Restrict organization creation via Azure AD tenant policy
Azure DevOps Services
Learn how to turn on the Azure Active Directory (Azure AD) tenant policy, which restricts users from creating an organization in Azure DevOps. This policy is turned off by default.
You must be an Azure DevOps Administrator in Azure AD to manage this policy. It isn't a requirement to be a Project Collection Administrator.
If you don't see the policy section in Azure DevOps, then you aren't an administrator. To check your role, sign in to the Azure portal, and then choose Azure Active Directory > Roles and administrators. If you aren't an Azure DevOps administrator, talk to your administrator.
You can also check your role using the Azure AD PowerShell module.
For more information about the new built-in Azure AD roles, see Administrator role permissions in Azure Active Directory.
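One way to run the role check mentioned above with the Azure AD PowerShell module, as an added example that is not part of the original page. It assumes the AzureAD module is installed, that the role's display name is "Azure DevOps Administrator", and that you sign in with an account whose sign-in name is its user principal name; it checks direct role assignments only.

```powershell
# Added example (not from the original page).
# Assumption: the AzureAD module is already installed (Install-Module AzureAD).
Connect-AzureAD | Out-Null

# Assumption: display name of the role the page refers to.
$roleName = 'Azure DevOps Administrator'

# Get-AzureADDirectoryRole returns only roles that are activated in the tenant,
# so an empty result means the role is not activated here.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }
if (-not $role) {
    Write-Warning "Role '$roleName' was not returned; it is not activated in this tenant."
    return
}

# Resolve the signed-in account to its directory object.
# Assumption: the sign-in name equals the user principal name (may not hold for guests).
$session = Get-AzureADCurrentSessionInfo
$me = Get-AzureADUser -ObjectId $session.Account.Id

# List the direct members of the role so the assignment can be reviewed.
$members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
$members | Select-Object DisplayName, UserPrincipalName, ObjectType | Format-Table -AutoSize

# Compare by ObjectId rather than by name to avoid matching on a look-alike UPN.
if ($members.ObjectId -contains $me.ObjectId) {
    Write-Output "$($me.UserPrincipalName) holds the '$roleName' role and can manage the tenant policy."
}
else {
    Write-Output "$($me.UserPrincipalName) does not hold the '$roleName' role directly; the policy section will not be shown."
}
```

The member list doubles as a quick review of who can change the policy and its allowlist.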
An Azure DevOps Administrator can only restrict new organization creation for individual users, rather than groups at this time.
Turn on the policy
Sign in to your organization (
Select Organization settings.
Select Azure Active Directory, and then switch the toggle to turn on the policy, restricting organization creation.
We recommend using groups with your tenant policy allowlists. If you use a named user, be aware that a reference to the named user's identity will reside in the United States, Europe (EU), and Southeast Asia (Singapore).
With the policy turned on, all users are restricted from creating new organizations. Grant an exception to users with an allowlist. Users on the allowlist can create new organizations, but they can't manage the policy.
- Select Add AAD user or group.
Create error message
When administrators who aren't on the allowlist try to create an organization, they get an error similar to the following example.
Customize this error message in the policy settings in Azure DevOps.
Select Edit display message.
Enter your customized message, and then choose Save.
The error message is customized.
Administrators who aren't on the allowlist can't connect their organization to the Azure AD tenant where the policy is turned on.