This post looks at onboarding users into an Azure DevOps team or project using Azure AD access packages. Azure AD access packages are part of Microsoft Entra Identity Governance and provide a good solution for onboarding internal or external users into your tenant with access to a defined set of resources.
Flow for onboarding Azure DevOps members
Sometimes we develop large projects with internal and external users who need access to an Azure DevOps project for a fixed length of time, which can be extended if required. These users only need access to the Azure DevOps project and should be removed automatically when the contract or project is completed. Azure AD access packages are a good way to implement this.
Use an Azure AD group
Access to the Azure DevOps project can be controlled with a security group in Azure AD. This security group is used to add team members to the Azure DevOps project. Azure AD access packages onboard users into the Azure AD group, and the Azure DevOps project uses the security group to define its members. The “azure-devops-project-access-packages” security group was created for this.
Setup the Azure DevOps
A new Azure DevOps project was created for this demo. The project has a URL on the dev.azure.com domain. The Azure DevOps organization needs to be connected to the Azure AD tenant. Only an Azure AD member with the required permissions can add a security group to the Azure DevOps project.
My test Azure DevOps project was created with the following URL. You can only access this if you are a member.
The project team can now be onboarded.
Create the Azure AD P2 Access packages
To create an Azure AD P2 Access package, you can use the Microsoft Entra admin center. The access package can be created in the Entitlement management blade.
Add the Azure AD security group that you use for adding or removing users in the Azure DevOps project as a resource of the access package. The users are added to this group as members.
Users onboarded through the access package are given a fixed lifetime for the access in the tenant, which can be extended or left to expire as needed.
The users can be added using an access package link, or you can get an admin to assign users to the package. I created a second access package to which any user can request access; the request can then be approved or rejected by the Azure DevOps project manager.
The Azure DevOps administrator can approve the access package request, and the new team member can then access the Azure DevOps project using its public URL. The access package adds the new member to the Azure security group.
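The same setup can be scripted instead of clicked through in the Entra admin center. The following is an added example, not code from the original post: it creates the access package, attaches the Member role of the security group described above, and adds an assignment policy with a fixed lifetime, self-service requests and approval by the project manager for both the initial request and extensions. The request bodies follow the Microsoft Graph v1.0 entitlement management API as I understand it (accessPackages, resourceRoleScopes, assignmentPolicies); the group, catalog and approver ids are placeholders, and the group is assumed to have already been added to the catalog. The `policy_findings` check is my own addition: it flags a policy that would leave access unexpired or unreviewed before anything is sent.

```python
"""Entra ID (Azure AD) access package for the Azure DevOps access group.

Added example, not code from the original post. Request bodies follow the
Microsoft Graph v1.0 entitlement management API as understood by the author
of this example. All object ids are placeholders (assumption): replace them
with ids from your own tenant.
"""
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement"

# Placeholder ids (assumption), not values from the original post.
GROUP_ID = "00000000-0000-0000-0000-0000000000aa"     # azure-devops-project-access-packages
CATALOG_ID = "00000000-0000-0000-0000-0000000000bb"   # catalog the group has been added to
APPROVER_ID = "00000000-0000-0000-0000-0000000000cc"  # Azure DevOps project manager


def access_package_body(name, catalog_id):
    """Body for POST /accessPackages."""
    return {
        "displayName": name,
        "description": "Membership of the Azure DevOps project security group",
        "catalog": {"id": catalog_id},
    }


def group_member_role_scope_body(group_id):
    """Body for POST /accessPackages/{id}/resourceRoleScopes.

    Grants the group's Member role; Graph names that role 'Member_<groupId>'.
    The group must already be a resource in the package's catalog.
    """
    resource = {"originId": group_id, "originSystem": "AadGroup"}
    return {
        "role": {"originId": "Member_" + group_id, "originSystem": "AadGroup", "resource": resource},
        "scope": {"originId": group_id, "originSystem": "AadGroup"},
    }


def assignment_policy_body(package_id, approver_id, valid_days, external=False):
    """Body for POST /assignmentPolicies: self-service request, fixed lifetime,
    project manager approves the initial request and any extension."""
    scope = "allExternalUsers" if external else "allMemberUsers"
    return {
        "displayName": "%s, %d days, manager approval" % (scope, valid_days),
        "allowedTargetScope": scope,
        "expiration": {"type": "afterDuration", "duration": "P%dD" % valid_days},
        "requestorSettings": {
            "enableTargetsToSelfAddAccess": True,
            "enableTargetsToSelfUpdateAccess": True,   # lets members ask for an extension
            "enableTargetsToSelfRemoveAccess": True,
        },
        "requestApprovalSettings": {
            "isApprovalRequiredForAdd": True,
            "isApprovalRequiredForUpdate": True,       # extensions are reviewed too
            "stages": [{
                "durationBeforeAutomaticDenial": "P14D",
                "isApproverJustificationRequired": False,
                "primaryApprovers": [{"@odata.type": "#microsoft.graph.singleUser", "userId": approver_id}],
            }],
        },
        "accessPackage": {"id": package_id},
    }


def policy_findings(policy):
    """Governance checks to run before creating the policy (own addition)."""
    findings = []
    if policy.get("expiration", {}).get("type") not in ("afterDuration", "afterDateTime"):
        findings.append("assignments never expire; leavers keep Azure DevOps access")
    approval = policy.get("requestApprovalSettings", {})
    if not approval.get("isApprovalRequiredForAdd"):
        findings.append("self-service requests are granted without approval")
    if policy.get("requestorSettings", {}).get("enableTargetsToSelfUpdateAccess") \
            and not approval.get("isApprovalRequiredForUpdate"):
        findings.append("members can extend their own access without review")
    if approval.get("isApprovalRequiredForAdd") and not approval.get("stages"):
        findings.append("approval required but no approver stage configured")
    return findings


def post(path, body, token, opener=urllib.request.urlopen):
    """POST a JSON body to Graph; `opener` is injectable so tests can run offline."""
    req = urllib.request.Request(
        GRAPH + path, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"},
    )
    with opener(req) as resp:
        return json.load(resp)


def create_devops_access_package(token, valid_days=90, opener=urllib.request.urlopen):
    """Create the package, attach the group's Member role, then add the policy."""
    package = post("/accessPackages", access_package_body("Azure DevOps project", CATALOG_ID), token, opener)
    post("/accessPackages/%s/resourceRoleScopes" % package["id"], group_member_role_scope_body(GROUP_ID), token, opener)
    policy = assignment_policy_body(package["id"], APPROVER_ID, valid_days)
    problems = policy_findings(policy)
    if problems:
        raise ValueError("; ".join(problems))
    return post("/assignmentPolicies", policy, token, opener)


if __name__ == "__main__":
    # GRAPH_TOKEN: a bearer token for Microsoft Graph with EntitlementManagement.ReadWrite.All.
    print(json.dumps(create_devops_access_package(os.environ["GRAPH_TOKEN"]), indent=2))
```

Run it with a Graph token in `GRAPH_TOKEN` after replacing the placeholder ids. Pass `external=True` to `assignment_policy_body` for the second package that external users request themselves; the approval stage is what keeps the project manager in the loop for those requests and for extensions.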
An access package link would look something like this:
[…] Use Azure AD Access Packages to onboard users in an Azure DevOps project (Damien Bowden) […]