Restrict organization creation via Azure AD tenant policy

Azure DevOps Services

In this article, learn how to turn on the Azure Active Directory (Azure AD) tenant policy that restricts users from creating an organization in Azure DevOps. The policy is turned off by default.

Prerequisites

You must be an Azure DevOps Administrator in Azure AD to manage this policy.

For more information about the new built-in Azure AD roles, see Administrator role permissions in Azure Active Directory.

If you don't see the policy section in Azure DevOps, you aren't an administrator. To check your role, sign in to the Azure portal, and then choose Azure Active Directory > Roles and administrators. If you aren't an Azure DevOps Administrator, talk to your administrator.

You can also check your role using the Azure AD PowerShell module.
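The following PowerShell is an added example, not taken from the original article. It assumes the AzureAD module is installed and checks who holds the Azure DevOps Administrator role in the tenant, including the signed-in account.

```powershell
# Added example: requires the AzureAD module (Install-Module AzureAD).
Connect-AzureAD | Out-Null

# Get-AzureADDirectoryRole returns only roles that are activated in the
# tenant, so a missing role means nobody has been assigned to it yet.
$roleName = 'Azure DevOps Administrator'
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }

if (-not $role) {
    Write-Warning "Role '$roleName' is not activated in this tenant; it has no members."
    return
}

# Everyone listed here can manage the organization-creation policy,
# so review this list as part of a privileged-role audit.
$members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
$members | Select-Object DisplayName, UserPrincipalName, ObjectType | Format-Table

# Compare the signed-in account against the direct members.
# Caveat: guest accounts have a different UserPrincipalName format, and
# roles granted through a group show the group, not its members.
$me = (Get-AzureADCurrentSessionInfo).Account.Id
if ($members.UserPrincipalName -contains $me) {
    "$me holds the $roleName role."
} else {
    "$me is not a direct member of the $roleName role."
}
```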

Turn on the policy

  1. Sign in to your organization (https://dev.azure.com/{yourorganization}).

  2. Select Organization settings (the gear icon).

  3. Select Azure Active Directory, and then switch the toggle to turn on the policy, restricting organization creation.

Optional

Create allow list

With the policy turned on, all users are restricted from creating new organizations. Grant an exception to users or groups with an allow list. Users on the allow list can create new organizations, but they can't manage the policy.

  1. Select Add AAD user or group.

Create error message

When administrators who aren't on the allow list try to create an organization, they get an error similar to the following example.

[Screenshot: error message example]

Customize this error message in the policy settings in Azure DevOps.

  1. Select Edit display message.

  2. Enter your customized message, and then choose Save.

The error message is customized.

Note

Administrators who aren't on the allow list can't connect their organization to the Azure AD tenant where the policy is turned on.

[Screenshot: connection failed error]