Troubleshoot adding and deleting organization users

Azure DevOps Services | Azure DevOps Server 2019 | TFS 2018 | TFS 2017 | TFS 2015 | TFS 2013

Permissions

Q: Why can't I manage users?

A: To access and manage users, you must have Azure DevOps project collection administrator or organization owner permissions.

Q: How do I find a Project Collection Administrator?

A: If you have at least Basic access, you can find your Project Collection Administrator in your organization's security settings.

Q: How do I find the organization owner?

If you have at least Basic access, you can find the current owner in your organization settings.

  1. Go to your Organization settings.

    Open Organization settings

  2. Find the current owner.

    Find the current owner in organization information

Q: Why don't users appear or disappear promptly in Azure DevOps after I add or delete them in the Users hub?

A: If you experience delays finding new users or having deleted users promptly removed from Azure DevOps (for example, in drop-down lists and groups) after you add or delete users, file a problem report on Developer Community so we can investigate.

Visual Studio subscriptions

Q: When do I select "Visual Studio/MSDN Subscriber"?

A: Assign this access level to users who have active, valid Visual Studio subscriptions. Azure DevOps automatically recognizes and validates Visual Studio subscribers who have Azure DevOps as a benefit. You need the email address that's associated with the subscription.

For example, if a user selects Visual Studio/MSDN Subscriber but the user doesn't have a valid, active Visual Studio subscription, the user can work only as a Stakeholder.

Q: Which Visual Studio subscriptions can I use with Azure DevOps?

A: See Azure DevOps benefits for Visual Studio subscribers.

Q: Why won't my Visual Studio subscription validate?

A: See Why won't Azure DevOps recognize my Visual Studio subscription?

Q: Why do Visual Studio subscriber access levels change after a subscriber signs in?

A: Azure DevOps recognizes Visual Studio subscribers. Azure DevOps automatically assigns a user access that's based on the user's subscription and not on the current access level that's assigned to the user.

Q: What happens if a user's subscription expires?

A: If no other access levels are available, users can work as Stakeholders. To restore access, a user must renew their subscription.

Q: What happened to Visual Studio Online Professional?

A: On December 1, 2015, we replaced Visual Studio Online Professional with the Visual Studio Professional monthly subscription.

Although a Visual Studio Online Professional purchase now appears on your monthly invoice as a Visual Studio Professional monthly subscription, you need to transition manually to get the new offering. The transition provides an upgrade by offering access to unlimited organizations (not just one organization) like Visual Studio Online Professional.

The rest stays the same. You get monthly access to the Visual Studio Professional IDE. Pricing remains the same at $45 per user, per month. Learn more about Visual Studio subscriptions.

If you're purchasing user access to Visual Studio Professional for a specific organization (possible only if you purchased before November 2015) and want to upgrade, do the following:

  1. Before the last day of the calendar month, sign in to your organization (https://dev.azure.com/{yourorganization}).

  2. Select gear icon Organization settings.

    Open Organization settings

  3. Select Billing.

    Select Billing tab in Organization settings

  4. Reduce the number of paid Visual Studio Online Professional users to 0.

    This change takes effect on the first day of the next month. For the rest of the current calendar month, you aren't billed for any Visual Studio Online Professional users.

  5. On the first day of the next calendar month, go to Visual Studio Marketplace Subscriptions > Visual Studio Professional - monthly subscription, and buy Visual Studio Professional monthly subscriptions for the same users. Learn how to buy Visual Studio subscriptions.

User access

Q: What does "Last Access" mean in the All Users view?

The value in Last Access is the last date a user accessed any resources or services. Accessing Azure DevOps includes using organizationname.visualstudio.com directly and using resources or services indirectly. For example, you might use the Azure Artifacts extension, or you might access the service by pushing code to Azure DevOps from a Git command line or IDE.

Q: Can a user who has paid for Basic access join other organizations?

A: No, a user can join only the organization for which the user has paid for Basic access. But a user can join any organization where free users with Basic access are still available. The user can also join as a user with Stakeholder access for free.

Q: Why can't users access some features?

A: Make sure that users have the correct access level assigned to them.

Some features are available only as extensions. You need to install these extensions. Most extensions require you to have at least Basic access, not Stakeholder access. Check the extension's description in the Visual Studio Marketplace, Azure DevOps tab.

For example, to search your code, you can install the free Code Search extension, but you need at least Basic access to use the extension.

To help your team improve app quality, you can install the free Test & Feedback extension, but you get different capabilities based on your access level and whether you work offline or connected to Azure DevOps Services or Team Foundation Server (TFS).

To create test plans, assign buBasic + Test Plans access level. Some Visual Studio subscribers can use this feature for free, but Basic users need to upgrade to Basic + Test Plans access before they can create test plans.

Q: Why does a user lose access to some features?

A: This might happen for different reasons (although the user can continue to work as a Stakeholder):

  • The user's Visual Studio subscription has expired. Meanwhile, the user can work as a Stakeholder, or you can give the user Basic access until the user renews their subscription. After the user signs in, Azure DevOps restores access automatically.

  • The Azure subscription used for billing is no longer active. This affects all purchases made with this subscription, including Visual Studio subscriptions. To fix this issue, visit the Azure account portal.

  • The Azure subscription used for billing was unlinked from your organization. Learn more about linking your organization.

  • Your organization has more users with Basic access than the number of users that you're paying for in Azure. Your organization includes five free users with Basic access. If you need to add more users with Basic access, you can pay for these users.

    Otherwise, on the first day of the calendar month, users who haven't signed in to your organization for the longest time lose access first. If your organization has users who don't need access anymore, remove them from your organization.

  • The user no longer has access to features that are available only as extensions. This might happen for different reasons:

    • The user's access level no longer meets the extension's requirements. Most extensions require at least Basic access, not Stakeholder access. For more information, see the extension's description in the Marketplace.

