We are using Azure Entra ID security groups to add users to ADO.
Mappings are:
- Some SGs are added at the Org level using the Group rules when "basic" and "Basic + Test plan" access is mandatory, and we select one or multiple projects, and the role in the projects.
- We add the SGs directly into the project permissions when all need stakeholder permission or only a few from the group need "basic" and "Basic + Test plan" access, so that later we can add those users with access at the settings level.
Now all of a sudden Project Management wants to rename these security groups, due to which I believe that there are 2 scenarios.
- Either ADO database will also be updated with a new name and there won't be any impact.
- ADO database will not update the records and create a new record for the Groups and Permissions table, causing a re-assignment of all.
Can someone from the ADO side respond as to which is the feasible scenario of the two above?
edited Nov 29, 2024 at 8:02 by Venkat V; asked Nov 19, 2024 at 8:32 by sandeep rawat
- 1. If Azure DevOps updates the group name in its database when the Azure AD security group is renamed, the permissions remain intact and no reassignment is needed. 2. If Azure DevOps does not update the records and instead creates a new record for the renamed group, you will lose the permissions: the new group record would not have any of the previously assigned permissions, and reassignment is required: you would need to go through the process of reassigning permissions to the new group record, which could be time-consuming and may lead to temporary access issues for users. – Venkat V, commented Nov 19, 2024 at 10:01
- The ADO database will automatically update the group name and retain the same permissions as before whenever the group name is changed in Azure Entra ID. – Venkat V, commented Nov 19, 2024 at 10:26
1 Answer
- Either ADO database will also be updated with a new name and there won't be any impact.
In the above scenario, ADO recognizes the renamed Azure AD security group and updates its internal records accordingly without any permissions impact, and the existing permissions associated with the group would remain the same.
Azure DevOps would continue to sync the renamed group as the same entity, meaning that users in the group would retain their access levels and permissions. No reassignment is needed: since the group is still the same entity (just with a new name), there would be no need for any reassignment of permissions or roles. The users would continue to have the same access as before.
For testing, I changed the Azure AD group name in Azure Entra ID, and after a few minutes, it was reflected in ADO as well without any permission issues.
- ADO database will not update the records and create a new record for the Groups and Permissions table, causing a re-assignment of all.
If the ADO database does not update the records, you will lose the permissions, and the new group record would not have any of the previously assigned permissions. It means the users in the renamed group would lose their permissions until permissions are manually reassigned.
References:
- Add a Microsoft Entra group to an Azure DevOps group
- Assign access levels with group rules
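One way to check which of the two scenarios occurred after a rename, as an added example that is not part of the original question or answer: it compares group listings saved before and after the rename, keyed on the Entra object ID instead of the display name. It assumes the listings carry the `origin`, `originId`, `descriptor` and `displayName` fields of the Azure DevOps Graph groups API; the sample data and function names are constructed.

```python
import json

# Constructed snapshots shaped like the "value" array of an Azure DevOps Graph
# groups listing. Every ID, descriptor and name below is made up.
BEFORE = json.loads("""[
 {"origin": "aad", "originId": "11111111-aaaa-4000-8000-000000000001",
  "descriptor": "aadgp.CONSTRUCTED-1", "displayName": "SG-ADO-Testers"},
 {"origin": "aad", "originId": "11111111-aaaa-4000-8000-000000000002",
  "descriptor": "aadgp.CONSTRUCTED-2", "displayName": "SG-ADO-Stakeholders"},
 {"origin": "vsts", "originId": "22222222-bbbb-4000-8000-000000000009",
  "descriptor": "vssgp.CONSTRUCTED-9", "displayName": "Contributors"}
]""")
AFTER = json.loads("""[
 {"origin": "aad", "originId": "11111111-AAAA-4000-8000-000000000001",
  "descriptor": "aadgp.CONSTRUCTED-1", "displayName": "SG-DevOps-QA"},
 {"origin": "aad", "originId": "11111111-aaaa-4000-8000-000000000003",
  "descriptor": "aadgp.CONSTRUCTED-3", "displayName": "SG-DevOps-Viewers"},
 {"origin": "vsts", "originId": "22222222-bbbb-4000-8000-000000000009",
  "descriptor": "vssgp.CONSTRUCTED-9", "displayName": "Contributors"}
]""")

def index_aad_groups(groups):
    """Map Entra object ID (case-insensitive) -> group, for Entra-backed groups only."""
    return {g["originId"].lower(): g for g in groups
            if g.get("origin", "").lower() == "aad"}

def compare_snapshots(before, after):
    """Classify each Entra-backed group by what happened to its identity."""
    old, new = index_aad_groups(before), index_aad_groups(after)
    report = {"unchanged": [], "renamed_in_place": [],
              "descriptor_changed": [], "missing": [], "new": []}
    for oid, b in old.items():
        a = new.get(oid)
        if a is None:                      # scenario 2: old record is gone
            report["missing"].append(b["displayName"])
        elif a["descriptor"] != b["descriptor"]:
            report["descriptor_changed"].append((b["displayName"], a["displayName"]))
        elif a["displayName"] != b["displayName"]:
            report["renamed_in_place"].append((b["displayName"], a["displayName"]))
        else:
            report["unchanged"].append(b["displayName"])
    # Groups whose object ID was never seen before carry no earlier assignments.
    report["new"] = [g["displayName"] for oid, g in new.items() if oid not in old]
    return report

if __name__ == "__main__":
    print(json.dumps(compare_snapshots(BEFORE, AFTER), indent=2))
```

Entries under `renamed_in_place` correspond to the first scenario; entries under `missing`, `new` or `descriptor_changed` are the ones whose permissions and group rules need review.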