Share via

evolute rules in azure devops

Varma 1,620 Reputation points
2026-03-19T14:42:58.3266667+00:00

WHy we use evalute rules in azure devops security groups?

Please give me scenario

Azure DevOps

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Rakesh Mishra 9,685 Reputation points Microsoft External Staff Moderator
    2026-03-20T16:31:56.23+00:00

    Hi Varma,

    Thanks for your question! To make sure we give you the most accurate answer, could you clarify what you mean by "Evaluate Rules" in Azure DevOps? The term could refer to a few different things:

    1. The "Evaluate Rules" on-demand button under Organization Settings → Users → Group Rules, which manually re-triggers group rule evaluation for access levels.
    2. The automatic rule evaluation that happens when work item field rules (like REQUIRED or READONLY) are applied based on a user's security group membership.
    3. The "Evaluate" option in repository or branch security settings, which calculates a user's effective permissions by combining all Allow/Deny rules.

    Could you let us know:

    • Where exactly are you seeing "Evaluate Rules" in Azure DevOps? (e.g., Organization Settings, Project Settings, Repo Security, Work Item Process)
    • Are you working with Azure DevOps Services (cloud) or Azure DevOps Server (on-premises)?
    • A screenshot of the screen you are referring to would also be very helpful!

    This will help us point you to the right explanation and scenario. Looking forward to your response!

    Was this answer helpful?

    0 comments

  2. AI answer

    2026-03-19T14:43:13.9733333+00:00

    “Evaluate rules” in the context of Azure DevOps work item rules and security groups refers to how Azure DevOps checks whether a rule that depends on user or group membership applies to the current user when they modify a work item.

    Why this is used

    Rules can be scoped so they only apply to certain users or groups. For example:

    • Make a field required only for a specific group.
    • Make a field read-only for everyone except a specific group.

    To do this, Azure DevOps must evaluate (check) the current user’s group membership when the rule runs. That is the “evaluation” of the rule against security groups.

    How rule evaluation works with groups

    From the context:

    • When a work item is modified via web portal, REST API, or azure boards command, Azure DevOps calls Microsoft Entra ID / Active Directory to check if the user is in the specified group.
    • When modified via older clients using the WIT Client Object Model (Visual Studio, Excel, custom tools), evaluation uses a client-side cache that does not understand AD groups.

    Because of this, guidance is:

    • Use Azure DevOps security groups (not raw AD groups) in rules that depend on membership. This avoids inconsistent behavior across clients.

    Concrete scenarios

    1. Make a field required only for a specific group (on-premises XML example)
    <FIELD name="Second Approver">
  <REQUIRED for="Example1\Junior Analysts"/>
</FIELD>

    Scenario: Only “Junior Analysts” must fill in “Second Approver”. When a user edits the work item, Azure DevOps evaluates whether the user is in Example1\Junior Analysts. If yes, the REQUIRED rule applies; if not, it does not.

    1. Make a field read-only for everyone except a triage group
    <FIELD name="Triage Description">
  <READONLY not="[Project]\\Triage Committee" />
</FIELD>

    Scenario: Only members of [Project]\Triage Committee can edit “Triage Description”. For all other users, the field is read-only. Azure DevOps evaluates whether the current user is in that group each time the work item is edited.

    1. Different behavior for different groups on the same field
    <FIELD name="Severity">
  <REQUIRED for="[Project]\\Project Members" not="[Global]\\Project Admins"/>
</FIELD>

    Scenario: “Severity” is required for normal project members but not required for project admins. If a user belongs to both groups, the for condition wins and the field is required. Again, this is decided by evaluating group membership when the rule runs.

    Why this matters

    • Security and governance: Ensures only the right people can change critical fields or are forced to provide certain data.
    • Consistency: Using Azure DevOps security groups ensures rule evaluation works reliably across different clients (web, REST, etc.).
    • Least privilege: Combined with security groups, rules help enforce that only specific roles can perform sensitive updates.

    References:

    AI-generated content may be incorrect. Read our transparency notes for more information.

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.