Unable to link Azure DevOps to our Microsoft Entra Connection - oddly as I'm not a member?!?

Question

Unable to link Azure DevOps to our Microsoft Entra Connection - oddly as I'm not a member?!?

Donpaul Stephens 0

In Azure DevOps, I am unable to connect with Microsoft Entra our organization's subscription (directory).

I first get the warning:

Once connected, 2 out of 10 member(s) of this organization won't be able to sign in because they aren't a member of the target directory.

Oddly, this is >ME< (the owner) and the only other person who was created as a new user in [our] organization. It can see the 8 people who were "invited as external users.

When I try to connect anyway, I get the error:

"

User: [>>ME<<] is not allowed to link organization: [>>MY ORGANIZATION<<] to Microsoft Entra tenant: [>>OUR SUBSCRIPTION NAME<<]. Only active members of the Microsoft Entra tenant are allowed to perform the link.

Rukmini 3,841 Reputation points Microsoft External Staff Moderator

2025-04-11T01:52:31.87+00:00

Hello Donpaul Stephens,

I understand that you are unable to link Azure DevOps to our Microsoft Entra Connection, To resolve the error make sure your account must be a Member (not Guest) in the Entra tenant and must be an AAD identity. And make sure you have switched directory to your default directory.

Also can you provide the screenshot of the users blade in the Tenant?

Let me know if further queries - feel free to reach out!
Donpaul Stephens 0 Reputation points

2025-04-11T15:20:12.9233333+00:00

This appears promising...
I created the new account

but not just an incognito browser, but on a completely separate browser, I get the same behavior

when I go to: dev.azure.com
it redirects to https://azure.microsoft.com/en-us/products/devops/?nav=min

that's fine

I login as:
******@donpaulairmettle.onmicrosoft.com

first time, it had me reset password, and setup 2 factor authentication --> that's ok

but it took me to the portal.azure.com
not the DevOps site

I want to log into Azure DevOps, and create a new organization (for using Azure DevOps) with this new account how can i do that?

Do I need to create some other account / configuration for this to work?
e.g. create a Microsoft.com account using the

******@donpaulairmettle.onmicrosoft.com
?

FWIW, it should not matter, but I have the "email" for that account set to a distribution list in my company - which works for receiving emails, but none will originate from that
Donpaul Stephens 0 Reputation points

2025-04-11T18:15:39.7133333+00:00

I was able to setup a new account
******@donpaulairmettle.onmicrosoft.com

which is a member
I can (from the portal) go to Azure DevOps
which seems to get me to the starting point

--> I have a warning : Confirmation pending for contact email
???

I created a project
AzureAirMettle

on the bright side:
Microsoft Entra

is already connected to our subscription, as it lists:
Your organization is connected to the AirMettle - Azure Development directory.

AirMettle - Azure Development

donpaulairmettle.onmicrosoft.com

Tenant Id: 7ead95db-a19f-40ac-b830-81b4d7ba7c9c

unfortunately... NOW... the Billing is not able to connect?!?!

when I click "set up BIlling", I get:
"
Set up billing

Select an Azure subscription for billing your organization's Azure DevOps charges

No Subscriptions found. Please create a new subscription to set up billing

Select an Azure subscription
"

FWIW, I could not create a Microsoft Account for the
******@donpaulairmettle.onmicrosoft.com
account

but I did for
******@airmettle.com

which I set as a 2nd email for ******@donpaulairmettle.onmicrosoft.com
the 1st email i set to:
******@airmettle.com

which is (as implied) a distribution list

please advise how i can link this for billing ... or should I try starting this (again) as a "free trial" to try to get things underway?
Donpaul Stephens 0 Reputation points

2025-04-14T00:37:35.4066667+00:00

The new DevOps account - created with a "member" of the organization now appears to be connected with both Entra (which it was when I set it up) and now billing as well

I was able to access using my own account (which did not work on Friday)
but ... oddly it says I'd disconnected (I'm not)... I'll ignore that error for now and try setting up the rest of this with my team tomorrow

hopefully they can get in - will find out when they are back at work tomorrow.

