My understanding is that branch policies allow us to prevent pushes to master but allow PRs. But I could not find a policy or security setting in Azure DevOps that allows me to do this. What am I missing?
After you set up a required branch policy, you can't directly push changes to the branch. Changes to the branch are only made through pull requests. You can refer to this documentation:
A branch that has required policies configured can't be deleted, and requires pull requests (PRs) for all changes.
You can't push changes directly to branches that have required branch policies unless you have permissions to bypass branch policies. Changes to these branches can be made only through pull requests. You can push changes directly to branches that have optional branch policies, if they have no required branch policies.
Please note that:
For example: If the policy requirement here is optional, you can still push changes directly to the branch. If the policy requirement here is required, you need to create a pull request to push changes.
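The required/optional distinction described above can be audited from exported policy configurations. The following is an added example, not part of the original answer or the linked documentation. It assumes the field names of the Azure DevOps Policy Configurations REST API (`isEnabled`, `isBlocking`, `settings.scope`), with `isBlocking` corresponding to a required policy; the sample data is constructed, and bypass permissions are not modeled.

```python
# Added example: classify branches from Azure DevOps policy configurations.
# SAMPLE_CONFIGS is constructed data shaped like the "value" array returned by
# the Policy Configurations REST API; it is not output from a real project.
SAMPLE_CONFIGS = [
    {"isEnabled": True, "isBlocking": True,
     "type": {"displayName": "Minimum number of reviewers"},
     "settings": {"scope": [{"refName": "refs/heads/master", "matchKind": "Exact"}]}},
    {"isEnabled": True, "isBlocking": False,
     "type": {"displayName": "Comment requirements"},
     "settings": {"scope": [{"refName": "refs/heads/develop", "matchKind": "Exact"}]}},
    {"isEnabled": False, "isBlocking": True,
     "type": {"displayName": "Build"},
     "settings": {"scope": [{"refName": "refs/heads/release", "matchKind": "Prefix"}]}},
]


def scope_matches(scope, branch):
    """True if one scope entry covers the given full ref name."""
    ref = scope.get("refName") or ""
    if scope.get("matchKind") == "Prefix":
        # Assumption: a Prefix scope covers the ref itself and refs below it.
        return branch == ref or branch.startswith(ref.rstrip("/") + "/")
    return branch == ref


def policies_for(configs, branch):
    """Split enabled policies covering `branch` into (required, optional) names."""
    required, optional = [], []
    for cfg in configs:
        if not cfg.get("isEnabled") or cfg.get("isDeleted"):
            continue  # disabled or deleted policies enforce nothing
        scopes = cfg.get("settings", {}).get("scope", [])
        if any(scope_matches(s, branch) for s in scopes):
            name = cfg.get("type", {}).get("displayName", "unknown")
            (required if cfg.get("isBlocking") else optional).append(name)
    return required, optional


def direct_push_blocked(configs, branch):
    """A branch requires PRs only when at least one required policy covers it."""
    required, _ = policies_for(configs, branch)
    return bool(required)


if __name__ == "__main__":
    for b in ("refs/heads/master", "refs/heads/develop", "refs/heads/release/1.0"):
        print(b, "PR required" if direct_push_blocked(SAMPLE_CONFIGS, b) else "direct push allowed")
```

A branch reported as "direct push allowed" has only optional or disabled policies, which matches the behaviour described in the answer.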