
Azure DevOps defines several roles that determine how teams collaborate. The Project Administrator role has full control over a project, including its permissions, groups, and settings.
A Project Administrator can add or remove team members, assign roles, and configure project settings. They also create and manage teams and assign users to them.
The Project Collection Administrator role has a broader scope: it manages multiple projects and collections within an organization, creating and managing collections and assigning permissions and roles to users across projects.
Azure DevOps Roles
Azure DevOps Roles allow users to manage various aspects of Azure DevOps, including enterprise policies, project resources, and custom security attributes.
The Azure DevOps Administrator role grants users the ability to manage all enterprise Azure DevOps policies, which apply to every Azure DevOps organization backed by Microsoft Entra ID. It is intended for users who need to manage these policies across multiple organizations.
Users with the DevOps Engineer role are software engineers who specialize in the practices and tools that enable the continuous delivery of software. They are responsible for designing and implementing applications, software, and services for their organization.
Here are some key roles and their corresponding actions:
These roles and actions provide a foundation for understanding the various responsibilities and permissions within Azure DevOps.
Deployment Environments User
As a Deployment Environments User in Azure DevOps, you have access to manage environment resources. This role suits teams that deploy and manage environments for their applications.
You can get a specific project using the Microsoft.DevCenter/projects/read action, which gives you a detailed view of the project's settings and configuration.
You can also get or list resource groups using the Microsoft.Resources/subscriptions/resourceGroups/read action, which helps you locate the resource groups your environments are deployed into.
Finally, you can read roles and role assignments using the Microsoft.Authorization/*/read action, which helps you understand the permissions and access levels of other users in your organization.
Here are some of the key actions you'll have as a Deployment Environments User:
These actions will give you the flexibility to manage environments and resources as needed, without overstepping your permissions.
DevCenter Project Admin
As a DevCenter Project Admin, you are responsible for managing project resources. The Microsoft.DevCenter/projects/* action grants you full control over them.
You can read roles and role assignments using Microsoft.Authorization/*/read, which is essential for understanding the permissions and access levels of team members. You can also create and manage deployments using Microsoft.Resources/deployments/*, and get or list resource groups using Microsoft.Resources/subscriptions/resourceGroups/read.
One of the key responsibilities of a DevCenter Project Admin is managing Dev Box resources. You can start any Dev Box resource using Microsoft.DevCenter/projects/users/devboxes/adminStart/action, stop any Dev Box resource using Microsoft.DevCenter/projects/users/devboxes/adminStop/action, and read any Dev Box resource using Microsoft.DevCenter/projects/users/devboxes/adminRead/action.
You can also customize your own Dev Box resources using Microsoft.DevCenter/projects/users/devboxes/userCustomize/action, read Dev Box actions using Microsoft.DevCenter/projects/users/devboxes/userActionRead/action, and skip or delay Dev Box actions using Microsoft.DevCenter/projects/users/devboxes/userActionManage/action.
Here are some key actions you can perform as a DevCenter Project Admin:
As a DevCenter Project Admin, you also have access to environment management actions. You can read all of the environments in a project using Microsoft.DevCenter/projects/users/environments/adminRead/action, write the environments you have access to in a project using Microsoft.DevCenter/projects/users/environments/userWrite/action, and delete the environments you have access to in a project using Microsoft.DevCenter/projects/users/environments/userDelete/action.
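Added example (not code from the page or from Microsoft): a small Python evaluator for Azure RBAC action strings, built from only the actions named in the Deployment Environments User and DevCenter Project Admin sections above. It shows how the `*` wildcard in entries such as Microsoft.DevCenter/projects/* and Microsoft.Authorization/*/read is resolved, and how a NotActions list can carve the admin-level Dev Box operations out of a custom role; the "DevBox Self-Service" role is a constructed illustration, not a built-in, and the two built-in roles list more actions than are reproduced here.

```python
import re
from dataclasses import dataclass, field


def action_pattern(action: str) -> re.Pattern:
    # Azure RBAC: '*' matches any run of characters, including '/', and
    # comparison is case-insensitive; there are no other wildcards.
    parts = [re.escape(p) for p in action.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def matches_any(operation: str, actions: list[str]) -> bool:
    return any(action_pattern(a).match(operation) for a in actions)


@dataclass
class RoleDefinition:
    name: str
    actions: list[str]
    not_actions: list[str] = field(default_factory=list)

    def permits(self, operation: str) -> bool:
        # Allowed only if an Actions entry matches and no NotActions entry
        # does; NotActions subtracts from Actions, it is not a deny.
        return matches_any(operation, self.actions) and not matches_any(
            operation, self.not_actions)


# Only the actions named in the text; the real built-in roles list more.
DEPLOYMENT_ENVIRONMENTS_USER = RoleDefinition(
    "Deployment Environments User",
    actions=["Microsoft.DevCenter/projects/read",
             "Microsoft.Resources/subscriptions/resourceGroups/read",
             "Microsoft.Authorization/*/read"])

DEVCENTER_PROJECT_ADMIN = RoleDefinition(
    "DevCenter Project Admin",
    actions=["Microsoft.DevCenter/projects/*",
             "Microsoft.Authorization/*/read",
             "Microsoft.Resources/deployments/*",
             "Microsoft.Resources/subscriptions/resourceGroups/read"])

# Hypothetical custom role (constructed here, not a Microsoft built-in): keep
# the project grant but carve out the admin-level Dev Box operations.
DEVBOX_SELF_SERVICE = RoleDefinition(
    "DevBox Self-Service (hypothetical)",
    actions=["Microsoft.DevCenter/projects/*"],
    not_actions=["Microsoft.DevCenter/projects/users/devboxes/admin*/action"])


def permitted(role: RoleDefinition, operations: list[str]) -> list[str]:
    # Subset of operations the role allows, e.g. for a least-privilege review.
    return [op for op in operations if role.permits(op)]
```

Because NotActions only narrows the same role's Actions, a user who also holds another assignment that grants adminStart would still be able to start any Dev Box; check all of a principal's assignments, not one role at a time.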
Attack Payload Author
As an Attack Payload Author, you have a crucial role in creating attack payloads for Attack Simulator. You can create attack payloads but not actually launch or schedule them.
These payloads are then available to all administrators in the tenant who can use them to create a simulation. For more information, see Microsoft Defender for Office 365 permissions in the Microsoft 365 Defender portal and Permissions in the Microsoft Purview compliance portal.
You can perform the following actions as an Attack Payload Author:
These actions allow you to create and manage attack payloads, which are essential for creating simulations. By performing these actions, you can contribute to the security of your tenant by providing administrators with the tools they need to test and improve their defenses.
Attribute Definition
In Azure DevOps, the Attribute Definition Administrator role allows users to define a valid set of custom security attributes that can be assigned to supported Microsoft Entra objects. This role can also activate and deactivate custom security attributes.
Users with this role can manage all aspects of attribute sets, including custom security attribute definitions. They can perform tasks such as managing all properties and all tasks related to attribute sets.
The Attribute Definition Administrator role has the following actions:
This role is essential for organizations that need to customize their security attributes to meet specific requirements. By defining and managing custom security attributes, organizations can enhance their security posture and comply with regulatory requirements.
Application
In Azure DevOps, the Application role is a privileged position that allows users to create application registrations, consent to applications accessing company data, and more. This role is essential for managing enterprise applications and application registrations.
Users in the Application Developer role can create all types of applications, including service principals and OAuth 2.0 permission grants, and are added as owners when creating new application registrations.
Here are some specific actions that users with the Application Developer role can perform:
The Cloud Application Administrator role also has a significant impact on application management. Users in this role have the same permissions as the Application Administrator role, excluding the ability to manage application proxy. This role grants the ability to create and manage all aspects of enterprise applications and application registrations.
Here are some specific actions that users with the Cloud Application Administrator role can perform:
- Create and manage all types of applications
- Update authentication on all types of applications
- Update application credentials
- Delete all types of applications
- Manage password single sign-on credentials on service principals
- Grant consent for application permissions and delegated permissions on behalf of any user or all users, except for application permissions for Microsoft Graph
Roles of Engineer
A DevOps Engineer wears many hats: the role coordinates product design and development with operations and production so that new products launch successfully.
DevOps Engineers design and develop an organization's infrastructure, deploying automation to reduce risk and maintain that infrastructure.
Collaboration is central to the role, from technical analysis through deployment and monitoring, in order to improve overall system reliability and scalability.
DevOps engineers must keep up with industry trends and best practices to spot opportunities for automation, design improvements, and other solutions that raise operational efficiency.
A DevOps Engineer is a software engineer who specializes in the practices and tools that enable the continuous delivery of software, responsible for the design and implementation of applications, software, and services for their organization.
Implementing Application Infrastructure is a critical part of this role, involving designing an infrastructure and configuration management strategy, implementing Infrastructure as Code (IaC), managing Azure Kubernetes Service infrastructure, and implementing infrastructure compliance and security.
Some of the key actions of a DevOps Engineer include:
- Designing an infrastructure and configuration management strategy
- Implementing Infrastructure as Code (IaC)
- Managing Azure Kubernetes Service infrastructure
- Implementing infrastructure compliance and security
In addition to these technical responsibilities, DevOps Engineers must be adaptable and take on a variety of work, which can include creating and managing all aspects of the workflows and tasks associated with Lifecycle Workflows in Microsoft Entra ID.
Knowledge Manager
The Knowledge Manager role is a crucial part of Azure DevOps, allowing users to create and manage content with full rights to topic management actions.
These actions include confirming a topic, approving edits, or deleting a topic, ensuring the quality and structure of knowledge are maintained.
A Knowledge Manager can also manage taxonomies as part of the term store management tool and create content centers, making it easier to organize and categorize knowledge.
Here are some specific actions a Knowledge Manager can perform:
Because they hold full rights to topic management actions and can manage taxonomies, Knowledge Managers keep the knowledge base well organized, accurate, and easily searchable, making it easier for others to find and use the information they need.
Message Center Privacy Reader
The Message Center Privacy Reader role in Azure DevOps is a unique one. It allows users to monitor all notifications in the Message Center, including data privacy messages.
These users get email notifications related to data privacy and can unsubscribe using Message Center Preferences. They can also view groups, domains, and subscriptions.
One key aspect of this role is that only the Global Administrator and the Message Center Privacy Reader can read data privacy messages. This indicates a high level of trust and responsibility associated with this role.
To give you a better idea of what this role entails, here are some key permissions:
This role does not have permission to view, create, or manage service requests.
Tier 2 Support
The Tier 2 Support role in Azure DevOps is powerful and should be used only when absolutely necessary. It can reset passwords and invalidate refresh tokens for all users, including administrators.
One of the key features of the Tier 2 Support role is its ability to reset passwords for all users, which is a capability that's also available to administrators. This can be a lifesaver in emergency situations where users need to regain access to their accounts quickly.
The Tier 2 Support role also has the ability to invalidate refresh tokens for all users, which can be used to force sign-out and reset user sessions. This is a critical capability for maintaining security and preventing unauthorized access.
Here's a list of some of the key actions that the Tier 2 Support role can perform:
The Tier 2 Support role therefore has broad capabilities for managing user accounts and maintaining security in Azure DevOps. Note, however, that this role is deprecated and should not be used unless absolutely necessary.
License
In Azure DevOps, the License Administrator role allows users to manage license assignments on users and groups. This role has specific permissions that enable them to read, add, remove, and update license assignments.
With the License Administrator role, you can assign product licenses to groups for group-based licensing. This is a crucial task that requires careful management to ensure that users have the necessary licenses to access the services they need.
The License Administrator role also includes the ability to reprocess license assignments for group-based licensing. This ensures that any changes to license assignments are reflected accurately and promptly.
To manage user licenses, the License Administrator role provides the permission to manage user licenses. This includes the ability to assign licenses to users and update their usage location.
Here are some key actions associated with the License Administrator role:
Note that this role does not grant the ability to purchase or manage subscriptions, create or manage groups, or create or manage users, apart from updating their usage location.
Sources
- https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/devops
- https://en.wikipedia.org/wiki/Azure_DevOps_Server
- https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference
- https://k21academy.com/microsoft-azure/az-400/az-400-roles-and-responsibilities-as-an-azure-devops-engineer/
- https://roadmap.sh/devops