Επεξεργασία

Κοινή χρήση μέσω


Access via Microsoft Entra FAQs

Azure DevOps Services

Important

Azure DevOps doesn't support Alternate Credentials authentication. If you're still using Alternate Credentials, we strongly encourage you to switch to a more secure authentication method.

Learn the answers to the following frequently asked questions (FAQs) about access to your Azure DevOps organization via Microsoft Entra ID. We grouped the FAQs by the following subjects:

General access with Microsoft Entra ID

Why don't I see my organization in the Azure portal?

In both applications, you must have Azure Service Administrator or Coadministrator permissions for the Azure subscription linked to your organization in Azure DevOps. Also, in the Azure portal, you must have Project Collection Administrator or organization owner permissions.

What do I need to set up an existing Azure DevOps instance with Microsoft Entra ID?

Ensure you meet the prerequisites in the following article, Connect your organization to Microsoft Entra ID.

I made changes to Microsoft Entra ID, but they didn't seem to take effect, why?

Changes made in Microsoft Entra ID can take up to 1 hour to be visible in Azure DevOps.

Can I use Microsoft 365 and Microsoft Entra ID with Azure DevOps?

Yes.

Why do I have to choose between a "work or school account" and my "personal account"?

You have to choose between a "work or school account" and your "personal account" when you sign in with an email address (for example, jamalhartnett@fabrikam.com) shared by both accounts. Although both identities use the same sign-in address, they're separate and have different profiles, security settings, and permissions.

  • Select Work or school account if you used this identity to create your organization or previously signed in with it. Your organization's directory in Microsoft Entra ID authenticates your identity and controls access to your organization.

  • Select Personal account if you used your Microsoft account with Azure DevOps. The global directory for Microsoft accounts authenticates your identity.

My organization uses Microsoft accounts only. Can I switch to Microsoft Entra ID?

Yes, but before you switch, make sure that Microsoft Entra ID meets your needs for sharing the following items:

  • Work items
  • Code
  • Resources
  • Other assets with your team and partners

Learn more about controlling access with Microsoft accounts versus Microsoft Entra ID, and how to switch when you're ready.

Why can't I sign in after I select "personal Microsoft account" or "work or school account"?

If your sign-in address is shared by both your personal Microsoft account and your work or school account, but the selected identity doesn't have access, you can't sign in. Although both identities use the same sign-in address, they're separate and have different profiles, security settings, and permissions. Sign out completely from Azure DevOps by completing the following steps. Closing your browser might not sign you out completely. Sign in again and select your other identity:

  1. Close all browsers, including browsers that aren't running Azure DevOps.

  2. Open a private or incognito browsing session.

  3. Go to this URL: https://aka.ms/vssignout.

    A message displays, "Sign out in progress." After you sign out, you're redirected to the Azure DevOps @dev.azure.microsoft.com webpage.

    Tip

    If the sign-out page takes longer than a minute, close the browser and try again.

  4. Sign in to Azure DevOps again. Select your other identity.

What happens if my Azure subscription is disabled?

If you're the organization owner or Azure subscription Account Administrator, check your subscription status in the Account Center, then try to fix your subscription. Your paid settings are restored. Or you can link your organization to another Azure subscription by unlinking your organization from the disabled subscription. While your subscription is disabled, your organization goes back to the free monthly limits until your subscription is fixed.

Microsoft Entra users and permissions

If you don't find an answer to your question here, see User and permissions management FAQs.

Why do I have to add users to a directory?

Your organization authenticates users and controls access through Microsoft Entra ID. All users must be directory members to get access.

As a directory administrator, you can add users to the directory. If you're not an administrator, work with your directory administrator to add users. Learn more about controlling access to Azure DevOps Services by using a directory.

What happens to current users?

Your work in Azure DevOps is associated with your credentials for Microsoft Entra ID. After your organization is connected to your directory, users continue working seamlessly if their credential addresses appear in the connected directory. If users' addresses don't appear, you must add those users to your directory. Your organization might have policies about adding users to the directory, so find out more first.

How do I find out whether my organization uses Microsoft Entra ID to control access?

If you have at least Basic access, go to your Organization settings, and then select the Microsoft Entra ID tab. Either Connect directory, or Disconnect directory.

My organization controls access by using Microsoft Entra ID. Can I just delete users from the directory?

Yes, but deleting a user from the directory removes the user's access to all organizations and other assets associated with that directory. For more information, see Delete a user from your Microsoft Entra directory.

Why are "no identities found" when I try to add users from Microsoft Entra ID to my Azure DevOps organization?

You're probably a guest in the Microsoft Entra ID that backs your Azure DevOps organization, rather than a member. Microsoft Entra guests can't search the Microsoft Entra ID in the manner required by Azure DevOps. For example, Microsoft Entra guests can't use the Azure DevOps web portal to search for or select users who aren't added to the Azure DevOps organization. Learn how to convert a Microsoft Entra guest into a member.

