✅ Azure DevOps Offshore Developer Onboarding & Permissions Checklist
1. Prepare
- Confirm developer’s correct email (must be a Microsoft Entra ID account, or the user will be added as a Guest).
- Confirm project(s) (e.g., ConnectSoft).
- Confirm repositories they should access.
- Confirm Area Path for tasks (e.g., ConnectSoft\Offshore).
- Confirm dashboard(s) and pipelines they should use.
2. Add User
- Go to Organization Settings → Users → Add users.
- Enter email, set Access Level = Basic.
- Assign project = ConnectSoft.
- Add to security group = ConnectSoft-OffshoreDevs.
- Send invite (ensure user accepts).
3. Azure AD (Guest Check)
- Go to Azure Portal → Entra ID → Users.
- Verify user exists as Guest.
- If missing, add manually as Guest and resend invite.
- Ensure user logs in with the correct tenant (can switch via profile → Switch Directory).
4. Repositories (Code Access)
Project-level baseline
- Go to Project Settings → Repos → Security.
- Select ConnectSoft-OffshoreDevs.
- Set Read = Deny at project-level.
Repo-specific
- For each allowed repo:
  - Go to Repos → Settings → Repositories → [RepoName] → Security.
  - Grant ConnectSoft-OffshoreDevs:
    - ✅ Allow → Read
    - ✅ Allow → Contribute
    - ❌ Deny → Force push, Manage permissions
- All other repos remain inaccessible (they inherit the project-level Deny).
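An added example (not part of the original checklist): a Python check that models the step 4 layout, where an explicit Allow on a repo overrides the inherited project-level Deny, and flags repos that drift from it. The ACL data, group descriptor and token names are constructed, and the per-bit "nearest explicit entry wins" rule is a simplified single-group model that ignores the user's other group memberships.

```python
# Git Repositories security-namespace bits used by the checklist.
READ, CONTRIBUTE, FORCE_PUSH, MANAGE_PERMISSIONS = 2, 4, 8, 8192
GROUP = "constructed-descriptor-ConnectSoft-OffshoreDevs"  # placeholder, not a real descriptor
# Constructed ACLs shaped like the Access Control Lists REST API response (real tokens use GUIDs).
SAMPLE_ACLS = [
    {"token": "repoV2/proj", "inheritPermissions": True,
     "acesDictionary": {GROUP: {"allow": 0, "deny": READ}}},
    {"token": "repoV2/proj/offshore-api", "inheritPermissions": True,
     "acesDictionary": {GROUP: {"allow": READ | CONTRIBUTE,
                                "deny": FORCE_PUSH | MANAGE_PERMISSIONS}}},
    {"token": "repoV2/proj/billing", "inheritPermissions": True, "acesDictionary": {}},
    {"token": "repoV2/proj/legacy", "inheritPermissions": False, "acesDictionary": {}},
]

def effective(acls, token, subject):
    """(allow, deny) masks for one subject: the nearest explicit ACE decides each bit."""
    by_token = {a["token"]: a for a in acls}
    allow = deny = 0
    parts = token.split("/")
    while parts:
        acl = by_token.get("/".join(parts))
        if acl:
            ace = acl["acesDictionary"].get(subject, {"allow": 0, "deny": 0})
            undecided = ~(allow | deny)
            deny |= ace["deny"] & undecided
            allow |= ace["allow"] & undecided & ~ace["deny"]
            if not acl["inheritPermissions"]:
                break  # inheritance is off: the project-level Deny stops here
        parts.pop()
    return allow, deny

def audit(acls, project_token, subject, allowed_repos):
    """List repos whose effective permissions differ from the checklist."""
    want_allow, want_deny = READ | CONTRIBUTE, FORCE_PUSH | MANAGE_PERMISSIONS
    findings = []
    for acl in acls:
        parts = acl["token"].split("/")
        if len(parts) != 3 or "/".join(parts[:2]) != project_token:
            continue  # skip the project-level entry and branch-level tokens
        allow, deny = effective(acls, acl["token"], subject)
        if parts[2] in allowed_repos:
            if (allow & want_allow) != want_allow:
                findings.append((parts[2], "Read/Contribute not allowed"))
            if (deny & want_deny) != want_deny:
                findings.append((parts[2], "Force push or Manage permissions not denied"))
        elif not (deny & READ):
            findings.append((parts[2], "project-level Read Deny does not apply"))
    return findings
print(audit(SAMPLE_ACLS, "repoV2/proj", GROUP, {"offshore-api"}))
```

The constructed `legacy` repo has inheritance turned off, so the project-level Deny never reaches it; that is the case the audit reports.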
5. Boards & Backlogs (Work Items)
Area Path setup
- Go to Project Settings → Boards → Project configuration → Areas.
- Create ConnectSoft\Offshore.
- Assign to Offshore-ConnectSoft-Team as default Area Path.
Permissions
- In ConnectSoft\Offshore → Security, set for ConnectSoft-OffshoreDevs:
  - ✅ Allow → View work items
  - ✅ Allow → Edit work items
  - ✅ Allow → Create work items
  - ❌ Deny → Delete work items
  - ❌ Deny → Move work items out of node
- In ConnectSoft (root) and other areas:
  - ❌ Deny → View work items
6. Dashboards
- Create Offshore-specific dashboards.
- In Dashboard → Manage sharing, share only with ConnectSoft-OffshoreDevs.
- Remove [All project members].
7. Pipelines
- Go to Project Settings → Pipelines → Security.
- For ConnectSoft-OffshoreDevs:
  - ✅ Allow → View builds
  - ✅ Allow → Queue builds (if needed)
  - ❌ Deny → Edit pipeline
  - ❌ Deny → Delete pipeline
8. Validation
- Offshore developer logs in at https://dev.azure.com/ConnectSoft/.
- Confirm they see:
  - Only assigned repos.
  - Only ConnectSoft\Offshore backlog/board.
  - Only Offshore dashboards.
  - Only allowed pipelines.
- Confirm they cannot:
  - See other repos.
  - See tasks in other area paths.
  - Modify project/global settings.
9. Audit & Maintenance
- Run regular Org Settings → Auditing checks.
- Review ConnectSoft-OffshoreDevs membership periodically.
- Adjust repo/area permissions as new repos/teams are created.
✅ With this checklist, every new offshore developer can be onboarded consistently, securely, and with least-privilege access.
Here’s a step-by-step New User Onboarding Checklist for Azure DevOps (with Azure AD integration):
✅ New User Onboarding Checklist – Azure DevOps + Azure AD
1. Preparation
- Confirm the user’s correct email address (the one they’ll log in with).
- Decide which Project(s) they need (e.g., ConnectSoft).
- Decide which Security Group(s) they belong to (e.g., ConnectSoft-OffshoreDevs).
- Decide which Team they belong to (e.g., Offshore-ConnectSoft-Team).
- Confirm you have enough Basic access licenses (free for first 5 users, paid afterwards).
2. Add to Azure DevOps Organization
- Go to Organization Settings → Users → Add users.
- Enter the user’s email.
- Assign Access level = Basic (or Stakeholder if read-only).
- Assign Project(s) = ConnectSoft.
- Assign Group(s) = ConnectSoft-OffshoreDevs.
- Click Add → invitation email is sent.
ℹ️ This step also automatically creates a Guest user in your Azure AD (if they’re external).
3. Verify in Azure AD (Entra ID)
- Go to Entra ID → Users.
- Confirm the user appears as User type = Guest.
- If missing → add them manually as Guest in Entra ID and resend invite.
4. User Accepts Invitation
- User receives invitation email → clicks Accept invitation.
- Completes registration + MFA setup.
- If they have multiple Azure AD accounts → confirm they use the same email you added.
5. Access Check
- User logs in at:
- Top-right corner → Profile → Switch directory → Select correct org directory.
6. Assign Permissions
- Confirm the user is in the correct Project Security Group (ConnectSoft-OffshoreDevs).
- Confirm the user is in the correct Team (Offshore-ConnectSoft-Team).
- Apply Repo permissions (Allow on required repos, Deny on others).
- Apply Boards Area Path (e.g., ConnectSoft\Offshore).
- Apply Dashboard sharing (only with their group).
- Apply Pipeline permissions (View/Queue but no edit/delete, unless needed).
7. Validation
- User signs in and confirms they can:
  - See only their repos.
  - See their backlog/boards.
  - See their dashboards.
  - View pipelines they’re allowed.
- Run a quick test (e.g., clone repo, view work item).
8. Cleanup (if issues)
- If the user sees “no organization”:
  - Verify they’re in Org Settings → Users.
  - Verify they’re in the correct Project.
  - Resend invite from Org Settings.
- If still broken → remove from Azure DevOps and Entra ID, then re-add cleanly.
✅ With this flow, every new offshore developer should be onboarded smoothly and securely.