Tags: azure-devops, azure-repos

ADO - Granular Permission for Users on Team


The company I work for set up an ADO team that includes all developers regardless of seniority. However, we want to limit contributing to our master branch to just the project lead and the architects.

So what I did was set the contribute permission for the team to deny, manually add the project lead and architects, and manually set their contribute to allow.

However, when I refresh the page and revisit it, the project lead and architects are being denied the contribute permission due to inheritance from the team. This happens regardless of whether the inheritance toggle is on or off.

The basic idea is that when we create a new project we want to add just the team to include everyone but then granularly define the permissions for the master branch. Is this even possible in ADO? The UX around permissions has been an absolute nightmare.


Solution

  • Permissions in Azure DevOps follow a principle of "least privilege".

    i.e. if an account has been Denied a particular permission (either directly or via group membership), an alternate Allow setting, whether applied directly or via group membership, will not override that.

    This can create confusion when someone is unable to do something that settings appear to explicitly Allow (as in your case).

    As a result, User/Group permissions are not well suited to this particular type of problem. As Rui explains, policies and permissions that apply to specific branches are supported through the aptly named Branch Policies configuration.
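The following is an added example, not part of the answer above: a small model of the "Deny is never overridden by Allow" rule the answer describes, run against the questioner's own setup (whole team denied Contribute, lead and architects given a direct Allow). The principal, group and ACL names are constructed for illustration and are not from the page.

```python
from dataclasses import dataclass, field

# Constructed model of the rule from the answer: an explicit Deny, whether
# set on the user directly or on any group they belong to, wins over any
# Allow from anywhere else. "Not set" is the absence of an entry.
ALLOW, DENY, NOT_SET = "Allow", "Deny", "Not set"


@dataclass
class Principal:
    name: str
    groups: set = field(default_factory=set)


def effective_permission(user: Principal, acl: dict) -> str:
    """Evaluate one branch-scoped permission (e.g. Contribute on master).

    acl maps a user or group name to "Allow" or "Deny"; missing names
    count as "Not set".
    """
    entries = [acl.get(user.name, NOT_SET)]
    entries += [acl.get(group, NOT_SET) for group in user.groups]
    if DENY in entries:
        return DENY          # any Deny, direct or inherited, is final
    if ALLOW in entries:
        return ALLOW
    return NOT_SET           # nothing explicit: the action is not permitted


def scenario_from_question() -> dict:
    """Team denied, lead/architect allowed directly (the question's setup)."""
    acl = {"All Developers": DENY, "lead": ALLOW, "architect1": ALLOW}
    people = [
        Principal("lead", {"All Developers"}),
        Principal("architect1", {"All Developers"}),
        Principal("junior", {"All Developers"}),
    ]
    return {p.name: effective_permission(p, acl) for p in people}


def scenario_without_deny() -> dict:
    """Same people, but the team entry is left Not set and a separate
    constructed group carries the Allow, so no Deny exists to win."""
    acl = {"Release Managers": ALLOW}
    people = [
        Principal("lead", {"All Developers", "Release Managers"}),
        Principal("junior", {"All Developers"}),
    ]
    return {p.name: effective_permission(p, acl) for p in people}
```

Running `scenario_from_question()` reproduces what the questioner saw: the lead and architects evaluate to Deny despite their direct Allow, while `scenario_without_deny()` shows the Allow taking effect once no Deny entry is present.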