Change access levels

Azure DevOps Server 2022 - Azure DevOps Server 2019


This article applies to Azure DevOps Server (on-premises). To manage access levels for Azure DevOps Services (cloud), see Add users to your organization or project.

Access levels grant or restrict access to use the functions and features that Azure DevOps Server provides. Access levels are in addition to permissions granted through security groups, which provide or restrict specific tasks. In this article, learn how to change access levels for users and groups. For more information, see About access levels.

For a simplified overview of the permissions that are assigned to the most common groups—Readers, Contributors, and Project Administrators—and the Stakeholder access group, see Permissions and access.


Select a version from Azure DevOps Content Version selector.

Select the version of this article that corresponds to your platform and version. The version selector is above the table of contents. Look up your Azure DevOps platform and version.


Open access levels

You can manage access levels for the collections defined on the application tier. The default access level affects all the projects in all the collections. When you add users or groups to teams, projects, or collections, they get the default access level. To give a different access level to a certain user or group, you need to add them to a non-default access level.

  • From the web portal home page for a project collection (for example, http://MyServer:8080/tfs/DefaultCollection/), open Access levels. If you're at a project level, choose the Azure DevOps logo and then choose Access levels.

    Screenshot of web portal, Open Access levels dialog.

    If you don't see Access levels, you aren't an administrator and need to get permission.

Add a user or group to an access level

Changes you make to the access level settings take effect immediately.

  1. Select the access level you want to manage.

    For example, here we choose Basic, and then Add to add a group to Basic access.

    Screenshot of Basic access level, adding group.

  2. Enter the name of the user or group into the text box. You can enter several identities into the text box, separated by commas. The system automatically searches for matches. Choose the matches that meet your choice.

    Screenshot of Add users and group dialog.

  3. Choose Save changes.

Change the access level for a user or group

To assign a different access level to a user or group, you need to first delete their current access level and then grant them the new one.

Make sure to set each user's access level based on what you've purchased for that user. Basic access includes all Stakeholder features - Basic + Test Plans. Advanced and Visual Studio Enterprise subscriber access levels include all Basic features.

  1. Choose the user or group and then select Remove.

    Screenshot of Collection level permissions and groups page.

  2. Add the user or group to the other access level following the steps provided in the previous section.

Change the default access level

Make sure the default access level is the same as the access you're licensed for. When you set the default access level to Stakeholder, only the users who are given the Basic or a higher level can access more features than the Stakeholder level.

You can set an access level from its page. Choose Set as default access level as shown.

Screenshot of Stakeholder access level, set as default.


Service accounts get added to the default access level. If you set Stakeholder as the default access level, you must add the Azure DevOps service accounts to the Basic or an advanced access level group.