Access with Microsoft Entra groups
Azure DevOps Services
Do you want an easier way to control who can access your team's critical resources and key business assets in Azure DevOps Services? If you already use Microsoft services like Microsoft 365 or Microsoft Entra ID, you can use the same identities with your organization. Microsoft Entra ID works with your organization to control access and authenticate users.
When you organize directory members with Microsoft Entra groups, you can reuse those groups to manage permissions in bulk for your organization. Add those groups to the group that you want. For example, add them to built-in groups like Project Collection Administrators or Contributors, or manually created groups like your project management team. Microsoft Entra group members inherit permissions from the Azure DevOps group, so you don't have to manage group members one at a time.
Not familiar with Microsoft Entra ID, but want to check it out? Learn more about Microsoft Entra ID benefits and differences in how you control organization access with Microsoft accounts or with Microsoft Entra ID.
Note
Due to a functional limitation on Microsoft Graph, service principals will not appear in any list of Microsoft Entra group members on Azure DevOps. Permissions set on any Microsoft Entra groups will still apply to any service principals in the group that have been added to the organizations, even if they are not displaying on the web UI.
Prerequisites
- Your organization must be connected to Microsoft Entra ID. My organization uses Microsoft accounts only. Can I switch to Microsoft Entra ID?. Learn how to connect your organization to Microsoft Entra ID.
- You must be a member of the Project Collection Administrators group. Organization owners are automatically members of this group. You must also have at least Basic access, not Stakeholder.
- To create and manage Microsoft Entra groups, you need Microsoft Entra administrator permissions or have the directory administrator delegate those permissions to you in the Azure portal.
- Microsoft Entra ID changes might take up to 1 hour to be visible in Azure DevOps, but you can immediately reevaluate your permissions.
Add a Microsoft Entra group to an Azure DevOps group
Note
To enable the preview feature, Organization Permissions Settings Page v2, see Enable preview features.
Sign in to your organization (
https://dev.azure.com/{yourorganization}
).Why am I asked to choose between my work or school account and my personal account?
Go to Organization settings.
Choose Permissions, and then select the group you want to add a member to.
Select Members, and then select Add.
You invite guests into Microsoft Entra ID and into your Microsoft Entra ID-backed organizations, without waiting for them to accept. This invitation allows you to add those guests to your organization, grant access to projects, assign extensions, and more.
Add users or groups, and then Save your changes.