restrict-invitations.md

---
title: Restrict Team and Project Administrators from inviting new users
titleSuffix: Azure DevOps Services
description: Learn how to manage the policy that allows Team and Project Administrators to invite new users to Azure DevOps Services.
ms.assetid:
ms.topic: how-to
ms.subservice: azure-devops-security
ms.author: chcomley
author: chcomley
monikerRange: azure-devops
ms.date: 11/30/2023
---

Restrict new user invitations from Project and Team Administrators

[!INCLUDE version-eq-azure-devops]

By default, all administrators can invite new users to their Azure DevOps organization. Disabling this policy blocks Team and Project Administrators from inviting new users. Project Collection Administrators (PCAs) can add new users to the organization, regardless of the policy status. If a user is already a member of the organization, Project and Team Administrators can add that user to a project.

Prerequisites

You must be a member of the Project Collection Administrators group. Organization owners are automatically members of this group.

Turn off policy

  1. Sign in to your organization (https://dev.azure.com/{yourorganization}).

  2. Select the gear icon (Organization settings).

    Screenshot showing highlighted Organization settings button.

  3. Under Security, select Policies, and then move the toggle to off.

    :::image type="content" source="media/user-policy-invite-new-users.png" alt-text="Turn policy off to limit Team and Project administrators from inviting new users":::

Now, only Project Collection Administrators can invite new users to Azure DevOps.

Note

Project and Team Administrators can add users directly to their projects through the permissions blade. However, the Add Users button in the Organization settings > Users section isn't visible to them. A user added directly through Project settings > Permissions doesn't automatically appear in the Organization settings > Users list. The user must sign in to the system before they appear in the Users list.

Related articles