An Easier Way to Manage Permissions in Azure DevOps

October 20, 2020
When you’re managing permissions in Azure DevOps Server or in Azure DevOps Services, often you’re tempted to add people directly to your project or directly to a team. It’s not wrong exactly but over time it tends to get messy – especially if you’re adding the same people to new projects and new teams over and over again.

A better way to manage permissions is using Active Directory Groups (AD Groups) or Azure Active Directory Groups (AAD Groups).

TL; DR – Use groups in AD / AAD and grant Azure DevOps permissions against those groups instead of direct user permissions

It’s worth pointing out that there are two flavors of Azure DevOps: Azure DevOps Server 2020 and Azure DevOps Services. Server vs. Services. Azure DevOps Server is the on-premises version of Azure DevOps that you’d run in your data center. Azure DevOps Services is the cloud version of Azure DevOps that’s hosted and managed by Microsoft. They’re mostly the same but Azure DevOps Services has some differences with regard to how you manage users. The short answer is that if you’re using Azure DevOps Services and it’s joined to your Azure Active Directory (AAD) tenant, then the stuff I’ll show you in this guide will be applicable. If you’re NOT using AAD with Azure DevOps Services, then this won’t work.

How Do You Manage Permissions in Azure DevOps Anyway?

Let’s say that you’ve just set up a new project and you need to add some users to that project. You’ll start by going to the home page for that project and clicking Project settings.

To start, go to Project Settings

Once you get to the project settings screen, you’ll see a left menu bar with a bunch of different options. If you click on Security in that left bar, you’ll see the list of teams and the list of default Azure DevOps groups. The default groups are:

  • Build Administrators
  • Contributors
  • Project Administrators
  • Project Valid Users
  • Readers

Project Valid Users is an auto-generated group that has a list of all the known people in this project. It’s generated automatically by Azure DevOps and it can’t be modified through the user interface.

Members of Project Administrators can do anything in this project.

Members of Build Administrators have admin rights to the builds and releases in this project.

Members of Contributors are your non-admin users who do work on this project. A good way to think about Contributors is that they have read & write access to artifacts in this project but not create or delete access. For my customers, most of their users are members of Contributors.

Members of the Readers group have read-only access to your project. Members of this group tend to be stakeholders or customers who need to be able to view artifacts in this project but who don’t create or modify any artifacts. You sometimes also see managers and executives in this group especially if they’re trying to get a high-level view of a lot of projects.

List of Azure DevOps groups in Project Settings

All of these groups have a Permissions tab that describes what members of the group can do within Azure DevOps, a Members tab that shows who is in the group, and a Members of tab that shows what other groups refer to this group. For this guide, we’re going to focus on the Members tab.

The Members tab is where a lot of my customers start getting into trouble and creating messes. As an Azure DevOps administrator, you might be tempted to just add and remove members to these groups directly. That works well in the beginning but it can get really messy.

Instead of adding people directly to the Members tab, I’d like you to create Active Directory Groups for your users.

Add/remove users and groups using the Members tab

What Active Directory Groups Do We Need?

Ok. So you’re going to create groups in Active Directory (AD) or Azure Active Directory (AAD). Which ones do you need?

Well, in the beginning, I’d suggest trying to keep it as simple as possible: an AD/AAD group for each major Azure DevOps group. I usually name them:

  • AZDO Build Administrators
  • AZDO Contributors
  • AZDO Project Administrators
  • AZDO Readers

Simple, right?

Next, I’ll walk you through creating these groups in AD and AAD.

How to Create the Groups in Active Directory?

To create the groups in Active Directory, the first thing you’ll need to do is to log in as an admin user to a machine that has the Active Directory Users & Computers app installed. The easiest thing is to just log in to one of your Active Directory Domain Controllers.

Once you’re logged in, use the Start menu to open Active Directory Users and Computers. In the left side panel, expand the node for your domain and then click on the Users folder. Yes, I know. We’re trying to create groups…but this is where the groups live.

The Domain Users section of Active Directory Users and Computers

Next, you’ll create the new group.

  • Right click the Users folder
  • From the context menu, choose New | Group

Create a new Group in the Users folder

You should now see a dialog with the title New Object - Group.

  • In the Group name textbox, enter the name of the new group. For example, AZDO Project Administrators
  • Click the OK button

The new Group dialog

Repeat this process for the rest of the groups: AZDO Build Administrators, AZDO Contributors, and AZDO Readers.

You should now have four new groups for Azure DevOps.

The new Azure DevOps groups

Next, I’ll show you how to do this with Azure Active Directory (AAD). If you’re not using AAD, you can skip ahead to the “Add the Groups to Azure DevOps” section.

How to Create the Groups in Azure Active Directory?

If you’re using Azure DevOps Services (aka. Azure DevOps in the cloud), you’ll create your groups inside of Azure Active Directory (AAD). The first step is to open the Azure Portal in a browser.

  • Open a browser and navigate to https://portal.azure.com
  • Log in as an admin user
  • Using the Search resources, services and docs box at the top of the portal page, search for Azure Active Directory
  • Choose Azure Active Directory from the search results

You should now see your Azure Active Directory (AAD) tenant admin page and it should look something like the screenshot below.

The Overview page of an Azure Active Directory tenant

  • In the menu bar for your tenant, choose Groups

You should now be on the Groups page for your tenant and all your groups should be visible.

Azure Active Directory Groups page

  • Click the New group button

You should now see the New Group dialog.

The New Group dialog

  • In the Group name textbox, enter the group name. For example, AZDO Project Administrators
  • In the Group description textbox, enter a description
  • Click the Create button

Repeat the group creation process for the remaining groups: AZDO Build Administrators, AZDO Contributors, and AZDO Readers.

You should now see the list of all your groups in the AAD admin portal.

The list of groups for Azure DevOps
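
The same four groups can be created from a script instead of the two click-through walkthroughs above (the Active Directory Users and Computers steps and the Azure portal steps). The block below is an added example and not code from the original post: it uses the ActiveDirectory module’s New-ADGroup for on-premises AD and the AzureAD module’s New-AzureADGroup for AAD, checks whether each group already exists so the script can be re-run safely, and assumes you run it as a user allowed to create groups (a domain admin on a DC or RSAT box for AD; a directory admin after Connect-AzureAD for AAD). The group names are the ones used in this guide; the descriptions and the Global group scope are my own choices.

```powershell
# Added example, not from the original post. Creates the four AZDO groups from the article
# in on-premises Active Directory (New-AzdoAdGroups) or in Azure Active Directory (New-AzdoAadGroups).
# Both functions are idempotent: a group that already exists is left alone and reported.

# Names are the article's; descriptions are my own (assumption).
$AzdoGroups = @(
    @{ Name = 'AZDO Build Administrators';   Description = 'Azure DevOps: Build Administrators in each project' }
    @{ Name = 'AZDO Contributors';           Description = 'Azure DevOps: Contributors (members of the default team)' }
    @{ Name = 'AZDO Project Administrators'; Description = 'Azure DevOps: Project Administrators in each project' }
    @{ Name = 'AZDO Readers';                Description = 'Azure DevOps: read-only stakeholders' }
)

function New-AzdoAdGroups {
    # On-premises AD. Requires the RSAT ActiveDirectory module (present on a domain controller)
    # and a session running as a user allowed to create groups in the target container.
    param(
        # Container to create the groups in. Defaults to the domain's Users folder, the same
        # place the GUI walkthrough uses.
        [string]$Path
    )
    Import-Module ActiveDirectory
    if (-not $Path) { $Path = (Get-ADDomain).UsersContainer }

    foreach ($g in $AzdoGroups) {
        $existing = Get-ADGroup -Filter "Name -eq '$($g.Name)'" -SearchBase $Path
        if ($existing) {
            Write-Host "Exists : $($g.Name) ($($existing.DistinguishedName))"
            continue
        }
        # Security group with Global scope (scope is my choice; Universal also works across domains).
        New-ADGroup -Name $g.Name -Path $Path -GroupCategory Security -GroupScope Global `
                    -Description $g.Description
        Write-Host "Created: $($g.Name)"
    }
}

function New-AzdoAadGroups {
    # Azure AD. Requires the AzureAD module and a prior Connect-AzureAD as a user who can create groups.
    foreach ($g in $AzdoGroups) {
        $existing = Get-AzureADGroup -Filter "DisplayName eq '$($g.Name)'"
        if ($existing) {
            Write-Host "Exists : $($g.Name) ($($existing.ObjectId))"
            continue
        }
        # Security-only group (no mailbox). MailNickName is still required, so derive it from the name.
        $created = New-AzureADGroup -DisplayName $g.Name -Description $g.Description `
                                    -SecurityEnabled $true -MailEnabled $false `
                                    -MailNickName ($g.Name -replace '\s', '')
        Write-Host "Created: $($g.Name) ($($created.ObjectId))"
    }
}

# Usage: pick the directory you actually use.
#   New-AzdoAdGroups                     # on a domain controller or RSAT-equipped box
#   Connect-AzureAD; New-AzdoAadGroups   # against your AAD tenant
```

Because both functions look the group up before creating it, you can keep the script in source control and run it again whenever you stand up a new domain or tenant; the existence check also stops a typo in the name from silently producing a fifth, near-duplicate group.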

Add the Groups to Azure DevOps

Ok. We’ve got the groups created. It’s time to start using them in Azure DevOps.

  • Open a web browser
  • Navigate to your Azure DevOps project
  • Navigate to Project settings
  • Navigate to Security
  • In the list of groups, choose Build Administrators
  • Click the Members tab

You should now see a screen like the screenshot below with the Build Administrators group selected.

The build administrators group

From here, adding the references to the newly created AD or AAD groups is easy.

  • Click the Add button at the top of the Build Administrators group’s membership tab

From the group members tab, click the Add button

You should now see a dialog with the title Add users and groups.

  • In the search box, type AZDO
  • From the search results, choose your AZDO Build Administrators group

The Add Users and Groups dialog

You should now see your AZDO Build Administrators group selected in the dialog.

  • Click the Save changes button

The build admin group selected in the dialog

You should now see the AZDO Build Administrators group in the Azure DevOps members list. (Note: you might need to press the Refresh button)

The group has been added

Now, just repeat this same process for Project Administrators and Readers. Note: you’re going to do a slightly different thing for the Contributors group.

For Contributors, you’re going to add them as members of the default team. The default team is going to be named Team.

  • Choose your default team
  • Navigate to the Members tab
  • Click the Add button
  • Add the AZDO Contributors group

Choose the default team

When you’ve done that, you’ve managed to connect your AD / AAD Groups to Azure DevOps.
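
The click-through above can also be scripted, which matters once you are doing it for many projects. The block below is an added example and not code from the original post: it uses the Azure DevOps Graph REST API (the vssps.dev.azure.com endpoints) to look up the project’s Build Administrators, Project Administrators, Readers and default team, then adds the matching AAD group to each by its AAD object id, which is what the Add users and groups dialog does for you. It applies to Azure DevOps Services joined to AAD; the organization name, project name, personal access token and AAD object ids are placeholders you supply.

```powershell
# Added example, not from the original post. Wires the AAD groups into one Azure DevOps project
# the way the article does by hand: AZDO Build Administrators -> Build Administrators, and so on,
# with AZDO Contributors going into the default team. Uses the Azure DevOps Graph REST API.
# Everything in angle brackets is a placeholder you must replace.

$Organization = '<your-azure-devops-org>'   # placeholder
$Project      = '<your-project-name>'       # placeholder
$Pat          = $env:AZDO_PAT               # placeholder: PAT with the Graph (read & manage) scope, kept out of the script

# Azure DevOps group or team display name -> object id of the AAD group to add to it.
# Get the ids from the AAD portal or from (Get-AzureADGroup -SearchString 'AZDO').ObjectId.
$Mapping = [ordered]@{
    'Build Administrators'   = '<objectId of AZDO Build Administrators>'    # placeholder
    'Project Administrators' = '<objectId of AZDO Project Administrators>'  # placeholder
    'Readers'                = '<objectId of AZDO Readers>'                 # placeholder
    'Team'                   = '<objectId of AZDO Contributors>'            # placeholder: default team, named "Team" as in the article
}

$Headers = @{
    Authorization  = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(":$Pat"))
    'Content-Type' = 'application/json'
}
$GraphApi = "https://vssps.dev.azure.com/$Organization/_apis/graph"

function Get-AzdoProjectScopeDescriptor {
    # Project id -> graph scope descriptor (scp.xxx), which is how the Graph API addresses "this project".
    $proj = Invoke-RestMethod -Headers $Headers `
        -Uri "https://dev.azure.com/$Organization/_apis/projects/${Project}?api-version=6.0"
    (Invoke-RestMethod -Headers $Headers `
        -Uri "$GraphApi/descriptors/$($proj.id)?api-version=6.0-preview.1").value
}

function Get-AzdoProjectGroups {
    # All security groups and teams that live in the project scope (the list the Security page shows).
    param([string]$ScopeDescriptor)
    (Invoke-RestMethod -Headers $Headers `
        -Uri "$GraphApi/groups?scopeDescriptor=$ScopeDescriptor&api-version=6.0-preview.1").value
}

function Add-AadGroupToAzdoGroup {
    # Materializes the AAD group in Azure DevOps (if it is not known yet) and adds it to the target group.
    param([string]$TargetDescriptor, [string]$AadObjectId)
    $body = @{ originId = $AadObjectId } | ConvertTo-Json -Compress
    Invoke-RestMethod -Method Post -Headers $Headers -Body $body `
        -Uri "$GraphApi/groups?groupDescriptors=$TargetDescriptor&api-version=6.0-preview.1"
}

$scope  = Get-AzdoProjectScopeDescriptor
$groups = Get-AzdoProjectGroups -ScopeDescriptor $scope

foreach ($name in $Mapping.Keys) {
    $target = $groups | Where-Object { $_.displayName -eq $name }
    if (-not $target) {
        Write-Warning "No group or team named '$name' in project '$Project'; skipping."
        continue
    }
    $added = Add-AadGroupToAzdoGroup -TargetDescriptor $target.descriptor -AadObjectId $Mapping[$name]
    Write-Host "Added $($added.principalName) to $($target.principalName)"
}
```

The mapping table is the only project-specific part, so the same script can be run in a loop over every project in the organization. Keep the PAT in an environment variable or a secret store rather than in the script, and give it only the Graph scope it needs, since a token that can edit group membership is itself a privileged credential.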

Add Users to the AD / AAD Groups

Now that the groups are connected, all you have to do is to start adding users into the groups in Active Directory or Azure Active Directory. When you make those membership changes there, then the permissions will automatically show up in Azure DevOps. Let’s say that you have 20 projects and you’ve just promoted someone from developer to project manager. Rather than having to go into 20 projects to change that person’s permissions, you just need to make that one group membership change in AD / AAD and Azure DevOps just does the right thing. Or let’s say that you need to remove someone’s permissions entirely from Azure DevOps. All you have to do is remove them from all the AD / AAD groups and it’s done.
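
The two scenarios just described (a promotion and a full removal) are the day-to-day work once the groups are wired up, and they are worth scripting so they are done the same way every time. The block below is an added example and not code from the original post: it treats a user’s Azure DevOps rights as exactly the set of AZDO groups they belong to in on-premises AD, using the ActiveDirectory module’s Get-ADPrincipalGroupMembership, Add-ADGroupMember and Remove-ADGroupMember, and adds a small report for periodic access review. The function names and the jdoe sample account are my own.

```powershell
# Added example, not from the original post. Day-to-day administration once the groups are wired up:
# a person's Azure DevOps rights are whatever AZDO groups they are in, so "promote" and "offboard"
# become group membership edits in on-premises AD. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# The four groups from the article. Membership of any other group is never touched.
$AzdoGroupNames = @(
    'AZDO Build Administrators',
    'AZDO Contributors',
    'AZDO Project Administrators',
    'AZDO Readers'
)

function Get-AzdoMembership {
    # Which of the AZDO groups a user is currently a direct member of.
    param([Parameter(Mandatory)][string]$SamAccountName)
    Get-ADPrincipalGroupMembership -Identity $SamAccountName |
        Where-Object { $AzdoGroupNames -contains $_.Name } |
        Select-Object -ExpandProperty Name
}

function Set-AzdoMembership {
    # Make the user's AZDO group set exactly $Groups: add what is missing, remove what is extra.
    # The article's promotion scenario, e.g. a developer who is now a project administrator:
    #   Set-AzdoMembership -SamAccountName jdoe -Groups 'AZDO Project Administrators'   # jdoe is a sample account
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string[]]$Groups = @()
    )
    foreach ($g in $Groups) {
        if ($AzdoGroupNames -notcontains $g) { throw "Not an AZDO group: $g" }
    }
    $current = @(Get-AzdoMembership -SamAccountName $SamAccountName)
    foreach ($g in $AzdoGroupNames) {
        $wanted = $Groups -contains $g
        $has    = $current -contains $g
        if ($wanted -and -not $has) {
            Add-ADGroupMember -Identity $g -Members $SamAccountName
            Write-Host "Added   $SamAccountName to   $g"
        } elseif ($has -and -not $wanted) {
            Remove-ADGroupMember -Identity $g -Members $SamAccountName -Confirm:$false
            Write-Host "Removed $SamAccountName from $g"
        }
    }
}

function Remove-AzdoAccess {
    # Offboarding as the article describes it: drop the user from every AZDO group in one go.
    param([Parameter(Mandatory)][string]$SamAccountName)
    Set-AzdoMembership -SamAccountName $SamAccountName -Groups @()
}

function Get-AzdoAccessReport {
    # Who can do what, straight from the directory: one row per (group, member) for periodic review.
    foreach ($g in $AzdoGroupNames) {
        Get-ADGroupMember -Identity $g -Recursive | ForEach-Object {
            [pscustomobject]@{ Group = $g; Member = $_.SamAccountName; Type = $_.objectClass }
        }
    }
}

# Usage:
#   Set-AzdoMembership -SamAccountName jdoe -Groups 'AZDO Project Administrators'
#   Remove-AzdoAccess  -SamAccountName jdoe
#   Get-AzdoAccessReport | Format-Table
```

Set-AzdoMembership is deliberately declarative: you state the role the person should have and the function computes the adds and removes, so a promotion never leaves a stale Contributors membership behind. The AAD equivalents are Add-AzureADGroupMember and Remove-AzureADGroupMember (keyed by object id rather than account name). For Azure DevOps Services joined to AAD, a membership change reaches Azure DevOps on its periodic sync with the directory rather than instantly, so an offboarding that must take effect immediately should also revoke the person’s sessions and tokens in AAD.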

Summary

So. If you want to make your life easy as an Azure DevOps admin, grant Azure DevOps permissions using groups rather than direct permissions in projects.

I hope this helps.

-Ben

– Looking for help with Azure DevOps or Team Foundation Server? Need to migrate to the cloud? Want some help getting your team productive with the Azure DevOps project management tools or QA Testing tools? Looking for some help implementing Scrum or maybe continuous delivery pipelines? We can help. Drop us a line at info@benday.com!