About accessing your organization via Microsoft Entra ID

Azure DevOps Services

This article discusses controlling access to your organization using Microsoft Entra ID. Connecting your organization to Microsoft Entra ID enhances security and simplifies user management.

Organization configuration options and benefits

Azure DevOps organizations support two primary authentication configurations that determine which types of users can collaborate within your organization. While access is always restricted to users you explicitly add, the configuration type controls the available user pool from which you can select.

Connected to Microsoft Entra ID

These organizations are integrated with Microsoft Entra ID, enabling centralized identity and access management.

User access:

Benefits:

  • Centralized management: Manage user access and permissions from a single location. Microsoft Entra administrators oversee user access, providing secure and centralized control.
  • Enhanced security: Utilize advanced security features like MFA and conditional access.
  • Simplified user experience: Provide a seamless sign-in experience with SSO.
  • Directory-based authentication: Only users who are members or guests in your directory can access your organization.
  • Access revocation: Disabled or removed users have no access by any mechanism, including PATs or SSH.
  • Seamless integration: Enhanced integration with Microsoft 365 services.

Ownership: The organization is governed by Microsoft Entra administrator policies and can be recovered by the administrator if it becomes orphaned.

Not connected to Microsoft Entra ID

These are standalone Azure DevOps organizations that primarily use Microsoft accounts (MSAs) for authentication.

User access:

  • ✅ Microsoft account users can sign in freely.
  • ⚠️ Entra ID users can only sign in if their sign-in address matches their Entra user principal name (UPN). When adding Entra users to your organization, ensure you add them by UPN.

Limitations: Lacks centralized identity governance and enterprise-grade security features.

Ownership: Owned by the creator of the organization.

High-level steps to connect your organization to Microsoft Entra ID

  1. Connect to Microsoft Entra ID: If your organization was created with a Microsoft account, connect it to your Microsoft Entra ID. This integration allows you to manage access and enforce security policies centrally.
  2. Sign in: Use the same credentials that you use with your Microsoft services to sign in to Azure DevOps. The single sign-on (SSO) capability streamlines the sign-in process and improves security.
  3. Enforce policies: Implement and enforce policies to control access to your team's critical resources and key assets. Microsoft Entra ID provides robust policy management features, including multifactor authentication (MFA), conditional access, and role-based access control.

How Microsoft Entra ID controls access to Azure DevOps

Your organization authenticates users through its directory, ensuring that only members or guests within that directory can access your organization. Users who are disabled or removed from your directory are denied access by any mechanism, including personal access tokens (PATs) or SSH.

Access control is managed by specific Microsoft Entra administrators who oversee user management within your directory. These administrators can control who gets access to your organization, ensuring secure and centralized management.

Without Microsoft Entra ID, you're solely responsible for controlling organization access. In this case, all users sign in with only Microsoft accounts, and you manually manage user permissions and access.

For more information, see Frequently asked questions about Azure access and Connect your organization to Microsoft Entra ID.