Restrict organization creation via Microsoft Entra tenant policy
Azure DevOps Services
Learn how to turn on the Microsoft Entra tenant policy, which restricts users from creating an organization in Azure DevOps. This policy is turned off, by default.
Prerequisites
| Category | Requirements |
|---|---|
| Permissions | Azure DevOps Administrator in Microsoft Entra ID. To check your role, sign in to the Azure portal, and go to Microsoft Entra ID > Roles and administrators. If you're not an Azure DevOps administrator, you can't see the policies. Contact your administrator, if necessary. The Project Collection Administrator role isn't required. |
Turn on the policy
Sign in to your organization (
https://dev.azure.com/{yourorganization}).Select
Organization settings.
Select Microsoft Entra ID, and then switch the toggle to turn on the policy, restricting organization creation.
Optional
Create allowlist
Warning
We recommend using groups with your tenant policy allowlist. If you use a named user, a reference to the named user's identity resides in the United States, Europe (EU), and Southeast Asia (Singapore).
When the policy is enabled, only users in the allowlist and users assigned to the Azure DevOps Administrator role can create new organizations. To grant exceptions, add users to an allowlist. Users on the allowlist can create new organizations but can't manage the policy.
Select Add Microsoft Entra user or group.
For more information, see Add organization users and manage access.
Create error message
To customize the error message, do the following steps:
In the policy settings in Azure DevOps, select Edit display message.
Enter your customized message, and then select Save.
The error message is customized.
