Troubleshoot adding and deleting organization users

Azure DevOps Services | Azure DevOps Server 2019 | TFS 2018 | TFS 2017 | TFS 2015 | TFS 2013

Permissions

Q: Why can't I manage users?

A: To access and manage users, you must have Azure DevOps Project Collection Administrator or organization Owner permissions.

Q: How do I find a Project Collection Administrator?

A: If you have at least Basic access, you can find your Project Collection Administrator in your organization's security settings.

Q: How do I find the organization owner?

If you have at least Basic access, you can find the current owner in your organization settings.

  1. Go to your Organization settings.

    Open Organization settings

  2. Find the current owner.

    Find the current owner in organization information

Q: Why don't users appear or disappear promptly in Azure DevOps after I add or delete them in the Users hub?

A: If you experience delays finding new users or having deleted users promptly removed from Azure DevOps (for example, in drop-down lists and groups) after you add or delete users, file a problem report on Developer Community so we can investigate.

Visual Studio subscriptions

Q: When do I select "Visual Studio/MSDN Subscriber"?

A: Assign this access level to users who have active, valid Visual Studio subscriptions. Azure DevOps automatically recognizes and validates Visual Studio subscribers who have Azure DevOps as a benefit. You need the email address that's associated with the subscription.

For example, if a user selects Visual Studio/MSDN Subscriber, but the user doesn't have a valid, active Visual Studio subscription, they can work only as a Stakeholder.

Q: Which Visual Studio subscriptions can I use with Azure DevOps?

A: See Azure DevOps benefits for Visual Studio subscribers.

Q: Why won't my Visual Studio subscription validate?

A: See Why won't Azure DevOps recognize my Visual Studio subscription?

Q: Why do Visual Studio subscriber access levels change after a subscriber signs in?

A: Azure DevOps recognizes Visual Studio subscribers. Azure DevOps automatically assigns a user access that's based on the user's subscription and not on the current access level that's assigned to the user.

Q: What happens if a user's subscription expires?

A: If no other access levels are available, users can work as Stakeholders. To restore access, a user must renew their subscription.

Q: What happened to Visual Studio Online Professional?

A: In 2016, we replaced Visual Studio Online Professional with the Visual Studio Professional monthly subscription. Customers who'd been purchasing Visual Studio Online Professional were able to continue purchasing it after that point, but it wasn't available to new customers. On September 30, 2019, we'll officially retire Visual Studio Online Professional. As a courtesy, billing for it stopped after August 1, 2019.

When Visual Studio Online Professional is retired, any users that are still assigned to it are assigned to the best Azure DevOps access level available to your organization. As a result, your Professional users’ access may be downgraded to Basic or Stakeholder. To avoid being downgraded, buy a Visual Studio Professional monthly subscription and assign your Professional users to it. The monthly subscription has the same monthly cost as Visual Studio Online Professional.

Follow these instructions to identify if you have Professional users, buy a monthly subscription, and assign them to it by September 30, 2019:

  1. Sign in to your organization (https://dev.azure.com/{yourorganization}).

  2. Select gear icon Organization settings.

    Open Organization settings

  3. Select Users and filter by access level to show only Professional users.

    Sort by Access Level - Professional

  4. Buy a Visual Studio Professional monthly subscription.

  5. Assign your Professional users to the subscription in the Visual Studio subscriptions administration portal.

If you don’t complete these steps by September 30, 2019, and your users are downgraded to Basic or Stakeholder access, you may restore their Professional access at any time by following the instructions above.

User access

Q: What does "Last Access" mean in the All Users view?

The value in Last Access is the last date a user accessed any resources or services. Accessing Azure DevOps includes using organizationname.visualstudio.com directly and using resources or services indirectly. For example, you might use the Azure Artifacts extension, or you can push code to Azure DevOps from a Git command line or IDE.

Q: Can a user who has paid for Basic access join other organizations?

A: No, a user can join only the organization for which the user has paid for Basic access. But a user can join any organization where free users with Basic access are still available. The user can also join as a user with Stakeholder access for free.

Q: Why can't users access some features?

A: Make sure that users have the correct access level assigned to them.

Some features are available only as extensions. You need to install these extensions. Most extensions require you to have at least Basic access, not Stakeholder access. Check the extension's description in the Visual Studio Marketplace, Azure DevOps tab.

For example, to search your code, you can install the free Code Search extension, but you need at least Basic access to use the extension.

To help your team improve app quality, you can install the free Test & Feedback extension, but you get different capabilities based on your access level and whether you work offline or connected to Azure DevOps Services or Team Foundation Server (TFS).

Some Visual Studio subscribers can use this feature for free, but Basic users need to upgrade to Basic + Test Plans access before they can create test plans.

Q: Why does a user lose access to some features?

A: A user can lose access for the following reasons (although the user can continue to work as a Stakeholder):

  • The user's Visual Studio subscription has expired. Meanwhile, the user can work as a Stakeholder, or you can give the user Basic access until the user renews their subscription. After the user signs in, Azure DevOps restores access automatically.

  • The Azure subscription used for billing is no longer active. All purchases made with this subscription are affected, including Visual Studio subscriptions. To fix this issue, visit the Azure account portal.

  • The Azure subscription used for billing was removed from your organization. Learn more about linking your organization.

  • Your organization has more users with Basic access than the number of users that you're paying for in Azure. Your organization includes five free users with Basic access. If you need to add more users with Basic access, you can pay for these users.

    Otherwise, on the first day of the calendar month, users who haven't signed in to your organization for the longest time lose access first. If your organization has users who don't need access anymore, remove them from your organization.

