February 22nd, 2021

Limit user visibility and collaboration to specific projects

pazand
Product Manager

This sprint we’re releasing a public preview feature to enable organization administrators in Azure DevOps to restrict users from seeing and collaborating with users in different projects. This will bring another level of isolation and access control to projects. We can’t wait for you to get in and try the new feature. Your early feedback will help us improve the experience.

By default, users added to an organization can view all organization metadata and settings. This includes viewing the list of users in the organization, list of projects, billing details, usage data, and more that is accessed through the organization settings. Additionally, users are able to use the various people pickers in the product to search for, view, select, and tag all other members of the organization, even if these users are not in the same project.

To restrict select users from this information you can enable the Limit user visibility and collaboration to specific projects preview feature for your organization. Once that is enabled, users and groups added to the Project-Scoped Users group will have two limitations: Hidden organization settings and limited people-picker search and tagging.

Hidden Organization Settings

Users added to the “Project-Scoped Users” group are restricted from accessing the Organization Settings pages, except for Overview and Projects, and are restricted to only viewing data from projects they have been added to.

Image Hidden Organization Settings

Limited people-picker search and tagging

Using the various people pickers in the product, users and groups added to the “Project-Scoped Users” group will only be able to search for, view, select, and tag members who are also members of the project they’re currently in.

Disclaimer

Note that the current restrictions are on the user interface only; users will still be able to use the REST APIs to produce or construe the restricted data.

Feedback

Please email us directly with any questions, comments or issues you may have. We take your input seriously and read every bit of feedback. We’re very excited for you all to try this out and let us know what you think!

Author

pazand
Product Manager

Parsa is a Product Manager on the Azure DevOps team.

4 comments

Discussion is closed. Login to edit/delete existing comments.

  • Tomasz Wiśniewski

    Having in mind that usually all organizations have some security structure already in place what would be your recommended way of using this feature in a scenario where I would like to have all users restricted besides Project Collection Administrators.

    • Kapasakalidis, Panagiotis

      I second that. It would be great if we could add ADO Collection-level or even individual Project-level Groups into the new Collection-level Project-Scoped Users Group. For example currently we are having 800 users in our Organization with Direct assignments. Adding all these users to a new AD group would be very time consuming and on top of that we will have to include this process for net new users, which adds to the complexity of...

      Read more
    • pazandMicrosoft employee Author

      This is great feedback. For the time being, the only option is to create an Azure AD group that will include all users. Then, you can add this Azure AD group to the new, Project-Scoped Users group.

      However, this is a preview feature and we will continue to iterate on it. I’ll post an update when we’ve added any improvements!