Add AD/Azure AD users or groups to a built-in security group

Azure DevOps Services | Azure DevOps Server 2019 | TFS 2018 | TFS 2017 | TFS 2015 | TFS 2013

As described in About security and identity, there are two main types of built-in security groups: project-level and collection-level. In general, you add users and groups to a project-level group such as Contributors and Readers. For users that need to administrate select features and functions, add them or associated groups to the Build Administrators or Project Administrators groups.

Review Default permissions and access to gain insight into the default permissions provided to the built-in, project-level security groups.

In this article, learn how to do the following task:

  • Add an Azure AD user or group to a built-in security group

In this article, learn how to do the following task:

  • Add an Active Directory user or group to a built-in security group

The method for adding a user or group to a built-in security group is the same, no matter at what level you add them.

Add Azure AD user or group to a built-in security group

Important

If you are adding a user to Azure DevOps for the first time, see Add users for Azure DevOps. To manage the permissions of an Azure AD group in Azure DevOps, you must first add the Azure AD group to a built-in security group. Once you complete this task, you can then manage your Azure AD group permissions throughout Azure DevOps.

Note

To enable the new user interface for the Project Permissions Settings Page, see Enable preview features.

  1. Open the web portal and choose the project where you want to add users or groups. To choose another project, see Switch project, repository, team.

  2. Choose Project settings, and then Permissions.

    Choose Project settings, and then Permissions

  3. Open Security and under the Groups section, choose one of the following:

    • To add users who require read-only access to the project, choose Readers.
    • To add users who need to contribute fully to the project or who have been granted Stakeholder access, choose Contributors.
    • For users who need to administrate the project, choose Project Administrators.
  4. Next, choose the Members tab.

    Here we choose the Contributors group.

    Admin context, Security page, Contributors group, Membership page

    By default, the default team group and all other teams you add to the project are included as members of the Contributors group. So, you can choose to add a new user as a member of a team instead, and the user would automatically inherit Contributor permissions.

  5. Choose  Add to add a user or a user group.

  6. Enter the name of the user into the text box. You can enter several identities into the text box, separated by commas. The system automatically searches for matches. Choose the match(es) that meets your choice.

    Add users and group dialog

    Note

    The first time you add a user or group, you can't browse to it or check the friendly name. After the identity has been added, you can just enter the friendly name.


Add an Active Directory user or group to a built-in security group

  1. Open the web portal and choose the project where you want to add users or groups. To choose another project, see Switch project, repository, team.

  2. Choose Project Settings, and then Security.

    Project Settings>Security

  3. Open Security and under the Groups section, choose one of the following:

    • To add users who require read-only access to the project, choose Readers.
    • To add users who need to contribute fully to the project or who have been granted Stakeholder access, choose Contributors.
    • For users who need to administrate the project, choose Project Administrators.
  4. Next, choose the Members tab.

    Here we choose the Contributors group.

    Admin context, Security page, Contributors group, Membership page

    By default, the default team group and all other teams you add to the project are included as members of the Contributors group. So, you can choose to add a new user as a member of a team instead, and the user would automatically inherit Contributor permissions.

  5. Choose  Add to add a user or a user group.

  6. Enter the name of the user into the text box. You can enter several identities into the text box, separated by commas. The system automatically searches for matches. Choose the match(es) that meets your choice.

    Add users and group dialog

    Note

    The first time you add a user or group, you can't browse to it or check the friendly name. After the identity has been added, you can just enter the friendly name.

Add an Active Directory user or group to a built-in security group

  1. Open the web portal and choose the project where you want to add users or groups. To choose another project, see Switch project, repository, team.

  2. Choose the  gear icon to open Project Settings.

    Open Project Settings, horizontal nav

  3. Open Security and under the Groups section, choose one of the following:

    • To add users who require read-only access to the project, choose Readers.
    • To add users who need to contribute fully to the project or who have been granted Stakeholder access, choose Contributors.
    • For users who need to administrate the project, choose Project Administrators.
  4. Next, choose the Members tab.

    Here we choose the Contributors group.

    Admin context, Security page, Contributors group, Membership page

    By default, the default team group and all other teams you add to the project are included as members of the Contributors group. So, you can choose to add a new user as a member of a team instead, and the user automatically inherits Contributor permissions.

  5. Choose  Add to add a user or a user group.

  6. Enter the name of the user into the text box. You can enter several identities into the text box, separated by commas. The system automatically searches for matches. Choose the match(es) that meet your choice.

    Add users and group dialog

    Note

    The first time you add a user or group, you can't browse to it or check the friendly name. After the identity has been added, you can just enter the friendly name.

Next steps