Configuring access levels in Azure DevOps is a straightforward process that can be tailored to your organization's specific needs.
You can create up to five access levels in Azure DevOps, each with its own set of permissions and restrictions.
The Basic access level is the most restricted, granting only the most essential permissions, while the Global access level is the most permissive, offering full access to all features and resources.
To get started, you'll need to navigate to the Organization settings in Azure DevOps and select the Permissions page.
Prerequisites
To set up Azure DevOps access levels, you'll need to meet some prerequisites. To manage access for a large group of users, create either a Windows group, a group in Active Directory, or an Azure DevOps security group, and then add users to those groups.
You must be a member of the Administrators group to manage access levels. If you aren't a member, get added now.
Here are the specific groups you'll need to be a part of or create:
- Project Collection Administrators group (organization owners are automatically members)
- Administrators group
Users must be added to a project to access Azure DevOps. Licensing must be set up for your organization via Azure.
Set Default
To change the default access level for new users added to projects, sign in to your organization, select Organization settings, and then select Billing.
You can change the default access level from Basic to Stakeholder, but keep in mind that only users with Basic or higher levels will have access to more features than Stakeholder. To do this, select the dropdown menu next to Default access level for new users and choose Basic.
If you set Stakeholder as the default access level, you'll need to add Azure DevOps service accounts to the Basic or an advanced access level group. This is because service accounts get added to the default access level.
Here's a quick rundown of the access levels you can set as the default:
- Basic
- Stakeholder
Note that the default access level should be the same as the access you're licensed for. This ensures that users have the correct level of access to features and functionality.
Multi-Organization Access
If you're a member of more than one Azure DevOps organization, you can turn on multi-organization billing and pay for each Basic or Basic + Test Plans human user once, for all organizations under the same billing Azure subscription.
This feature is helpful if you have multiple organizations to manage and don't want to pay for each user separately. However, multi-organization billing doesn't apply to service principals: you must pay for a service principal in each organization it was added to where it has Basic or Basic + Test Plans.
To enable multi-organization billing, sign in to your organization, select Organization settings, then Billing, and finally Configure user billing. From there, simply select Multi-organization and save your changes.
Here's a quick rundown of the steps to follow:
- Sign in to your organization (https://dev.azure.com/{yourorganization}).
- Select Organization settings.
- Select Billing.
- Select Configure user billing.
- Select Multi-organization, and then select Save.
It's worth noting that a user can join only the organization for which the user paid for Basic access, but they can join any organization where free users with Basic access are still available.
Access Control
Access control is a crucial aspect of Azure DevOps access levels. Changes you make to access level settings take effect immediately.
To add a user or group to an access level, select the access level you want to manage, enter the name of the user or group into the text box, and select the matches you want. You can enter several identities into the text box, separated by commas.
If a user can't see a project, check whether they were added to a group where the project-level "View project-level information" permission isn't set or is set to Deny. Users need this permission to view project information.
Here's a summary of how to restrict project visibility:
- By default, project visibility in Azure DevOps is set to private.
- You can change the setting to prevent users from making any project in your organization public.
- To do this, navigate to Organization Settings → Policies → Security Policies → Allow public projects.
Add a User or Group
Adding users or groups to an access level is a straightforward process. You can do this by selecting the access level you want to manage and then clicking "Add" to add a group.
To add a user or group, enter their name into the text box; separate several names with commas. The system will automatically search for matches, allowing you to choose the ones that meet your criteria.
Changes made to access level settings take effect immediately, so you can see the results of your changes right away. This means you can test and refine your access controls without delay.
If you need to add more users with Basic access, you'll need to set up billing in Azure. This will allow you to pay for additional users and assign them Basic access. You can add unlimited Stakeholders and Visual Studio subscribers for no extra charge, though.
You can also create custom security groups with access controls tailored to your team's workflows. This can be done by logging into your Azure DevOps portal and clicking on Project Settings.
Here's a quick rundown of the steps to create a custom security group:
- Log in to your Azure DevOps portal and click Project Settings in the left-hand navigation.
- Click Permissions.
- Click the New Group button.
- Give the group a name, add members and a description if needed, and click Create.
- Click the new group and use the Permissions tab to grant or deny permissions.
Remember, a permission that's "Not set" is effectively an implicit deny, meaning users without explicit permission won't have access by default.
Permission Management: Restricting
Permission management is a crucial aspect of access control in Azure DevOps. You can restrict access to specific Azure DevOps features by using security groups.
By default, a set of security groups are created when you create an Azure DevOps project, each with default permissions that cover many basic use cases. You can also create custom security groups with access controls optimized for your team's workflows.
To create a custom security group, log in to your Azure DevOps portal and click Project Settings in the left-hand navigation. Then, click Permissions and create a new group with a name, add members, and a description.
Members of a security group will have access to Azure DevOps resources based on the permissions defined for that group. A permission that is "Not set" is effectively an implicit deny, meaning users with a "Not set" permission don't have access by default, but may be granted access by inheriting it from another group.
Here's a breakdown of how to grant or deny permissions to a security group:
To grant or deny permissions, click the Permissions tab on the security group and explicitly set the permissions you want to apply.
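The "Not set" and Deny behaviour described above can be modelled as a small resolver over a user's group memberships. This is an added example, not Azure DevOps code: the group names and ACL data are constructed, and it assumes the general Azure DevOps rule that an explicit Deny overrides an Allow inherited from another group, ignoring the exceptions that exist for administrator groups.

```python
from enum import Enum

class Perm(Enum):
    ALLOW = "Allow"
    DENY = "Deny"
    NOT_SET = "Not set"

VIEW = "View project-level information"

# Constructed sample data; the group names are hypothetical.
GROUP_ACL = {
    "Readers": {VIEW: Perm.ALLOW},
    "Contractors": {VIEW: Perm.DENY},
    "Release Crew": {},  # nothing set explicitly for this group
}

def effective(groups, permission, acl=GROUP_ACL):
    """Return (state, groups responsible) for one permission.

    Simplified model: an explicit Deny in any group wins; otherwise an
    Allow in any group grants; otherwise the result stays Not set.
    """
    states = {g: acl.get(g, {}).get(permission, Perm.NOT_SET) for g in groups}
    for wanted in (Perm.DENY, Perm.ALLOW):
        hits = sorted(g for g, s in states.items() if s is wanted)
        if hits:
            return wanted, hits
    return Perm.NOT_SET, []

def can_access(groups, permission, acl=GROUP_ACL):
    """Only an effective Allow grants access; Not set is an implicit deny."""
    return effective(groups, permission, acl)[0] is Perm.ALLOW

def explain(user, groups, permission, acl=GROUP_ACL):
    """One-line answer to 'why can't this user see the project?'."""
    state, because = effective(groups, permission, acl)
    if state is Perm.ALLOW:
        return f"{user}: allowed via {', '.join(because)}"
    if state is Perm.DENY:
        return f"{user}: blocked by explicit Deny in {', '.join(because)}"
    return f"{user}: blocked, Not set in every group (implicit deny)"

if __name__ == "__main__":
    print(explain("alice", ["Release Crew"], VIEW))
    print(explain("bob", ["Release Crew", "Readers"], VIEW))
    print(explain("carol", ["Readers", "Contractors"], VIEW))
```

When troubleshooting a user who cannot see a project, the Deny case is the one to look for first: adding the user to another group with Allow will not help until the Deny is removed.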
Authentication and Permissions
Authentication and permissions are the foundation of a strong security posture in Azure DevOps. Azure DevOps uses Microsoft accounts and Azure Active Directory (AD) for authentication.
You can create policies at the individual user level or integrate your own AD domain with Azure AD, depending on the size and complexity of your organization.
To manage permissions, you can create custom security groups with access controls optimized for your team's workflows. Members of these groups will have access to Azure DevOps resources based on the permissions you define.
Here's a quick rundown of how to create a custom security group:
- Log in to your Azure DevOps portal and click Project Settings in the left-hand navigation
- Click Permissions
- Click the New Group button to create a new security group
- Give the group a name and optionally add members and a description, then click Create
- Use the Permissions tab to explicitly grant or deny permissions to the group
A permission that is "Not set" is effectively an implicit deny, so be sure to explicitly grant or deny permissions to avoid any confusion.
Authentication
Authentication is key to a strong security posture in any IT infrastructure. Azure DevOps uses Microsoft accounts and Azure Active Directory (AD) for authentication.
Personal access tokens contain the security credentials for Azure DevOps and identify your SonarCloud instance as an accessible organization to define its scope of access.
Personal access tokens are a more convenient and secure replacement for alternate authentication credentials, allowing you to limit a token's use to a specific lifetime, organization, and scope of activities.
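The three limits named above (lifetime, organization, scope) can be checked mechanically against a token inventory. This is an added example, not code from Azure DevOps or SonarCloud: the record layout, the 90-day limit and the `full_access` marker are assumptions, and the token records are constructed.

```python
from datetime import datetime

MAX_LIFETIME_DAYS = 90             # assumed policy limit, not an Azure DevOps default
FULL_ACCESS_SCOPE = "full_access"  # hypothetical marker for an unrestricted token

# Constructed inventory; the field names are hypothetical, not an API schema.
TOKENS = [
    {"name": "sonarcloud-analysis", "valid_from": "2024-01-10T00:00:00Z",
     "valid_to": "2024-03-10T00:00:00Z", "scope": "vso.code", "all_orgs": False},
    {"name": "legacy-build-script", "valid_from": "2024-01-01T00:00:00Z",
     "valid_to": "2025-01-01T00:00:00Z", "scope": "full_access", "all_orgs": True},
    {"name": "release-bot", "valid_from": "2024-02-01T00:00:00Z",
     "valid_to": "2024-04-01T00:00:00Z", "scope": "vso.build vso.release",
     "all_orgs": True},
]

def _parse(ts):
    """Parse an ISO 8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def audit(tokens, max_days=MAX_LIFETIME_DAYS):
    """Return {token name: [issues]} for tokens that break any of the limits."""
    findings = {}
    for t in tokens:
        issues = []
        # Lifetime: a long-lived token stays useful to whoever obtains it.
        if (_parse(t["valid_to"]) - _parse(t["valid_from"])).days > max_days:
            issues.append("lifetime")
        # Scope: a token should carry only the scopes its job needs.
        if FULL_ACCESS_SCOPE in t["scope"].split():
            issues.append("full-scope")
        # Organization: a token should be bound to one organization.
        if t["all_orgs"]:
            issues.append("all-orgs")
        if issues:
            findings[t["name"]] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit(TOKENS).items():
        print(f"{name}: {', '.join(issues)}")
```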
Subscriber Change After Sign In
If you're a Visual Studio subscriber, you might have noticed that your access levels change after you sign in to Azure DevOps. This is because Azure DevOps recognizes Visual Studio subscribers and grants access based on their subscription, not on the current access level assigned to the user.
Users automatically have access to certain features based on their subscription, which can include Basic, Advanced, and Visual Studio Enterprise subscriber access levels. Make sure to set each user's access level based on what you've purchased for that user.
Here's a quick rundown of the access levels you can assign to users or groups:
- Basic access includes all Stakeholder features - Basic + Test Plans.
- Advanced and Visual Studio Enterprise subscriber access levels include all Basic features.
Organization Management
Organization Management is crucial to maintaining control and security within your Azure DevOps organization. There are 3 access levels available to restrict access for newly created users.
To manage users at the organization level, you must be a member of the Project Collection Administrators group or organization Owner. This is a requirement to ensure that only authorized personnel can assign access levels to new users.
To assign an access level to a new user, follow these steps: From your organization's homepage, click Organization Settings, then click Users on the left-hand navigation and click the Add users button. In the Add new users widget, input the information for the new user(s), select an Access level from the drop-down, and then click the Add button.
Creating an Organization
Creating an organization can be a straightforward process, but you might encounter some restrictions.
If you're unable to create an organization, it's likely due to a tenant policy set by your administrator.
Your administrator might be using the Microsoft Entra tenant policy to restrict new organization creation, so it's worth checking on that.
Don't hesitate to reach out to your administrator for more information on their policy settings.
Security and Compliance
In Azure DevOps, controlling who can view source code is crucial for commercial software projects. Code Leak Prevention is a key aspect of this, and you can restrict project visibility to keep confidential information secure.
Limiting project visibility is essential for teams who need to keep their information private. You can do this by disabling forking for your Azure DevOps projects.
Restricting project visibility and disabling forking helps ensure that only authorized users can access sensitive information. This is particularly important for teams working on confidential projects.
Visual Studio Subscription Options
If you're a Visual Studio subscriber, you have access to Azure DevOps benefits.
You can use Azure DevOps with various Visual Studio subscriptions. Check the Azure DevOps benefits for Visual Studio subscribers for more information.
Your access level in Azure DevOps is automatically determined by your Visual Studio subscription, not by a separate access level assigned to you.
If you have an active, valid Visual Studio subscription, you can access Azure DevOps with the email address associated with your subscription.
You should assign the "Visual Studio/MSDN Subscriber" access level to users with active, valid Visual Studio subscriptions.
Users without a valid, active Visual Studio subscription can only work as Stakeholders in Azure DevOps.
Membership and Roles
There are 3 access levels available in Azure DevOps, which provide a simple way to restrict access for newly created users.
You can assign an access level to a new user at the organization level, from the organization's homepage. Click Organization Settings, then Users, and finally Add users.
To manage access levels, select the level you want to manage and then choose Save changes. Changes take effect immediately.
Here are the 3 access levels available:
- Basic
- Stakeholder
- Contributor
Group-Based Licensing
Group-Based Licensing is a crucial aspect of managing your project's members and roles. Users in a group won't have access to group resources if they haven't been explicitly assigned to those resources or through a different group rule.
You don't have to worry about your groups getting deleted, so feel free to create and manage them as needed.
I Manage
As a Project Collection Administrator, you have the power to manage users and access levels at the organization level. You must be a member of this group or organization Owner to manage users.
To add new users, you can assign an access level to them at the organization level. There are three access levels available: Basic, Stakeholder, and Project Administrator.
You can assign an access level to a new user by following these steps: from your organization's homepage, click Organization Settings, then click Users on the left-hand navigation, and finally click the Add users button.
If you're trying to manage users, but can't, it's likely because you're not a member of the Project Collection Administrators group or organization Owner.
To manage users, you need to be a member of the Project Collection Administrators group or organization Owner. If you're not, you can ask to be added.
If you're having trouble adding users, it might be because your organization is free for the first five users with Basic access. After that, you need to set up billing in Azure to pay for more users.
Here are the different access levels and the users who can be assigned to each level:
You can add a user or group to an access level by selecting the access level, entering the user or group name, and choosing Save changes. Changes take effect immediately.
Membership in Other Organizations
If you're wondering how membership works across different organizations, here's what you need to know. A user who paid for Basic access can join only the organization they paid for, but they can join any organization that still offers free Basic access.
If you're part of an organization that offers Basic access for free, you're in luck - you can join that organization without paying a dime. This means you can explore multiple organizations without breaking the bank.
As a user with Basic access, you can only join the organization you paid for, but you can join as a user with Stakeholder access for free in other organizations.
Frequently Asked Questions
What is the difference between basic and stakeholder in Azure DevOps?
The main difference between Basic and Stakeholder access levels in Azure DevOps is that Basic provides full access to most services, while Stakeholder offers partial support for Azure Boards and Pipelines. If you need full access to Azure services, choose Basic, but if you just need to track progress, Stakeholder might be sufficient.
What is a stakeholder in Azure DevOps?
A stakeholder in Azure DevOps is a user with limited access to features and functions, allowing them to contribute to projects and view dashboards. They can add and modify work items, manage pipelines, and more, making them a valuable part of the development process.
What are the different types of access in Azure DevOps?
There are three main access levels in Azure DevOps: Stakeholder, Basic, and Basic + Test Plans. Each level grants varying degrees of access to features, with Stakeholder providing free access to a limited set of features for an unlimited number of users.