Add organization users and manage access

Azure DevOps Services

Learn how to add users to your organization and manage user access through direct assignment. For an overview of adding users and related concepts, see About organization management in Azure DevOps. Users can include human users, service accounts, and service principals.

The following types of users can join your Azure DevOps Services organization for free:

• Five users who get Basic features, such as version control, tools for Agile, Java, build, release, and more
• Unlimited users who get Stakeholder features, such as working with your backlog, work items, and queries. Don't use Stakeholder access as a substitute for more limited permissions, as users with a Visual Studio subscription or a GitHub Enterprise license automatically get upgraded from Stakeholder when they sign in. For more information, see Stakeholder access quick reference.
• Unlimited Visual Studio subscribers who also get Basic or Basic + Test Plan features, depending on their subscription level.
• Unlimited GitHub Enterprise users who also get Basic features when they sign in with their GitHub Enterprise account.

Need more users with Basic features?

Note

For information about inviting external users, see Add external user.

Prerequisites

Category	Requirements
Permissions	Member of the Project Collection Administrators group. Organization owners are automatically members of this group.
Organization	An organization.

For an overview of the methods supported for adding users to an organization, see Add and manage user access.

Add users to your organization

Administrators can efficiently manage user access by adding users to an organization, granting them access to the appropriate tooling extensions and service access levels, and assigning them to relevant groups—all from a single view. This streamlined process ensures that new users have the necessary permissions and resources to start contributing immediately.

Note

If you have a Microsoft Entra ID-backed organization and need to add users who are external to Microsoft Entra ID, first add external users. On the Tell us about this user page, under Type of user, choose User with an existing Microsoft account. After completing those steps, follow these instructions to add the Microsoft Entra ID user to Azure DevOps.

You can add up to 50 users in a single transaction. When you add users, each user receives a notification email with a link to the organization page, allowing them to easily access and start using the organization's resources.

Browser

To give other users access to your organization, do the following steps:

1. Sign in to your organization (https://dev.azure.com/{yourorganization}).

2. Select Organization settings.

   

3. Select Users > Add users.

   

4. Enter the following information.

   

   • Users: Enter the email addresses (Microsoft accounts) or GitHub usernames of the users. You can add multiple email addresses by separating them with a semicolon ;. Accepted email addresses appear in red. For more information about GitHub authentication, see Connect to GitHub/FAQs. To add a service principal, enter the display name of the application or managed identity.
     • Access level: Set the access level to Basic for users who contribute to the code base. For more information, see About access levels.
   • Add to projects: Select the project to which you want to add the users.
   • Azure DevOps Groups: Leave as Project Contributors, the default security group for users who contribute to your project. For more information, see Default permissions and access assignments.

   Note

   Add email addresses for personal Microsoft accounts and IDs for GitHub accounts unless you plan to use Microsoft Entra ID to authenticate users and control organization access. If a user doesn't have a Microsoft or GitHub account, ask them to sign up for a Microsoft account or a GitHub account.

5. Select Add to complete your invitation.

Azure DevOps CLI

Add a user | List users | Remove a user | Update a user | Show users

Add a user

You can add users to an organization by using the az devops user add command. To get started, see Azure DevOps CLI.

Azure CLI

az devops user add –-email-id 
		   --license-type {advanced, earlyAdopter, express, professional, stakeholder}
		   [--send-email-invite {false, true}]
           [--org]

Parameters

• email-id: Required. Enter the Microsoft account's email address for the user organization.
• license-type: Required. Enter stakeholder, express, professional, or advanced based on the mapping provided in the following table. For Users who contribute to the code base require express or higher level of license-type. For more information, see About access levels.
• send-email-invite: Optional. Specify whether to send email invite for new user or not.
• org: Azure DevOps organization URL. You can configure the default organization using az devops configure -d organization=ORG_URL. Required if not configured as default or picked up using git config. Example: --org https://dev.azure.com/MyOrganizationName/.

The following table provides a mapping of the access level selected through the user interface and the AccountLicenseType parameter.

