Add a group rule to assign access levels and extensions
Azure DevOps Services
Azure DevOps includes group-based licensing for Azure Active Directory (Azure AD) groups and Azure DevOps groups. You can add a group rule to assign an access level or extension to a group. Resources in Azure DevOps are assigned to all members of the group. Group rules can also be used to add users to team projects and other specific groups, like Contributors, Readers, and Administrators.
When users leave the group, the licenses are freed and returned to your pool. You don't need to automate license management to reflect changes in your organizational structure on a per-user basis.
We recommend that you reevaluate rules regularly on the Group rules tab of the Users page. Check whether any group membership changes in Azure AD might affect your organization. Automated reevaluation occurs every six hours and any time the group rule changes.
To manage licenses and group rules, you must be a Project Collection Administrator (PCA) for the organization. If you're not a member of the Project Collection Administrators group, get added as one. To assign an extension to a user (and consequently, to a group), a PCA must first install the extension on the organization.
Add group rule
Sign in to your organization (
Select Organization settings.
Go to the Security page and check the membership of the Project Collection Administrators group.
Select Users > Group rules. This view shows you all of your created group rules.
Select Add a group rule.
Complete the dialog box for the group for which you want to create a rule. Include an access level for the group and any optional project access or extensions for the group. Select Add.
A notification displays, showing the status and outcome of the rule. If the assignment couldn't be completed (for example, because your organization didn't have enough purchased licenses), select View status to see the details.
Resolve assignment errors
As users sign in to your organization, they're assigned access levels and extensions based on their group memberships. If there aren't enough licenses or extensions to assign the resources that a user's group memberships specify, Azure DevOps notifies all Project Collection Administrators via email that they must make a purchase. To find users in an error state, a Project Collection Administrator can complete the following steps:
- Go to the Users page in Organization settings. A notification on the page indicates there are users who are missing extensions or access levels.
- To see how many of each resource are missing, choose Fix assignment errors.
- Complete purchases for any missing resources, and then choose Fix errors to have the purchases automatically assigned to the specified users.
Manage group members
Highlight a group rule and from the command bar, select Manage members.
Leave any existing automation that manages access levels or extensions for users (for example, PowerShell) running as-is. The goal is for the group rule to reflect the same resources that the automation is applying to those users.
Add members and select Add.
When the same access level or extension is assigned to the user, both directly and through a group, the user consumes only one access level or extension. No additional licenses are required.
Verify group rule
Verify that the resources are applied to each group. On the Group rules tab, highlight a group and select Summary.
Verify individual user resources. On the Users page, highlight a user and select Summary.
Verify that no assignments have failed. On the Users page, on the Groups tab, check for assignment errors.
Your group rule is in effect.