Security quick reference index

Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019 | TFS 2018

Use this index to quickly access concepts and tasks related to securing Azure DevOps. If you're new to Azure DevOps, see What is Azure DevOps?

Get started

As individual contributors to Azure DevOps, learn about how permissions and access to features are managed, default permission assignments, how to view your permissions, and how to increase or trace your permissions.

• About permissions, access, & security groups
• Default permissions & access
• View permissions
• Troubleshoot permissions
• Request an increase in permission levels
• Add an alternate account to your Visual Studio subscription

For organization owners or project administrators, learn about authentication and authorization, how to add and manage users and their access, and set organization policies.

• About security, authentication, & authorization
• About access levels
• Add users & manage access (cloud)
• Add users to a project or team

Concepts

---

• Access control entries (ACE)
• Access control list (ACL)
• Access level
• Accounts
• Active Directory
• Auditing
• Authentication
• Authorization
• Azure Active Directory
• Basic access
• Collections
• Conditional access
• Git credential manager

• Inheritance
• Namespaces
• OAuth
• Organizations
• Organization owner
• Permissions
• Permission states
• Personal Access Tokens (PATs)
• Preview features
• Project-scoped User Groups
• Projects
• Resources granted to project members

• Security best practices
• Security groups
• Security policies
• Security roles
• Service accounts
• Service principal
• Secure Sockets Layer (SSL)
• SSH authentication
• Stakeholder access
• Team group
• Tenant
• Token
• Valid users

---

Tasks

The primary tasks for administrators to secure Azure DevOps are to assign access levels, set permissions, assign security roles, and set policies. Development leads and pipeline administrators should become familiar with setting permissions and policies on repositories, branches, and pipeline resources.

---

Access levels

• Change a user's access level
• Provide Stakeholders access to edit pipelines

Set project-level permissions

• Request an increase in permission levels
• Change project-level permissions
• Grant or restrict permissions to select tasks
• Dashboard permissions
• Analytics permissions
• Wiki permissions
• [Feedback permissions]/previous-versions/azure/devops/project/feedback/give-permissions-feedback)

Authentication

• Choose authentication method
• Authenticate access with PATs
• Manage personal access tokens using API
• Use SSH key authentication
• Use OAuth 2.0 to authorize access to REST APIs
• Authorize a service, manage authorizations
• Revoke users' PATs (for admins)
• Set up Git credential manager
• Git authentication
• Authenticate extensions

---

Azure Active Directory

• Connect organization to Azure AD
• Add users to Azure Active Directory
• Add Azure AD security groups to Azure DevOps security groups
• Manage Azure Active Directory groups
• Manage group rules
• Change Azure AD connection
• Disconnect from Azure AD
• List organizations connected to Azure AD

Set organization or collection-level permissions

• Change organization-level permissions
• Change project collection-level permissions
• Change process permissions
• Set permissions to manage extensions
• Enable Project-Scoped Users Group

Set object-level permissions

• Set object-level permissions

Set organization policies

• Manage security & app access policies
• Add external users
• Disable Request Access policy
• Restrict admins from inviting new users
• Restrict users from creating new organizations with Azure Active Directory policy
• Enable Conditional Access or Multi-factor Authentication

Secure data and networks

• Allowed address lists & network connections
• Install and use Visual Studio and Azure Services behind a firewall or proxy server
• Save project data
• Data protection overview
• Data location
• Data Subject Requests for the GDPR & CCPA
• Credential storage

---

---

Set Boards/work tracking permissions

• Create tag definition
• Delete and restore work items
• Delete field from organization
• Delivery plans
• Move work items out of a project
• Manage area and iteration paths
• Modify work items under an area path
• Permanently delete work items
• Process permissions
• Queries and query folders

Set test permissions

• Create, delete, and view test runs
• Manage test configurations
• Manage test environments
• Manage test controllers
• Manage test plans and test suites under an area path
• Set access, license requirements

Set repository and branch permissions

• Git repository permissions
• TFVC repository permissions
• Git branch permissions
• Administer shelved changes (TFVC)
• Administer workspaces (TFVC)
• Create a workspace (TFVC)

Set Git repository and branch policies

• Git repository settings and policies
• Git branch policies
• Git branch policy for an external service
• Use Azure Functions to create custom Git branch policies

Secure code

• Secure Development Documentation
• About Microsoft Security Code Analysis
• Microsoft Threat Modeling Tool
• Security in DevOps (DevSecOps)
• Enable DevSecOps with Azure and GitHub

---

Set pipeline permissions and policies

• Assign pipeline security roles
• Grant version control permissions to the build service
• Administer build resource permissions
• Manage build resources
• Manage pipeline policies
• Use build resources
• View build resources
• Set pipeline permissions

   

• Pipelines security walkthrough
• Approach to securing YAML pipelines
• Repository protection
• Pipeline resources
• Project structure
• Security through templates
• Variables and parameters
• Shared infrastructure
• Other security considerations

---

Set feed permissions

• Secure and share packages using feed permissions

---

Reference

• Permissions lookup guide
• Permissions & groups
• Security management tools
• Security namespaces & permissions
• Manage security groups with CLI
• Manage permissions with CLI

Related articles

• About settings for users, teams, projects, or organizations
• Visual Studio subscriptions
• Azure Boards settings quick reference index