I always need this and for some reason keep forgetting so storing it and will hopefully remember it's here, missing meta info but enough to remember this with 😁

Azure DevOps Descriptors.cs

public class Descriptors
{
	/* List
	 * ====
	 * scp      Project
	 * aad      Azure Active Directory User
	 * msa      Microsoft Account User
	 * aadgp    Azure Active Directory Group
	 * vss 	    Azure DevOps User
	 * svc      Azure DevOps Service Identity
         * imp      Imported Identity
	 * 
	 * User Descriptors
	 * ================
	 * aad.ODcxMWYxZDItOxxxxxxxxxxxxxxxxxxxxxx
	 * Microsoft.IdentityModel.Claims.ClaimsIdentity;72aa0d83-xxxxxxxxxxxxxxxxxxxxxx\\Gordon.Beeming@company.com
	 * Microsoft.IdentityModel.Claims.ClaimsIdentity;domain\\principalName
	 *	 
	 * msa.ODcxMWYxZDItOxxxxxxxxxxxxxxxxxxxxxx
	 * Microsoft.IdentityModel.Claims.ClaimsIdentity;00037xxxxxxxxx@live.com
	 * Microsoft.IdentityModel.Claims.ClaimsIdentity;originId@live.com
	 * 
	 * AD Groups
	 * =========
	 * aadgp.Uy0xLTktMTU1MTM3xxxxxxxxxxxxxxxxxxxxxx
	 * Microsoft.TeamFoundation.Identity;S-1-9-1551xxxxxxxxxxxxxxxxxxxxxx
	 * 
	 */


	public static (string origin, string localId) Decode(string descriptor)
	{
		var indexOfDot = descriptor.IndexOf(".");
		if (indexOfDot == -1)
		{
			throw new Exception($"Invalid descriptor '{descriptor}'.");
		}
		int attempts = 0;
		while(attempts <= 2)
		{
			try
			{
				return (descriptor.Remove(indexOfDot), Encoding.UTF8.GetString(Convert.FromBase64String(descriptor.Remove(0, indexOfDot + 1) + new string('=',attempts))));
			}
			catch 
			{
				attempts++;				
			}
		}
		return (descriptor.Remove(indexOfDot),"error");
	}

	public static string Create(string origin, string localId)
	{
		return $"{origin}.{Convert.ToBase64String(Encoding.UTF8.GetBytes(localId)).TrimEnd('=')}";
	}
}

SecurityNamespaces.cs

// https://dev.azure.com/{{org_name}}/_apis/securitynamespaces
public class SecurityNamespaces
{
  public const string Identity = "5a27515b-ccd7-42c9-84f1-54c998f03866";
}