Azure Active Directory and your organization

Q: Why do I have to add users to a directory?

A: Your organization authenticates users and controls access through Azure Active Directory (Azure AD). All users must be directory members to get access.

If you're a directory administrator, you can add users to the directory. If you're not an administrator, work with your directory administrator to add users. Learn more about how to control access by using a directory.

Q: How do I find out whether my organization uses Azure AD to control access?

A: If you have at least Basic access, here's how to find out:

Go your Organization settings, and then select the Azure Active Directory tab. See the following examples of an organization that is not connected, and then an organization that is connected to Azure AD.

Not connected

Check for a connected directory in Organization settings = Not connected

Connected

Check for a connected directory in Organization settings = Connected

If your organization is connected to your organization's directory, only users from your organization's directory can join your organization. Learn how to control organization access by using Azure AD.

Q: My organization controls access by using Azure Active Directory. Can I just delete users from the directory?

A: Yes, but deleting a user from the directory removes the user's access to all organizations and other assets associated with that directory. You must have Azure AD global administrator permissions to delete a user from your Azure AD directory.

Q: Why are "no identities found" when I try to add users from Azure AD to my Azure DevOps organization?

A: You're probably a guest in the Azure AD that backs your Azure DevOps organization, rather than a member. By default, Azure AD guests can't search the Azure AD in the manner required by Azure DevOps. Learn how to convert an Azure AD guest into a member.

Q: How can I convert an Azure AD guest into a member?

A: Select from the following two options:

Convert Azure AD UserType from guest to member using Azure AD PowerShell

Warning

This is an advanced process and is not advised, but it allows the user to query Azure AD from the Azure DevOps organization thereafter.

Prerequisites

The user making the UserType change must have the following:

  • A work/school account (WSA)/native user in Azure AD. You can't change the UserType with a Microsoft Account.
  • Global administrator permissions

Important

We recommend that you create a brand new (native) Azure AD user who is a global admin in the Azure AD, and then complete the following steps with that user. This new user should eliminate the possibility of connecting to the wrong Azure AD. You can delete the new user when you're done.

Process

  1. Sign in to the Azure portal as global administrator for your organization's directory.

  2. Go to the tenant that backs your Azure DevOps organization.

  3. Check the UserType. Confirm that the user is a guest.

    Check UserType in Azure portal

  4. Open an Administrative Windows PowerShell prompt.

  5. Execute Install-Module -Name AzureAD. The Azure Active Directory PowerShell for Graph downloads from the PowerShell Gallery. You may see prompts about installing NuGet and untrusted repository, as pictured below. If you run into issues, review the system requirements and information at the Azure Active Directory PowerShell for Graph page.

    Administrator action in Windows PowerShell

  6. Once the installation completes, execute Connect-AzureAD. You're prompted to sign in to the Azure AD. Be sure to use an ID that meets the criteria above.

  7. Execute Get-AzureADuser -SearchString "<display_name>", where <display_name> is part of the entire display name for the user, as seen inside the Azure portal). The command returns four columns for the user found - ObjectId, DisplayName, UserPrincipalName, UserType - and the UserType should say guest.

  8. Execute Set-AzureADUser -ObjectID <string> -UserType Member, where is the value of ObjectId returned by the previous command. The user is set to member status.

  9. Execute Get-AzureADuser -SearchString "<display_name>" again to verify the UserType has changed. You can also verify in the Azure Active Directory section of the Azure portal. While not the norm, we have seen it take several hours or even days before this change is reflected inside Azure DevOps. If it doesn't fix your Azure DevOps issue immediately, give it some time and keep trying.

Q: Why do I have to choose between a "work or school account" and my "personal account"?

A: This happens when you sign in with an email address (for example, jamalhartnett@fabrikam.com) that's shared by your personal Microsoft account and by your work account or school account. Although both identities use the same sign-in address, they're still separate identities. The two identities have different profiles, security settings, and permissions. When you sign in, you see a page that looks like the following example:

Choose work or school account, or personal Microsoft account
  • Select Work or school account if you used this identity to create your organization, or if you previously signed in with this identity. For example, select this option if you previously signed in to Azure DevOps by using this UI:

    Old sign-in for work or school accounts

    Your identity is authenticated by your organization's directory in Azure AD, which controls access to your organization.

  • Select Personal account if you used your Microsoft account with Azure DevOps. For example, select this option if you previously signed in to Azure DevOps by using this UI:

    Old sign-in for Microsoft account

    Your identity is authenticated by the global directory for Microsoft accounts.

Q: Why can't I sign in after I select "personal Microsoft account" or "work or school account"?

A: When your sign-in address is shared by your personal Microsoft account and by your work account or school account, but your selected identity doesn't have access, you can't sign in. Although both identities use the same sign-in address, they're separate: they have different profiles, security settings, and permissions.

Sign out completely from Azure DevOps by completing the following steps. Closing your browser might not sign you out completely. Sign in again and select your other identity:

  1. Close all browsers, including browsers that aren't running Azure DevOps.

  2. Open a private or incognito browsing session.

  3. Go to this URL: https://aka.ms/vssignout.

    You see a message that says, "Sign out in progress." After you sign out, you're redirected to the Azure DevOps @dev.azure.microsoft.com webpage.

    Tip

    If the sign-out page takes more than a minute to sign you out, close the browser and continue.

  4. Sign in to Azure DevOps again. Select your other identity.

More support

Q: How do I get help or support for Azure DevOps?

A: You have the following options for support: