| title | Restrict Team and Project Administrators from inviting new users |
|---|---|
| titleSuffix | Azure DevOps Services |
| description | Learn how to manage the policy that allows Team and Project Administrators to invite new users to Azure DevOps Services. |
| ms.assetid | |
| ms.topic | how-to |
| ms.subservice | azure-devops-security |
| ms.author | chcomley |
| author | chcomley |
| monikerRange | azure-devops |
| ms.date | 11/30/2023 |
[!INCLUDE version-eq-azure-devops]
By default, all administrators can invite new users to their Azure DevOps organization. Disabling this policy prevents Team and Project Administrators from inviting new users or adding Entra groups. However, Project Collection Administrators (PCAs) can still add new users and Entra groups to the organization regardless of the policy status. Additionally, if a user is already a member of the organization, Project and Team Administrators can add that user to specific projects.
| Category | Requirements |
|---|---|
| Permissions | Member of the Project Collection Administrators group. Organization owners are automatically members of this group. |
| Microsoft Entra | Member in the destination Microsoft Entra ID. For more information, see Convert a Microsoft Entra guest into a member. |
-
Sign in to your organization (
https://dev.azure.com/{yourorganization}). -
Select
Organization settings.
-
Under Security, select Policies, and then move the toggle to off.
:::image type="content" source="media/user-policy-invite-new-users.png" alt-text="Turn policy off to limit Team and Project administrators from inviting new users":::
Now, only Project Collection Administrators can invite new users to Azure DevOps.
Note
Project and Team Administrators can directly add users to their projects through the permissions blade. However, if they attempt to add users through the Add Users button located in the Organization settings > Users section, it's not visible to them. Adding a user directly through Project settings > Permissions doesn't result in the user appearing automatically in the Organization settings > Users list. For the user to be reflected in the Users list, they must sign in to the system.