Branch policiesalready do exactly what you're saying. When a branch policy is in place, PRs are required.

分支机构政策已经完全符合您的要求。当分支策略到位时，需要 PR。

Make sure your developers don't have the "Exempt From Policy Enforcement" permission.

确保您的开发人员没有“豁免政策执行”权限。

I know this question is a bit older but here is some additional information...
Unfortunately I cannot add comments to the "best answer" so here is a new one, you may just treat it as a comment:

我知道这个问题有点旧，但这里有一些额外的信息......
不幸的是，我无法在“最佳答案”中添加评论，所以这是一个新问题，您可以将其视为评论：

Branch policies already do exactly what you're saying. When a branch policy is in place, PRs are required.

分支机构政策已经完全符合您的要求。当分支策略到位时，需要 PR。

100 % agree

100% 同意

Make sure your developers don't have the "Exempt From Policy Enforcement" permission.

确保您的开发人员没有“豁免政策执行”权限。

100 % agree

100% 同意

Exempt From Policy Enforcement

豁免政策执行

Where should we look to see if developers have the "Exempt From Policy Enforcement" permission?

我们应该在哪里查看开发人员是否拥有“豁免政策执行”权限？

From docs.microsoft.com:

从docs.microsoft.com：

There are several permissions that allow users to bypass branch policy. In TFS 2015 through TFS 2018 Update 2, the Exempt from policy enforcementpermission allows users with this permission to perform the following actions:

• When completing a pull request, opt-in to override policies and complete a pull request even if the current set of branch policies is not satisfied.
• Push directly to a branch even if that branch has branch policies set. Note that when a user with this permission makes a push that would override branch policy, the push automatically bypasses branch policy with no opt-in step or warning.

In Azure DevOps Services, the Exempt from policy enforcementpermission is removed and its functionality divided into the following two new permissions:

• Bypass policies when completing pull requests
• Bypass policies when pushing

Users that previously had Exempt from policy enforcementenabled now have the two new permissions enabled instead.

有多种权限允许用户绕过分支策略。在 TFS 2015 到 TFS 2018 Update 2 中，策略实施豁免权限允许具有此权限的用户执行以下操作：

• 完成拉取请求时，即使不满足当前的分支策略集，也可选择覆盖策略并完成拉取请求。
• 即使该分支设置了分支策略，也可以直接推送到该分支。请注意，当具有此权限的用户进行会覆盖分支策略的推送时，推送会自动绕过分支策略，不会出现选择加入步骤或警告。

在 Azure DevOps Services 中，删除了策略强制豁免权限，其功能分为以下两个新权限：

• 完成拉取请求时绕过策略
• 推送时绕过策略

以前启用了策略实施豁免的用户现在启用了两个新权限。

You can find these options under:
organization/ project/ Settings / Repositories

您可以在以下位置找到这些选项：
组织/项目/设置/存储库

Local Git

本地 Git

Presumably a user can do anything to their own local version of the master branch, but then Azure DevOps would deny the push to the remote? If/when that happens, what would the dev need to do to undo the mess they've gotten into on their local repo?

据推测，用户可以对自己本地版本的 master 分支做任何事情，但是 Azure DevOps 会拒绝推送到远程？如果/当发生这种情况时，开发人员需要做什么来消除他们在本地存储库中陷入的混乱？

This is the case because the Branch policies in Azure DevOps are not let's call it "vanilla-git". It's a Microsoft specific extension which has nothing to do with your user's local git branches. Therefor a user can do to his local git repo whatever he wants to - DevOps just prevents some stuff "server-sided".

About the question how a dev can undo the mess: I recommend this SO question.

之所以如此，是因为 Azure DevOps 中的 Branch 策略不让我们称之为“vanilla-git”。它是 Microsoft 特定的扩展，与您用户的本地 git 分支无关。因此，用户可以对他的本地 git repo 做任何他想做的事情——DevOps 只是阻止了一些“服务器端”的东西。

关于开发人员如何消除混乱的问题：我推荐这个 SO question。