Azure DevOps Org Chaos - Controlling Org Creation and Cleanup

Notes from the field - If you haven’t controlled org creation in your Azure tenants yet, you may have already lost the “where is prod work being done?” battle. My org got into the M&A space before my time here and never integrated their R&D systems in a meaningful way. I’m the Technical Application Owner for Azure DevOps for the entire company (the in-house term; it’s my app, I’m the last stop before Microsoft) and I still learn about new orgs that users have come to depend on floating around in the acquired Azure tenants. https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/azure-ad-tenant-policy-restrict-org-creation?view=azure-devops. Today there was a casual comment on a call about hitting a limit on the number of fields on a form in an org. I can’t even log into the org. It drives me nuts. Infinite technical debt, AKA job security, I guess :face_palm:

After we reached 600 orgs, I closed it via the policy directly in the org by using my admin account that has the Azure DevOps admin role in AD. We are enforcing some new governance. So I don’t mind people creating orgs for learning, but not through the normal way. Instead they get a message asking them to contact us, but I will replace it with an internal URL where they can request it, after they have read some guidelines of what is expected of them.

So I am going to open it again next year, after I’m done creating the necessary guidelines and guardrails and deleting the majority of the current orgs that haven’t been used for X amount of years/months.

I also encouraged users to spin up orgs to learn for ages. The rules were: have fun, learn something, no production work or data, and don’t expect unique processes to get adopted in prod :slight_smile: Even now with some guardrails I might be talked into a new org for a user. The current battle is these secondary tenants that are run by whoever was there the day the last admin quit.

I mean I’m not a dictator all the time :upside_down_face:

Yeah, but you can still block creation from the default UI and give them a page with info, have them sign a EULA, and then automate the creation with them as collection admins but you as org admin, so you never have to ‘take ownership’.