"id":"POLICY_TYPE_ID","url":"https://DEVOPS_SERVER.visualstudio.com/PROJECT_ID/_apis/policy/types/POLICY_TYPE_ID","displayName":"Required reviewers"}}'
cli.knack.cli: Event: CommandInvoker.OnTransformResult [<function _resource_group_transform at 0xMEMORY_ADDRESS>, <function _x509_from_base64_to_hex_transform at 0xMEMORY_ADDRESS>]
cli.knack.cli: Event: CommandInvoker.OnFilterResult []
{
"createdBy": {
"descriptor": "aad.ENCODED_USER_ID",
"directoryAlias": null,
"displayName": "USER DISPLAY NAME",
"id": "USER_ID",
"imageUrl": "https://DEVOPS_SERVER.visualstudio.com/_api/_common/identityImage?id=USER_ID",
"inactive": null,
"isAadIdentity": null,
"isContainer": null,
"isDeletedInOrigin": null,
"profileUrl": null,
"uniqueName": "[email protected]",
"url": "https://spsprodwus24.vssps.visualstudio.com/INSTANCE_ID/_apis/Identities/USER_ID"
},
"createdDate": "2025-06-27T21:48:10.252279+00:00",
"id": POLICY_ID,
"isBlocking": true,
"isDeleted": false,
"isEnabled": true,
"isEnterpriseManaged": false,
"revision": 8,
"settings": {
"creatorVoteCounts": true,
"filenamePatterns": [
"",
"!/path/to/file1.h",
"!/path/to/folder/*",
"!pattern1",
"!pattern2"
],
"message": "Policy Message",
"minimumApproverCount": 1,
"requiredReviewerIds": [
"REVIEWER_ID"
],
"scope": [
{
"matchKind": "Exact",
"refName": "refs/heads/BRANCH_NAME",
"repositoryId": "REPO_ID"
}
]
},
"type": {
"displayName": "Required reviewers",
"id": "POLICY_TYPE_ID",
"url": "https://DEVOPS_SERVER.visualstudio.com/PROJECT_ID/_apis/policy/types/POLICY_TYPE_ID"
},
"url": "https://DEVOPS_SERVER.visualstudio.com/PROJECT_ID/_apis/policy/configurations/POLICY_ID"
}
cli.knack.cli: Event: Cli.SuccessfulExecute []
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0xMEMORY_ADDRESS>]
az_command_data_logger: exit code: 0
cli.main: Command ran in 2.485 seconds (init: 0.526, invoke: 1.959)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 3966 in cache file under C:\Users\USERNAME.azure\telemetry\TIMESTAMP
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry_init.pyc C:\Users\USERNAME.azure C:\Users\USERNAME.azure\telemetry\TIMESTAMP"
telemetry.process: Return from creating process PROCESS_ID
telemetry.main: Finish creating telemetry upload process.
Expected behavior
The "Allow requestors to approve their own changes" setting should remain unchanged if it is not explicitly modified, especially since the flag is not exposed in the CLI.
Environment Summary
azure-cli 2.74.0
core 2.74.0
telemetry 1.1.0
Extensions:
azure-devops 1.0.2
Dependencies:
msal 1.32.3
azure-mgmt-resource 23.3.0
Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe'
Config directory 'C:\Users{myName}.azure'
Extensions directory 'C:\Users{myName}.azure\cliextensions'
Python (Windows) 3.12.10 (tags/v3.12.10:0cc8128, Apr 8 2025, 12:21:36) [MSC v.1943 64 bit (AMD64)]
Legal docs and information: aka.ms/AzureCliLegal
Your CLI is up-to-date.
Additional context
This behavior unintentionally weakens branch protection policies, particularly in automated scripts or pipelines where only partial updates are intended. Since the flag is not exposed, users have no way to preserve or restore the original setting via CLI.
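Added example (not part of the original report and not the azure-devops extension's code): a Python sketch of the pattern visible in the debug log, where the PUT body omits `creatorVoteCounts` and the response returns it as `true`, next to a read-modify-write payload and a drift check a pipeline can run after each update. `apply_put`, `ASSUMED_DEFAULTS` and all function names are hypothetical; the server defaults are an assumption modelled on the logged response.

```python
import copy

# Keys present in the PUT request body in the debug log above.
PUT_KEYS = ("scope", "requiredReviewerIds", "message", "filenamePatterns")

# Assumption modelled on the logged response: an omitted creatorVoteCounts
# comes back as true; minimumApproverCount stayed at 1.
ASSUMED_DEFAULTS = {"minimumApproverCount": 1, "creatorVoteCounts": True}

# Constructed sample: the "settings" object from the GET response, shortened.
BEFORE = {
    "requiredReviewerIds": ["REVIEWER_ID"],
    "minimumApproverCount": 1,
    "creatorVoteCounts": False,
    "message": "Policy Message",
    "scope": [{"refName": "refs/heads/BRANCH_NAME", "matchKind": "Exact",
               "repositoryId": "REPO_ID"}],
    "filenamePatterns": ["", "!/path/to/file1.h", "!pattern1"],
}

# The only change the caller asked for: one more path filter.
CHANGES = {"filenamePatterns": BEFORE["filenamePatterns"] + ["!pattern2"]}


def lossy_payload(existing, changes):
    """Body limited to PUT_KEYS, as in the logged request; other keys are dropped."""
    return {k: copy.deepcopy(changes.get(k, existing.get(k))) for k in PUT_KEYS}


def merged_payload(existing, changes):
    """Read-modify-write: start from the full server copy, overlay only the changes."""
    payload = copy.deepcopy(existing)
    payload.update(copy.deepcopy(changes))
    return payload


def apply_put(payload):
    """Hypothetical stand-in for the service: omitted keys take ASSUMED_DEFAULTS."""
    return {**ASSUMED_DEFAULTS, **copy.deepcopy(payload)}


def unrequested_drift(before, after, changes):
    """Keys whose value differs after the update although the caller did not change them."""
    keys = (set(before) | set(after)) - set(changes)
    return {k: (before.get(k), after.get(k))
            for k in sorted(keys) if before.get(k) != after.get(k)}


def demo():
    """Return (drift with the lossy body, drift with the merged body)."""
    lossy = apply_put(lossy_payload(BEFORE, CHANGES))
    safe = apply_put(merged_payload(BEFORE, CHANGES))
    return (unrequested_drift(BEFORE, lossy, CHANGES),
            unrequested_drift(BEFORE, safe, CHANGES))


if __name__ == "__main__":
    print(demo())
```

In a real pipeline the `before` and `after` dictionaries would be the `settings` objects read from the policy configuration before and after the update; a non-empty drift result on a key such as `creatorVoteCounts` should fail the job.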
