Limit user visibility and collaboration to specific projects

Parsa

This sprint we’re releasing a public preview feature to enable organization administrators in Azure DevOps to restrict users from seeing and collaborating with users in different projects. This will bring another level of isolation and access control to projects. We can’t wait for you to get in and try the new feature. Your early feedback will help us improve the experience.

By default, users added to an organization can view all organization metadata and settings. This includes the list of users in the organization, the list of projects, billing details, usage data, and more, all of which is accessed through the organization settings. Additionally, users are able to use the various people pickers in the product to search for, view, select, and tag all other members of the organization, even if these users are not in the same project.

To restrict select users from this information, you can enable the “Limit user visibility and collaboration to specific projects” preview feature for your organization. Once it is enabled, users and groups added to the “Project-Scoped Users” group will have two limitations: hidden organization settings, and limited people-picker search and tagging.

Hidden Organization Settings

Users added to the “Project-Scoped Users” group are restricted from accessing the Organization Settings pages, except for Overview and Projects, and are restricted to only viewing data from projects they have been added to.

Limited people-picker search and tagging

Using the various people pickers in the product, users and groups added to the “Project-Scoped Users” group will only be able to search for, view, select, and tag members who are also members of the project they’re currently in.

Disclaimer

Note that the current restrictions apply to the user interface only; users can still use the REST APIs to retrieve or derive the restricted data.

EDIT: 5/5/21

When the preview feature is enabled for the organization, project-scoped users are currently unable to search for users who were added to Azure DevOps through Azure Active Directory group membership, rather than through an explicit user invitation. This is unexpected behavior and we’re currently working on a fix. If you’re experiencing this issue, the easiest way to self-resolve is to disable the preview feature for the organization for now.

Feedback

Please email us directly with any questions, comments or issues you may have. We take your input seriously and read every bit of feedback. We’re very excited for you all to try this out and let us know what you think!

3 comments

  • Tomasz Wiśniewski

    Having in mind that usually all organizations have some security structure already in place, what would be your recommended way of using this feature in a scenario where I would like to have all users restricted besides Project Collection Administrators?

    • pazand (Microsoft employee)

      This is great feedback. For the time being, the only option is to create an Azure AD group that will include all users. Then, you can add this Azure AD group to the new, Project-Scoped Users group.

      However, this is a preview feature and we will continue to iterate on it. I’ll post an update when we’ve added any improvements!

    • Kapasakalidis, Panagiotis

      I second that. It would be great if we could add ADO Collection-level or even individual Project-level Groups into the new Collection-level Project-Scoped Users Group. For example, currently we have 800 users in our Organization with Direct assignments. Adding all these users to a new AD group would be very time-consuming, and on top of that we will have to include this process for net new users, which adds to the complexity of adding new users to the Org.

      Maybe there could be a provisioning of adding all Valid Users of the Org to the Project-Scoped Users Group, but without affecting access of the Project Collection Administrators (since PCA are also in the Valid Users group).