Hello, 

I'm trying to setup custom security groups, so that only few people can invite new users to the organization, and they shouldn't be able to do anything else.

I already turned off this policy to restrict new user invitations from Project and Team Administrators.

Next, I then need a custom DevOps group that is allowed to invite new users to the organization. But I don't want the members of this group to be able to manage the organization's settinngs (members will be non-technical people). 

And next to that, I would need another group, allowed to manage the organization, but not allowed to invite new users. 

According to the documentation, I think the Edit instance-level information permissions is what I need (manage users & permissions).

My idea was to duplicate twice the built-in Project Collection Administrators group. In the first custom group I would remove the permissions General\Edit instance-level information so that members can no longer invite new users, and  in the second, I would only grant the permission General\Edit instance-level information.

But this doesnt do th trick.

First, the group cant be duplicated, and if I create a new custom group with Edit instance-level information permission only, it doesnt allow the members to invite new users.

It looks like the Project Collection Administrators group has some extra permissions that are not exposed (to invite new users); 

Does anybody have experience with such thing ? I looked into the devops CLI, but I didn't find anything ususeful for this. Any advice would be much appreciated.

Thanks !

briac