diff --git a/caf_solution/add-ons/azure_devops_v1/azdo_pipelines.tf b/caf_solution/add-ons/azure_devops_v1/azdo_pipelines.tf
index 0af255f4f3..37f49712fc 100644
--- a/caf_solution/add-ons/azure_devops_v1/azdo_pipelines.tf
+++ b/caf_solution/add-ons/azure_devops_v1/azdo_pipelines.tf
@@ -52,5 +52,15 @@ resource "azuredevops_build_definition" "build_definition" {
 value = jsonencode(variable.value)
 }
 }
+}
+
+# See https://registry.terraform.io/providers/microsoft/azuredevops/latest/docs/resources/build_definition_permissions#permissions for a list of available permissions.
+resource "azuredevops_build_definition_permissions" "permissions" {
+ for_each = try(var.permissions.build_definitions, {})
+
+ project_id = data.azuredevops_project.project[each.value.project_key].id
+ principal = azuredevops_group.group[each.value.group_key].id
+ build_definition_id = azuredevops_build_definition.build_definition[each.key].id
+ permissions = each.value.permissions
 }
diff --git a/caf_solution/add-ons/azure_devops_v1/azuredevops_group_membership/group_membership.tf b/caf_solution/add-ons/azure_devops_v1/azuredevops_group_membership/group_membership.tf
new file mode 100644
index 0000000000..bdee126cab
--- /dev/null
+++ b/caf_solution/add-ons/azure_devops_v1/azuredevops_group_membership/group_membership.tf
@@ -0,0 +1,10 @@
+data "azuredevops_users" "user" {
+ for_each = toset(var.group_settings.members.user_principal_names)
+
+ principal_name = each.value
+}
+
+resource "azuredevops_group_membership" "membership" {
+ group = var.group_descriptor
+ members = flatten(values(data.azuredevops_users.user)[*].users[*].descriptor)
+}
diff --git a/caf_solution/add-ons/azure_devops_v1/azuredevops_group_membership/main.tf b/caf_solution/add-ons/azure_devops_v1/azuredevops_group_membership/main.tf
new file mode 100644
index 0000000000..a533fb0352
--- /dev/null
+++ b/caf_solution/add-ons/azure_devops_v1/azuredevops_group_membership/main.tf
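Review bot: `project_id` on the new `azuredevops_build_definition_permissions.permissions` resource is taken from a separate `each.value.project_key` while `build_definition_id` is resolved from `each.key`, so a permissions entry can name a project other than the one its build definition belongs to; deriving it from the definition removes that mismatch, `project_id = azuredevops_build_definition.build_definition[each.key].project_id`. `permissions = each.value.permissions` is also passed straight through from an untyped `var.permissions`, so a misspelled permission name or an Allow/Deny typo only surfaces at apply time, where a `type` constraint or a `validation` block on the variable would catch it at plan. The comment above the resource should also say that, in the provider versions I know, this resource's `replace` argument defaults to `true`, so permissions not listed in the map are reset for that principal rather than merged; the same applies to `azuredevops_project_permissions.project_perm` in the azuredevops_projects.tf hunk of this diff.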
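Review bot: In `azuredevops_group_membership.membership`, `members = flatten(values(data.azuredevops_users.user)[*].users[*].descriptor)` silently drops any principal name for which the `azuredevops_users` lookup returns no user, so a mistyped UPN leaves that member out of the group without an error (assuming the data source returns an empty `users` set instead of failing, which is worth confirming against the provider). A `lifecycle { postcondition { condition = length(self.users) > 0, error_message = "no Azure DevOps user found for ${each.value}" } }` on the data source (Terraform 1.2 or later) turns that into a plan-time error. The membership's `mode` is also left at the provider default, which as far as I know is `add`, so members added to the group outside Terraform are retained; if Terraform is meant to be authoritative for group membership, set `mode = "overwrite"` and record that decision in a comment on the resource.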
@@ -0,0 +1,7 @@
+terraform {
+ required_providers {
+ azuredevops = {
+ source = "microsoft/azuredevops"
+ }
+ }
+}
\ No newline at end of file
diff --git a/caf_solution/add-ons/azure_devops_v1/azuredevops_group_membership/variables.tf b/caf_solution/add-ons/azure_devops_v1/azuredevops_group_membership/variables.tf
new file mode 100644
index 0000000000..e2d2cb504f
--- /dev/null
+++ b/caf_solution/add-ons/azure_devops_v1/azuredevops_group_membership/variables.tf
@@ -0,0 +1,5 @@
+variable "group_descriptor" {
+}
+
+variable "group_settings" {
+}
diff --git a/caf_solution/add-ons/azure_devops_v1/azuredevops_projects.tf b/caf_solution/add-ons/azure_devops_v1/azuredevops_projects.tf
index ebe0afc6c2..10cd00a9c6 100644
--- a/caf_solution/add-ons/azure_devops_v1/azuredevops_projects.tf
+++ b/caf_solution/add-ons/azure_devops_v1/azuredevops_projects.tf
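Review bot: Both `variable "group_descriptor"` and `variable "group_settings"` in the new module variables.tf are declared without `type` or `description`, so the shape the module depends on (`group_settings.members.user_principal_names`, read in group_membership.tf) is only discoverable by reading the module body, and a caller passing the wrong shape fails inside the `for_each` rather than at the module boundary. Declaring the types and a short description documents the contract and gives a plan-time error. The root variables.tf hunk in this diff has the same gap: `groups` and `permissions` get `default = {}` but no type or description, unlike the neighbouring `azdo_pat_admin` variable, which carries one.

```hcl
variable "group_descriptor" {
  description = "Descriptor of the Azure DevOps group that the members are added to."
  type        = string
}

variable "group_settings" {
  description = "Group definition from var.groups; only members.user_principal_names is read here."
  # Attributes of the caller's object that are not listed below are dropped by the type conversion.
  type = object({
    members = object({
      user_principal_names = list(string)
    })
  })
}
```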
@@ -35,4 +35,32 @@ resource "azuredevops_project_features" "project" {
 "repositories" = try(lower(each.value.features.repositories), "disabled")
 "testplans" = try(lower(each.value.features.testplans), "disabled")
 }
-}
\ No newline at end of file
+}
+
+resource "azuredevops_group" "group" {
+ for_each = var.groups
+
+ scope = data.azuredevops_project.project[each.value.project_key].id
+ display_name = each.value.display_name
+ description = each.value.description
+}
+
+module "azuredevops_group_membership" {
+ source = "./azuredevops_group_membership"
+ for_each = {
+ for key, value in var.groups : key => value
+ if try(value.members.user_principal_names, null) != null
+ }
+
+ group_descriptor = azuredevops_group.group[each.key].descriptor
+ group_settings = each.value
+}
+
+# See https://registry.terraform.io/providers/microsoft/azuredevops/latest/docs/resources/project_permissions#permissions for a list of available permissions.
+resource "azuredevops_project_permissions" "project_perm" {
+ for_each = try(var.permissions.projects, {})
+
+ project_id = data.azuredevops_project.project[each.key].id
+ principal = azuredevops_group.group[each.value.group_key].id
+ permissions = each.value.permissions
+}
diff --git a/caf_solution/add-ons/azure_devops_v1/variables.tf b/caf_solution/add-ons/azure_devops_v1/variables.tf
index 36a172638f..245eadd0c7 100644
--- a/caf_solution/add-ons/azure_devops_v1/variables.tf
+++ b/caf_solution/add-ons/azure_devops_v1/variables.tf
@@ -75,3 +75,9 @@ variable "azdo_pat_admin" {
 default = null
 description = "(Optional). Azure Devops PAT Token. If not provided with this value must be retrieved from the Keyvault secret."
 }
+variable "groups" {
+ default = {}
+}
+variable "permissions" {
+ default = {}
+}
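Review bot: `description = each.value.description` on the new `azuredevops_group.group` resource is read without `try`, so any entry in `var.groups` that omits `description` fails at plan, while `members` in the same object is treated as optional by the module filter below it; `description = try(each.value.description, null)` keeps the two consistent. The `module "azuredevops_group_membership"` filter only checks that `user_principal_names` is non-null, so an empty list still instantiates the module and produces a membership with no members (or an apply error if the provider requires at least one); `if try(length(value.members.user_principal_names), 0) > 0` would skip those entries. The `azuredevops_project_permissions.project_perm` resource expects the map key of `var.permissions.projects` to equal a key of `data.azuredevops_project.project`, whereas the build-definition variant in azdo_pipelines.tf reads `project_key` from the value; that asymmetry deserves a comment above its `for_each`, e.g. `# Keys of var.permissions.projects must match the project keys used by data.azuredevops_project.project.`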