Azure DevOps – restrict organisation creation to specific AAD users

For quite some time it has been impossible to stop any user creating new Azure DevOps organisations and linking them to an Azure Active Directory Tenant. This has actually stopped a lot of customers considering using the platform as it brings in to question the abiltity for end users to store unmanaged code and solutions. Thankfully Microsoft have finally addressed the issue!

Firstly head over to the Azure Portal and login as a user with the ability to manage roles and permissions to Azure AD.

Go to Azure Active Directory and click on Roles and administrators.

Find the Azure DevOps administrator role and select it. Next you need to add an account into here that has access to manage an Azure DevOps organisation, if you have an organisation already linked to your AAD, usually a Project Collection Administrator. If you dont, dont worry when you create a new organisation you can apply the setting. Add the user account under Assignments.

Now logon to an exisiting Azure DevOps organisation or create a new one and head over to the Organisation settings. The link can be found at the bottom left of the screen (be sure you aren’t in a project as this changes to project settings so you need to go back one level!). Once there click Azure Active Directory:

Now you should see on the right hand side a Policies section (if you dont make sure you added the right account above!):

Apply the settings as you wish, quick tip – its always best to use groups if possible rather than individuals as it will give you more freedom.

Hope that helps!

More information:

About the author