Forum Discussion
Azure DevOps CLI - restrict access
The issue you are facing with Azure DevOps (ADO) and user visibility is indeed a concern when setting up access for clients within the same organization. While the feature "Limit user visibility and collaboration to specific projects" was introduced by Microsoft to address this, it currently only applies to the presentation layer and not the REST APIs.
The Azure CLI command you mentioned, 'az devops user list -o table', retrieves the list of all users in the organization, including those not associated with your specific projects. This behavior aligns with the documentation, which states that it lists users in the entire organization.
To restrict user visibility to only the projects they are members of and mitigate the suboptimal situation where clients can see users from other clients, there are a couple of considerations:
Security Groups: You can leverage Azure Active Directory (AD) security groups to manage user access and permissions within ADO. By carefully configuring security groups and associating users with specific projects through these groups, you can limit the visibility of users within each project. This approach requires proper planning and configuration to ensure that users only have access to the projects they are assigned to.
Custom Solutions: As the current limitations are at the REST API level, you may need to explore custom solutions to address this. One approach could involve building a middleware or custom API layer that sits between the Azure CLI and ADO. This layer would intercept requests for user information and enforce additional authorization checks based on project membership. By controlling the API requests and filtering the user list, you can restrict the visibility of the projects the users are associated with.
Hope the answer provided fulfills your request.
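The filtering step of the custom API layer described in the answer above, sketched as an added example that is not part of the original post and not Microsoft code. The user records, the membership map and every function name are hypothetical and constructed for illustration; the layer is assumed to have already fetched the organization-wide data with its own credentials.

```python
# Added example: project-scoped filtering of an organization-wide user list.
# All data shapes and names below are hypothetical, not Azure DevOps API objects.

# Constructed sample data: what the middleware would have fetched upstream.
ORG_USERS = [
    {"id": "u1", "mail": "Alice@client-a.example"},
    {"id": "u2", "mail": "bob@client-a.example"},
    {"id": "u3", "mail": "carol@client-b.example"},
    {"id": "u4", "mail": "dave@vendor.example"},
]
PROJECT_MEMBERS = {
    "ClientA-Portal": {"u1", "u2", "u4"},
    "ClientB-Billing": {"u3", "u4"},
}


def resolve_caller(caller_mail, org_users):
    """Map the authenticated caller to a user id; mail compared case-insensitively."""
    wanted = caller_mail.strip().casefold()
    matches = [u["id"] for u in org_users if u["mail"].casefold() == wanted]
    # Fail closed: an unknown or ambiguous identity gets no id, hence no data.
    return matches[0] if len(matches) == 1 else None


def visible_users(caller_mail, org_users, project_members):
    """Return only the users who share at least one project with the caller."""
    caller_id = resolve_caller(caller_mail, org_users)
    if caller_id is None:
        return []
    allowed = set()
    for members in project_members.values():
        if caller_id in members:
            allowed |= members
    # A caller in no project sees nobody; there is no fallback to the full list.
    return [u for u in org_users if u["id"] in allowed]


def audit_record(caller_mail, returned, total):
    """Build a log entry so filtered responses can be reviewed later."""
    return {"caller": caller_mail.strip().casefold(),
            "returned": len(returned), "withheld": total - len(returned)}


if __name__ == "__main__":
    for who in ("alice@client-a.example", "carol@client-b.example", "eve@x.example"):
        seen = visible_users(who, ORG_USERS, PROJECT_MEMBERS)
        print(who, [u["mail"] for u in seen], audit_record(who, seen, len(ORG_USERS)))
```

A layer like this only restricts what passes through it: a client who can still call the organization's REST API directly with their own credentials receives the unfiltered list.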