Protecting a git branch in Visual Studio Team Serv

Posted 2019-01-31 16:04

I would like only explicitly permitted developers to merge into a 'master' branch. I've found the location of the security settings but nothing seems to allow me to say 'that branch, only allow Rob to merge into it'. Any specific guidance please?

4 answers
beautiful°
#2 · 2019-01-31 16:21

I usually create a special VSO group like "Devs" and then place the developers in it. Then, I use the group as a member group of project Contributors and then specifically on the branch I want to protect, I use the "Devs" group and set Contribute to Deny, thus only members of the "Devs" group have the contribution denied, but e.g. Project Admins can still push in it.

If you set Contribute to Deny directly on the Contributors group then nobody can push in the branch, not even Administrators and not even if you specifically set Allow on their Contribute, simply because Deny is stronger than Allow - unless you do some vaster changes to the original groups.

戒情不戒烟
#3 · 2019-01-31 16:25

I successfully created the (2) types of groups based off of @anthonybrown. I wanted to, however, give some screenshots to further help the explanation of resolving the ability to restrict users from deleting, pushing, and contributing to the master branch (or other branch(es) of your choosing) on a repository level base, not a global level.

Note that based on our VSTS, we already had users added to the "global" team. I did not remove these users, but instead added them to (2) separate groups.

  • Developers
  • Administrators

1) Go to your base VSTS screen (this will default to /_projects in the URL).


2) Click on the cog and select "Security"


3) On the far left side, select "Create Group", and name it "Developers". Once the group is created, select the group, and in the middle section, select "Members". Add all users that you DO NOT want to have contribute rights to the "master" branch to this group. (note - your users must already be added to VSTS prior to this step).


4) Create the "Administrators" group and add the users that you DO WANT to have access. (note - if your users in the "Administrators" group are already added to VSTS at either the global or project level you can skip this step. I did it regardless).

5) Go back to the VSTS home page (/_projects) and select your repository that you want to restrict access to the master branch. Select "Version Control". On the left side, select the "master" branch. In the middle section, select "Security". Add the "Developers" group. Select the "Developers" group (once added) and set the access to "Deny" for:

  • Contribute (this will be pushing)
  • Edit policies
  • Force push
  • Manage permissions

Animai°情兽
#4 · 2019-01-31 16:38

You can protect MASTER in VSTS pretty easily as TFS provides enterprise Git capabilities. There are two ways to achieve this.

1) Git Branch Permissions

In the administration pages under the Version Control tab you can change permission for each published branch. You need to maintain access at the repo level, however on MASTER you can change "Contributor" commit permission to "not configured". You can then add only Rob...

VSTS Git Branch permissions

Oh... Always use "not set" rather than "deny" as deny always overrides.

2) Git Branch Policies

VSTS has introduced the idea of Branch Policies. These Branch Policies can be applied to any branch but are traditionally applied to MASTER.

VSTS Git Branch Policies

Here you can apply multiple policies to reflect your needs... I always set

孤傲高冷的网名
#5 · 2019-01-31 16:39

I found I had to go through slightly more steps to get this done.

There are 2 places to define groups in Visual Studio Online - at the collection level and at the project level.

At the collection level I created an admin group and created a developers group. I only wanted people in the admin group to have write access to the master branch in my repository.

At the project level, I added the developers and admins groups to the project team. In the project contributors group I removed the project team and added only the developer group.

In the project administrators group I added the collection level admin group.

Then on the version control tab on the master branch I set contribute=deny for the contributors group.

As administrators are not members of the contributors group, the deny permission is not applied to them and they can still push changes to master - either directly or through approving pull requests.

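The answers above all depend on one rule: a Deny on any group a user belongs to beats an Allow from another group. The Python below is an added example, not part of any answer and not VSTS code; it models that rule in simplified form so a planned group layout can be checked for accidental lockouts before it is applied. The group names, user names and helper functions are hypothetical, and inheritance from the repository level is not modeled.

```python
# Simplified model (an assumption, not the VSTS engine): a user's effective
# branch permission is Deny if ANY group they belong to is set to Deny,
# else Allow if any group is set to Allow, else "Not set" (no access here).
ALLOW, DENY, NOT_SET = "Allow", "Deny", "Not set"

def effective(user, memberships, branch_acl):
    """Resolve one permission for `user` from the group entries on a branch."""
    states = {branch_acl.get(g, NOT_SET) for g in memberships.get(user, ())}
    if DENY in states:
        return DENY
    return ALLOW if ALLOW in states else NOT_SET

def can_push(user, memberships, branch_acl):
    return effective(user, memberships, branch_acl) == ALLOW

def lockout_report(memberships, branch_acl, must_push):
    """Users expected to push who are blocked, with the groups denying them."""
    report = {}
    for user in must_push:
        if not can_push(user, memberships, branch_acl):
            report[user] = sorted(g for g in memberships.get(user, ())
                                  if branch_acl.get(g) == DENY)
    return report

# Constructed sample data: group and user names are hypothetical.
MEMBERS = {
    "rob":   ["Contributors", "Project Administrators"],
    "alice": ["Contributors", "Devs"],
}
# Layout A: Deny set directly on Contributors (rob is a member, so he is blocked).
ACL_DENY_CONTRIBUTORS = {"Contributors": DENY, "Project Administrators": ALLOW}
# Layout B: Deny only on the dedicated "Devs" group.
ACL_DENY_DEVS = {"Contributors": ALLOW, "Devs": DENY,
                 "Project Administrators": ALLOW}
# Layout C: Contributors left "Not set" on master, Allow only for admins.
ACL_NOT_SET = {"Project Administrators": ALLOW}

if __name__ == "__main__":
    layouts = [("A", ACL_DENY_CONTRIBUTORS), ("B", ACL_DENY_DEVS),
               ("C", ACL_NOT_SET)]
    for name, acl in layouts:
        print(name, {u: effective(u, MEMBERS, acl) for u in MEMBERS},
              "locked out:", lockout_report(MEMBERS, acl, ["rob"]))
```

Running it over a real export of group memberships shows which intended maintainers a Deny entry would catch, and through which group.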