Access denied for orchestration plan on Build



I was trying to setup a Build Agent within one of my current customers. They do over 1 million builds a year through Team City and I need to demonstrate that the new TFS build system is awesome before they will consider it. So it never instils confidence when you get an error…

10:01:25.328098 ---------------------------------------------------------------------------
10:01:25.341094 System.AggregateException: One or more errors occurred. ---> Microsoft.TeamFoundation.DistributedTask.WebApi.TaskOrchestrationPlanSecurityException: Access denied: Project Collection Build Service does not have write permissions for orchestration plan 13b88515-ebeb-4c2e-9213-cdcc683b8ff4.
10:01:25.341094 Microsoft.TeamFoundation.DistributedTask.WebApi.TaskOrchestrationPlanSecurityException: Access denied: Project Collection Build Service does not have write permissions for orchestration plan 13b88515-ebeb-4c2e-9213-cdcc683b8ff4.

I had one of their guys setup a TFS agent on one of their many enormously powerful build servers and tried a simple build. The build immediately errored out and greeted me with a “there was an error” message with no logs at all. I knew that something fundamental was up because of the lack of logs, and had to go to the server to get the cryptic message, Project Collection Build Service does not have write permissions for orchestration plan, that really did not help me much.


Boy was the lack of logs annoying. Especially since the only way to get any information was to log onto a server that I did not own to go get more info.

After much pain and suffering I got with Chris Paterson and isolated the issue to one of permissions. The new build system has two custom user accounts that are used to execute builds:

  • Project Build Service
  • Project Collection Build Service

Effectively you can choose to have the build configured to run at the Project level if you only need access to the data in a single project, and the collection level if you need to pull bits from multiple projects. As soon as he mentioned this I thought about one of the options that I changed during the configuration of the build definition.


These isolation levels make sense, however there is a bug in the TFS 2015 RTM upgrade that may result in the “Project Collection” level resulting in the “Task Orchestration Plan Security Exception” you see above.

At this point you can immediately unblock yourself by selecting “Current Project” from the list.

However if you need access to more than one Team Project, or might in the future, you need to dig a little deeper. If you have a look at the permissions on your build definition you should see the issue.


If you open the permissions for your build you should see both the “Project Build Service” and the “Project Collection Build Service” permissions with “Inherit Allow”. You you don’t have both then you have an issue!

You can just add them to the Build Definition but you really want it to be inherited so that you don’t have to go add it for every Build Definition. To do that you have to go through Visual Studio to pop the correct UI.


It seams that the only way to pop the security panel for the root node of the Build Definitions, so that we can fix the cause, is in Visual Studio. So launch VS2015, head to the Builds page of Team Explorer, and click the “Actions” drop-down under “Build Definitions”. Then select “Security”… this will pop the Web UI and get you strait to the right place.

Note: Not to be confused by the legacy XAML Build Definitions.


Once there you can see that I only have the “Project Build Service” in the “Users” list and I also need to have the “Project Collection Build Service”. So even though this is not a Windows user or group you need to click “Add” and then “Add Windows User or Group”… Then search for and add the “Project Collection Build Service”.


Now, even though my build still fails, it fails for better reasons than just exploding. So if you run into the dreaded “Access denied: Project Collection Build Service does not have write permissions for orchestration plan” you will now know where to look and what might be the issue…

Upcoming Training Opportunities

These are the next five classes we have, and you can check out our full public schedule of classes.

Immersive Professional Scrum Product Owner with Russell Miller over 8 weeks starting 11th October 2023
Virtual Immersive
11 Oct-13 Oct, 2023
09:00-13:00 EDT
8 weekly half-days
Immersive Applying Professional Scrum with Simon Bourk over 10 weeks from18th October 2023
Virtual Immersive
18 Oct-20 Oct, 2023
09:00-13:00 EDT
10 weekly half-days
Immersive Professional Agile Leadership Essentials with Joanna Płaskonka Ph.D. over 7 weeks from 20th October 2023
Virtual Immersive
20 Oct-1 Oct, 2023
09:00-13:00 BST
7 weekly half-days
Live Virtual Product Backlog Management Skills with Joanna on 2nd November 2023
Virtual Traditional
2 Nov, 2023
09:00-17:00 GMT
1 full-days

We can deliver any of our courses as private in-house training over Microsoft Teams & Mural. We also recommend training based on your accountabilities or role, you can go directly to recommended courses for Scrum MastersProduct OwnersDevelopers and Agile Leaders.

Create a conversation around this article

Share on Facebook
Share on Twitter
Share on Linkdin

Related Courses

No items found

Read more

Martin Hinshelwood
🚀 Navigating the intricacies of the Sprint Goal in Scrum? 🎯 Discover the essence of crafting a goal that drives real value! 📈 Dive deep into the tactical steps, avoid common pitfalls, and ensure your team is on the right track. 🛤️ Let’s demystify the Sprint Goal together! 🤝 #Scrum …
Martin Hinshelwood
Software Development is not just a systematic process but a dynamic interplay of critical work that shapes the progress of your product. A Scrum team’s work can be classified into Sprint work and Refinement. To steer your Scrum Team towards success, it’s essential to understand, manage, and balance these two …
Daryn Basson Would you recommend the APS course to a newbie scrum team, and Why? Why the APS Course is a Must for Newbie Scrum Teams In this article, I’d like to share some thoughts on the Agile Practitioner Series (APS) course and its relevance to newbie Scrum teams. But first, …
Martin Hinshelwood
🚀 Navigating the nuances between the Definition of Done and Acceptance Criteria? 🤔 Dive into our latest article that explores the sanctity of a working, usable product without compromising value. 💡 Let’s ensure quality and value go hand in hand! 🤝


We believe that every company deserves high quality software delivered on a regular cadence that meets its customers needs. Our goal is to help you reduce your cycle time, improve your time to market, and minimise any organisational friction in achieving your goals.

naked Agility Limited is a professional company that offers training, coaching, mentoring, and facilitation to help people and teams evolve, integrate, and continuously improve.

We recognise the positive impact that a happy AND motivated workforce, that has purpose, has on client experience. We help change mindsets towards a people-first culture where everyone encourages others to learn and grow. The resulting divergent thinking leads to many different ideas and opportunities for the success of the organisation.