Share via

How to find the number of security groups a specific user is assigned to in Azure DevOps

Yash Tiwari 240 Reputation points
2025-06-18T08:34:36.2066667+00:00

I would like to check how many security groups a specific user is assigned to in Azure DevOps, both through the UI and using the REST API. Could you please guide me on the steps or the appropriate API endpoints to retrieve this information?

Also from my understanding i found that if the user is present in multiple groups let's say 4 , and in any group the permission is denied e.g. View project-level permission is denied in 1 group but is allowed in the other three then the overall permission will be denied for this user. Is this understanding correct?

Azure DevOps
0 comments
Answer accepted by question author
  1. Durga Reshma Malthi 11,595 Reputation points Microsoft External Staff Moderator
    2025-06-18T09:30:05.53+00:00

    Hi Yash Tiwari

    To check how many security groups a specific user is assigned to in Azure DevOps, you can do this both through the Azure DevOps UI and using the REST API.

    Checking Security Groups through the UI:

    Go to Azure DevOps -> Select your Project -> Project Settings -> Permissions -> Users -> Click on your username -> Member of -> you can see which security groups belong to.

    Checking Security Groups using the REST API:

    1. First, you need to get the user's ID. You can use the following endpoint to get the user details: 
         GET https://dev.azure.com/{organization}/_apis/userentitlements?api-version=6.0
    2. Once you have the user ID, you can retrieve the security groups the user is a member of using the following endpoint: 
         GET https://vssps.dev.azure.com/{organization}/_apis/graph/memberships/{userId}?api-version=6.0

    Alternatively, you can use the Graph API to list group memberships:

    • Get the User Descriptor: 
        GET https://vssps.dev.azure.com/{organization}/_apis/graph/users?api-version=7.1-preview.1
    • List Groups for the User: 
        GET https://vssps.dev.azure.com/{organization}/_apis/graph/memberships/{userDescriptor}?direction=up&api-version=7.1-preview.1

    In Azure DevOps, an explicit “Deny” always overrides “Allow”, even if the user is in multiple groups.

    Additional References:

    https://learn.microsoft.com/en-us/rest/api/azure/devops/memberentitlementmanagement/user-entitlements/get-user-entitlements?view=azure-devops-rest-5.0

    Hope this helps!

    Please Let me know if you have any queries.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Durga Reshma Malthi 11,595 Reputation points Microsoft External Staff Moderator
    2025-06-18T12:54:06.0033333+00:00

    Hi Yash Tiwari

    Currently there is no single Azure DevOps REST API that directly returns all group names for a user without first returning descriptors and then resolving them individually.

    For each group descriptor you retrieved, call this endpoint:

    GET https://vssps.dev.azure.com/{organization}/_apis/graph/groups/{groupDescriptor}?api-version=7.1-preview.1

    This will return a response like:

    {
  "descriptor": "vssgp.Uy0xLTkt...",
  "displayName": "Project Administrators",
  "principalName": "[TEAM FOUNDATION]\\Project Administrators",
  ...
}

    Here displayName -> user-friendly group name and principalName -> full path, useful if you want project-scoped groups.

    Hope this helps!

    Please Let me know if you have any queries.

    1 person found this answer helpful.
    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.