Compliance validation policies not enforcing branch protection on pull requests

Branch protection policies configured in ado-2023 are not consistently enforcing compliance validation rules on pull requests. We’ve set up required reviewers and build validation policies, but developers are occasionally able to complete pull requests without meeting all policy requirements.

Our policy configuration shows:

{
  "minimumApproverCount": 2,
  "creatorVoteCounts": false,
  "requireBuildValidation": true
}

Despite these settings, we’ve discovered several merged pull requests in audit logs that had only one approval and no successful build validation. This creates significant compliance audit violations for our regulated environment. The policies appear active in repository settings, but enforcement seems inconsistent. Are there known issues with policy enforcement in Azure DevOps, or could this be a permissions configuration problem?

Are you using Azure Policy-as-Code to enforce these policies? Repository-level branch policies can be overridden by organization or project-level settings. If someone has project administrator permissions, they can modify or disable branch policies temporarily. You need to implement Azure Policy definitions that enforce branch protection at a higher governance level to prevent local policy modifications.

Check if any users have ‘Bypass policies when completing pull requests’ permission enabled. This permission allows specific users or groups to override branch policies, which would explain why some PRs merge without meeting requirements. Navigate to repository security settings and review the permission assignments for your development team.
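One way to find out who actually holds that permission, including rights that arrive through an inherited project-level ACL or a nested group rather than a direct grant on the repository, is to decode the Git repositories ACL from the REST API rather than clicking through the security page. The script below is an added example, not code from this thread. The `accesscontrollists` endpoint, the Git repositories namespace id and the permission bit values are taken from the Azure DevOps security namespace reference; the ACL response, the descriptor strings and the display names are constructed placeholders (real descriptors are resolved through the identities API), and `fetch_acl` is a hypothetical helper that assumes a PAT with permission to read security data.

```python
"""List identities whose effective rights let them bypass branch policies
on an Azure DevOps Git repository.

Added example, not code from the thread. It decodes the ACLs returned by
  GET https://dev.azure.com/{org}/_apis/accesscontrollists/{namespaceId}
      ?token={token}&includeExtendedInfo=true&api-version=7.1
for the Git repositories security namespace. The response below is
constructed; descriptors and names are placeholders.
"""
import base64
import json
import urllib.request

GIT_REPOSITORIES_NAMESPACE = "2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87"

# Permission bits in that namespace that let someone defeat branch policies.
POLICY_BITS = [
    (32768, "PullRequestBypassPolicy"),  # "Bypass policies when completing pull requests"
    (128, "PolicyExempt"),               # "Bypass policies when pushing"
    (2048, "EditPolicies"),              # can weaken or delete the policy itself
]
POLICY_MASK = 32768 | 128 | 2048


def fetch_acl(org: str, token: str, pat: str) -> dict:
    """Hypothetical helper: fetch one ACL, e.g. for token 'repoV2/{projectId}'
    (project-wide, inherited by every repo) or 'repoV2/{projectId}/{repoId}'."""
    url = (f"https://dev.azure.com/{org}/_apis/accesscontrollists/"
           f"{GIT_REPOSITORIES_NAMESPACE}?token={token}&includeExtendedInfo=true&api-version=7.1")
    req = urllib.request.Request(url)
    req.add_header("Authorization", "Basic " + base64.b64encode(f":{pat}".encode()).decode())
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def bypass_capable(acl_response: dict, names: dict) -> list:
    """Return every ACE whose *effective* rights include a policy-bypass bit.

    effectiveAllow/effectiveDeny (present with includeExtendedInfo=true) already
    fold in inherited ACLs and nested group membership, which is how a user who
    is not in the group that was granted the bit can still hold it. An explicit
    deny beats an allow.
    """
    findings = []
    for acl in acl_response["value"]:
        for descriptor, ace in acl["acesDictionary"].items():
            ext = ace.get("extendedInfo") or {}
            allow = ext.get("effectiveAllow", ace["allow"])
            deny = ext.get("effectiveDeny", ace["deny"])
            effective = allow & ~deny
            rights = [name for bit, name in POLICY_BITS if effective & bit]
            if rights:
                findings.append({
                    "identity": names.get(descriptor, descriptor),
                    "token": acl["token"],
                    "rights": rights,
                    # False means the bit is not granted on this ACE itself, so it
                    # must come from an inherited token or a parent group.
                    "direct": bool(ace["allow"] & POLICY_MASK),
                })
    return findings


PROJECT = "11111111-1111-1111-1111-111111111111"
REPO = "22222222-2222-2222-2222-222222222222"

# Constructed sample: the project-level ACL merged with the repo-level ACL.
SAMPLE_ACL_RESPONSE = {
    "count": 2,
    "value": [
        {   # project-wide token; every repo in the project inherits from it
            "inheritPermissions": True,
            "token": f"repoV2/{PROJECT}",
            "acesDictionary": {
                "desc:release-managers": {"descriptor": "desc:release-managers",
                    "allow": 2 | 16 | 32768, "deny": 0,
                    "extendedInfo": {"effectiveAllow": 2 | 16 | 32768, "effectiveDeny": 0}},
                "desc:contributors": {"descriptor": "desc:contributors",
                    "allow": 2 | 16 | 32, "deny": 0,  # nothing suspicious granted directly...
                    "extendedInfo": {"effectiveAllow": 2 | 16 | 32 | 32768, "effectiveDeny": 0}},  # ...but the effective rights include the bypass bit
            },
        },
        {   # the repository itself
            "inheritPermissions": True,
            "token": f"repoV2/{PROJECT}/{REPO}",
            "acesDictionary": {
                "desc:svc-build": {"descriptor": "desc:svc-build",
                    "allow": 2 | 32768, "deny": 32768,  # explicit deny cancels the allow
                    "extendedInfo": {"effectiveAllow": 2 | 32768, "effectiveDeny": 32768}},
                "desc:alice": {"descriptor": "desc:alice",
                    "allow": 2 | 2048, "deny": 0,       # can edit the policy, so can loosen it
                    "extendedInfo": {"effectiveAllow": 2 | 2048, "effectiveDeny": 0}},
            },
        },
    ],
}
SAMPLE_NAMES = {  # constructed descriptor -> display name lookup
    "desc:release-managers": "[Proj]\\Release Managers",
    "desc:contributors": "[Proj]\\Contributors",
    "desc:svc-build": "svc-build@example.com",
    "desc:alice": "alice@example.com",
}

if __name__ == "__main__":
    for f in bypass_capable(SAMPLE_ACL_RESPONSE, SAMPLE_NAMES):
        how = "granted here" if f["direct"] else "via inherited ACL or nested group"
        print(f"{f['identity']:28} {', '.join(f['rights']):25} on {f['token']} ({how})")
```

Run it against both the project token and the repository token: a bypass bit that shows up with `direct` false on the repo ACL is exactly the case where a developer who is not in the group that was granted the permission still ends up with it, and the project token is where to look for the grant. The `EditPolicies` bit deserves the same scrutiny as the bypass bit, since anyone holding it can weaken the policy rather than bypass it.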

Another factor: policy evaluation timing. If developers complete pull requests immediately after pushing commits, the build validation might still be queued or running. Azure DevOps can have a race condition where the PR completion happens before the build policy status updates. Setting a minimum wait time or using status checks instead of build policies might provide more reliable enforcement.

Good point - I checked the bypass permissions and found that our ‘Release Managers’ group has this enabled. However, the audit logs show developers without that group membership completing non-compliant pull requests. There must be another mechanism allowing policy bypass that we’re not aware of.

For regulated environments, you absolutely need audit trails of policy bypass events. Enable diagnostic logging for your repositories and configure alerts when branch policies are modified or bypassed. Azure DevOps audit logs capture these events, but you need to actively monitor them. Consider implementing a custom webhook that validates policy compliance independently before allowing merges.
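Independent validation of the kind described in this reply, and the pending-build case raised in the earlier reply about policy evaluation timing, can be done offline from the records the REST API already keeps for each completed pull request: the completion options record whether the policies were bypassed and by whom, the reviewer votes show how many qualifying approvals there really were, and the policy evaluation records show the state of each blocking policy. The script below is an added example, not code from this thread. The field names follow the pull request and policy evaluation resources of the Azure DevOps REST API as documented; the endpoint paths in the docstring should be checked against the API reference for the version in use, and all pull request and evaluation records are constructed for illustration.

```python
"""Audit completed pull requests for policy bypass, under-approval and
blocking policies that were still pending or rejected at completion.

Added example, not code from the thread. Record shapes follow the
Azure DevOps REST API resources returned by
  GET .../_apis/git/repositories/{repo}/pullrequests
      ?searchCriteria.status=completed&api-version=7.1
  GET .../_apis/policy/evaluations
      ?artifactId=vstfs:///CodeReview/CodeReviewId/{projectId}/{prId}&api-version=7.1-preview.1
The sample records below are constructed for illustration.
"""

APPROVE_VOTES = {10, 5}   # 10 = approved, 5 = approved with suggestions


def count_approvals(pr: dict, creator_vote_counts: bool = False) -> int:
    """Distinct reviewers with an approving vote; the author's own vote is
    ignored unless the policy's creatorVoteCounts setting allows it."""
    author = pr["createdBy"]["uniqueName"]
    approvers = {
        r["uniqueName"]
        for r in pr.get("reviewers", [])
        if r.get("vote", 0) in APPROVE_VOTES
        and (creator_vote_counts or r["uniqueName"] != author)
    }
    return len(approvers)


def audit_pull_requests(prs: list, evaluations_by_pr: dict,
                        minimum_approver_count: int = 2,
                        creator_vote_counts: bool = False) -> dict:
    """Map pullRequestId -> list of findings for every completed PR that
    does not satisfy the policy as configured."""
    findings = {}
    for pr in prs:
        if pr.get("status") != "completed":
            continue
        issues = []
        opts = pr.get("completionOptions") or {}
        if opts.get("bypassPolicy"):
            issues.append(
                f"completed with bypassPolicy=true by {pr['closedBy']['uniqueName']} "
                f"(reason: {opts.get('bypassReason') or 'none given'})")
        n = count_approvals(pr, creator_vote_counts)
        if n < minimum_approver_count:
            issues.append(f"{n} qualifying approval(s), policy requires {minimum_approver_count}")
        for ev in evaluations_by_pr.get(pr["pullRequestId"], []):
            cfg = ev["configuration"]
            # A blocking policy that was queued/running/rejected at completion is
            # either the timing problem or a bypass, never a clean merge.
            if cfg.get("isBlocking") and ev["status"] not in ("approved", "notApplicable"):
                issues.append(f"blocking policy '{cfg['type']['displayName']}' was '{ev['status']}'")
        if issues:
            findings[pr["pullRequestId"]] = issues
    return findings


def _pr(pr_id, author, closed_by, votes, bypass=False, reason=None):
    """Constructed pull request record with only the fields the audit reads."""
    return {
        "pullRequestId": pr_id,
        "status": "completed",
        "createdBy": {"uniqueName": author},
        "closedBy": {"uniqueName": closed_by},
        "completionOptions": {"bypassPolicy": bypass, "bypassReason": reason},
        "reviewers": [{"uniqueName": who, "vote": vote} for who, vote in votes],
    }


def _eval(display_name, status, blocking=True):
    """Constructed policy evaluation record."""
    return {"status": status,
            "configuration": {"isBlocking": blocking, "type": {"displayName": display_name}}}


SAMPLE_PRS = [
    # clean: two non-author approvals, everything passed
    _pr(101, "alice@example.com", "alice@example.com",
        [("bob@example.com", 10), ("carol@example.com", 5)]),
    # bypassed: author voted for her own PR, release manager forced the merge
    _pr(102, "carol@example.com", "dave@example.com",
        [("bob@example.com", 10), ("carol@example.com", 10)], bypass=True, reason="hotfix"),
    # timing: approvals fine, but the build policy was still queued at completion
    _pr(103, "alice@example.com", "alice@example.com",
        [("bob@example.com", 10), ("carol@example.com", 5)]),
]
SAMPLE_EVALUATIONS = {
    101: [_eval("Build", "approved"), _eval("Minimum number of reviewers", "approved")],
    102: [_eval("Build", "rejected"), _eval("Minimum number of reviewers", "rejected")],
    103: [_eval("Build", "queued"), _eval("Minimum number of reviewers", "approved")],
}

if __name__ == "__main__":
    for pr_id, issues in audit_pull_requests(SAMPLE_PRS, SAMPLE_EVALUATIONS).items():
        print(f"PR {pr_id}:")
        for issue in issues:
            print(f"  - {issue}")
```

Two points worth keeping in mind when running this against real data: `completionOptions.bypassPolicy` is the definitive record of a bypass and names the identity that performed it in `closedBy`, which is the evidence an auditor will ask for, and the `creatorVoteCounts` setting changes the approval count, so the audit has to use the same value the policy uses or it will report false positives. A PR whose build evaluation is still `queued` or `running` while the completion succeeded without a bypass flag is the timing case and is worth raising with the vendor with the evaluation record attached.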