Change your organization connection to a different Azure AD
Azure DevOps Services
Learn how to switch your organization connection from one Azure Active Directory (Azure AD) to another. When you change directories, your project resources remain unaffected.
For more information about using Azure AD with Azure DevOps, see the Conceptual overview.
- You must be a Project Collection Administrator group for the organization.
- You must be a member in the destination Azure AD. For more information, see how to convert an Azure AD guest into a member.
- You must be a member or a guest in the source Azure AD.
- Confirm there are 100 or fewer users in your organization. If your organization has more than 100 users, contact Support to resolve any disconnected users. You can map them to their Azure AD identities in the new tenant.
- Request that SSH keys get manually cleared by Support before you switch directories. You can find the steps for how to recreate SSH keys further in this article. For more information, see the FAQ.
- Don't add the users from the destination Azure AD into the Azure DevOps organization.
- If you add any new custom domains to your Azure AD directory, contact Support before you migrate customers over to the new custom domain as this action breaks the mapping for existing identities.
Users and groups who inherit membership and permissions from an Azure AD group, will no longer inherit those permissions after the transfer. Azure AD groups that were added to your Azure DevOps organization don't get transferred and will cease to exist in your organization when the Azure AD connection is changed. All permissions and membership relationships made with these Azure AD groups will also cease to exist after the transfer.
Change the Azure AD connection
Sign into your organization (
Select Organization settings.
Select Azure Active Directory, and then Switch directory.
Select a directory from the dropdown menu, and then select Connect.
If you can't find your directory, contact your Azure AD administrator to request that they add you as a member to the Azure AD.
Select Sign out.
Your organization connects to your Azure AD.
Confirm that the process is complete. Sign out, and then open your browser in a private session and sign in to your organization with your Azure AD or work credentials.
If some members are disconnected, sign back in to Azure DevOps and map them to their Azure AD identities. Or, you can invite them as guests into the Azure AD. For more information, see the FAQs.
Inform users of the completed change
When you inform your users of the completed change, include the following tasks for each user in the organization to complete.
Clear cache for Git Credential Manager
If you use Visual Studio or the Git command-line too, clear the cache for the Git Credential Manager. Delete the %LocalAppData%\GitCredentialManager\tenant.cache file on each client machine.
Regenerate new PATs
Complete the steps in Use personal access tokens.
Recreate SSH keys
Complete the following steps to recreate your SSH keys.
In Azure DevOps, open your profile, and then select Security from the resulting dropdown menu.
Select SSH public keys, and then select Add.
Enter a description and key data, and then select Save.
Copy your key and put it in a safe place, as you can't view it again.
Rename your MSA
Rename your Microsoft account to a different email that doesn't conflict with your Azure AD identity. Doing so ensures that you aren't prompted to choose between accounts.
Adjust your VS subscription
If the UPN used inside your organization changed, adjust your Visual Studio subscription. You can reassign the subscription to your new UPN, or set that UPN as the alternate account inside the subscription. For more information, see how to add an alternate account to your subscription.