Simplify Azure DevOps License Management with Group Rules

Managing user access and permissions in Azure DevOps can be a time-consuming task, especially for larger organizations. In this blog post, I am going to write about Azure DevOps group rules. Group rules make Azure DevOps user management easier and the onboarding and offboarding process more efficient.

What is a Group rule?

In Azure DevOps it is possible to assign licenses in multiple ways:

  • Via direct assignment to a user
  • Via group rules using an Azure Active Directory security group or Azure DevOps group

Group rules are an Azure DevOps Services feature (not available in Azure DevOps Server) for group-based licensing management. Besides licensing, group rules can also be used to assign members to Azure DevOps team projects.

One of the benefits of using group rules is that licenses are assigned automatically when a user logs in, provided the user is a member of the security group or Azure DevOps group assigned to the rule. This saves time, effort and cost compared to assigning and removing licenses by hand. Additionally, with group rules it is easy to revoke access for an employee who, for example, leaves the company: simply remove the employee from the security group assigned to the group rule.

Benefits of Azure DevOps Group Rules

Using group rules for license and access management in Azure DevOps can provide a number of benefits, including:

  • Simplifying user management by assigning licenses and access levels automatically based on group membership instead of on individual accounts
  • Streamlining the onboarding and offboarding process for new employees and departing employees
  • Improving security by ensuring that only authorized users have access to specific Azure DevOps features or resources
  • Optimizing costs, because a license is allocated only after a user's initial login, so no licenses are consumed by users who never sign in

By using group rules, organizations can save time and effort while also improving the security and efficiency of their Azure DevOps user management processes.

How to configure a group rule in Azure DevOps

First, to configure group rules in Azure DevOps you need the Project Collection Administrator role, because group rules are configured at the organization level.

To configure group rules in Azure DevOps:

  1. Go to your organization settings
  2. Go to General > Users
  3. Open the tab Group rules
  4. Click the button Add a group rule

After clicking the Add a group rule button, a window appears in which you can configure the group rule:

  1. Search for the security group or Azure DevOps group that you want to add
    1. Optionally, you can create an Azure DevOps group
  2. Assign the access level. The dropdown shows the following levels:
    1. Basic
    2. Stakeholder
    3. Visual Studio Subscriber
  3. (optional) Assign the Azure DevOps Team Project
    1. After the selection of a project, the Azure DevOps Groups dropdown becomes visible. In this dropdown, you can select the appropriate group (Project contributor, Project administrator or Project reader)

In the example below I added two Azure AD security groups to the group rule list: ADO-Basic and ADO-Stakeholder. Besides that, I have added the users John Doe and Jane Doe, one to each security group.

Overview of Azure DevOps Group Rules
Added user John Doe to ADO-Stakeholder security group
Added user Jane Doe to ADO-Basic security group

When the user Jane Doe logs in, the license will be added automatically. The source of the license assignment can be seen in the License Source column, which will show either Direct if the user was added directly (via the Add Users button) or Group Rule when added via the security group ADO-Basic or ADO-Stakeholder.

Shows the Basic license assignment to Jane Doe from the source group rule

How to configure a group rule in Azure DevOps with the REST API

Besides using the Azure DevOps GUI, group rules can also be created with the Azure DevOps REST API. The API enables the programmatic creation of group rules, which provides a flexible and efficient way to manage access control.

To programmatically create a group rule, use the following API and Body:

API

`POST https://vsaex.dev.azure.com/{organization}/_apis/groupentitlements?api-version=7.0`

Body

```powershell
# Request body for the Group Entitlements API, built as a PowerShell hashtable
$body = @{
    "group" = @{
        "origin"      = "aad"                                   # Azure Active Directory
        "originId"    = "acd06030-7fda-49c8-9d32-d8c093236ce6"  # Security Group ID (object ID in Azure AD)
        "subjectKind" = "group"
    }
    "licenseRule" = @{
        "licensingSource"    = "account"
        "accountLicenseType" = "express"   # "express" is the API name of the Basic access level
        "licenseDisplayName" = "Basic"
    }
}

# The API expects JSON, so the nested hashtable has to be converted before it is sent
$json = $body | ConvertTo-Json -Depth 5
```

Result

When this API call is executed, the security group is added as a group rule in Azure DevOps with the Basic access level:

Added the ADO-DynamicGroup security group using the Azure DevOps REST API

In my GitHub gists, you can find my PowerShell script that is ready to use and requires only a personal access token, organization name, and security group ID to run.
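As an added example (this is not the gist mentioned above, nor code from Microsoft), the following function wraps the API call and body shown above. It assumes a PAT with the Member Entitlement Management (read and write) scope is available in the environment variable AZDO_PAT, and it maps the access-level names from the dropdown to the accountLicenseType values the API expects.

```powershell
# Added example: create an Azure DevOps group rule through the Group Entitlements REST API.
function New-AdoGroupRule {
    param(
        [Parameter(Mandatory)] [string] $Organization,
        [Parameter(Mandatory)] [guid]   $AadGroupObjectId,   # object ID of the Azure AD security group
        [ValidateSet('Basic', 'Stakeholder')] [string] $AccessLevel = 'Basic',
        [Parameter(Mandatory)] [string] $Pat                  # personal access token, never hard-code it
    )

    # Map the display name to the accountLicenseType enum value used by the API
    $licenseType = @{ Basic = 'express'; Stakeholder = 'stakeholder' }[$AccessLevel]

    $body = @{
        group = @{
            origin      = 'aad'
            originId    = $AadGroupObjectId.ToString()
            subjectKind = 'group'
        }
        licenseRule = @{
            licensingSource    = 'account'
            accountLicenseType = $licenseType
            licenseDisplayName = $AccessLevel
        }
    } | ConvertTo-Json -Depth 5

    # Azure DevOps accepts a PAT as the password of HTTP Basic authentication with an empty user name
    $token   = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(":$Pat"))
    $headers = @{ Authorization = "Basic $token" }

    $uri = "https://vsaex.dev.azure.com/$Organization/_apis/groupentitlements?api-version=7.0"
    $response = Invoke-RestMethod -Method Post -Uri $uri -Headers $headers -Body $body -ContentType 'application/json'

    # The operation reference returned by the API reports whether all sub-operations succeeded;
    # fail loudly instead of silently leaving the rule half-configured
    if (-not $response.haveResultsSucceeded) {
        throw "Group rule creation failed: $($response.results | ConvertTo-Json -Depth 5)"
    }
    return $response
}

# Usage (the organization name is a placeholder; the group ID is the one from the body above):
# New-AdoGroupRule -Organization 'my-org' -AadGroupObjectId 'acd06030-7fda-49c8-9d32-d8c093236ce6' `
#                  -AccessLevel 'Basic' -Pat $env:AZDO_PAT
```

Reading the PAT from an environment variable keeps the secret out of the script and out of source control, which matters because a PAT with this scope can change who gets access to the whole organization.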

Conclusion

This is how you can configure group rules to manage Azure DevOps licenses, either through the Azure DevOps GUI or with the Azure DevOps REST API. Using group rules to manage user licensing saves time and makes license management more efficient, and user management stays centralized in Azure Active Directory. Overall, group rules are a valuable feature for organizations that want to optimize their Azure DevOps user management processes.
