Add organization users and manage access
Azure DevOps Services
Learn how to add users to your organization and manage user access through direct assignment. For an overview of adding users and related concepts, see About organization management in Azure DevOps. Users can include human users, service accounts, and service principals.
The following types of users can join your Azure DevOps Services organization for free:
- Five users who get Basic features, such as version control, tools for Agile, Java, build, release, and more
- Unlimited users who get Stakeholder features, such as working with your backlog, work items, and queries. Don't use Stakeholder access as a substitute for more limited permissions, as users with a Visual Studio subscription or a GitHub Enterprise license automatically get upgraded from Stakeholder when they sign in. For more information, see Stakeholder access quick reference.
- Unlimited Visual Studio subscribers who also get Basic or Basic + Test Plan features, depending on their subscription level.
Need more users with Basic features?
Note
For information about inviting external users, see Add external user.
Prerequisites
- Permissions: Be a member of the Project Collection Administrators group. Organization owners are automatically members of this group.
- Organization: Have an organization. If you don't have an organization, create one.
For an overview of the methods supported for adding users to an organization, see Add and manage user access.
Add users to your organization
Administrators can efficiently manage user access by adding users to an organization, granting them access to the appropriate tooling extensions and service access levels, and assigning them to relevant groups—all from a single view. This streamlined process ensures that new users have the necessary permissions and resources to start contributing immediately.
Note
If you have a Microsoft Entra ID-backed organization and need to add users who are external to Microsoft Entra ID, first add external users. On the Tell us about this user page, under Type of user, choose User with an existing Microsoft account. After completing those steps, follow these instructions to add the Microsoft Entra ID user to Azure DevOps.
You can add up to 50 users in a single transaction. When you add users, each user receives a notification email with a link to the organization page, allowing them to easily access and start using the organization's resources.
To give other users access to your organization, do the following steps:
Sign in to your organization (
https://dev.azure.com/{yourorganization}
).Select Organization settings.
Select Users > Add users.
Enter the following information.
- Users: Enter the email addresses (Microsoft accounts) or GitHub usernames of the users. You can add multiple email addresses by separating them with a semicolon
;
. Accepted email addresses appear in red. For more information about GitHub authentication, see Connect to GitHub/FAQs. To add a service principal, enter the display name of the application or managed identity.- Access level: Set the access level to Basic for users who contribute to the code base. For more information, see About access levels.
- Add to projects: Select the project to which you want to add the users.
- Azure DevOps Groups: Leave as Project Contributors, the default security group for users who contribute to your project. For more information, see Default permissions and access assignments.
Note
Add email addresses for personal Microsoft accounts and IDs for GitHub accounts unless you plan to use Microsoft Entra ID to authenticate users and control organization access. If a user doesn't have a Microsoft or GitHub account, ask them to sign up for a Microsoft account or a GitHub account.
- Users: Enter the email addresses (Microsoft accounts) or GitHub usernames of the users. You can add multiple email addresses by separating them with a semicolon
Select Add to complete your invitation.
For more information about user access, read about access levels.
Note
You can add people to projects instead of to your organization. Users are automatically assigned Basic features if your organization has seats available, or Stakeholder features if not. Learn how to add members to projects.
When a user no longer needs access to your organization, delete them from your organization.
Manage users
From your web browser, you can view and edit certain user information. Using the Azure DevOps CLI, you can see details about a specific user and update their access level.
The Users view displays key information for each user in a table. In this view, you can:
- See and modify assigned service extensions and access levels.
- Multi-select users and bulk edit their extensions and access levels.
- Filter by searching for partial user names, access levels, or extension names.
- See the last access date for each user. This information can help you identify users to remove or lower their access to stay within your license limits. For more information, see Permissions and access.
Sign in to your organization (
https://dev.azure.com/{yourorganization}
).Select Organization settings.
Select Users.
Select a user or group of users. Then, select Actions ... at the end of the Name column to open the context menu.
In the context menu, choose one of the following options:
- Change access level
- Manage user
- Resend invite
- Remove direct assignments
- Remove from organization (deletes user)
- Save your changes.
Restrict users' view to organization projects
To restrict certain users' access to organizational information, enable the Limit user visibility and collaboration to specific projects preview feature and add the users to the Project-Scoped Users group. Once added, users in that group can't access projects that they aren't explicitly added to.
Note
Users and groups added to the Project-Scoped Users group have limited access to project and organization information. They also have restricted access to specific identities through the people picker. For more information, see Limit user visibility for projects, and more.
To add users to the new Project-Scoped Users group, do the following steps:
Sign in to your organization (
https://dev.azure.com/{yourorganization}
).Turn on the Limit user visibility and collaboration to specific projects preview feature for the organization. For more information, see Manage preview features.
Tip
The Project-Scoped Users group only appears under Permissions > Groups once Limit user visibility and collaboration to specific projects preview feature gets enabled.
Add users or groups to your project by following the steps in Add users to a project or team. When you add users to a team, they automatically get added to both the project and the team group.
Select Organization settings.
Select Security > Permissions > Project-Scoped Users.
Choose the Members tab.
Add all users and groups that you want to scope to the project you added them to.
Important
- The limited visibility features described in this section apply only to interactions through the web portal. With the REST APIs or
azure devops
CLI commands, project members can access the restricted data. - Guest users who are members in the limited group with default access in Microsoft Entra ID, can't search for users with the people picker. When the preview feature's turned off for the organization, or when guest users aren't members of the limited group, guest users can search all Microsoft Entra users, as expected.
For more information, see Add or remove users or groups, manage security groups.
Warning
Enabling the Limit user visibility and collaboration to specific projects preview feature prevents project-scoped users from searching for users added to the organization through Microsoft Entra group membership, rather than through an explicit user invitation. This is an unexpected behavior, and a resolution is in progress. To resolve this issue, disable the Limit user visibility and collaboration to specific projects preview feature for the organization.
FAQ
Q: Which email addresses can I add?
A:
- If your organization is connected to Microsoft Entra ID, you can only add email addresses that are internal to the directory.
- Add email addresses of users who have "personal" Microsoft accounts unless you authenticate users and control access through Microsoft Entra ID using your organization's directory.
- If your organization is connected to your directory, all users must be directory members. They must sign in to Azure DevOps with work or school accounts managed by your directory. If they aren't members, they need to be added to the directory.
After you add members to your project, each member receives an invitation email with a link to your organization. They can use this link to sign in and access your project. First-time members might get asked for more details when they sign in to personalize their experience.
Q: What if users don't get or lose the invitation email?
A:
For Organizations connected to Microsoft Entra ID: If you're inviting users from outside your Microsoft Entra ID, they must use their email. Removing users from the organization removes both their access and their license. However, any artifacts assigned to them remain unchanged. You can always invite users back into the organization if they exist in the Microsoft Entra tenant. After they're removed from Microsoft Entra ID, you can't assign any new artifacts (work items, pull requests, and so on) to them. The history of artifacts already assigned to the users is preserved.
For Organizations with Microsoft accounts: You can send a link to the project page, included in the invitation email, to new team members. Removing users from the organization removes both their access and their licenses. You can no longer assign any new artifacts (work items, pull requests, and so on) to these users. However, any artifacts previously assigned to them remain unchanged.
Q: Why can't I add any more members?
A: See Q: Why can't I add any more members to my project?.
Q: How is access different from permissions?
A: Access levels determine a user's access to specific web portal features based on their subscription. Permissions control a user's ability to perform specific operations, which get governed by security group membership or specific Access Control Level (ACL) assignments made to a user or group.