What if we can't use the same sign-in addresses?

Add these users to the directory with new work or school accounts, and reassign access levels and readd them to any projects. If they have existing work or school accounts, those accounts can be used instead. Work isn't lost and stays with their current sign-in addresses. Users can migrate work that they want to keep, except for their work history. For more information, see how to add organization users.

What if I accidentally delete a user in Microsoft Entra ID?

Restore the user, rather than create a new one. If you create a new user, even with the same email address, this user isn't associated with the previous identity.

How can I convert a Microsoft Entra guest into a member?

Select from the following two options:

Convert the UserType from guest to member using Microsoft Graph PowerShell

Warning

We don't recommend this advanced process, but it allows the user to query Microsoft Entra ID from the Azure DevOps organization.

Prerequisites

As the user making the UserType change, have the following items:

  • A work/school account (WSA)/native user in Microsoft Entra ID. You can't change the UserType with a Microsoft Account.
  • User Administrator permissions

Important

We recommend creating a new (native) Microsoft Entra user with User Administrator permissions in Microsoft Entra ID. Complete the following steps with this user to eliminate the possibility of connecting to the wrong Microsoft Entra ID. You can delete the new user when you're done.

Process

  1. Sign in to the Azure portal as User Administrator for your organization's directory.
  2. Go to the tenant that backs your Azure DevOps organization.
  3. Open an Administrative Windows PowerShell prompt to use Microsoft Graph PowerShell.
  4. Execute Install-Module -Name Microsoft.Graph -Scope CurrentUser. The Microsoft Graph downloads from the PowerShell Gallery.
  5. Once the installation completes, execute Connect-MgGraph -Scopes "User.ReadWrite.All". Sign in to the Microsoft Entra ID. Be sure to use an ID that meets the previously mentioned criteria and consent to the permissions.
  6. Execute Get-MgUser -Filter "DisplayName eq '<display name'" -property DisplayName, ID, UserPrincipalName, UserType | Select DisplayName, ID, UserPrincipalName, UserType, where <display_name> is the display name for the user, as seen inside the Azure portal. We want to change the userType to Member.
  7. Execute Update-MgUser -UserId string -UserType Member, where string is the value of ID returned by the previous command. The user is set to member status.
  8. Execute Get-MgUser -Filter "DisplayName eq '<display name'" -property DisplayName, ID, UserPrincipalName, UserType | Select DisplayName, ID, UserPrincipalName, UserType again to verify the UserType changed. You can also verify in the Microsoft Entra ID section of the Azure portal.

While not the norm, it could take several hours, or even days before this change reflects in Azure DevOps. If it doesn't fix your Azure DevOps issue immediately, give it some time and keep trying.

Microsoft Entra groups

Why can't I assign Azure DevOps permissions directly to a Microsoft Entra group?

Because these groups are created and managed in Azure, you can't assign Azure DevOps permissions directly or secure version control paths to these groups. You get an error if you try to assign permissions directly.

You can add a Microsoft Entra group to the Azure DevOps group that has the permissions you want. Or, you can assign these permissions to the group instead. Microsoft Entra group members inherit permissions from the group where you add them.

Can I manage Microsoft Entra groups in Azure DevOps?

No, because these groups are created and managed in Azure. Azure DevOps doesn't store or sync member status for Microsoft Entra groups. To manage Microsoft Entra groups, use the Azure portal, Microsoft Identity Manager (MIM), or the group management tools that your organization supports.

How do I tell the difference between an Azure DevOps group and a Microsoft Entra group?

The Azure DevOps UI indicates membership scope using brackets []. For example, consider this permissions settings page:

Permissions Settings with various scopes

Scope name Definition
[fabrikam-fiber] Membership is defined in Organization Settings
[Project Name] Membership is defined in Project Settings
[TEAM FOUNDATION] Membership is defined directly in Microsoft Entra ID

Note

If you add a Microsoft Entra group to a custom security group and use a similar name, you might see what appears to be duplicate groups. Examine the scope in [] to determine which is a DevOps Group and which is a Microsoft Entra group.

Why doesn't the Users list show all Microsoft Entra group members?

These users have to sign in to your organization before they appear in Users.

How do I assign organization access to Microsoft Entra group members?

When these group members sign in to your organization for the first time, Azure DevOps assigns an access level to them automatically. If they have Visual Studio subscriptions, Azure DevOps assigns the respective access level to them. Otherwise, Azure DevOps assigns them the next "best available" access level, in this order: Basic, Stakeholder.

If you don't have enough access levels for all Microsoft Entra group members, those members who sign in get a Stakeholder access.

How can I protect access to built-in administrator groups?

