Skip to content

Latest commit

 

History

History
348 lines (215 loc) · 20.4 KB

manage-organization-collection.md

File metadata and controls

348 lines (215 loc) · 20.4 KB
title titleSuffix description ms.technology ms.author author ms.topic monikerRange ms.date
Get started as a project collection administrator or organization owner
Azure DevOps
Learn how to add contributors and configure policies, settings, and other Azure DevOps options available at the organization or collection level.
devops-new-user
kaelli
KathrynEE
overview
<= azure-devops
02/25/2022

Manage your organization or project collection

[!INCLUDE version-lt-eq-azure-devops]

After you create an organization or project collection, you'll want to add contributors and configure policies, settings, and other options available to you. This article provides an overview of tasks you'll want to review to ensure you're setting up your organization or collection to get maximal use of your services.

::: moniker range="azure-devops" Each organization is associated with one and only one collection. If you need to create another organization, see Create an organization. ::: moniker-end

::: moniker range="< azure-devops" When you install Azure DevOps Server, you automatically create a default collection. If you need to create another project collection, see Manage project collections. ::: moniker-end

Note

This article provides an overview of tasks that require membership in the Project Collection Administrators group. For information on tasks to be performed by members of a Project Administrators group, see Manage your project.

Add users to your organization

::: moniker range="azure-devops" For large enterprises, the recommended method to manage Azure DevOps users, is to connect Azure DevOps to Azure Active Directory (Azure AD) and manage user access through security groups defined in Azure AD. That way, when you add and remove users or groups from Azure AD, you automatically add and remove these same users and groups from Azure DevOps. You limit the maintenance of managing permissions and user access.

For small and large enterprises, you can add users and security groups directly through the web portal Organization settings>Users interface. All users added to an organization can be added to one or more projects defined for the organization. ::: moniker-end

::: moniker range="< azure-devops" For large enterprises, the recommended method to manage Azure DevOps users, is to connect Azure DevOps to Active Directory (AD) and manage user access through security groups defined in AD. That way, when you add and remove users or groups from AD, you automatically add and remove these same users and groups from Azure DevOps. Typically, you should install Active Directory before installing Azure DevOps. You limit the maintenance of managing permissions and user access.

For small and large enterprises, you add users to a server instance through the web portal Access levels interface. All users added to the server instance can be added to to one or more projects defined within the project collection(s) defined in the server instance. ::: moniker-end

When you add users, you specify their access level which determines the features they can use through the web portal. To learn more, review these resources:
::: moniker range="azure-devops"

Note

If the Limit user visibility and collaboration to specific projects preview feature is enabled for the organization, users added to the Project-Scoped Users group won't be able to access projects that they haven't been added to. To learn more, see Limit user visibility for projects and more later in this article.

::: moniker-end

::: moniker-end

::: moniker range="< azure-devops"

Note

Even if you add a user or group to an access level, you must also add them to a project for them to connect to a project and access features available through a supported client or the web portal. ::: moniker-end

::: moniker range="azure-devops"

Set up billing

Azure DevOps Services charges for the following services as described in Pricing for Azure DevOps.

  • Individual services:
    • Microsoft-hosted CI/CD parallel job
    • Self-hosted CI'CD parallel job Users added to organizations
    • Storage of Azure Artifacts feeds
  • User licenses for Basic or Basic + Test Plans.

All organizations are granted five free Basic licenses. If your organization requires more than five contributors, then you'll need to set up billing. Users that have a Visual Studio subscription can be added without incurring any further billing charges. Billing is based on the access level, Basic or Basic + Test Plans, that you assign to the user.

All organizations can add up to five users with Basic access and unlimited users with Stakeholder access. If you need to add more users or pay for additional services, refer to the following articles:

::: moniker-end

Manage security and permissions

Access to select tasks is controlled by permissions and security groups. To quickly understand the defaults configured for your project, see Default permissions and access.

To learn more about permissions and security, review the following articles:

Grant or restrict permissions

Permissions are managed at the following three levels and through role-based assignments.

  • object
  • project
  • organization or collection

As a member of the Project Collection Administrators group, you can grant or restrict permissions at all levels within the organization or collection.

To delegate specific tasks to others, we recommend that you add them to a built-in or custom security group or add them to a specific role. To learn more, see the following articles.

Add members to the Project Collection Administrators group

::: moniker range="azure-devops" The person who creates an organization is automatically added as a member to the Project Collection Administrators group. Members of this group have permissions to manage the settings, policies, and processes for the organization, create and manage all projects defined in the organization, and install and manage extensions.
::: moniker-end ::: moniker range="< azure-devops" The person who creates a project collection is automatically added as a member to the Project Collection Administrators group. Members of this group have permissions to manage the settings, policies, and processes for the organization, create and manage all projects defined in the organization, and install and manage extensions.
::: moniker-end

It's always a good idea to have more than one person who has administrative privileges. To add a user to this group, see Change permissions at the organization level,Add members to the Project Collection Administrators group.

::: moniker range="azure-devops"

Limit user visibility for projects and more

By default, users added to an organization can view all organization and project information and settings.

To restrict select users, such as Stakeholders, Azure Active Directory guest users, or members of a particular security group, you can enable the Limit user visibility and collaboration to specific projects preview feature for the organization. Once that is enabled, any user or group added to the Project-Scoped Users group, are restricted in the following ways:

  • Restricted users to only access those projects to which they've been explicitly added to.
  • Restricts views that display list of users, list of projects, billing details, usage data, and more that is accessed through Organization Settings.
  • Limits the set of people or groups that appear through people-picker search selections and the ability to @mention people.

To enable this feature, see Manage or enable features.

