In dev.azure, user's access level is automatically changing to stakeholder from Basic. Duplicate munged identity causing 500 login error and infinite license loop in Azure DevOps

Nirbhay Giri 20 Reputation points
2026-05-26T13:25:19.2466667+00:00
Organization: ACPLApps (dev.azure.com/ACPLApps)
 
Affected users:
- ******@acplcargo.com
- ******@acplcargo.com
 
Problem:
Audit logs show "Duplicate identity found" every 30 seconds.
Azure DevOps Service automatically removes Basic license and 
assigns Stakeholder in a loop. Users cannot login - 500 error.
 
Already done:
- Permanently deleted old identities from Microsoft Entra
- Removed and re-added users multiple times
- Ghost identity still persists in Azure DevOps backend
 
Correlation ID: 5fe7a5cf-3574-414f-aadf-79320402b4b6
 
Need backend identity/descriptor cleanup for these users.
Azure DevOps

2 answers

  1. Pravallika KV 16,525 Reputation points Microsoft External Staff Moderator
    2026-05-26T13:41:57.14+00:00

    Hi @Nirbhay Giri ,

    The service keeps detecting a duplicate, stripping the Basic license, putting you on Stakeholder, then 30 seconds later doing it all over again, hence the 500 login errors and infinite license loop.

    Here's what you can do next:

    1. Gather the user descriptors
    2. Attempt a hard-delete via REST (if there are no project/resource dependencies)
    3. If the REST delete fails or the ghost still persists, you’ll need a backend cleanup by Microsoft Support
    • Open an Azure DevOps support request (https://aka.ms/azdevops-support) under the “Identity Management” category. Provide:
      • Your organization name (ACPLApps)
      • The affected email addresses
      • Correlation ID
      • AAD tenant ID and subscription ID
    • The support team can run a backend script to remove the phantom descriptor and clear the license loop.
    • Once the ghost identity is gone, re-provision the users as Basic:
      • Azure DevOps portal > Organization settings > Users > Add users > assign “Basic” access.

    Hope this helps!


    If the resolution was helpful, kindly take a moment to click on Yes for "Was this answer helpful?". And if you have any further queries, do let us know.

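The "gather the user descriptors" step from the answer above, as an added example that is not part of the original answer or any Microsoft tooling: it groups user records by sign-in name and flags names that map to more than one descriptor, marking records whose `originId` no longer exists in Entra. It assumes records shaped like the Azure DevOps Graph Users list response (`principalName`, `mailAddress`, `descriptor`, `originId`); the sample records and the `live_entra_ids` set are constructed placeholders.

```python
from collections import defaultdict

def find_duplicate_identities(graph_users, live_entra_ids):
    """Return {sign-in name: [records]} for names that map to 2+ descriptors.

    Each record is marked stale when its originId is not a live Entra object ID,
    which is the descriptor to hand to support for cleanup.
    """
    by_name = defaultdict(list)
    for user in graph_users:
        # Sign-in names are compared case-insensitively; fall back to mailAddress.
        name = (user.get("principalName") or user.get("mailAddress") or "").lower()
        if name:
            by_name[name].append(user)
    findings = {}
    for name, records in by_name.items():
        if len({r["descriptor"] for r in records}) < 2:
            continue  # a single descriptor is the healthy case
        findings[name] = [
            {"descriptor": r["descriptor"],
             "originId": r.get("originId"),
             "stale": r.get("originId") not in live_entra_ids}
            for r in sorted(records, key=lambda r: r["descriptor"])
        ]
    return findings

# Constructed sample records; descriptors and object IDs are placeholders.
SAMPLE_USERS = [
    {"principalName": "User1@example.com", "descriptor": "aad.PLACEHOLDER-A",
     "originId": "11111111-1111-1111-1111-111111111111"},
    {"principalName": "user1@example.com", "descriptor": "aad.PLACEHOLDER-B",
     "originId": "22222222-2222-2222-2222-222222222222"},
    {"mailAddress": "user2@example.com", "descriptor": "aad.PLACEHOLDER-C",
     "originId": "33333333-3333-3333-3333-333333333333"},
]
# Assumption: object IDs that currently exist in the Entra tenant.
LIVE_ENTRA_IDS = {"22222222-2222-2222-2222-222222222222",
                  "33333333-3333-3333-3333-333333333333"}

if __name__ == "__main__":
    for name, rows in find_duplicate_identities(SAMPLE_USERS, LIVE_ENTRA_IDS).items():
        print(name, rows)
```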

  2. AI answer

    2026-05-26T13:25:33.8+00:00

    This scenario requires backend identity and licensing cleanup in Azure DevOps and can’t be fully resolved with self-service tools.

    Based on the symptoms:

    • Users are repeatedly downgraded from Basic to Stakeholder.
    • There are audit entries about duplicate identities.
    • Users receive 500 errors on sign-in.

    The supported path is:

    1. Collect all relevant details
      • Organization: ACPLApps (dev.azure.com/ACPLApps).
      • Affected UPNs (both variants, including any historical/alias forms).
      • Correlation ID: 5fe7a5cf-3574-414f-aadf-79320402b4b6.
      • Exact timestamps (UTC) when the 500 error and “Duplicate identity found” events occur.
      • Screenshots or copies of the Azure DevOps audit log entries that show the automatic license changes and duplicate identity messages.
    2. Verify local configuration (to rule out simple causes)
      • In Organization settings → Users, confirm the affected users are assigned Basic (or higher) and not only Stakeholder, and that there are no conflicting group rules that might be re-applying Stakeholder. Group rules always grant the highest access level available, but misconfiguration can still cause unexpected changes. See the guidance on group rules precedence and periodic re-evaluation.
      • Confirm the billing subscription is active and that there are enough paid Basic seats so that users are not being automatically downgraded due to over-allocation. See the billing FAQs for behavior when there are more Basic users than paid seats.
    3. Open a support case with Microsoft
      • This issue involves a “ghost” or duplicate identity record and requires backend cleanup in the Azure DevOps identity store, which is not exposed via UI or API.
      • In the support request, include:
        • Organization name and URL.
        • Affected user identities (UPNs and any old/alternate UPNs).
        • Correlation ID 5fe7a5cf-3574-414f-aadf-79320402b4b6.
        • Description of the automatic Basic→Stakeholder license loop and 500 login error.
        • Confirmation that the old Entra ID objects have been permanently deleted.
        • Sample audit log entries showing “Duplicate identity found” and automatic license changes.
      • Ask specifically for:
        • Identity/descriptor de-duplication and cleanup for the affected users in Azure DevOps.
        • Removal or correction of any stale identity records that still reference the deleted Entra IDs.
    4. Post-fix verification steps (after Microsoft completes cleanup)
      • Have support confirm that the duplicate identities/descriptors have been merged or removed.
      • In Organization settings → Users, reassign Basic access if needed.
      • Ensure no group rule or billing constraint is forcing a downgrade.
      • Have the users sign in again (preferably from an InPrivate/Incognito session after visiting https://aka.ms/vssignout to clear old tokens) and confirm:
        • No more 500 errors on login.
        • No new “Duplicate identity found” entries in the audit logs.
        • Access level remains Basic and is no longer auto-changed to Stakeholder.

    Because the duplicate identity is in the Azure DevOps backend, only Microsoft support can perform the necessary identity/descriptor cleanup; local admin actions (removing/re-adding users, deleting Entra IDs) are not sufficient once the identity store is in an inconsistent state.


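The evidence-collection step in the answer above (timestamps and audit entries showing the license loop), as an added example that is not part of the original answer: it scans an exported audit log and reports, per affected UPN, how many licensing or "Duplicate identity found" events repeat and at what interval. It assumes entries carry `timestamp`, `actionId`, `details` and `correlationId` fields and that the UPN appears in `details`; the sample entries, their wording and IDs are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

def parse_utc(ts):
    """Parse an audit timestamp, trimming 7-digit fractions older Pythons reject."""
    m = re.fullmatch(r"(.{19})(?:\.(\d+))?(Z|[+-]\d\d:\d\d)", ts)
    if not m:
        raise ValueError(f"unrecognised timestamp: {ts!r}")
    frac = (m.group(2) or "")[:6].ljust(6, "0")
    zone = "+00:00" if m.group(3) == "Z" else m.group(3)
    return datetime.fromisoformat(f"{m.group(1)}.{frac}{zone}")

def summarize_license_loop(entries, upns, max_gap_s=120, min_events=3):
    """Per affected UPN, report repeating licensing / duplicate-identity events."""
    hits = defaultdict(list)
    for e in entries:
        details = e.get("details", "").lower()
        relevant = e.get("actionId", "").startswith("Licensing.") or "duplicate identity found" in details
        for upn in (u.lower() for u in upns):
            if relevant and upn in details:
                hits[upn].append((parse_utc(e["timestamp"]), e.get("correlationId")))
    report = {}
    for upn, events in hits.items():
        times = sorted(t for t, _ in events)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # A loop means several events close together, not one isolated change.
        if len(times) >= max(min_events, 2) and median(gaps) <= max_gap_s:
            report[upn] = {
                "events": len(times),
                "first_utc": times[0].isoformat(),
                "last_utc": times[-1].isoformat(),
                "median_gap_s": median(gaps),
                "correlation_ids": sorted({c for _, c in events if c}),
            }
    return report

def _entry(ts, action, details, cid):
    return {"timestamp": ts, "actionId": action, "details": details, "correlationId": cid}

# Constructed sample, not real log data; addresses, IDs and wording are placeholders.
DOWNGRADE = "Access level for {} changed from Basic to Stakeholder"
SAMPLE = [
    _entry("2026-05-26T13:00:00.1234567Z", "Licensing.Modified", DOWNGRADE.format("user1@example.com"), "cid-1"),
    _entry("2026-05-26T13:00:30.1234567Z", "", "Duplicate identity found: user1@example.com", "cid-1"),
    _entry("2026-05-26T13:01:00.1234567Z", "Licensing.Modified", DOWNGRADE.format("User1@example.com"), "cid-2"),
    _entry("2026-05-26T13:01:30.1234567Z", "Licensing.Modified", DOWNGRADE.format("user1@example.com"), "cid-2"),
    _entry("2026-05-26T13:02:00.1234567Z", "Licensing.Modified", DOWNGRADE.format("user2@example.com"), "cid-3"),
]
```

Calling `summarize_license_loop(SAMPLE, ["user1@example.com", "user2@example.com"])` reports only the first user, since a single licensing change for the second is not a loop.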
