Limit user visibility and collaboration to specific projects
This sprint we’re releasing a public preview feature to enable organization administrators in Azure DevOps to restrict users from seeing and collaborating with users in different projects. This will bring another level of isolation and access control to projects. We can’t wait for you to get in and try the new feature. Your early feedback will help us improve the experience.
By default, users added to an organization can view all organization metadata and settings. This includes the list of users in the organization, the list of projects, billing details, usage data, and anything else accessible through the organization settings. Additionally, users can use the various people pickers in the product to search for, view, select, and tag all other members of the organization, even if those users are not in the same project.
To restrict select users from seeing this information, you can enable the Limit user visibility and collaboration to specific projects preview feature for your organization. Once it is enabled, users and groups added to the Project-Scoped Users group will have two limitations: hidden organization settings, and limited people-picker search and tagging.
Hidden Organization Settings
Users added to the “Project-Scoped Users” group are restricted from accessing the Organization Settings pages, except for Overview and Projects, and are restricted to only viewing data from projects they have been added to.
Limited people-picker search and tagging
Using the various people pickers in the product, users and groups added to the “Project-Scoped Users” group will only be able to search for, view, select, and tag members who are also members of the project they’re currently in.
Note that the current restrictions apply to the user interface only; users will still be able to use the REST APIs to retrieve or infer the restricted data.
Please email us directly with any questions, comments or issues you may have. We take your input seriously and read every bit of feedback. We’re very excited for you all to try this out and let us know what you think!
Having in mind that usually all organizations have some security structure already in place, what would be your recommended way of using this feature in a scenario where I would like to have all users restricted besides Project Collection Administrators?
This is great feedback. For the time being, the only option is to create an Azure AD group that will include all users. Then, you can add this Azure AD group to the new, Project-Scoped Users group.
However, this is a preview feature and we will continue to iterate on it. I’ll post an update when we’ve added any improvements!
I second that. It would be great if we could add ADO Collection-level or even individual Project-level Groups into the new Collection-level Project-Scoped Users Group. For example, we currently have 800 users in our Organization with Direct assignments. Adding all these users to a new AD group would be very time consuming, and on top of that we will have to include this process for net new users, which adds to the complexity of adding new users to the Org.
Maybe there could be a provisioning of adding all Valid Users of the Org to the Project-Scoped Users Group, but without affecting access of the Project Collection Administrators (since PCA are also in the Valid Users group).