Setting up Azure DevOps in Organizations and Enterprises

Josef Zweck
Published in clusterreply
Jan 11, 2019

Microsoft recently rebranded its CI/CD and DevOps platform — Microsoft Visual Studio Team Services (VSTS) — to Azure DevOps.

Azure DevOps introduced the concept of Azure DevOps Organizations. An Azure DevOps Organization is meant to reflect exactly what its name suggests — an organizational unit within an enterprise, or even the whole company itself.

However, there seems to be some confusion concerning setup and management of Azure DevOps Organizations. The main cause of this confusion lies in the new name itself: “Azure” DevOps.

Creating an Azure DevOps organization

If you head over to the Azure Portal and search for “DevOps”, you will find two services: an “Azure DevOps organizations” service and a “DevOps Projects” service.

Search for “devops” in the Azure Portal

So Azure DevOps must be a service within the Azure platform now, right?

You thought wrong! Rather than being an Azure service, as the name implies, Azure DevOps is (at the time of this writing) not actually an Azure resource. The name “Azure DevOps” is merely a renaming of the old VSTS service (and of course an update with a new UI and new features), but it is still a separate product.

This becomes evident once you try to create a new Azure DevOps organization. If you visit the “Azure DevOps organizations” service in the Azure Portal, you will get a list of all your DevOps organizations. From here you can view and manage some settings for your DevOps organizations.

List of DevOps Organizations in the Azure Portal

But wait: where is that “Add” button you are used to from (almost) every other service in Azure? It’s not there!

Let’s try a different approach: the “Create a resource” button at the top left of the Azure portal. If you search for “DevOps”, the only thing you will find is an “Azure DevOps Project”. An Azure DevOps Project represents a project within your company, for example your new website, and as such must be created within an existing Azure DevOps organization. If you create an Azure DevOps project from the Azure portal and you do not have an existing Azure DevOps organization, you will be able to create a new Azure DevOps organization. But be careful: that organization will be created only for the user you are currently signed in with. If you already have an Azure DevOps organization, you won’t even have the option to create a new organization. Another word of advice: if you create an Azure DevOps Project from within the Azure Portal, your options for the project settings are very limited.

We mentioned earlier that Azure DevOps is still a separate product, and as such it is best to create both new organizations and new projects from the Azure DevOps Portal.

Here you can find the button for a new organization on the bottom left of the page and the button for a new project is located in the top right corner.

Create a new organization or a new project from the Azure DevOps Portal

But be aware! A new organization will still be created for the current user. This means that every DevOps user is able to create an organization that, by default, no other user will be able to access. Some of you might say now: “But I read that Azure DevOps is integrated into Azure Active Directory (AAD) and I’m a Global Admin. So, I’m able to access every organization that is created within my Azure Tenant!”

Azure DevOps with Azure Active Directory

Again, remember what we said earlier: Azure DevOps is not an actual Azure service! This means that the Azure DevOps organizations do not reside in your Azure tenant and therefore are not integrated into your AAD. Don’t get me wrong: yes, there is an AAD integration. But this only provides the possibility for the organization’s owner to invite users from within the AAD to access the organization.

Azure DevOps is not a service within Azure. It is a separate product with a connector to Azure AD that lets the owner of a DevOps organization invite users from the AAD that the owner is in.

No user other than the owner of the organization will be able to see the organization under the “Azure DevOps organizations” service in the Azure portal. Also, Azure DevOps does not support multiple owners, like Azure services that support Role-Based Access Control (RBAC) do. An Azure DevOps organization will only have a single owner at a time.

The administrators among you will most probably say: “We have to prevent our users from creating their own organizations if we can’t manage them!” But the problem is: you can’t. For now, there is simply no option to do so.

Administering Azure DevOps in your enterprise

Our advice is to create an Azure DevOps organization with a generic user (that way you ensure the DevOps owner will stay within the company) and to define a company-wide process or policy stating that projects are to be created only in the organization you provided.

Another approach that might work and that you could try is to block the association of new DevOps organizations with your AAD by blocking app registrations from non-admin users. This still wouldn’t prevent users from creating their own DevOps organizations, but it would prevent them from inviting colleagues to their custom organizations and therefore discourage them from using those.

Changing an Azure DevOps Owner

But what if an employee created a DevOps organization that is in active use and this employee is about to leave your company? Luckily, it’s easy to change the owner of a DevOps organization. Those settings are accessible at the DevOps Portal → Organization settings (bottom left of the portal) → Overview → Organization owner.

Change Organization owner in the DevOps Portal

What if that employee already left the company, but an important project with precious code is still hosted in this DevOps organization and you need to obtain access?

One way to achieve this is to call Microsoft Support. They can assign the organization to a different owner.

Another possibility is for an AAD administrator to change the password of the user who left the company, log in as this user, and manually change the owner of the DevOps organization.

Conclusion

While the current situation might not be ideal, Azure DevOps is a great tool that is definitely worth taking a look at! Also, like every other Azure-related service, Azure DevOps is updated and extended frequently, and a feature that is missing today might be there tomorrow.

If you have any further questions, feel free to leave a comment or to contact us!
