Set branch permissions

TFS 2017 | TFS 2015

Set up permissions to control who can read and update the code in a branch on your Git repo. You can set permissions for individual users and groups, and inherit and override permissions as needed from your repo permissions.


Select a version from TFS Content Version selector.

To view the content available for your platform, make sure that you select the correct version of this article from the version selector which is located above the table of contents. Feature support differs depending on the on-premises version of TFS you are using. .
To learn which on-premises version you are using, see What platform/version am I using?

Use the branches view to configure security

  1. Open the Branches page by navigating to your project in the web portal and selecting Code, Branches.

    Open up the Branches page on the web

  1. Locate your branch in the page. You can browse the list or you can search for your branch using the Search all branches box in the upper right.

    Branches page

  2. Open the context menu by selecting the ... icon next to the branch name. Select Branch security from the menu.

    Open the branch permissions page from the branches context menu

Add users or groups


You can only add permissions for users and groups already in your Project. Add new users and groups to your Project before setting branch permissions.

Add users or groups to your branch permissions by selecting Add.
Enter the sign-in address or group alias, then select Save Changes.

Remove users or groups

Remove permissions for a user or group by selecting the user or Azure DevOps group, then selecting Remove. The user or group will still exist in your Project and this change will not affect other permissions for the user or group.

Remove branch permissions for a user in Azure DevOps Services or TFS

Set permissions

Control branch permission settings from the branch permission view. Users and groups with permissions set at the repository level will inherit those permissions by default. To learn more about how permissions work, see Permission settings.




Can set branch permissions for other users, delete the branch, and lock the branch.


Can push new commits to the branch and lock the branch. Can't rewrite existing commits on the branch.

Edit policies

Can edit branch policies.


Requires TFS-2017.1 or later version.

Exempt from policy enforcement

Are exempt from branch policies when completing pull requests and can override the policies by checking Override branch policies and enable merge when completing a PR. Can also push to a branch that has branch policies enabled.


Requires TFS-2017.1 or later version.

Force push (rewrite history, delete branches and tags)

Can force push to a branch, which can rewrite history. This permission is also required to delete a branch.


Requires TFS-2017.1 or later version.

Manage permissions

Can set permissions for the branch.


Requires TFS-2017.1 or later version.

Remove others' locks

Can remove locks set on branches by other users.


Requires TFS-2017.1 or later version.

Rewrite and destroy history (force push)

Can force push to a branch, delete a branch, and modify the commit history of a branch.