Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Azure DevOps Services | Azure DevOps Server | Azure DevOps Server 2022 | Azure DevOps Server 2020
This article explains how to manage permissions and access by using security groups. You can use default or custom groups to set permissions. You can add users and groups to multiple groups. For instance, you add most developers to the Contributors group. When they join a team, they also join the team’s group.
For more information, see the following articles:
- Add an Active Directory / Microsoft Entra group to a built-in security group
- Add organization users and manage access
- Add users or groups to a team or project
- Remove user accounts
- Manage access to specific features using permissions
- Change project-level permissions
- Change permissions at the organization or collection-level
Users inherit permissions from the groups that they belong to. If a permission is set to Allow for one group and Deny for another group to which the user belongs, then their effective permission assignment is Deny. To learn more about inheritance, see About permissions and security groups.
How Azure DevOps uses security groups
Azure DevOps uses security groups for the following purposes:
- Determine permissions allocated to a group or user
- Determine access level allocated to a group or user
- Filter work item queries based on membership within a group
- Use
@mentionof a project-level group to send email notifications to members of that group - Send team notifications to members of a team group
- Add a group to a role-based permission
- Set object-level permissions to a security group
Prerequisites
| Category | Requirements |
|---|---|
| Permissions | - To manage permissions or groups at the project level: Member of the Project Administrators security group. - To manage permissions or groups at the collection level: Member of the Project Collection Administrators group. Organization owners are automatically members of this group. |
Create a custom security group
Create a project-level group when you want to manage permissions at the project or object level for a project. Create a collection-level group when you want to manage permissions at the collection level. For more information, see Change project-level permissions and Change permissions at the organization or collection-level.
Add users or groups to a security group
As roles and responsibilities change, you might need to change the permission levels for individual members of a project. The easiest way to do that is to add the user or a group of users to either a default or custom security group. If roles change, you can then remove the user from a group.
The following steps show how to add a user to the built-in Project Administrators group. The method is similar no matter what group you're adding. If your organization is connected to Microsoft Entra ID or Active Directory, then you can add security groups defined in those directories to Azure DevOps security groups. For more information, see Add Active Directory / Microsoft Entra users or groups to a built-in security group.
If you need to add more than 10k users or groups to an Azure DevOps security group, we recommend adding an Azure Directory / Microsoft Entra group containing the users, instead of adding the users directly.
Change permissions for a user or group
Because permissions are defined at different levels, review the following articles to open the dialog for the permissions you want to change: