Restrict new user invitations from Project and Team Administrators

Azure DevOps Services

By default, all administrators can invite new users to their Azure DevOps organization. Disabling this policy blocks Team and Project Administrators from inviting new users. Project Collection Administrators (PCAs) can add new users to the organization, regardless of the policy status. If a user is already a member of the organization, Project and Team Administrators can add that user to a project.

Prerequisites

You must be a member of the Project Collection Administrators group. Organization owners are automatically members of this group.

Turn off policy

1. Sign in to your organization (https://dev.azure.com/{yourorganization}).

2. Select Organization settings.

   

3. Under Security, select Policies, and then move the toggle to off.

   

Now, only Project Collection Administrators can invite new users to Azure DevOps.

Note

Project and Team Administrators can directly add users to their projects through the permissions blade. However, if they attempt to add users through the Add Users button located in the Organization settings > Users section, it's not visible to them. Adding a user directly through Project settings > Permissions doesn't result in the user appearing automatically in the Organization settings > Users list. For the user to be reflected in the Users list, they must sign in to the system.

Related articles

• Default permissions and access
• Permission lookup guide
• Get started with permissions, access, and security groups
• Permissions and groups reference
• Change project-level permissions
• Change project collection-level permissions