Azure DevOps – Automatic user provisioning via Azure Active Directory


When managing any IT infrastructure, you want to rely on as much automation as possible. As you probably know, you can integrate Azure DevOps with Azure Active Directory. The next step would be to ensure that you do not need to do any manual tasks in terms of adding/removing users from Azure DevOps. Which is something you can do with Group Rules. So for today, let us go through a brief setup of how we can achieve that all users from a given Azure Active Directory (AAD) group get automatically added upon login to a given access level in Azure DevOps.

What are we going to do?

The thing we want to achieve it the following outcome ;

A user got added by a group rule and not “Direct”-ly (manual). We want to choose which access level this user gets by default too.

Let us make it real!

In AAD, I have created a group called “ADO_StakeHolder”.

Which has four users ;

And my Azure DevOps (ADO) organization is linked to the same AAD ;

Now let us go to “Users” and then to “Group Rules” ;

Click “Add Group rule” ;

And I am going to add the group I just created and give it a default access level. Yes, in the screenshot I selected Basic instead of my group indicating Stakeholder… Dang! But you get the idea, right? Anyhow, the group will be “processed” (evaluated), and we are good to go. You will see nothing changing in the user lists…

Until after the user logged in for the first time. Then the user gets added, and the administrator sees that the source was “Group Rule”.

Closing Thoughts

The odd thing was that till now I had not played around with the group rules yet. So big shoutout to Mike for giving me the golden tip on how to achieve this! 😉

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.