Azure DevOps Administrator Essentials and Best Practices

As an Azure DevOps Administrator, it's essential to have a solid understanding of the platform's core features. Azure DevOps is a set of DevOps tools that help you plan, track, and deliver software projects.

One of the key features of Azure DevOps is its ability to integrate with other Microsoft tools, such as Azure and Visual Studio. This integration allows for seamless collaboration and streamlined workflows.

To get started with Azure DevOps, you'll need to set up a project, which can be done in just a few clicks. You can choose from a variety of project templates or create a custom one that suits your needs.

Azure DevOps provides a range of tools and features to help you manage your project, including work items, boards, and reports. These tools enable you to track progress, identify bottlenecks, and make data-driven decisions.

Prerequisites

To become an Azure DevOps administrator, you need to meet certain prerequisites. You must be a member of the local Administrators group on the server where you want to open the console.

To ensure you have the necessary permissions, check if you are a member of the Azure DevOps Server Administrators group or if your Edit Server-Level Information permission is set to Allow.

If your deployment uses multiple servers, you need to open the console on the server that is running the component you want to manage. This is because the administration console provides management nodes for all components in your deployment.

To verify your permissions, try opening the console at a command prompt. If you lack the required permissions, you might not be able to access some or all of the administration console's functionality.

Here are the specific permissions you need to meet the prerequisites:

  • Member of the local Administrators group on the server
  • Member of the Azure DevOps Server Administrators group or Edit Server-Level Information permission set to Allow

Accessing Administration Console

To access the administration console, you need to have a valid user account on the server or servers on which the console is installed. Anyone with a valid user account can open the admin console, but you'll only be able to perform functions for which you have the required permissions.

You can find the admin console under the "Install, upgrade, and general admin tasks" section, where you'll see options like "Open the Administration Console". This section is a great starting point for administrators who want to get started with the console.

The administration console is a powerful tool that requires permission to access. Members of the Azure DevOps Server Administrators group, for example, have the necessary permissions to perform server-level administrative tasks.

To give you a better idea of what tasks you can perform from the admin console, here's a list of some of the tasks you can do:

  • Install get started
  • Install SQL Server
  • Upgrade get started
  • Upgrade TFS Express
  • Open the Administration Console

Keep in mind that your permissions will determine what tasks you can perform, so make sure you have the necessary permissions before trying to access the console.

Security and Permissions

Azure DevOps administrators must manage security and permissions to ensure that users have the right level of access to features and tasks.

Permissions are assigned to users or groups through security groups, which are defined at different levels: organization/collection, project, or object. Members inherit the permissions assigned to their security group.

Administrators can define custom security groups to manage permissions for different functional areas. Project Collection Administrators hold the highest authority within an organization or project collection and perform all operations for the entire collection.

Project Administrators operate at the project level and manage security groups and permissions from the Project settings in the web portal. Contributors handle permissions for specific objects they create within the project.

There are two key groups involved in managing permissions in Azure DevOps: Project Collection Administrators and Project Administrators.

Here are the permission states:

  • Allow: explicitly grants users permission to perform specific tasks
  • Allow (inherited): grants group members permission to perform specific tasks
  • Allow (system): grants a permission that takes precedence over user permissions
  • Deny: explicitly restricts users from performing specific tasks
  • Deny (inherited): restricts group members from performing specific tasks
  • Deny (system): restricts a permission in a way that takes precedence over user permissions
  • Not set: implicitly denies users the ability to perform tasks that require that permission

Permissions follow a hierarchy, allowing inheritance from a parent node or overriding it. Explicit permissions always take precedence over inherited ones.

Here's an example of how permission inheritance works:

  • Explicitly Deny on ‘area-1’ (parent node)
  • Explicitly Allow for ‘area-1/sub-area-1’ (child node)
  • In this case, the user receives an Allow on ‘area-1/sub-area-1’, overriding the inherited Deny from the parent node.
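
The inheritance rule above as a small resolver, added here as an illustration and not Azure DevOps code: it models one identity and one permission on hierarchical nodes as this page describes them (the nearest explicit setting wins, Not set is an implicit deny) and does not model group membership. The `overrides` helper lists child nodes whose explicit Allow reverses an inherited Deny, which is what an access review would look for; all function names and the sample ACL are constructed.

```python
ALLOW, DENY, NOT_SET = "Allow", "Deny", "Not set"


def ancestors(path):
    """Yield the node itself, then each parent up to the root: a/b/c, a/b, a."""
    parts = path.split("/")
    for i in range(len(parts), 0, -1):
        yield "/".join(parts[:i])


def effective(acl, path):
    """Return (state, source_node) for a node.

    The nearest explicit Allow/Deny on the node or one of its ancestors wins.
    If nothing is set anywhere on the path, the result is Not set.
    """
    for node in ancestors(path):
        state = acl.get(node, NOT_SET)
        if state in (ALLOW, DENY):
            return state, node
    return NOT_SET, None


def can_perform(acl, path):
    """Not set is an implicit deny, so only an effective Allow grants access."""
    return effective(acl, path)[0] == ALLOW


def overrides(acl):
    """List (child, denying_ancestor) pairs where an explicit Allow on a child
    reverses a Deny that the child would otherwise inherit."""
    found = []
    for node, state in sorted(acl.items()):
        if state != ALLOW or "/" not in node:
            continue
        parent = node.rsplit("/", 1)[0]
        inherited, source = effective(acl, parent)
        if inherited == DENY:
            found.append((node, source))
    return found


# Constructed ACL mirroring the area-path example in the text.
SAMPLE_ACL = {
    "area-1": DENY,
    "area-1/sub-area-1": ALLOW,
    "area-2": ALLOW,
}
```
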

Security groups assign specific permissions to their members. With the creation of an organization, collection, or project, Azure DevOps creates a set of default security groups, which are automatically assigned default permissions.

Here are the default security groups defined by Azure DevOps:

  • Project level:
      • Build Administrators
      • Contributors
      • Project Administrators
      • Project Valid Users
      • Readers
      • Release Administrators
      • TeamName Team
  • Collection level:
      • Project Collection Administrators
      • Project Collection Build Administrators
      • Project Collection Build Service Accounts
      • Project Collection Proxy Service Accounts
      • Project Collection Service Accounts
      • Project Collection Test Service Accounts
      • Project Collection Valid Users
      • Security Service Group

Role-based permissions assign user accounts or security groups to a role, with each role assigned one or more permissions. Here are the primary roles:

  • Artifact or package feed security roles: Roles support various permission levels to edit and manage package feeds.
  • Marketplace extension Manager role: Members of the Manager role can install extensions and respond to requests for extensions to be installed.
  • Pipeline security roles: Several roles are used to manage library resources, project-level, and collection-level pipeline resources.
  • Team administrator role: Team administrators are able to manage all team tools.

Membership and Access Management

Membership and Access Management is a crucial aspect of Azure DevOps administration. Azure DevOps controls access through three interconnected functional areas: Membership management, Permission management, and Access level management.

Membership management supports adding individual user accounts and groups to default security groups, each associated with a set of default permissions. All users added to any security group are added to the Valid Users group, which allows them to connect to a project, collection, or organization.

Security groups are used to simplify management across the deployment. You can add users and groups through the web administration context, and permissions are automatically set based on the security group. Security group members can be a combination of users, other groups, and Microsoft Entra groups or Active Directory groups.

To manage users and access, you need to add administration console users, add server-level administrators, change access levels, and set up groups for use in Azure DevOps deployments.

There are three levels of permissions: object, project, and organization or collection. As a Project Administrator, you can grant or restrict permissions for all objects and at the project-level. To delegate specific tasks to others, you can add them to a built-in or custom security group, or add them to a specific role.

Azure DevOps creates a set of default security groups when you create an organization, collection, or project. These default groups are automatically assigned default permissions. You can also create custom security groups at the organization, collection, or project level.

The default security groups for each project and organization include the following: Project Administrators, Project Collection Administrators, Build Administrators, Contributors, Project Valid Users, Readers, Release Administrators, and TeamName Team. You typically add users or groups to the Readers, Contributors, or Project Administrators groups.

To manage organizational access with Microsoft Entra ID, you can add or delete users using Microsoft Entra ID, and troubleshoot access with Microsoft Entra ID. Azure DevOps registers changes made to a Microsoft Entra group within an hour of the change in Microsoft Entra ID.

When you add accounts of users directly to a security group, they automatically get added to one of the following valid user groups: Project Collection Valid Users, Project Valid Users, Server\Azure DevOps Valid Users, ProjectCollectionName\Project Collection Valid Users, or ProjectName\Project Valid Users.

The Project-scoped Users group restricts specific users from accessing Organization settings pages, except for Overview and Projects, and only allows them to access the projects to which they're added.

Frequently Asked Questions

What is an Azure DevOps administrator?

An Azure DevOps administrator is responsible for maintaining and configuring the server, as well as managing projects, collections, and server instances. They oversee the entire Azure DevOps environment, ensuring smooth operation and optimal performance.

How much do Azure DevOps administrators make?

Azure DevOps administrators typically earn between $87,500 (25th percentile) and $123,500 (75th percentile). Salaries above $123,500 are considered above average.

Melba Kovacek

Writer