Access your organization with Azure Active Directory

Azure DevOps Services

Important

Azure DevOps will no longer support Alternate Credentials authentication beginning March 2, 2020. If you're still using Alternate Credentials, you have until then to transition to a more secure authentication method, to avoid this breaking change impacting your DevOps workflows. Learn more.

In this article, learn how to authenticate users and control access to your organization the same way you do with Microsoft services like Office 365 and Azure. If your organization was created with a Microsoft account, you can connect your organization to your Azure Active Directory (Azure AD). You can then sign in to Azure DevOps with the same username and password that you use with these Microsoft services. You can also enforce policies for accessing your team's critical resources and key assets.

To use existing on-premises identities with Azure DevOps, you can integrate directories with Azure AD by using Azure AD Connect. To switch your organization to another directory, learn how to change your directory in Azure AD.

How does Azure Active Directory control access to Azure DevOps?

Your organization authenticates users through your organization's directory. Only users who are members or guests in that directory can get access to your organization. When users are disabled or removed from your directory, they can't access your organization by any mechanism. This includes PATs, SSH, or any other alternate credentials. Only specific Azure AD administrators can manage users in your directory, so they control who can get access to your organization.

Without Azure AD, you're solely responsible for controlling organization access. All users must sign in with Microsoft accounts.

Q: What do I need to set up an existing Azure DevOps instance with Azure AD?

A: Ensure you meet the prerequisites in the article, Connect your organization to Azure AD.

Q: What happens to current users?

A: Your work in Azure DevOps is associated with your sign-in address. After your organization is connected to your directory, users continue working seamlessly if their sign-in addresses appear in the connected directory. If their sign-in addresses don't appear, you must add those users to your directory. Your organization might have policies about adding users to the directory, so find out more first.
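The check described in this answer can be run before connecting, as an added example that is not part of the original article or any Microsoft tooling. It assumes you have exported the organization's sign-in addresses and the directory's users yourself; the sample data is constructed, the dictionary keys are assumptions modelled on a directory export, and case-insensitive matching on either the user principal name or the mail address is also an assumption.

```python
"""Pre-connection check: which organization users keep access after connecting?"""

# Constructed sample data. The dictionary keys are assumptions modelled on a
# directory export (userPrincipalName, mail, userType, accountEnabled).
DIRECTORY_USERS = [
    {"userPrincipalName": "alice@contoso.example", "mail": "alice@contoso.example",
     "userType": "Member", "accountEnabled": True},
    {"userPrincipalName": "bob_partner.example#EXT#@contoso.example",
     "mail": "bob@partner.example", "userType": "Guest", "accountEnabled": True},
    {"userPrincipalName": "carol@contoso.example", "mail": None,
     "userType": "Member", "accountEnabled": False},
]

# Constructed list of sign-in addresses currently used in the organization.
ORG_SIGN_INS = ["Alice@Contoso.example", "bob@partner.example",
                "carol@contoso.example", "dave@outlook.example"]


def index_directory(users):
    """Map every lower-cased address (UPN or mail) to its directory entry."""
    index = {}
    for user in users:
        for key in ("userPrincipalName", "mail"):
            address = user.get(key)
            if address:
                index[address.strip().lower()] = user
    return index


def classify(org_sign_ins, directory_users):
    """Sort organization sign-in addresses by what happens after connecting."""
    index = index_directory(directory_users)
    result = {"continues": [], "disabled": [], "must_add": []}
    for address in org_sign_ins:
        entry = index.get(address.strip().lower())
        if entry is None:
            result["must_add"].append(address)    # not in directory: add first
        elif not entry.get("accountEnabled", False):
            result["disabled"].append(address)    # in directory but disabled
        else:
            result["continues"].append(address)   # enabled member or guest
    return result


if __name__ == "__main__":
    for outcome, addresses in classify(ORG_SIGN_INS, DIRECTORY_USERS).items():
        print(f"{outcome}: {', '.join(addresses) or '-'}")
```

Addresses reported under `must_add` are the ones that need to be added to the directory, subject to your organization's policies, before their owners can sign in again.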

Q: What if we can't use the same sign-in addresses?

A: Add these users to the directory with new work or school accounts. Then, reassign access levels and re-add them to any projects. If they have existing work or school accounts, those accounts can be used instead. Work won't be lost and stays with their current sign-in addresses. Users can migrate work that they want to keep, except for their work history. For more information, see how to add organization users.

Q: What happens to tools that use my credentials, like alternate credentials?

A: Alternate credentials won't work anymore for tools that run outside a web browser, like the Git command-line tool. Set up your credentials again for the organization that you connected. See important information about alternate credentials.

Q: What if I accidentally delete a user in Azure AD?

A: Restore the user, rather than create a new one. If you create a new user, even with the same email address, this user is not associated with the previous identity.

Manage organization access with Azure AD