Restrict Work Item Access to Azure DevOps Team Members
In Azure DevOps, all project members can access work items by default, regardless of their team membership. To secure team work items and restrict access to only specific users (typically team members), you can choose one of the following two approaches:
Option 1: Use a Custom Group to Explicitly Deny Access
This approach uses the “Deny overrides Allow” principle. In Azure DevOps, if a user is denied a permission at any level, that denial takes precedence over any allowed permissions elsewhere.
Steps:
1. Go to Project Settings > Permissions, then click New Group.
2. Name the group (e.g., NonTeamMembers - Deny Access), add the users you want to restrict, and click Create.
3. Navigate to Project Settings > Areas, select the desired team area, click the ellipsis (⋯), and choose Security.
4. Search for the custom group you created. Initially, all permissions are Not set. Users in the project, even those outside the team, can still view team work items unless explicitly denied.
5. Set the required permissions (e.g., View work items in this node) to Deny for the group.
Now, these users will be restricted from seeing the work items in this area.
Option 2: Remove Inherited Groups and Grant Access Only to Team Members
Instead of managing denials, this method removes default groups (like Contributors or Readers) from the area and assigns permissions only to the team members you want to allow access.
Steps:
1. Navigate to the team area security panel (same as in Step 3 of Option 1 above), select the Contributors group, and click Remove. Users in this group will lose access to work items after removal.
2. Repeat this for the Readers group if it is listed. Now only explicitly granted users will have access.
3. Finally, add your team members individually or through a dedicated group and set permissions to Allow.
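The two options can be compared with a small model of how allow and deny bits on an area resolve for each user. This is an added example, not Azure DevOps code: the users, the Team A group, the ACL contents, and the bit values are constructed assumptions, and inheritance from parent nodes is not modelled.

```python
# Simplified model of "Deny overrides Allow" on one area node.
# Bit values are assumptions chosen for illustration.
VIEW = 16   # stands for "View work items in this node"
EDIT = 32   # stands for "Edit work items in this node"

# Constructed membership: user -> groups the user belongs to.
MEMBERSHIP = {
    "alice": {"Contributors", "Team A"},                        # team member
    "bob": {"Contributors", "NonTeamMembers - Deny Access"},    # restricted
    "carol": {"Readers"},                                       # outsider nobody listed
}

def effective_bits(user, acl):
    """Union the allow and deny masks of every entry that applies, then let deny win."""
    allow = deny = 0
    for identity, ace in acl.items():
        if identity == user or identity in MEMBERSHIP[user]:
            allow |= ace.get("allow", 0)
            deny |= ace.get("deny", 0)
    return allow & ~deny

def viewers(acl):
    """Return the users who can still view work items under this ACL."""
    return sorted(u for u in MEMBERSHIP if effective_bits(u, acl) & VIEW)

# Default state: the built-in project groups carry the permissions.
DEFAULT_ACL = {
    "Contributors": {"allow": VIEW | EDIT},
    "Readers": {"allow": VIEW},
}

# Option 1: keep the defaults and add an explicit Deny for the custom group.
OPTION1_ACL = {**DEFAULT_ACL, "NonTeamMembers - Deny Access": {"deny": VIEW}}

# Option 2: remove the default groups and allow only the team group.
OPTION2_ACL = {"Team A": {"allow": VIEW | EDIT}}

if __name__ == "__main__":
    for name, acl in [("default", DEFAULT_ACL),
                      ("option 1", OPTION1_ACL),
                      ("option 2", OPTION2_ACL)]:
        print(f"{name:9s} viewers: {viewers(acl)}")
```

In this model, Option 1 blocks only the users placed in the deny group, so carol keeps view access until she is added, while Option 2 excludes everyone who was not explicitly granted access.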