Add organization users and manage access
Azure DevOps Services
Learn how to add users to your organization and manage user access through direct assignment. For an overview of adding users and related concepts, see About organization management in Azure DevOps. Users can include human users, service accounts, and service principals.
The following types of users can join your Azure DevOps Services organization for free:
- Five users who get Basic features, such as version control, tools for Agile, Java, build, release, and more
- Unlimited users who get Stakeholder features, such as working with your backlog, work items, and queries
- Unlimited Visual Studio subscribers who also get Basic or Basic + Test Plan features, depending on their subscription level.
For information about inviting external users, see Add external user.
- You must have an organization. If you don't have an organization yet, create one.
- You must be a member of the Project Collection Administrators group. Organization owners are automatically members of this group.
For an overview of the methods supported for adding users to an organization, see About organization management, Add and manage user access.
Add users to your organization
Administrators can add users to an organization, grant access to appropriate tooling extensions and service access levels, and add users to groups - all in one view.
If you have an Azure Active Directory (Azure AD)-backed organization, and you need to add users who are external to Azure AD, first add external users. On the Tell us about this user page, under Type of user, be sure to choose User with an existing Microsoft account. After you complete those steps, use the following steps to add the Azure AD user to Azure DevOps.
You can add up to 50 users in a single transaction. When you add users, each user receives a notification email with a link to the organization page.
To give other users access to your organization, add their email addresses.
Sign in to your organization (
Select Organization settings.
Select Users, and then select Add users.
Enter the following information.
- Users: Enter the email addresses (Microsoft accounts) or GitHub usernames for the users. You can add several email addresses by separating them with a semicolon (;). An email address appears in red when it's accepted. For more information about GitHub authentication, see FAQs. To add a service principal, enter the display name of the application or managed identity.
- Access level: Leave the access level as Basic for users who contribute to the code base. To learn more, see About access levels.
- Add to projects: Select the project you want to add them to.
- Azure DevOps Groups: Leave as Project Contributors, the default security group for users who contribute to your project. To learn more, see Default permissions and access assignments.
Add email addresses for personal Microsoft accounts and IDs for GitHub accounts unless you plan to use Azure Active Directory (Azure AD) to authenticate users and control organization access. If a user doesn't have a Microsoft or GitHub account, ask the user to sign up for a Microsoft account or a GitHub account.
Select Add to complete your invitation.
For more information about user access, read about access levels.
You can add people to projects instead of to your organization. Users are automatically assigned Basic features if your organization has seats available, or Stakeholder features if not. Learn how to add members to projects.
When a user no longer needs access to your organization, delete them from your organization.
From your web browser, you can view and edit certain user information. With Azure DevOps CLI commands, you can see details about a specific user and update their access level.
The Users view shows key information per user in a table. In this view, you can do the following tasks:
- See and modify assigned service extensions and access levels.
- Multi-select users and bulk edit their extensions and access.
- Filter by searching for partial user names, access level, or extension names.
- See the last access date for each user. This information can help you choose users to remove access from or lower access to stay within your license limits. For more information, see Manage access with Azure AD.
Sign in to your organization (
Select Organization settings.
Select a user or group of users. Then, select Actions ... at the end of the Name column to open the context menu.
In the context menu, select one of the following options:
- Change access level
- Remove direct assignments
- Remove from organization (deletes user)
Save your changes.
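An added example (not from the original page or from Microsoft): one way to run the last-access review described above over an exported user list. The JSON shape (modeled on what `az devops user list --output json` is assumed to return), the `express`/`stakeholder` license values, the `0001-01-01` never-signed-in marker, and the 90-day threshold are assumptions. The sample data is constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample. The field names follow the shape that
# `az devops user list --output json` is assumed to produce.
SAMPLE_EXPORT = json.dumps({"members": [
    {"user": {"principalName": "dev1@example.com"},
     "accessLevel": {"accountLicenseType": "express"},
     "lastAccessedDate": "2024-05-28T09:12:44Z"},
    {"user": {"principalName": "dev2@example.com"},
     "accessLevel": {"accountLicenseType": "express"},
     "lastAccessedDate": "2023-11-02T00:00:00Z"},
    {"user": {"principalName": "contractor@example.com"},
     "accessLevel": {"accountLicenseType": "express"},
     "lastAccessedDate": "2024-01-15T00:00:00Z"},
    {"user": {"principalName": "svc-build@example.com"},
     "accessLevel": {"accountLicenseType": "stakeholder"},
     "lastAccessedDate": "0001-01-01T00:00:00Z"},
]})
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed review date
NEVER = datetime(1, 1, 1, tzinfo=timezone.utc)  # assumed "never signed in" value


def parse_ts(value):
    # Keep only YYYY-MM-DDTHH:MM:SS so fractional seconds and "Z" do not matter.
    parsed = datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S")
    return parsed.replace(tzinfo=timezone.utc)


def review_access(export_json, now, stale_days=90):
    """Return (principal, license, days_inactive) for users to review.

    days_inactive is None for accounts that have never signed in.
    """
    cutoff = now - timedelta(days=stale_days)
    findings = []
    for member in json.loads(export_json).get("members", []):
        last = parse_ts(member.get("lastAccessedDate") or "0001-01-01T00:00:00")
        if last > NEVER and last >= cutoff:
            continue  # recently active: nothing to review
        days = None if last <= NEVER else (now - last).days
        findings.append((member["user"]["principalName"],
                         member["accessLevel"]["accountLicenseType"], days))
    return sorted(findings, key=lambda f: f[0])


if __name__ == "__main__":
    for principal, license_type, days in review_access(SAMPLE_EXPORT, SAMPLE_NOW):
        status = "never signed in" if days is None else f"inactive {days} days"
        print(f"{principal:28} {license_type:12} {status}")
```

Each finding is a candidate for the Change access level or Remove from organization action in the Users view. Service accounts that never sign in interactively need a manual check before removal.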
Restrict user view to organization projects
To limit select users' access to organizational information, enable the Limit user visibility and collaboration to specific projects preview feature and add the users to the Project-Scoped Users group. Once added, users in that group can't access projects that they haven't been added to.
Users and groups added to the Project-Scoped Users group have limited access to project and organization information as well as limited access to select identities through the people picker. For more information, see Manage your organization, Limit user visibility for projects and more.
Complete the following steps to add users to the new Project-Scoped Users group:
Sign in to your organization (
Enable the Limit user visibility and collaboration to specific projects preview feature for the organization. To learn how, see Manage or enable features.
The Project-Scoped Users group only appears under Permissions > Groups once the Limit user visibility and collaboration to specific projects preview feature is enabled.
Add users or groups to your project(s) as described in Add users to a project or team. Users added to a team are automatically added to the project and team group.
To open Organization settings, choose Organization settings.
Open Security > Permissions and choose Project-Scoped Users. Choose the Members tab. Add all users and groups that you want to scope to the project(s) you've added them to.
- The limited visibility features described in this section apply only to interactions through the web portal. With the REST APIs or azure devops CLI commands, project members can access the restricted data.
- Guest users who are members of the limited group with default access in Azure AD can't search for users with the people picker. When the preview feature is turned off or when guest users aren't members of the limited group, guest users can search all Azure AD users, as expected.
For more information, see Add or remove users or groups, manage security groups.
When the Limit user visibility and collaboration to specific projects preview feature is enabled for the organization, project-scoped users are unable to search for users who were added to the organization through Azure Active Directory group membership, rather than through an explicit user invitation. This is an unexpected behavior and a resolution is being worked on. To self-resolve this issue, disable the Limit user visibility and collaboration to specific projects preview feature for the organization.
Q: Which email addresses can I add?
If your organization is connected to Azure Active Directory, you can add only email addresses that are internal to the directory.
If your organization is connected to your directory, all users must be directory members. They must sign in to Azure DevOps with work or school accounts managed by your directory. If they aren't members, they need to be added to the directory.
After you add members to your project, each member gets an invitation email that links to your organization. They can use this link to sign in to your organization and find your project. First-time members might be asked for extra details when they sign in to personalize their experience.
Q: What if they don't get or lose the invitation email?
For organizations connected to Azure AD: If you're inviting users from outside your Azure AD, they must use the email. Removing users from the organization removes both their access and their license. However, any artifacts that were assigned to them remain unchanged. You can always invite users back into the organization if they exist in the Azure AD tenant. After they're removed from Azure AD, you can't assign any artifacts (work items, pull requests, and so forth) to them. We preserve the history of artifacts that have already been assigned to the users.
For organizations with Microsoft accounts: You can send a link to the project page, which the email contains, to the new team members. Removing users from the organization removes both their access and their licenses. You can no longer assign any artifacts (work items, pull requests, and so forth) to these users. However, any artifacts that were assigned to them remain unchanged.
Q: Why can't I add any more members?
Q: How is access different from permissions?
A: Access levels control user access to select web portal features, based on the user's subscription. Permissions control a user's access to select operations, based on security group membership or specific Access Control Level (ACL) assignments made to a specific user or group.