Require just-in-time access using a Microsoft Entra Privileged Identity Management (PIM) group. For more information, see Just-in-time access for admin groups.

Why doesn't the Security tab show all members when I select a Microsoft Entra group?

The Security tab shows Microsoft Entra group members only after they sign in to your organization, and have an access level assigned to them.

To see all Microsoft Entra group members, use the Azure portal, MIM, or the group management tools that your organization supports.

Why doesn't the team members widget show all Microsoft Entra group members?

The team members widget shows only users who previously signed in to your organization.

Why doesn't the team capacity pane show all Microsoft Entra group members?

The team capacity pane shows only users who previously signed in to your organization. To set capacity, manually add users to your team.

Why doesn't Azure DevOps reclaim access levels from users who aren't Microsoft Entra group members anymore?

Azure DevOps doesn't automatically reclaim access levels from these users. To manually remove their access, go to Users.

Can I assign work items to Microsoft Entra group members who haven't signed in?

You can assign work items to any Microsoft Entra member who has permissions for your organization. This action also adds that member to your organization. When you add users this way, they automatically appear as Users, with the best available access level. The user also appears in the security settings.

Can I use Microsoft Entra groups to query work items by using the "In Group" clause?

No, we don't support querying on Microsoft Entra groups.

Can I use Microsoft Entra groups to set up field rules in my work item templates?

No, but you might be interested in our process customization plans.

Add users to directory

Add organization users to your Microsoft Entra ID.

Why did I get an error stating that my organization has multiple active identities with the same UPN?

During the connect process, we map existing users to members of the Microsoft Entra tenant, based on their UPN, which is often known as sign-in address. If we detect multiple users with the same UPN, we don't know how to map these users. This scenario occurs if a user changes their UPN to match one already existing in the organization.

If you encounter this error, review your list of users for any duplicates. If you find any duplicates, remove the users you don't need. If you can't find any duplicates, contact support.

Can I switch current users from Microsoft accounts to work accounts in Azure DevOps?

No. Although you can add new work accounts to your organization, they're treated as new users. If you want to access all your work, including its history, you must use the same sign-in addresses that you used before your organization was connected to your Microsoft Entra ID. Add your Microsoft account as a member to your Microsoft Entra ID.

Why can't I add users from other directories to my Microsoft Entra ID?

Be a member of or have Read access in those directories. Otherwise, you can add them using B2B collaboration through your Microsoft Entra administrator. You can also add them by using their Microsoft accounts, or by creating new work accounts for them in your directory.

What if I get an error trying to map a user to an existing member of my organization?

You can map the user onto a different identity that isn't yet an active member of the organization or add the existing user to your Microsoft Entra ID. If you still need to map to the existing Azure DevOps organization member, contact support.

How do I use my work or school account with my Visual Studio with MSDN subscription?

If you used a Microsoft account to activate a Visual Studio with MSDN subscription containing Azure DevOps as a benefit, you can add a work or school account. Microsoft Entra ID must manage the account. Learn how to link work or school accounts to Visual Studio with MSDN subscriptions.

Can I control access to my organization for external users in the connected directory?

Yes, but only for external users who are added as guests through Microsoft 365 or added using B2B collaboration by your Microsoft Entra administrator. These external users are managed outside the connected directory. For more information, contact your Microsoft Entra administrator. The following setting doesn't affect users who are added directly to your organization's directory.

Before you start, make sure you have at least Basic access, not Stakeholder.

Complete the prerequisites for adding external users, turning External guest access to On.

Remove users or groups

How do I remove a Microsoft Entra group from Azure DevOps?

Go to your project collection or project. In the upper bar, select Settings, and then select Security.

Find the Microsoft Entra group, and delete it from your organization.

Screenshot of project, with Delete option highlighted

Why am I asked to remove a user from a Microsoft Entra group when I delete that user from my organization?

Users can belong to your organization, both as individuals and as members of Microsoft Entra groups in Azure DevOps groups. These users can still access your organization while they're members of these Microsoft Entra groups.

To block all access for users, remove them from Microsoft Entra groups in your organization, or remove these groups from your organization. We currently can't block access completely or make exceptions for such users.

Users who are disabled or removed from your directory, can no longer access your organization by any mechanism, including via PATs or SSH.

Connect to, disconnect from, or change Microsoft Entra connection

How can I manage multiple organizations that are connected to Microsoft Entra ID?

You can download a complete list of organizations backed by a Microsoft Entra tenant. For more information, see Get a list of organizations backed by Microsoft Entra ID.

Can I connect my organization to a Microsoft Entra ID created from Microsoft 365?

Yes. If you can't find your Microsoft Entra ID created from Microsoft 365, see Why don't I see the directory that I want to connect?.

Why don't I see the directory that I want to connect to? What should I do?

You might not see the directory for any of the following circumstances:

  • You aren't recognized as the organization Owner to manage directory connections.

