Redaguoti

Bendrinti naudojant


Assign access levels with group rules

Azure DevOps Services

Azure DevOps provides group-based access levels for Microsoft Entra groups and Azure DevOps groups, allowing you to manage permissions efficiently by assigning access levels to entire groups of users. This article explains how to add a group rule to assign an access level to a group of users. Azure DevOps resources are assigned to all members of a group.

Assign a group rule to manage both access levels and project memberships. When a user is assigned to multiple rules or Microsoft Entra groups with different access levels, they receive the highest access level among them. For example, if John is assigned to two Microsoft Entra groups with different group rules—one specifying Stakeholder access and the other Basic access—John receives Basic access.

When a user leaves a Microsoft Entra group, Azure DevOps adjusts their access level according to the group's defined rules. If the group was the user's sole source of access, Azure DevOps automatically removes them from the organization. If the user belongs to other groups, their access level and permissions are reevaluated.

Note

  • Changes made to project readers through group rules don't persist. To adjust project readers, consider alternative methods such as direct assignment or custom security groups.
  • Regularly review the rules listed on the "Group rules" tab of the "Users" page. Changes to Microsoft Entra ID group membership will appear in the next re-evaluation of the group rules, which can be done on-demand, when a group rule is modified, or automatically every 24 hours. Azure DevOps updates Microsoft Entra group membership every hour, but it may take up to 24 hours for Microsoft Entra ID to update dynamic group membership.

Prerequisites

Permissions: Be a member of the Project Collection Administrators group. Organization owners are automatically members of this group.

Add group rule

  1. Sign in to your organization (https://dev.azure.com/{yourorganization}).

  2. Select gear icon Organization settings.

    Screenshot showing highlighted Organization settings button.

  3. Select Permissions, and then verify that you're a member of the Project Collection Administrators group.

    Screenshot showing project collection administrators group members.

  4. Select Users, and then select Group rules. This view shows you all of your created group rules. Select Add a group rule.

    Screenshot showing selected Add a group rule button.

    Group rules appear only if you're a member of the Project Collection Administrators group.

  5. Complete the dialog box for the group for which you want to create a rule. Include an access level for the group and any optional project access for the group. Select Add.

    Screenshot showing Add a group rule dialog.

    A notification displays, showing the status and outcome of the rule. If the assignment couldn't be completed, select View status to see the details.

    Screenshot showing Group rule completed.

Important

  • Group rules only apply to users without direct assignments and to users added to the group going forward. Remove direct assignments so the group rules apply to those users.
  • Users don't appear in All users until they attempt to sign in for the first time.

Manage group members

  1. Select Group rules > > Manage members. Screenshot shows highlighted group rule for managing members.

    Keep the existing automation for managing user access levels running as-is (for example, PowerShell scripts). The goal is to ensure that the same resources applied by the automation are accurately reflected for those users.

  2. Add members, and then select Add.

    Screenshot of Adding a group member.

    When you assign the same access level to a user, they consume only one access level, regardless of whether the assignment is made directly or through a group.

Verify group rule

Verify that the resources are applied to each group and individual user. Select All users, highlight a user, and then select Summary.

Screenshot showing verification of user summary for group rule.

Remove direct assignments

To manage a user's resources solely through their group memberships, remove any direct assignments. Resources assigned to a user individually remain assigned, regardless of changes to the user's group memberships.

  1. Sign in to your organization (https://dev.azure.com/{yourorganization}).

  2. Select gear icon Organization settings.

    Screenshot showing highlighted Organization settings button.

  3. Select Users.

    Screenshot showing selected Users tab.

  4. Select all users with resources for management only by groups.

    Screenshot showing Selected group rules for migration.

  5. To confirm that you want to remove the direct assignments, select Remove.

    Screenshot of confirmation to Remove.

    Direct assignments get removed from the users. If a user isn't a member of any groups, then the user isn't affected.

FAQs

Q: How do Visual Studio Subscriptions work with group rules?

A: Visual Studio Subscribers are always directly assigned via the Visual Studio Admin Portal and take precedence in Azure DevOps over access levels assigned directly or via group rules. When you view these users from the Users Hub, the License Source always shows as Direct. The only exception are Visual Studio Professional subscribers who are assigned Basic + Test Plans. Since Basic + Test Plans provides more access in Azure DevOps, it takes precedence over a Visual Studio Professional subscription.