Tags: azure, azure-devops, azure-active-directory

Automatically Provisioning Azure DevOps Licenses Based on Entra ID Group Membership


I am currently working with Microsoft Entra ID and Azure DevOps. Within our organization, I’ve created an Entra ID group that represents a specific team/department. As users join this team, they are added to the group. My objective is to automatically provision Azure DevOps licenses to these users based on their group membership. Specifically, when a user is added to the group, they should receive an Azure DevOps license (such as Stakeholder or Basic depending on the group). Also, if a user leaves the group or organization, their Azure DevOps license should be revoked.

As part of my research, I have reviewed the documentation for both Microsoft Entra ID and Azure DevOps. My expectation was to find a straightforward method for configuring automatic license provisioning based on group membership similar to how GitHub handles user provisioning with Entra (https://learn.microsoft.com/en-us/entra/identity/saas-apps/github-provisioning-tutorial). However, I currently lack clarity on the steps and best practices required to achieve this integration.

I’m also considering building an external service to manage Azure DevOps operations. However, I’ve encountered a challenge: I couldn’t find a straightforward way to set up triggers when specific operations (such as adding or removing users) occur within an Entra ID group.


Solution

  • You can set group rules in the Azure DevOps organization to meet your demands.

    1. Go to "Organization Settings" > "Microsoft Entra" and ensure the organization is connected to the Microsoft Entra tenant that the group is in.

    2. Go to "Organization Settings" > "Users" > "Group rules" tab, click "Add a group rule".

    3. On the pop-up window, search and select the Microsoft Entra group you want, set the Access level of the group, and set the Projects that the group can access.

    4. Once the group rule is set, the users in this group will have the licenses assigned to the group.

    5. If you add a new user to the group, this user will normally get the licenses automatically after they first successfully log in to the Azure DevOps organization. If the new users are not synced to Azure DevOps, you can try clicking "Re-evaluate Rules" on the "Group rules" tab.
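The same group rule can be created and checked from a script. The block below is an added example, not code from the question or the answer above: it builds the request body that the portal steps create through the Member Entitlement Management REST API, and it reconciles an Entra group's membership against the organization's user entitlements to list members the rule has not reached yet (the "Re-evaluate Rules" case in step 5). The endpoint paths, the `accountLicenseType` values ("express" for Basic, "stakeholder" for Stakeholder) and the PAT scope named in the comments are the author's assumptions from memory and should be checked against the current API reference; the entitlement records are constructed sample data, not output captured from a real organization.

```python
"""Create an Azure DevOps group rule for an Entra ID group and check which
group members it has not reached yet. Added example; endpoints and license
type names are assumptions to verify against the REST API reference."""
import base64
import json
import urllib.request

# Access-level names as the Member Entitlement Management API expects them
# (assumption: "express" is Basic, "stakeholder" is Stakeholder).
ACCESS_LEVELS = {
    "Basic": {"accountLicenseType": "express", "licensingSource": "account"},
    "Stakeholder": {"accountLicenseType": "stakeholder", "licensingSource": "account"},
}


def build_group_rule(entra_group_object_id, access_level, project_ids=(),
                     project_group="projectContributor"):
    """Return the JSON body for POST .../_apis/groupentitlements.

    The group is referenced by its Entra object ID with origin "aad"; each
    project ID becomes a project entitlement in the given project group.
    """
    if access_level not in ACCESS_LEVELS:
        raise ValueError(f"unknown access level {access_level!r}; "
                         f"expected one of {sorted(ACCESS_LEVELS)}")
    return {
        "group": {"origin": "aad", "originId": entra_group_object_id,
                  "subjectKind": "group"},
        "licenseRule": dict(ACCESS_LEVELS[access_level]),
        "projectEntitlements": [
            {"group": {"groupType": project_group}, "projectRef": {"id": pid}}
            for pid in project_ids
        ],
    }


def members_missing_access(group_member_upns, user_entitlements, expected_license):
    """Return group members (sorted UPNs) that do not hold the expected license.

    A member shows up here if they have no entitlement at all (typically: not
    signed in yet) or hold a different access level. Both are the situation
    where re-evaluating the rules in the portal is the next step.
    """
    held = {}
    for ent in user_entitlements:
        upn = ent["user"]["principalName"].lower()
        held[upn] = ent["accessLevel"]["accountLicenseType"]
    return sorted(u for u in group_member_upns
                  if held.get(u.lower()) != expected_license)


def create_group_rule(organization, pat, body):
    """POST the rule to the org. Needs network access and a PAT with the
    Member Entitlement Management (read & write) scope (assumption)."""
    url = (f"https://vsaex.dev.azure.com/{organization}/_apis/groupentitlements"
           f"?ruleOption=ApplyGroupRule&api-version=7.1-preview.1")
    token = base64.b64encode(f":{pat}".encode()).decode()
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req) as resp:  # not executed offline
        return json.load(resp)


# Constructed sample: what a trimmed GET .../_apis/userentitlements record
# looks like. Alice already holds Basic, Bob only Stakeholder, Carol has
# never signed in and so has no entitlement at all.
SAMPLE_ENTITLEMENTS = [
    {"user": {"principalName": "Alice@contoso.example"},
     "accessLevel": {"accountLicenseType": "express"}},
    {"user": {"principalName": "bob@contoso.example"},
     "accessLevel": {"accountLicenseType": "stakeholder"}},
]
SAMPLE_GROUP_MEMBERS = ["alice@contoso.example", "bob@contoso.example",
                        "carol@contoso.example"]

if __name__ == "__main__":
    rule = build_group_rule("00000000-0000-0000-0000-000000000001", "Basic",
                            project_ids=["11111111-1111-1111-1111-111111111111"])
    print(json.dumps(rule, indent=2))
    print("not yet at Basic:",
          members_missing_access(SAMPLE_GROUP_MEMBERS, SAMPLE_ENTITLEMENTS,
                                 rule["licenseRule"]["accountLicenseType"]))
```

Run the reconciliation after a new member joins the group: if the member appears in the output after their first sign-in, re-evaluate the rules in the portal as step 5 describes. The UPN comparison is case-insensitive because Entra and Azure DevOps do not always agree on the casing of the principal name.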