
I have an Azure DevOps org tied to an AAD tenant and it looks like it is possible for a user in the Project Administrators (not Collection Admin) group to add a new user from AAD to the org via the project, who was not in the org before, bypassing adding to the org.

Is there any way, programmatically or through the UI, to prevent this behavior? Even though the audit logs capture this, it's not totally safe to allow someone from the Project Admins group to add anyone from AAD to the project who can then access the org.


1 Answer


From this document: "To add users to a project, you must be a member of the Project Administrators or Project Collection Administrators groups."

It is by design that a project admin has the highest permission in the project and can of course add users to this project. But the user added to this project can only access this specific project. Since the user is added to the project, he will also be a user of the org and be listed in the users list. But his permission is limited to this project only.

If you do not want a user in the Project Administrators group to add a new user from AAD, you should remove this user from the Project Administrators group.