Add users or groups to an access level

TFS 2017 | TFS 2015 | TFS 2013

Users must be added to a group with the appropriate permissions, to connect and use the functions and features that Azure DevOps Server provides. To use select web portal features, they must also belong to the access level that enables access to that feature. For an overview of each access level, see About access levels.

This article applies to managing access levels for project collections defined on an on-premises Azure DevOps. To manage access levels for the Azure DevOps Services (the cloud service), see Add users to your organization or project. For Azure DevOps feature availability, see the Azure DevOps Feature Matrix.


Make sure that you select the correct version of this article for Azure DevOps Services or Azure DevOps Server, renamed from Team Foundation Server (TFS). The version selector is located above the table of contents.
Content version selector

For a simplified overview of the permissions that are assigned to the most common groups—Readers, Contributors, and Project Administrators—and the Stakeholder access group, see Permissions and access.


Even if you set a user or group's access level, you must add them to a project for them to connect to a project and access features available through a supported client or the web portal.

Make sure to set each user's access level based on what you've purchased for that user. Basic access includes all Stakeholder features - Basic + Test Plans, Advanced and Visual Studio Enterprise subscriber access levels include all Basic features. In the images provided below, the circled features indicate the features made available from the previous access level.


Open access levels

You manage access levels for the collections defined on the application tier. The default access level you set applies to all projects defined for all collections. Users or groups that you add to teams, projects, or collections are granted the access level that you set as the default. To change the access level for a specific group or user, add them specifically to a non-default access level.

From a user context, open Server Settings by choosing the gear icon. The tabs and pages available differ depending on which settings level you access.

  • From the web portal home page for a project (for example, http://MyServer:8080/tfs/DefaultCollection/MyProject/), open Server settings.

    TFS 2017, Web portal, open the Server settings admin context

Add a user or group to an access level

Changes you make to the access level settings take affect immediately. You can add or change the access level for a user or group through this interface.

  1. From Access levels, select the access level you want to manage. For example, here we choose Stakeholder, and then Add to add a group to Stakeholder access.

    TFS 2017, Web portal, Server settings admin context, Access levels, Stakeholder access level, Add user or group

    If you don't see Access levels, you aren't a TFS administrator and don't have permission. Here's how to get permissions.

  2. Enter the name of the user or group into the text box. You can enter several identities into the text box, separated by commas. The system automatically searches for matches. Choose the matches that meet your choice.

    Add users and group dialog

  3. Choose Save changes.

Change the access level for a user or group

To change the access level for a user or group, first remove them from their existing access level, and then add them to the access level you want them to have.

  1. Choose the user or group and then select Remove.

    Collection level permissions and groups

  2. Add the user or group to the other access level following the steps provided in the previous section.

Change the default access level

Change the default access level to match the access you have licenses for. If you change the default access level to Stakeholder, all users not explicitly added to the Basic or an advanced level are limited to the features provided through Stakeholder access.

You set an access level from its page. Choose Set as default access level as shown.

Admin context, Control panel, Access levels, Stakeholder tab, set as default access level


Service accounts are added to the default access level. If you set Stakeholder as the default access level, you must add the Azure DevOps service accounts to the Basic or an advanced access level group.

Guide to features and access levels

For details on the features available to each access level, see About access levels.