Share via

[Azure DevOps] Cannot remove user from organization.

Carl M. Gregory 6 Reputation points
2022-12-28T22:07:09.847+00:00

There is a user in my Azure DevOps organization that I cannot remove. I have tried it in the web UI as well as CLI. Here is what I have done in the CLI, to illustrate the issue.

First I pull a list of users in Azure DevOps. I see the trouble user in this list.

PS /home/carl> az devops user list --org https://dev.azure.com/[redacted]/
...
{
"accessLevel": {
"accountLicenseType": "express",
"assignmentSource": "groupRule",
"licenseDisplayName": "Basic",
"licensingSource": "account",
"msdnLicenseType": "none",
"status": "active",
"statusMessage": ""
},
"dateCreated": "2020-05-12T20:41:05.725845Z",
"extensions": [],
"groupAssignments": [],
"id": "2c72b91b-21db-6ce7-8cb3-[redacted]",
"lastAccessedDate": "2020-05-12T20:41:15.427982+00:00",
"projectEntitlements": [],
"user": {
"descriptor": "aad.NWRlZDlmMWEtNmRlYy03NzJ[redacted]",
"directoryAlias": "tuser200512",
"displayName": "test user",
"domain": "9362acc2-7d95-44b3-b9e8-[redacted]",
"isDeletedInOrigin": null,
"legacyDescriptor": null,
"mailAddress": "tuser200512@[redacted]",
"metaType": null,
"metadataUpdateDate": null,
"origin": "aad",
"originId": "dbeefb2f-933c-4ca6-a5d2-[redacted]",
"principalName": "tuser200512@[redacted]",
"subjectKind": "user",
"url": "https://vssps.dev.azure.com/[redacted]/_apis/Graph/Users/aad.NWRlZDlmMWEtNmRlYy03NzJ[redacted]"
}
}
...

I attempt to show the user, using both the email address as well as the user id, both say "Sequence contains no elements".

PS /home/carl> az devops user show --user "tuser200512@[redacted]" --org https://dev.azure.com/[redacted]/
Sequence contains no elements
PS /home/carl> az devops user show --user "2c72b91b-21db-6ce7-8cb3-[redacted]" --org https://dev.azure.com/[redacted]/
Sequence contains no elements

Maybe I'm using the wrong user id? Testing with a different user found in the list...

PS /home/carl> az devops user show --user "494d40b4-b481-6c45-b52e-[redacted]" --org https://dev.azure.com/[redacted]/
<shows user data>

So we know that's the correct user id to query against, yet it will not show the problem user.

Moving on -- let's try and remove this problem user via CLI.

PS /home/carl> az devops user remove --user "2c72b91b-21db-6ce7-8cb3-[redacted]" --org https://dev.azure.com/[redacted]/
Are you sure you want to remove this user? (y/n): y

It returns with no error. But, I still see the user in the list.

PS /home/carl> az devops user list --org https://dev.azure.com/[redacted]/
<shows user in the list of data, same as above>

In the user data from the list it has an origin of aad and an originId. Let's query against azure ad for the user.

PS /home/carl> az ad user show --id "dbeefb2f-933c-4ca6-a5d2-[redacted]"
Resource 'dbeefb2f-933c-4ca6-a5d2-[redacted]' does not exist or one of its queried reference-property objects are not present.

This user is not in AAD. But are we using the right ID to do such a query? Testing the same originId but from a different user.

PS /home/carl> az ad user show --id "c88eda83-4afd-43ed-ac80-[redacted]"
<shows user data>

So that is the right ID to query using.

I also tried the web API: https://vsaex.dev.azure.com/[redacted]/_apis/userentitlements/2c72b91b-21db-6ce7-8cb3-[redacted]?api-version=7.0
It respondeds with: {"$id":"1","innerException":null,"message":"Sequence contains no elements","typeName":"System.InvalidOperationException, mscorlib","typeKey":"InvalidOperationException","errorCode":0,"eventId":0}

This problem user appears in Azure DevOps and says it's from AAD yet it's not in AAD and I cannot remove the user from Azure DevOps.

--------------------

Note: Before someone says I posted to the wrong location - when in Azure DevOps web UI, I click on Help > Contact Support > Ask the virtual support agent. It suggests I contact "Basic Technical Support". When I click on that link I fill out all that information then it posts it here.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,907 questions
0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Carl M. Gregory 6 Reputation points
    2023-01-03T14:01:55.557+00:00

    A Microsoft rep reached out to me directly as a result of this post. They are working on a solution as we speak, it appears to be a bug in either Azure DevOps or Azure Active Directory.

    Furthermore, for the next person needing help; the Microsoft support rep assured me that this forum was the correct place to post this. If anyone else has members of this forum telling you to post somewhere else, or going in and changing the tag to not-supported, ignore them and change the tag back as I have done - you will get results in due time.

    1 person found this answer helpful.
  2. Dillon Silzer 54,831 Reputation points
    2022-12-28T22:30:11.75+00:00

    Hi @Carl M. Gregory

    Azure DevOps community support can be found at https://developercommunity.visualstudio.com/AzureDevOps/report

    This is currently not supported on this forum.

    --------------------------------

    If this is helpful please accept answer.

  3. Diane Bevington 0 Reputation points
    2024-05-14T19:34:48.8566667+00:00

    @microsoftsupport I also am getting an error when trying to remove a user from my ADO organization. "Identity not found with ID xxxxxx"

    I don't believe they are part of any other group. How can I remove them?

    0 comments