Edit

Add Active Directory / Microsoft Entra users or groups to a built-in security group

  • Article

Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019

As described in About security, authentication, and authorization, there are two main types of built-in security groups: project-level and collection-level. In general, you add users and groups to a project-level group such as Contributors and Readers. For users that need to administrate select features and functions, add them or associated groups to the Build Administrators or Project Administrators groups.

Review Default permissions and access to gain insight into the default permissions provided to the built-in, project-level security groups.

Learn how to do the following task:

  • Add a Microsoft Entra user or group to a built-in security group

Learn how to do the following task:

  • Add an Active Directory user or group to a built-in security group

The method for adding a user or group to a built-in security group is the same, no matter at what level you add them.

Note

If the Limit user visibility and collaboration to specific projects preview feature is enabled for the organization, users added to the Project-Scoped Users group won't be able to access projects that they haven't been added to. For more information, see Manage your organization, Limit user visibility for projects and more.

Warning

When the Limit user visibility and collaboration to specific projects preview feature is enabled for the organization, project-scoped users are unable to search for users who were added to the organization through Microsoft Entra group membership, rather than through an explicit user invitation. This is an unexpected behavior and a resolution is being worked on. To self-resolve this issue, disable the Limit user visibility and collaboration to specific projects preview feature for the organization.

Add Microsoft Entra user or group to a built-in security group

Important

If you're adding a user to Azure DevOps for the first time, see Add users for Azure DevOps. To manage the permissions of a Microsoft Entra group in Azure DevOps, you must first add the Microsoft Entra group to a built-in security group. Once you complete this task, you can then manage your Microsoft Entra group permissions throughout Azure DevOps.

Note

To enable the Project Permissions Settings Page preview page, see Enable preview features.

  1. Open the web portal and choose the project where you want to add users or groups. To choose another project, see Switch project, repository, team.

  2. Choose Project settings, and then Permissions.

    Choose Project settings, and then Permissions

  3. Open Security and under the Groups section, choose one of the following actions:

    • To add users who require read-only access to the project, choose Readers.
    • To add users who need to contribute fully to the project or who have been granted Stakeholder access, choose Contributors.
    • For users who need to administrate the project, choose Project Administrators.

  4. Next, choose the Members tab.

    Here we choose the Contributors group.

    Admin context, Security page, Contributors group, Membership page

    By default, the default team group and all other teams you add to the project are included as members of the Contributors group. So, you can choose to add a new user as a member of a team instead, and the user would automatically inherit Contributor permissions.

  5. Choose Add to add a user or a user group.

  6. Enter the name of the user into the text box. You can enter several identities into the text box, separated by commas. The system automatically searches for matches. Choose the match(es) that meets your choice.

    Add users and group dialog

    Note

    The first time you add a user or group, you can't browse to it or check the friendly name. After the identity has been added, you can just enter the friendly name.

Add an Active Directory user or group to a built-in security group

  1. Open the web portal and choose the project where you want to add users or groups. To choose another project, see Switch project, repository, team.

  2. Choose Project Settings, and then Security.

    Project Settings>Security

  3. Open Security and under the Groups section, choose one of the following actions:

    • To add users who require read-only access to the project, choose Readers.
    • To add users who need to contribute fully to the project or who have been granted Stakeholder access, choose Contributors.
    • For users who need to administrate the project, choose Project Administrators.

  4. Next, choose the Members tab.

    Here we choose the Contributors group.

    Admin context, Security page, Contributors group, Membership page

    By default, the default team group and all other teams you add to the project are included as members of the Contributors group. So, you can choose to add a new user as a member of a team instead, and the user would automatically inherit Contributor permissions.

  5. Choose Add to add a user or a user group.

  6. Enter the name of the user into the text box. You can enter several identities into the text box, separated by commas. The system automatically searches for matches. Choose the match(es) that meets your choice.

    Add users and group dialog

    Note

    The first time you add a user or group, you can't browse to it or check the friendly name. After the identity has been added, you can just enter the friendly name.

Next steps

Request an increase in permission levels