Thanks again Arko!
Arko 4,150 Reputation points Microsoft External Staff Moderator

2025-04-14T18:44:02.73+00:00

Glad my suggestion was helpful Donpaul Stephens, i will convert the same to answer. It would be great if you could kindly accept my answer so that anyone else on QnA forum having similar query can check out my answer. Thanks

1 answer

Your answer

Rukmini 3,841 Reputation points Microsoft External Staff Moderator

2025-04-11T01:52:31.87+00:00

Hello Donpaul Stephens,

I understand that you are unable to link Azure DevOps to our Microsoft Entra Connection, To resolve the error make sure your account must be a Member (not Guest) in the Entra tenant and must be an AAD identity. And make sure you have switched directory to your default directory.

Also can you provide the screenshot of the users blade in the Tenant?

Let me know if further queries - feel free to reach out!
Donpaul Stephens 0 Reputation points

2025-04-11T15:20:12.9233333+00:00

This appears promising...
I created the new account

but not just an incognito browser, but on a completely separate browser, I get the same behavior

when I go to: dev.azure.com
it redirects to https://azure.microsoft.com/en-us/products/devops/?nav=min

that's fine

I login as:
******@donpaulairmettle.onmicrosoft.com

first time, it had me reset password, and setup 2 factor authentication --> that's ok

but it took me to the portal.azure.com
not the DevOps site

I want to log into Azure DevOps, and create a new organization (for using Azure DevOps) with this new account how can i do that?

Do I need to create some other account / configuration for this to work?
e.g. create a Microsoft.com account using the

******@donpaulairmettle.onmicrosoft.com
?

FWIW, it should not matter, but I have the "email" for that account set to a distribution list in my company - which works for receiving emails, but none will originate from that
Donpaul Stephens 0 Reputation points

2025-04-11T18:15:39.7133333+00:00

I was able to setup a new account
******@donpaulairmettle.onmicrosoft.com

which is a member
I can (from the portal) go to Azure DevOps
which seems to get me to the starting point

--> I have a warning : Confirmation pending for contact email
???

I created a project
AzureAirMettle

on the bright side:
Microsoft Entra

is already connected to our subscription, as it lists:
Your organization is connected to the AirMettle - Azure Development directory.

AirMettle - Azure Development

donpaulairmettle.onmicrosoft.com

Tenant Id: 7ead95db-a19f-40ac-b830-81b4d7ba7c9c

unfortunately... NOW... the Billing is not able to connect?!?!

when I click "set up BIlling", I get:
"
Set up billing

Select an Azure subscription for billing your organization's Azure DevOps charges

No Subscriptions found. Please create a new subscription to set up billing

Select an Azure subscription
"

FWIW, I could not create a Microsoft Account for the
******@donpaulairmettle.onmicrosoft.com
account

but I did for
******@airmettle.com

which I set as a 2nd email for ******@donpaulairmettle.onmicrosoft.com
the 1st email i set to:
******@airmettle.com

which is (as implied) a distribution list

please advise how i can link this for billing ... or should I try starting this (again) as a "free trial" to try to get things underway?
Donpaul Stephens 0 Reputation points

2025-04-14T00:37:35.4066667+00:00

The new DevOps account - created with a "member" of the organization now appears to be connected with both Entra (which it was when I set it up) and now billing as well

I was able to access using my own account (which did not work on Friday)
but ... oddly it says I'd disconnected (I'm not)... I'll ignore that error for now and try setting up the rest of this with my team tomorrow

hopefully they can get in - will find out when they are back at work tomorrow.

