Restrict organization creation via Microsoft Entra tenant policy

Azure DevOps Services

Learn how to turn on the Microsoft Entra tenant policy, which restricts users from creating an organization in Azure DevOps. This policy is turned off by default.

Prerequisites

You must be an Azure DevOps Administrator in Microsoft Entra ID to manage this policy. It isn't a requirement to be a Project Collection Administrator.

If you don't see the policy section in Azure DevOps, then you aren't an administrator. To check your role, sign in to the Azure portal, and then choose Microsoft Entra ID > Roles and administrators. If you aren't an Azure DevOps Administrator, talk to your administrator.
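The same role check can be scripted. The following is an added example, not part of the original page: it assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can consent to the `RoleManagement.Read.Directory` and `Directory.Read.All` scopes. It lists the active holders of the Azure DevOps Administrator role, which is the set of identities able to manage this policy.

```powershell
# Added example: enumerate active holders of the Azure DevOps Administrator role.
# Assumes the Microsoft.Graph PowerShell module is installed and the scopes
# below can be consented to in this tenant.
$roleName = 'Azure DevOps Administrator'

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All'

# Resolve the built-in role by display name instead of hard-coding its ID.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $role) { throw "Role '$roleName' was not found in this tenant." }

# Active assignments only. Eligible (PIM) assignments are not returned here.
$assignments = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "roleDefinitionId eq '$($role.Id)'" `
    -ExpandProperty Principal -All

$holders = foreach ($a in $assignments) {
    $p = $a.Principal.AdditionalProperties
    [pscustomobject]@{
        # user, group or servicePrincipal
        Type        = ($p['@odata.type'] -replace '^#microsoft\.graph\.', '')
        DisplayName = $p['displayName']
        UPN         = $p['userPrincipalName']
        Scope       = $a.DirectoryScopeId
    }
}

$holders | Sort-Object Type, DisplayName | Format-Table -AutoSize

# Report whether the signed-in account holds the role by direct assignment.
# Membership through a role-assignable group is not resolved by this check.
$me = (Get-MgContext).Account
if ($holders | Where-Object { $_.UPN -eq $me }) {
    Write-Output "$me holds '$roleName' directly."
} else {
    Write-Output "$me has no direct active assignment of '$roleName'."
}
```

Reviewing this list periodically shows who can turn the policy off or edit the allowlist.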


Turn on the policy

  1. Sign in to your organization (https://dev.azure.com/{yourorganization}).

  2. Select Organization settings (gear icon).


  3. Select Microsoft Entra ID, and then switch the toggle to turn on the policy, restricting organization creation.


Optional

Create allowlist

Warning

We recommend using groups with your tenant policy allowlist(s). If you use a named user, be aware that a reference to the named user's identity will reside in the United States, Europe (EU), and Southeast Asia (Singapore).

With the policy turned on, all users are restricted from creating new organizations. Grant an exception to users with an allowlist. Users on the allowlist can create new organizations, but they can't manage the policy.

  1. Select Add Microsoft Entra user or group.


Create error message

When administrators who aren't on the allowlist try to create an organization, they get an error similar to the following example.

Error message example

Customize this error message in the policy settings in Azure DevOps.

  1. Select Edit display message.


  2. Enter your customized message, and then choose Save.


The error message is customized.


Note

Administrators who aren't on the allowlist can't connect their organization to the Microsoft Entra tenant where the policy is turned on.

Connection failed error