Note

All security groups are organization-level entities, even those groups that only have permissions to a specific project. From the web portal, visibility of some security groups may be limited based on user permissions. However, you can discover the names of all groups in an organization using the azure devops CLI tool or our REST APIs. To learn more, see Add and manage security groups. ::: moniker-end
::: moniker-end

::: moniker range="azure-devops"

Limit identity search and selection

For organizations that manage users and groups using Azure Active Directory (Azure AD), people pickers provide support for searching all users and groups added to Azure AD, not just those users and groups added to your project. people pickers support the following Azure DevOps functions:

  • Selection of a user identity from a work tracking identity field such as Assigned To
  • Selection of a user or group using @mention in a work item discussion or rich-text field, a pull request discussion, commit comments, or changeset or shelveset comments
  • Selection of a user or group using @mention from a wiki page

As shown in the following image, you simply start typing into a people picker box until you find a match to a user name or security group.

[!div class="mx-imgBorder"]
Screenshot of people picker

Warning

When the Limit user visibility and collaboration to specific projects preview feature is enabled for the organization, project-scoped users are unable to search for users who were added to the organization through Azure Active Directory group membership, rather than through an explicit user invitation. This is an unexpected behavior and a resolution is being worked on. To self-resolve this issue, disable the Limit user visibility and collaboration to specific projects preview feature for the organization.

Users and groups who are added to the Project-Scoped Users group can only see and select users and groups in the project they are connected to from a people picker. To scope people pickers for all project members, see Limit user visibility for projects and more earlier in this article.

To limit the identity selection to just those users and groups added to a project, perform the following procedure for your organization and projects.

  1. Enable the Limit user visibility and collaboration to specific projects preview feature for the organization. To learn how, see Manage or enable features.
  2. Add the users to your project(s) as described in Add users to a project or team. Users added to a team are automatically added to the project and team group.
  3. Open Organizations Settings>Security>Permissions and choose Project-Scoped Users. Choose the Members tab. Add all users and groups that you want to scope to the project(s) you've added them to. To learn more, see Set permissions at the project- or collection-level. The Project-Scoped Users group only appears under the Permissions>Groups once Limit user visibility and collaboration to specific projects preview feature is enabled.

::: moniker-end

::: moniker range="azure-devops"

Set security policies

Configure the security policies for your organization through the Organization settings>Policies page. These policies enable you to grant or restrict the following features:

  • Third-party application access via OAuth
  • SSH authentication
  • Creation of public projects
  • Invitation of GitHub user accounts

:::image type="content" source="../media/policies/security-policies.png" alt-text="Screenshot of Azure DevOps Security Policies.":::

To learn more, see Change application connection & security policies for your organization.

::: moniker-end

::: moniker range="azure-devops"

Enable preview features for your organization

As new features are introduced to Azure DevOps Services, you can choose to enable them or not for an organization. Some features are introduced and automatically enabled. You can try them out, provide feedback, and work with those features that meet your requirements.

When you enable a feature at the organization level, you essentially turn it on for all users of your account. Each user can then disable the feature if they so choose. If you disable a feature at the organization level, user settings are not changed. Users can enable or disable the feature on their own.

To enable or disable a preview feature, see Manage or enable features.

The following features are only enabled or disabled at the organization-level:

[!INCLUDE install-manage-extensions]

::: moniker range=">= tfs-2015"

Install Code Search

Code Search is a free Marketplace extension that you must install to enable searching across all your source repositories. To learn how, see Install and configure Search. ::: moniker-end

::: moniker range=">= azure-devops-2019 < azure-devops"

Enable or disable Analytics

Code Search is a free Marketplace extension that you must install to enable searching across all your source repositories. To learn how, see Install and configure Search. ::: moniker-end

::: moniker range="azure-devops"

Adjust time zone and other organization settings

When you create an organization, you specify the name of your organization and select the region where your organization is hosted. The default Time zone is set to UTC. You can update the Time zone and specify a Privacy URL from the Organization settings>Overview page. To learn more about these settings, see the following articles:

::: moniker-end

::: moniker range=">= tfs-2015"

Set DevOps policies

Set policies to support collaboration across your teams, secure your projects, and automatically remove obsolete files. To set policies, review the following articles:

::: moniker-end

::: moniker range=">= azure-devops-2019"

::: moniker range=">= tfs-2015 <= tfs-2018"

Customize work-tracking processes

::: moniker range=">= azure-devops-2019"

All work-tracking tools are available immediately after you create a project. Often, one or more users may want to customize the experience to meet one or more business needs. Processes are easily customized through the user interface. However, you may want to establish a methodology for who manages the updates and evaluates requests.

To learn more, see the following articles:

::: moniker-end

::: moniker range="<= tfs-2018"

All work-tracking tools are available immediately after you create a project. Often, one or more users may want to customize the experience to meet one or more business needs. But, you may want to establish a methodology for who manages the updates and evaluates requests.

To learn more, see On-premises XML process model.

::: moniker-end

Review and update notifications

A number of notifications are predefined at the organization or collection level. Notifications are based on subscription rules which you can modify. Subscriptions arise from the following areas:

global-notifications.png :::image type="content" source="../media/global-notifications.png" alt-text="Screenshot of Azure DevOps global notifications.":::

If users believe they're getting too many notifications, direct them to opt out of a subscription.

[!div class="mx-imgBorder"]
Personal notifications

::: moniker range="< azure-devops"

Configure an SMTP server

In order for team members to receive notifications, you must configure an SMTP server.

::: moniker-end

Integrate with other services

Scale your organization or collection

Next steps

[!div class="nextstepaction"] Share your project vision

Related articles

::: moniker range="azure-devops"

::: moniker-end

::: moniker range="< azure-devops"

::: moniker-end