Azure DevOps Notifications and email-enabled AD Groups


Posted by Willy-Peter Schaub on Fri 28 March 2025

Understanding email-enabled Active Directory (AD) groups and Azure DevOps (AzDO) notifications.

We have relied on an Active Directory (AD) group-based security model with Azure DevOps for many years. This setup includes email-enabled AD groups for pull request reviewers, as well as Azure Pipeline and environment approvers. It worked seamlessly—until it did not- plunging us into a frustrating cycle of misinformation and troubleshooting. To help you avoid the same headaches, here is our checklist for enabling email notifications from Azure DevOps for Active Directory (AD) groups.

Checklist

  • Azure DevOps (AzDO) iterates through the members of an AzDO group when triggering a notification and sends an email to each user individually.
  • However, AzDO does not iterate through the members of an AD group when triggering a notification — instead, it sends the notification to the AD group’s mailbox.
  • AzDO does not send notifications to users or email-enabled AD groups unless they have at least read-only permissions in the associated AzDO project. To ensure notifications are received, we add the email-enabled AD groups used in the Azure DevOps project to the Readers group.
  • Lastly, your AD group’s mailbox must allow external emails from azuredevops@microsoft.com — make sure to check the infamous checkbox to prevent this restriction, which turned out to be our root cause.

checkbox

If you are struggling with notifications, refer to these references and then work through the checklist above.


That is all folks.