About organization management in Azure DevOps
Azure DevOps Services
With an organization, you gain access to the platform in which you can do the following:
- Collaborate with others to develop applications by using our cloud service
- Plan and track your work as well as code defects and issues
- Set up continuous integration and deployment
- Integrate with other services by using service hooks
- Obtain additional features and extensions
- Create one or more projects to segment work.
This article applies to the Azure DevOps cloud service. If you manage an on-premises Azure DevOps Server, refer to Administrative tasks quick reference for details on managing the server.
Create your organization
Before you get started, read Plan your organizational structure in Azure DevOps. Then, you can create your organization and invite others so they can access your organization.
Choose Git or Team Foundation version control (TFVC) as your version control, so that Azure DevOps can create your project for code and other assets, like builds, tests, and work items. If you're starting with Visual Studio as your development environment, you can create your organization when you set up Visual Studio.
Your organization includes five free users with Basic access, plus unlimited Visual Studio subscribers and Stakeholders at no extra charge. Your organization also includes free monthly amounts of additional services such as build and deployment.
Connect to your organization
When your organization is created, connect to your projects with tools like Xcode, Eclipse, or Visual Studio, and add code to your project.
Some clients, like Xcode, Git, and NuGet, require basic credentials (a username and password) for you to access Azure DevOps. To connect these clients to Azure DevOps, create personal access tokens to authenticate your identity. Use a credential manager to create, store, and secure your tokens, so you don't have to reenter them every time you push. Or if you don't want to use a credential manager, you can create personal access tokens manually.
Add and manage user access to your organization
You manage who can access your organization by adding them as users of your organization. You manage which features and tasks users can make through access levels and permissions.
In addition, If you manage your user base using Azure Active Directory (Azure AD), you can connect your organization to Azure AD and manage user access and access through Azure AD.
Access, access level, and permissions
Three key definitions to understand when managing your user base are as follows:
- Access indicates a user can sign into your organization, and at a minimum view information about your organization.
- Access levels grant or restrict access to select web portal features. Access levels enable administrators to provide their user base access to the features they need and only pay for those features.
- Permissions, granted through security groups, provide or restrict users from performing specific tasks.
For an overview of default assignments, see Default permissions and access for Azure DevOps.
Direct versus group rule assignments
You can add and assign an access level to users one-by-one. This is referred to as Direct assignment. Or, you can set up one or more Group rules and add and assign access levels to groups of users. This is referred to as a Group Rule assignment.
Add users and assign access: Direct assignment
If you don't use Azure Active Directory (Azure AD), as described in the next section, to manage your user base, then you can add them through the following ways to collaborate on your project.
Add users to your organization from the Organization Settings>Users page. Only organization owners or members of the Project Collection Administration group can add users at this level.
At this level, you specify the access level and the project(s) the user is added to. For details, see Add users to your organization or project.
Add users to one or more teams from the Project>Summary page or to a specific team from the Project Settings>Teams>Team page. Members of the Project Collection Administration or Project Administration groups, or a team administrator can add users to teams.
Unless users are granted an access level directly, or are granted an access level through a group rule, they’ll be assigned the best available access level. If there are no more free Basic slots available, then the user is added as a Stakeholder. The access level can be changed later through the Organization Settings>Users page.
For details, see the following articles:
Add users through Azure Active Directory
You can manage your user base with Azure Active Directory (Azure AD). With Azure AD, you can control access the same way that you do with Microsoft services like Office 365 and Microsoft Azure.
Azure AD is optional, however, if your enterprise already uses a directory managed by Azure AD, you can use your directory to authenticate access to Azure DevOps Services. Recommended practice for managing large user bases is to use Azure AD.
The process of adding users to projects when managing them through Azure AD is as follows:
- First,connect your organization to Azure AD. If you need to set up Azure AD, do that now.
- Go to Azure Active Directory and sign in with your organization account.
- Add organization users to your Azure AD.
- Add an Azure AD group to an Azure DevOps group.
- Perform bulk assignments of access levels to added users,
- Or, define group rules and assign access levels.
You can also add users through the steps outlined in the previous section, Add users and assign access.
Using Azure AD, you can segment access by adding select Azure AD groups to Contributors groups in select projects.
Add users through group rules
A best practice to use when managing users is to manage them through security groups. You can use the default security groups Azure DevOps provides, create custom security groups, or reference Azure AD groups. You can use any of these groups to add and manage user access levels using group rules. To learn more, see Add a group rule to assign access levels and extensions.
Add users implementation notes
The following notes address details specific to adding users at different levels—such as to a team, project, or organization.
- All users that are added at the organization or collection level can be assigned to work items of all projects. However, if the user doesn't have access to the project, then they won't be able to view or edit the work item.
- All users that are invited or added as a member at the project level can be assigned to work items of the project.
Set up billing
If you need more than the free users and amounts of services included with your organization, set up billing for your organization. You can then pay for more users with Basic access, buy more services, and purchase extensions for your organization.
Additional administrative tasks
Manage Azure AD access
Manage group-based licensing