Change permissions at the organization or collection-level
Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019
This article shows you how to manage permissions at the organization or collection level. Several permissions are set at these levels. You can only grant these permissions if you're a member of the Project Collection Administrators group.
An organization is the container for several projects that share resources. For more information, see Plan your organizational structure.
A project collection is the container for several projects that share resources. For more information, see About projects and scaling your organization.
You might find the following articles helpful:
- Look up a project collection administrator
- Manage users, groups, and security groups
- Request an increase in permission levels
- Change project-level permissions
- Set object-level permissions
Note
Security groups are managed at the organization level, even if they are used for specific projects. Depending on user permissions, some groups might be hidden in the web portal. To view all group names within an organization, you can use the Azure DevOps CLI tool or our REST APIs. For more information, see Add and manage security groups.
Note
Security groups are managed at the collection level, even if they are used for specific projects. Depending on user permissions, some groups might be hidden in the web portal. To view all group names within a collection, you can use the Azure DevOps CLI tool or our REST APIs. For more information, see Add and manage security groups.
Note
Security groups are managed at the collection level, even if they are used for specific projects. Depending on user permissions, some groups might be hidden in the web portal. To view all group names in a collection, you can use the REST APIs. For more information, see Add and manage security groups.
Collection-level permissions
The following table lists the permissions assigned at the organization or collection level. All permissions, except for Make requests on behalf of others, are granted to members of the Project Collection Administrators group. For more information, see Permissions and groups reference, Groups.
General
- Alter trace settings
- Create new projects
- Delete team project
- Edit instance-level information
- View instance-level information
Service Account
- Make requests on behalf of others
- Trigger events
- View system synchronization information
Boards
- Administer process permissions
- Create process
- Delete field from organization or account
- Delete process
- Edit process
Repos (TFVC)
- Administer shelved changes
- Administer workspaces
- Create a workspace
Pipelines
- Administer build resource permissions
- Manage build resources
- Manage pipeline policies
- Use build resources
- View build resources
Test Plans
- Manage test controllers
Auditing
- Delete audit streams
- Manage audit streams
- View audit log
Policies
- Manage enterprise policies
Note
Project Collection Administrators can manage organization or collection-level security groups, group membership, and edit permission ACLs. This permission isn't controlled through the user interface.
Prerequisites
Permissions:
- To manage permissions or groups at the organization or collection level, be a member of the Project Collection Administrators security group. If you created the organization or collection, you're automatically a member of this group.
- Directory services: Ensure security groups in Microsoft Entra ID or Active Directory are defined before adding them. For more information, see Add Active Directory / Microsoft Entra users or groups to a built-in security group.
Note
- Users in the Project-scoped Users group can't access most organization settings, including permissions. For more information, see Manage your organization, limit user visibility for projects, and more.
- Users with Stakeholder access can't access specific features even if they have permissions to those features. For more information, see Stakeholder access quick reference.
Note
Users with Stakeholder access can't access specific features even if they have permissions to those features. For more information, see Stakeholder access quick reference.
Add members to the Project Administrators group
Do the following steps to add users to the Project Administrators group or any other group at the organization or collection level. To add a custom security group, first create the group.
Note
To turn on the Organization Permissions Settings Page v2 preview page, see Enable preview features.
Sign in to your organization (
https://dev.azure.com/{Your_Organization}
).Select Organization settings > Permissions.
Select Project Administrators group, Members, and then Add.
Enter the name of the user account or custom security group into the text box and select the matching result. You can enter multiple identities into the Add users and/or groups box, and the system automatically searches for matches. Select the appropriate matches.
Select Save.
Open the web portal and choose the collection where you want to add users or groups.
Select Collection Settings > Security.
Select Project Administrators > Members > Add.
Enter the name of the user account into the text box. You can enter several identities into the text box, separated by commas. The system automatically searches for matches. Select one or more matches.
Select Save changes and the refresh icon to see the additions.
Change permissions for a group
You can change the permissions for any organization or collection-level group, except the Project Collection Administrators group. Adding security groups to a collection is similar to adding them to a project. For more information, see Add or remove users or groups, manage security groups and About permissions, Permission states.
Note
To turn on the Organization Permissions Settings Page v2 preview page, see Enable preview features.
Go to the Permissions page as described in the previous section, Add a user or group to the Project Administrators group.
Note
By design, you can't change the permission settings for the Project Collection Administrators group.
Choose the group whose permissions you want to change.
In the following example, we choose the Stakeholders Limited group, and change several permissions.
Your changes automatically save.
Go to the Security page as described in the previous section, Add a user or group to the Project Collection Administrators group.
Choose the group whose permissions you want to change.
In the following example, we choose the Stakeholders Limited group and change several permissions.
Select Save changes.
Change permissions for a user
You can change the collection-level permissions for a specific user. For more information, see About permissions, Permission states.
Note
To turn on the Organization Permissions Settings Page v2 preview page, see Enable preview features.
Go to the Permissions page as described in the previous section, Add a user or group to the Project Administrators group.
Select Users, then choose the user whose permissions you want to change.
Change the assignment for one or more permissions.
In the following example, we change the Edit project-level information for Christie Church.
Dismiss the dialog and your changes automatically save.
Open the Security page as described in the previous section, Add a user or group to the Project Administrators group.
In the Filter users and groups text box, enter the name of the user whose permissions you want to change.
Change change the assignment for one or more permissions.
In the following example, we change the Edit project-level information for Christie Church.
Select Save changes.
On-premises deployments
For on-premises deployments, see the following articles:
If your on-premises deployment is integrated with SQL Server Reports, manage membership for those products separately from their websites. For more information, see Grant permissions to view or create SQL Server reports.
FAQs
Q: When do I need to add someone to the Project Collection Administrator role?
A: It varies. In most organizations, Project Collection Administrators manage the collections created by the Team Foundation Administrators group. They don’t create collections themselves but handle tasks like creating team projects, adding users to groups, and modifying collection settings.
Q: What are the optimal permissions to administer a project collection across all of its components and dependencies?
A: Project Collection Administrators need the following permissions:
- Team Foundation Server: Members of the Project Collection Administrators group, or have the necessary collection-level permissions set to Allow.
- SharePoint Products: Members of the Site Collection Administrators group if the collection includes a site collection resource.
- Reporting Services: Members of the Team Foundation Content Manager group if the collection includes reporting resources.
Q: I'm an admin, but I don't have permission to add a Project Collection Administrator. What do I need?
A: You need the following permissions:
- Project Collection Administrator or View Server-Level Information and Edit Server-Level Information set to Allow.
- For SharePoint Products, membership in the Site Collection Administrators or Farm Administrators groups.
- For Reporting Services, membership in the Content Managers or Team Foundation Content Managers groups.
Important
To create project collections and perform other administrative tasks, users need administrative permissions. Additionally, the service account for the Team Foundation Background Job Agent must have specific permissions. For more information, see Service accounts and dependencies in Team Foundation Server and Team Foundation Background Job Agent.