Thanks again Arko!
Arko 4,150 Reputation points Microsoft External Staff Moderator

2025-04-14T18:44:02.73+00:00

Glad my suggestion was helpful Donpaul Stephens, i will convert the same to answer. It would be great if you could kindly accept my answer so that anyone else on QnA forum having similar query can check out my answer. Thanks

Answer 1

Hello Donpaul Stephens,

the error you are encountering-

"User is not allowed to link organization to Microsoft Entra tenant. Only active members of the Microsoft Entra tenant are allowed to perform the link."

happens because your Azure DevOps org must have been created using a Microsoft MSA Account (e.g. @gmail.com, @outlook.com)

Please note, Microsoft Accounts are not considered Members of the Entra tenant. Only Entra ID members (not Guests/MSA users) can link DevOps to the tenant.

Question- So how to fix it now? Any Resolution?

Ans- Yes, Set Up a Clean DevOps Org Using Entra ID

Create a New Microsoft Entra User (Member) by going to https://portal.azure.com then navigate to Microsoft Entra ID > Users > New User

enter image description here

Fill the details such as

User principal name: whatever you want. For this example I gave-devopsadmin@<yourtenant>.onmicrosoft.com

Display name: DevOps Admin again your choice. edit it

User type: Member (important!) this remains same

Password: Set manually or auto-generate again upto you.

Once all the details are filled, review and create.

This creates a native Entra ID user in your tenant

enter image description here

next grant subscription access under -

Subscriptions > [your subscription] > Access control (IAM) and click on Add > Add role assignment

Choose some strong role as per your requirement for example Owner or Contributor. Assign access to your principal name in this example which is devopsadmin@... and save.

Now the main part comes. As you mentioned you don't care about old data, create a new DevOps Organization

Open a private/incognito browser window
Visit: https://dev.azure.com
Sign in as: devopsadmin@<yourtenant>.onmicrosoft.com this will be the one which you have set in the previous step

enter image description here

Create a new DevOps org:
- Name: stephens-org (or any name)
- Region: your preferred region
You’ll be prompted to create a new project. Choose your name (e.g. Stephens-Demo-Project) Now the org is fully owned by an Entra-native user.

enter image description here

Link DevOps to Microsoft Entra and it should work. Navigate to Organization Settings > Microsoft Entra. Click "Connect directory"

It will automatically detect and connect to your Default Directory

enter image description here

Donpaul Stephens 0 Reputation points

2025-04-14T19:50:33.7266667+00:00

we are still having issues...

While appears (to me) that the Entra is connected...

from the "Users" Page on Organization Settings... it appears they "accessed" the DevOps - but my team members are all getting 401 errors -

meaning they can't get in.

is there any way we could schedule a brief web conference?
Arko 4,150 Reputation points Microsoft External Staff Moderator

2025-04-15T03:14:00.0933333+00:00

Sure. I can see my colleague Ryan shared with you a teams invite on private messsge. Were you able to connect? I have dropped you a mail as well for the same.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Arko 4,150 Reputation points Microsoft External Staff Moderator

2025-04-29T07:20:58.2033333+00:00

Hello Donpaul Stephens,

Thank you for confirming in Private message that things are working fine for you. Just an additional note for your reference-
After creating a new Entra ID-based Azure DevOps organization, you might see a message like-

*"Resolve disconnected users. Mapping identities is a permanent action that transfers all work history from the old identity to the new matched identity."
*
If you encounter this warning, only proceed with mapping if you're absolutely certain the disconnected identity matches the new Entra user. If uncertain or not critical, you can leave disconnected users unmapped and continue using the organization.

This behavior is normal when migrating from an old MSA-based organization to a clean Microsoft Entra ID-based setup.

If you see this section, it says only Members (not Guests or MSAs) can link an Azure DevOps organization to Microsoft Entra. If a user is a guest, they need to be converted to a member.
Official reference: Connect your organization to Microsoft Entra ID

Hope this resolves you query from the original post. It would be great if you could kindly accept the answer for anyone in the QnA community having similar query can refer to this post. Thanks

Share via

Unable to link Azure DevOps to our Microsoft Entra Connection - oddly as I'm not a member?!?

1 answer

Your answer