    • The extension was uninstalled. Users can reinstall the extension.

    • If the extension is a paid extension, the Azure subscription used for billing might be unlinked from your organization or might no longer be active. Learn more about linking your organization or visit the Azure portal to check payment details.

Azure Active Directory and your organization

Q: Why do I have to add users to a directory?

A: Your organization authenticates users and controls access through Azure Active Directory (Azure AD). All users must be directory members to get access.

If you're a directory administrator, you can add users to the directory. If you're not an administrator, work with your directory administrator to add users. Learn more about how to control access by using a directory.

Q: How do I find out whether my organization uses Azure AD to control access?

A: If you have at least Basic access, here's how to find out:

Go your Organization settings, and then select the Azure Active Directory tab. See the following examples of an organization that is not connected, and then an organization that is connected to Azure AD.

Not connected Check for a connected directory in Organization settings = Not connected

Connected Check for a connected directory in Organization settings = Connected

If your organization is connected to your organization's directory, only users from your organization's directory can join your organization. Learn how to control organization access by using Azure AD.

Q: My organization controls access by using Azure Active Directory. Can I just delete users from the directory?

A: Yes, but deleting a user from the directory removes the user's access to all organizations and other assets associated with that directory. You must have Azure AD global administrator permissions to delete a user from your Azure AD directory.

Q: Why are "no identities found" when I try to add users from Azure AD to my Azure DevOps organization?

A: You're probably a guest in the Azure AD that backs your Azure DevOps organization, rather than a member. By default, Azure AD guests can't search the Azure AD in the manner required by Azure DevOps. Learn how to convert an Azure AD guest into a member.

Q: How can I convert an Azure AD guest into a member?

A: Select from the following two options:

Convert Azure AD UserType from guest to member using Azure AD PowerShell

Warning

This is an advanced process and is not advised, but it allows the user to query Azure AD from the Azure DevOps organization thereafter.

Prerequisites

The user making the UserType change must have the following:

  • A work/school account (WSA)/native user in Azure AD. You can't do this with a Microsoft Account.
  • Global administrator permissions

Important

We recommend that you create a brand new (native) Azure AD user who is a global admin in the Azure AD, and then complete the following steps with that user. This new user should eliminate the possibility of connecting to the wrong Azure AD. You can delete the new user when you're done.

Process

  1. Sign in to the Azure portal as global administrator for your organization's directory.

  2. Go to the tenant that backs your Azure DevOps organization.

  3. Check the UserType. Confirm that the user is a guest.

    Check UserType in azure portal

  4. Open an Administrative Windows PowerShell prompt.

  5. Execute Install-Module -Name AzureAD. The Azure Active Directory PowerShell for Graph downloads from the PowerShell Gallery. You may see prompts about installing NuGet and untrusted repository, as pictured below. If you run into issues please review the system requirements and information at the Azure Active Directory PowerShell for Graph page.

    Administrator action in Windows PowerShell

  6. Once the installation completes, execute Connect-AzureAD. You're prompted to sign in to the Azure AD. Be sure to use an ID that meets the criteria above.

  7. Execute Get-AzureADuser -SearchString "<display_name>", where <display_name> is part of the entire display name for the user, as seen inside the Azure portal). The command returns four columns for the user found - ObjectId, DisplayName, UserPrincipalName, UserType - and the UserType should say guest.

  8. Execute Set-AzureADUser -ObjectID <string> -UserType Member, where is the value of ObjectId returned by the previous command. This should set the user to member status.

  9. Execute Get-AzureADuser -SearchString "<display_name>" again to verify the UserType has changed. You can also verify this in the Azure Active Directory section of the Azure portal. While not the norm, we have seen it take several hours or even days before this change is reflected inside Azure DevOps. If it doesn't fix your Azure DevOps issue immediately, give it some time and keep trying.

Q: Why do I have to choose between a "work or school account" and my "personal account"?

A: This happens when you sign in with an email address (for example, jamalhartnett@fabrikam.com) that's shared by your personal Microsoft account and by your work account or school account. Although both identities use the same sign-in address, they're still separate identities. The two identities have different profiles, security settings, and permissions. When you sign in, you see a page that looks like the following example:

Choose work or school account, or personal Microsoft account
  • Select Work or school account if you used this identity to create your organization, or if you previously signed in with this identity. For example, select this option if you previously signed in to Azure DevOps by using this UI:

    Old sign-in for work or school accounts

    Your identity is authenticated by your organization's directory in Azure AD, which controls access to your organization.

  • Select Personal account if you used your Microsoft account with Azure DevOps. For example, select this option if you previously signed in to Azure DevOps by using this UI:

    Old sign-in for Microsoft account

    Your identity is authenticated by the global directory for Microsoft accounts.

Q: Why can't I sign in after I select "personal Microsoft account" or "work or school account"?

A: When your sign-in address is shared by your personal Microsoft account and by your work account or school account, but your selected identity doesn't have access, you can't sign in. Although both identities use the same sign-in address, they're separate: they have different profiles, security settings, and permissions.

Sign out completely from Azure DevOps by completing the following steps. Closing your browser might not sign you out completely. Sign in again and select your other identity:

  1. Close all browsers, including browsers that aren't running Azure DevOps.

  2. Open a private or incognito browsing session.

  3. Go to this URL: https://aka.ms/vssignout.

    You see a message that says, "Sign out in progress." After you sign out, you're redirected to the Azure DevOps @dev.azure.microsoft.com webpage.

    Tip

    If the sign-out page takes more than a minute to sign you out, close the browser and continue.

  4. Sign in to Azure DevOps again. Select your other identity.

More support

Q: How do I get help or support for Azure DevOps?

A: You have the following options for support: