Deployment control using approvals

Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019

With Azure release pipelines, you can enable manual deployment approvals for each stage in a release pipeline to control your deployment workflow. When you use manual approvals, the deployment is paused at each point where approval is required until the specified approver grants approval, rejects the release, or reassigns the approval to another user.

Deployment approvals

You can set up approvals at the start of a stage (predeployment approvals), at the end of a stage (post-deployment approvals), or for both.

Predeployment approvals

  1. Select your classic release pipeline, and then select the Pre-deployment conditions icon and then select the toggle button to enable Pre-deployment approvals.

  2. Add your Approvers and then choose the Timeout period. You can add multiple users or groups to the list of approvers. You can also select your Approval policies depending on your deployment workflow.

    A screenshot showing how to set up predeployment approvals.

Note

Azure DevOps doesn’t expand Azure Active Directory groups when delivering Notifications. If you must use Azure AD groups, we suggest that you add an email alias as an explicit recipient to your subscription and associate that alias with your AD group, if applicable to your scenario.

Post-deployment approvals

  1. Select your classic release pipeline, and then select the Post-deployment conditions icon and then select the toggle button to enable Post-deployment approvals.

  2. Add your Approvers and then choose the Timeout period. You can add multiple users or groups to the list of approvers. You can also select your Approval policies depending on your deployment workflow.

    A screenshot showing how to set up post-deployment approvals.

Note

Deployment approvers must have View releases permissions.

  • Approvers: When a group is specified as approvers, only one user from that group is needed to approve, resume, or reject deployment.

  • Timeout: If no approval is granted within the Timeout period, the deployment is rejected.

  • Approval policies:

    • For added security, you can add this approval policy to prevent the user who requested the release from approving it. If you're experimenting with approvals, uncheck this option so that you can approve or reject your own deployments. See How are the identity variables set? to learn more about identity variables.
    • This policy lets you enforce multifactor authentication in the release approval flow. If this policy is checked, it prompts approvers to re-sign in before approving releases. This feature is only available in Azure DevOps Services for Microsoft Entra backed accounts only.
    • Reduce user workload by automatically approving subsequent prompts if the specified user has already approved the deployment to a previous stage in the pipeline (applies to predeployment approvals only).

Approval notifications

You can enable notifications from your project settings to subscribe to release events. Emails are sent to approvers with links to the summary page where they can approve/reject the release.

  1. From your project, select gear icon Project settings.

  2. Select Notifications from the left navigation pane, and then select New subscription > Release to add a new event subscription.

    A screenshot showing project notifications.