Access level (user interface)	AccountLicenseType
Stakeholder	stakeholder
Basic	express
Basic + Test Plans	advanced

Note

The earlyAdopter AccountLicenseType is an internal value used solely by Microsoft.

Example

The following command adds the user with the email address contoso@contoso.com to your organization. It grants stakeholder level access to the user and shows the result in table format.

Azure CLI

az devops user add --email-id contoso@contoso.com --license-type stakeholder --output table

ID                                    Display Name          Email                 License Type    Access Level    Status

------------------------------------  --------------------  --------------------  --------------  --------------  --------
35b1952b-ca8c-45b5-a60c-d6b0086aa584  contoso@contoso.com   contoso@contoso.com   stakeholder     Stakeholder     pending 

You can also add the user to the project-level Contributors group, the default Azure DevOps security group for people who contribute to your project. For more information, see Add or remove users or groups, manage security groups.

Azure CLI

az devops security group membership --group-id vssgp.Uy0xLTktMTU1MTM3NDI0NS0xMTM1NzQ1NzUzLTExNDI0NTQwOTQtMjQ4MjkwODAwNS0xNDU4NjAwODE1LTEtMTY5NTI2NTAyNi00MjM0Mzc1NS0yMTY5ODM4OTczLTI0NDk3NzU5NDE --member-id contoso@contoso.com

You can see all security groups in a project using the az devops security group list command.

For more information about user access, read about access levels.

Note

You can add people to projects instead of to your organization. Users are automatically assigned Basic features if your organization has seats available, or Stakeholder features if not. Learn how to add members to projects.

When a user no longer needs access to your organization, delete them from your organization.

Manage users

From your web browser, you can view and edit certain user information. Using the Azure DevOps CLI, you can see details about a specific user and update their access level.

The Users view displays key information for each user in a table. In this view, you can:

• See and modify assigned service extensions and access levels.
• Multi-select users and bulk edit their extensions and access levels.
• Filter by searching for partial user names, access levels, or extension names.
• See the last access date for each user. This information can help you identify users to remove or lower their access to stay within your license limits. For more information, see Permissions and access.

Browser

1. Sign in to your organization (https://dev.azure.com/{yourorganization}).

2. Select Organization settings.

   

3. Select Users.

   

4. Select a user or group of users. Then, select Actions ... at the end of the Name column to open the context menu.

In the context menu, choose one of the following options:

• Change access level
• Manage user
• Resend invite
• Remove direct assignments
• Remove from organization (deletes user)

5. Save your changes.

Azure DevOps CLI

Add a user | List users | Remove a user |Update a user | Show users

Update a user

You can update a user's license type with the az devops user update command. To get started, see Get started with Azure DevOps CLI.

Azure CLI

az devops user update  --license-type {advanced, earlyAdopter, express, professional, stakeholder}
                      --user [--org]

Parameters

• license-type: License type for the user. Accepted values are advanced, earlyAdopter, express, professional, and stakeholder.
• user: The email address or ID of the user.
• org: Azure DevOps organization URL. You can configure the default organization using az devops configure -d organization=ORG_URL. Required if not configured as default or picked up using git config. Example: --org https://dev.azure.com/MyOrganizationName/.

Example

The following command updates the license type for email address contoso@contoso.com from Basic to Stakeholder and shows the result in table format.

Azure CLI

az devops user update --license-type stakeholder --user contoso@contoso.com --output table

ID                                    Display Name         Email                License Type    Access Level    Status
------------------------------------  -------------------  -------------------  --------------  --------------  --------

35b1952b-ca8c-45b5-a60c-d6b0086aa584  contoso@contoso.com  contoso@contoso.com  stakeholder     Stakeholder     pending

Show users

You can show details for users in your organization with the az devops user show command. To get started, see Azure DevOps CLI.

Azure CLI

az devops user show --user [--org]

Parameters

• user: The email address or ID of the user.
• org: Azure DevOps organization URL. You can configure the default organization using az devops configure -d organization=ORG_URL.

