- Yes. There is a tenant-level policy in Azure DevOps that controls who can create new Azure DevOps organizations. It is the Restrict organization creation tenant policy, configured under Organization settings → Microsoft Entra ID for an Azure DevOps organization that is linked to the tenant.
- By default, any user in the Microsoft Entra tenant can create new Azure DevOps organizations.
- When Restrict organization creation is turned on, only users and groups on the allowlist can create organizations. All other users, including Azure DevOps administrators, are blocked unless explicitly added to the allowlist.
- To enable the permission for all users in the tenant, the tenant policy must either be turned off or its allowlist must be configured to include everyone:

Option A – Allow everyone (recommended for your scenario):
- Sign in to an existing Azure DevOps organization as a user with the Azure DevOps Administrator role in Microsoft Entra ID.
- Go to https://dev.azure.com/{Your_Organization}.
- Select Organization settings (gear icon).
- Select Microsoft Entra ID.
- Turn off the Restrict organization creation toggle.
- With the policy off, any user in the tenant can create new Azure DevOps organizations again.
- If the policy must stay enabled, still go to Organization settings → Microsoft Entra ID.
- Under Allow list, select Add Microsoft Entra user or group.
- Add a tenant-wide group that contains all internal members (for example, an “All Employees” or equivalent security group).
- Save the changes.
- All users in that group will be able to create organizations; others will be blocked.
- The behavior is not described as legacy or based on hidden internal flags. It is governed by the documented Restrict organization creation tenant policy and its allowlist:
- When the policy is off, behavior is “open”: any user in the tenant can create organizations.
- When the policy is on, behavior is “restricted”: only users or groups on the allowlist can create organizations.
- This policy affects only the creation of new organizations; it does not change access to existing organizations or their settings.
- The documentation does not state that Microsoft Support can globally override or bypass this policy. Instead, it states that:
- To manage this tenant-level policy, the administrator must have the Azure DevOps Administrator role in Microsoft Entra ID.
- That administrator can enable/disable the policy and manage the allowlist directly in the Azure DevOps Organization settings → Microsoft Entra ID blade.
If users report they cannot create organizations, they should contact the administrator managing this tenant policy, as also indicated in the user-facing FAQ.