| title | Change Project-Level Permissions or Group Membership |
|---|---|
| titleSuffix | Azure DevOps |
| description | Learn how to change project-level permissions or group membership in Azure DevOps. |
| ms.subservice | azure-devops-security |
| ms.custom | security-refresh |
| ai-usage | ai-assisted |
| ms.author | chcomley |
| author | chcomley |
| ms.topic | quickstart |
| monikerRange | <= azure-devops |
| ms.update | 90-days |
| ms.date | 09/18/2025 |
[!INCLUDE version-lt-eq-azure-devops]
Many permissions are managed at the project level. You can grant project-level capabilities by adding users or groups to the built-in Project Administrators group, or by assigning specific project permissions to a custom security group or an individual user.
Consider adding users to Project Administrators when they need to add or manage teams, area and iteration paths, repositories, service hooks, or service connections.
What you'll learn:
- How to add members to the Project Administrators group.
- How to change project-level permissions for a group or user.
- Notes about tagging permissions, Microsoft Entra groups, and Stakeholder access limits.
[!INCLUDE project-level-permissions]
Note
The permission that allows adding or removing project-level security groups (and managing their membership) is granted to all members of the Project Administrators group. This capability is not exposed as a separate permission in the user interface.
By default, the Contributors group is granted the Create tag definition permission. Although this permission appears at the project level in the UI, tagging is implemented as a collection-level capability. When you modify tagging permissions using command-line tools, provide the project GUID to scope the change to a single project; otherwise your change applies to the entire collection. For more information, see Security groups, service accounts, and permissions — Work item tags.
| Category | Requirements |
|---|---|
| Permissions | Member of the Project Administrators group. If you created the organization or collection, you're automatically a member. |
| Directory services | If you plan to add directory groups, ensure Microsoft Entra ID (Azure AD) groups are available and synced to Azure DevOps. See Add AD/Azure AD built-in security groups. |
Note
Users with Stakeholder access have limited feature access even if specific permissions are granted. See Stakeholder access quick reference.
You can add users or directory groups (for example, Microsoft Entra ID groups) to the built-in Project Administrators group. To add a custom security group to a project, first create the group as described in Use security groups to manage users and groups.
Cloud (Azure DevOps Services) ::: moniker range="azure-devops"
Note
To enable the Project Permissions Settings preview page, see Enable preview features.
-
Sign in to your organization:
https://dev.azure.com/{yourorganization}. -
Select Project settings > Permissions.
:::image type="content" source="media/permissions/open-project-settings-permissions-preview.png" alt-text="Permissions section in Project settings.":::
-
Choose the Project Administrators group > Members > Add.
:::image type="content" source="media/project-collection/project-admin-members-add.png" alt-text="Add member in Permissions.":::
-
Enter the user account or security group name in the Add users and/or groups box, select one or more matches, and then select Save.
:::image type="content" source="media/project-collection/add-member-project-admin.png" alt-text="Add users and group dialog."::: ::: moniker-end
On-premises / older UI ::: moniker range="<azure-devops"
-
Sign in to your organization:
https://dev.azure.com/{yourorganization}. -
Select Project settings > Security.
:::image type="content" source="media/view-permissions/open-security-project-level-vert.png" alt-text="Project settings, Security.":::
-
Select Project Administrators > Members > Add.
:::image type="content" source="media/project-level-permissions-add-member.png" alt-text="Project Settings, Security, Add member.":::
-
Enter one or more user or group names, choose matches, and select Save changes. Refresh the page to see updates.
:::image type="content" source="media/project-level-permissions-add-a-user.png" alt-text="Add users dialog, on-premises."::: ::: moniker-end
You can modify project-level permissions for any project-associated group (except the built-in Project Administrators group). Each team added to a project is exposed as a project-level group and can be granted specific permissions.
Cloud (Azure DevOps Services) ::: moniker range="azure-devops"
Note
To enable the Project Permissions Settings preview page, see Enable preview features.
-
Open Project settings > Permissions.
-
Choose the group (for example, Contributors).
-
Toggle permission assignments (Allow / Deny / Inherit). Changes are saved automatically.
:::image type="content" source="media/project-collection/delete-restore-work-items-permissions-s154.png" alt-text="Contributors group permissions.":::
Tip
Adding a user to Contributors grants the ability to add and modify work items. To limit that capability by area, scope permissions at the Area Path level — see Modify work items under an area or iteration path. ::: moniker-end
On-premises / older UI ::: moniker range="< azure-devops"
-
Open Project settings > Security.
-
Choose the group, update permission assignments, and select Save changes.
:::image type="content" source="media/project-level-permissions-contributors-group.png" alt-text="Contributors group permissions, on-premises."::: ::: moniker-end
For a description of each permission, see Permissions and groups reference — project-level permissions.
Note
You cannot change the permission settings for the built-in Project Administrators group. This is by design.
You can change project-level permissions for an individual user. Permission inheritance still applies — check the user's group memberships when evaluating effective permissions.
Cloud (Azure DevOps Services) ::: moniker range="azure-devops"
-
Open Project settings > Permissions.
-
Select Users, pick the user, and update permission assignments. Changes are saved automatically.
:::image type="content" source="media/change-project-level/choose-users-select-user.png" alt-text="Users tab, select a user.":::
-
Make the required permission changes (for example, Edit project-level information), then close the dialog.
:::image type="content" source="media/change-project-level/change-project-level-permission-for-user.png" alt-text="Change permission for selected user."::: ::: moniker-end
On-premises / older UI ::: moniker range="< azure-devops"
-
Open Project settings > Security.
-
Use Filter users and groups to find a user, change permissions, and select Save changes.
:::image type="content" source="media/change-project-level/change-project-level-permission-for-user-current-page.png" alt-text="Change permission for user, on-premises."::: ::: moniker-end
[!INCLUDE enable-mcp-server]
[!div class="nextstepaction"] Manage projects