I get following error when trying to save a release pipeline on Azure dev. What exact permissions do I need to ask from my administrator?

Access denied. <<user id>> needs Use permissions for pool Default to perform the action. For more information, contact the Azure DevOps Server administrator.

What exact permissions do I need to ask from my administrator?

You need ask the User permissions from administrator.

When we go to Project Settings->Agent pools->The Agent Name->Security:

Check the document Security of agent pools for some more details.

Roles are also defined on each organization agent pool, and memberships in these roles govern what operations you can perform on an agent pool.

The All agent pools node in the Agent pools tab is used to control the security of all project agent pools in a project. Role memberships for individual project agent pools are automatically inherited from those of the 'All agent pools' node. By default, the following groups are added to the Administrator role of 'All agent pools': Build Administrators, Release Administrators, Project Administrators.

So, you should ask User permissions from your administrator, or add your account to one of the groups mentioned above, then try it again.

I found granting Admin to a pool very confusing (and time-consuming to resolve) but I think I can explain how I got it to work for my org. This is a further explanation, based upon what @Leo Lui-MSFT said, as that was not quite clear enough for me.

My problem: I wanted to give a user access to update a pool that the user had not created (ie, was not an Owner).

Attempted solution: Making the user Admin on the pool did not let the user do that.

Successful solution: I had to go to https://dev.azure.com/my-org/_settings/agentpools > Security > Add . I then added the user and assigned the Admin role.

This has the side effect of giving the user Admin on every pool in the org (which was not what I wanted to do). If this is not your desire then go into the pool you do not wish to grant Admin access to, set Inheritance off and then remove the user from that pool.

This feels wrong, to me. I should have been able to make a user an Admin of a single pool without granting org-wide Admin over all pools.

Also as all pools seem to be created with Inheritance defaulted to true then to remove that user as an Admin from all other pools could be time-consuming and when more pools are created then I would need to remember to turn inheritance off.

That is my experience. If I have missed something please let me know.

What exact permissions do I need to ask from my administrator?

You need ask the User permissions from administrator.

When we go to Project Settings->Agent pools->The Agent Name->Security:

Check the document Security of agent pools for some more details.

Roles are also defined on each organization agent pool, and memberships in these roles govern what operations you can perform on an agent pool.

The All agent pools node in the Agent pools tab is used to control the security of all project agent pools in a project. Role memberships for individual project agent pools are automatically inherited from those of the 'All agent pools' node. By default, the following groups are added to the Administrator role of 'All agent pools': Build Administrators, Release Administrators, Project Administrators.

So, you should ask User permissions from your administrator, or add your account to one of the groups mentioned above, then try it again.

The Agent Pools have two sets of security, when this happened to me I had Admin on the Agent Pool Project Security but not on the Agent Pool Organisation Security.

• Project Settings > Agent Pools > Pool Name > Security
• Organisation Settings > Agent Pools > Pool Name > Security

I used -e AZP_POOL=XXX parameter when docker run to solve the same issue, even my account is an administrator.

Check if you are entering the pool name correctly. If you pressed 'Enter' to keep the default name for the pool, it does not work, you need to specify the correct name for the agent pool

I had similar problem with a Pipeline:

Error: Access Denied: 0000000d-0000-8888-8000-000000000000 needs the following permission(s) on the resource /Organizations to perform this action: Read Organization resources

I created again service connections and change this in the pipeline:

I think this user was delete from active directory.

(I realize this question is regarding DevOps but DevOps Server / TFS may have different interface but encounter the same issue)

In TFS or DevOps Server, you have to be added to Team Foundation Administrators group through TFS Admin Console only. To do that:

Access Team Foundation Server Administration Console via Server > Application Tier > Group Membership > Team Foundation Administrators > Properties > Add user.

There is a difference in managing security roles:

• for deployment group (managed from the project -> deployment groups -> Security),
• for deployment pool (managed from the organization -> Deployment pools -> Security).

Check your permissions in both of these. In my case, I had deployment group permissions, but was missing permissions in deployment pool.

You should have an organization level access to get rid of the error message you are getting.

If you've created the organization you will be the owner of the organization, you should have all the admin access to do whatever your pipeline need.

otherwise, Select the organization -> Go to organization settings -> agent pool [left plane] -> security [right top] -> add a new user with your name with admin role

Try the same with project level settings.