Restrict administrators from inviting new users
Azure DevOps Services
By default, all administrators can invite new users to their Azure DevOps organization. Disabling this policy prevents Team and Project Administrators from inviting new users. However, Project Collection Administrators (PCAs) can still add new users to the organization regardless of the policy status. Additionally, if a user is already a member of the organization, Project and Team Administrators can add that user to specific projects.
Prerequisites
- Permissions: Be a member of the Project Collection Administrators group. Organization owners are automatically members of this group.
- Access levels: Be a member in the destination Microsoft Entra ID. For more information, see Convert a Microsoft Entra guest into a member.
Turn off policy
Sign in to your organization (
https://dev.azure.com/{yourorganization}).Select
Organization settings.
Under Security, select Policies, and then move the toggle to off.
Now, only Project Collection Administrators can invite new users to Azure DevOps.
Note
Project and Team Administrators can directly add users to their projects through the permissions blade. However, if they attempt to add users through the Add Users button located in the Organization settings > Users section, it's not visible to them. Adding a user directly through Project settings > Permissions doesn't result in the user appearing automatically in the Organization settings > Users list. For the user to be reflected in the Users list, they must sign in to the system.