My understanding is that branch policies allow us to prevent push to master but allow PR. But I could not find a policy or security settings on Azure DevOps that allow me to