Required if not configured as default or picked up using git config. Example: --org https://dev.azure.com/MyOrganizationName/.

Example

The following command returns user details for the email address contoso@contoso.com in table format.

Azure CLI

az devops user show --user contoso@contoso.com --output table

ID                                    Display Name         Email                License Type    Access Level    Status
------------------------------------  -------------------  -------------------  --------------  --------------  --------

35b1952b-ca8c-45b5-a60c-d6b0086aa584  contoso@contoso.com  contoso@contoso.com  stakeholder     Stakeholder     active

Restrict user visibility to organization and project information

To restrict certain users' access to organizational information, enable the Limit user visibility and collaboration to specific projects preview feature and add the users to the Project-Scoped Users group. Once added, users in that group can't access projects that they aren't explicitly added to.

Note

Users and groups added to the Project-Scoped Users group have limited access to project and organization information. They also have restricted access to specific identities through the people picker. For more information, see Limit user visibility for projects, and more.

To add users to the new Project-Scoped Users group, do the following steps:

1. Sign in to your organization (https://dev.azure.com/{yourorganization}).

2. Turn on the Limit user visibility and collaboration to specific projects preview feature for the organization. For more information, see Manage preview features.

   Tip

   The Project-Scoped Users group only appears under Permissions > Groups once Limit user visibility and collaboration to specific projects preview feature gets enabled.

3. Add users or groups to your project by following the steps in Add users to a project or team. When you add users to a team, they automatically get added to both the project and the team group.

4. Select Organization settings.

   

5. Select Security > Permissions > Project-Scoped Users.

6. Choose the Members tab.

7. Add all users and groups that you want to scope to the project you added them to.

For more information, see Add or remove users or groups, manage security groups.

Warning

Consider the following limitations when using this preview feature:

• The limited visibility features described in this section apply only to interactions through the web portal. With the REST APIs or azure devops CLI commands, project members can access the restricted data.
• Users in the limited group can only select users who are explicitly added to Azure DevOps and not users who have access through Microsoft Entra group membership.
• Guest users who are members in the limited group with default access in Microsoft Entra ID, can't search for users with the people picker.

FAQ

Q: Which email addresses can I add?

A:

• If your organization is connected to Microsoft Entra ID, you can only add email addresses that are internal to the directory.
  • Add email addresses of users who have "personal" Microsoft accounts unless you authenticate users and control access through Microsoft Entra ID using your organization's directory.
• If your organization is connected to your directory, all users must be directory members. They must sign in to Azure DevOps with work or school accounts managed by your directory. If they aren't members, they need to be added to the directory.

After you add members to your project, each member receives an invitation email with a link to your organization. They can use this link to sign in and access your project. First-time members might get asked for more details when they sign in to personalize their experience.

Q: What if users don't get or lose the invitation email?

A:

• For Organizations connected to Microsoft Entra ID: If you're inviting users from outside your Microsoft Entra ID, they must use their email. Removing users from the organization removes both their access and their license. However, any artifacts assigned to them remain unchanged. You can always invite users back into the organization if they exist in the Microsoft Entra tenant. After they're removed from Microsoft Entra ID, you can't assign any new artifacts (work items, pull requests, and so on) to them. The history of artifacts already assigned to the users is preserved.

• For Organizations with Microsoft accounts: You can send a link to the project page, included in the invitation email, to new team members. Removing users from the organization removes both their access and their licenses. You can no longer assign any new artifacts (work items, pull requests, and so on) to these users. However, any artifacts previously assigned to them remain unchanged.

Q: Why can't I add any more members?

A: See Q: Why can't I add any more members to my project?.

Q: How is access different from permissions?

A: Access levels determine a user's access to specific web portal features based on their subscription. Permissions control a user's ability to perform specific operations, which get governed by security group membership or specific Access Control Level (ACL) assignments made to a user or group.

Next steps

Set up billing

Related articles

• Create a project
• Invite external users
• Manage access to specific features and functions
• Delete users from Azure DevOps
• Export a list of users and their access levels