  • Talk to your Microsoft Entra organization administrator and ask them to make you a member of the organization. It's possible that you're not part of the organization.

Why is my organization already connected to a directory? Can I change that directory?

Your organization was connected to a directory when the organization owner created the organization, or sometime afterward. When you create an organization with a work or school account, your organization is automatically connected to the directory that manages that work or school account. Yes, you can switch directories. You might have to migrate some users.

Can I switch to a different directory?

Yes. For more information, see Switch to another Microsoft Entra ID.

Important

When you change the Microsoft Entra connection, users and groups that inherit membership and permissions from a Microsoft Entra group no longer inherit those permissions. Microsoft Entra groups added to your Azure DevOps organization don't get transferred and cease to exist in your organization. All permissions and membership relationships made with these Microsoft Entra groups also cease to exist after the transfer. Additionally, group rules enabled on Microsoft Entra groups cease to exist when you change the Microsoft Entra connection.

Why and when should I request Support to manually clear my SSH keys?

When you switch from one Microsoft Entra tenant to another, the underlying identity also changes and any PAT tokens or SSH keys that the user had with their old identity stop working. Any active SSH keys uploaded to the organization aren't deleted as part of the tenant switch process, which might block the user from uploading new keys after the switch. We recommend that users delete all their SSH keys before they switch their active directory tenant. We have work in our backlog to automatically delete the SSH keys as part of the tenant switch process and in the interim if you're blocked from uploading new keys after tenant switch, we recommend you contact Support to delete those old SSH keys.

My alternate credentials don't work anymore. What do I do?

Azure DevOps no longer supports Alternate Credentials authentication since the beginning of March 2, 2020. If you're still using Alternate Credentials, we strongly encourage you to switch to a more secure authentication method (for example, personal access tokens or SSH). Learn more.

Some users are disconnected, but they have matching identities in Microsoft Entra ID. What should I do?

  • In your Azure DevOps Organization settings, select Microsoft Entra ID, and then select Resolve.

    Select Microsoft Entra ID and then Resolve

  • Match the identities. Select Next when you're done.

    Resolve disconnected users

I got an error message when I was resolving disconnections. What should I do?

  • Try again.

  • You might be a guest in Microsoft Entra ID. Request that an organization administrator, who is a member of Microsoft Entra ID, do the mapping. Or, request that an admin of the Microsoft Entra ID converts you to a member.

  • If the error message includes a user in your domain, but you don't see them active in your directory, the user likely left your company. Go to the organization user settings to remove the user from your organization.

When I was trying to invite a new user to my Microsoft Entra ID, I got a 403 exception. What do I do?

You might be a guest in Microsoft Entra ID and don't have the right permission to invite users. Go to External collaboration settings in Microsoft Entra ID and move the "Guests can invite" toggle to Yes. Refresh Microsoft Entra ID and try again.

Will my users keep their existing Visual Studio subscriptions?

Visual Studio subscription administrators ordinarily assign subscriptions to users' corporate email addresses, so that users can receive welcome email and notifications. If the identity and subscription email addresses match, users can access the benefits of the subscription. As you transition from Microsoft to Microsoft Entra identities, users' benefits still work with their new Microsoft Entra identity. But, the email addresses must match. If the email addresses don't match, your subscription administrator must reassign the subscription. Otherwise, users must add an alternate identity to their Visual Studio subscription.

What if I'm required to sign in when I use the people picker?

Clear your browser cache and delete any cookies for the session. Close your browser, and then reopen.

What if my work items are indicating that the users aren't valid?

Clear your browser cache and delete any cookies for the session. Close your browser, and then reopen.

Once my organization is connected to Microsoft Entra ID, will it update Azure Boards work items, pull requests, and other pieces where I'm referenced in the system with my new ID?

Yes, all pieces in the system are updated with the new ID when a user's ID gets mapped from their personal email to their work email.

What if I get a warning about members who will lose access to the organization?

You can still connect to Microsoft Entra ID, but try to resolve the mapping issue after you connect and select the bolded text to see which users are affected. If you still need help, contact support.

Screenshot showing Microsoft Entra connection warning.

With more than 100 members in my Azure DevOps organization, how can I connect to a Microsoft Entra ID?

Currently, you can still connect, but the mapping and invite features that help resolve disconnected users post-connection doesn't work beyond 100. Contact Support.

Why is git.exe/Visual Studio failing to authenticate after linking/unlinking from Microsoft Entra ID?

The tenant cache must be cleared if you're using a GCM version before v1.15.0. Clearing the tenant cache is as easy as deleting the %LocalAppData%\GitCredentialManager\tenant.cache file on each machine returning a sign-in error. The GCM automatically recreates and populates the cache file, as needed, on subsequent sign-in attempts.

How do I get help or support for Azure DevOps?

Choose from the following support options: