Troubleshoot adding and deleting organization users
Azure DevOps Services | Azure DevOps Server 2019 | TFS 2018 | TFS 2017 | TFS 2015 | TFS 2013
Q: Why can't I manage users?
A: To access and manage users, you must have Azure DevOps Project Collection Administrator or organization Owner permissions.
Q: How do I find a Project Collection Administrator?
A: If you have at least Basic access, you can find your Project Collection Administrator in your organization's security settings.
Q: How do I find the organization owner?
If you have at least Basic access, you can find the current owner in your organization settings.
Go to your Organization settings.
Find the current owner.
Q: Why don't users appear or disappear promptly in Azure DevOps after I add or delete them in the Users hub?
A: If you experience delays finding new users or having deleted users promptly removed from Azure DevOps (for example, in drop-down lists and groups) after you add or delete users, file a problem report on Developer Community so we can investigate.
Visual Studio subscriptions
Q: When do I select "Visual Studio/MSDN Subscriber"?
A: Assign this access level to users who have active, valid Visual Studio subscriptions. Azure DevOps automatically recognizes and validates Visual Studio subscribers who have Azure DevOps as a benefit. You need the email address that's associated with the subscription.
For example, if a user selects Visual Studio/MSDN Subscriber, but the user doesn't have a valid, active Visual Studio subscription, they can work only as a Stakeholder.
Q: Which Visual Studio subscriptions can I use with Azure DevOps?
Q: Why won't my Visual Studio subscription validate?
Q: Why do Visual Studio subscriber access levels change after a subscriber signs in?
A: Azure DevOps recognizes Visual Studio subscribers. Azure DevOps automatically assigns a user access that's based on the user's subscription and not on the current access level that's assigned to the user.
Q: What happens if a user's subscription expires?
A: If no other access levels are available, users can work as Stakeholders. To restore access, a user must renew their subscription.
Q: What happened to Visual Studio Online Professional?
A: In 2016, we replaced Visual Studio Online Professional with the Visual Studio Professional monthly subscription. Customers who'd been purchasing Visual Studio Online Professional were able to continue purchasing it after that point, but it wasn't available to new customers. On September 30, 2019, we'll officially retire Visual Studio Online Professional. As a courtesy, billing for it stopped after August 1, 2019.
When Visual Studio Online Professional is retired, any users that are still assigned to it are assigned to the best Azure DevOps access level available to your organization. As a result, your Professional users’ access may be downgraded to Basic or Stakeholder. To avoid being downgraded, buy a Visual Studio Professional monthly subscription and assign your Professional users to it. The monthly subscription has the same monthly cost as Visual Studio Online Professional.
Follow these instructions to identify if you have Professional users, buy a monthly subscription, and assign them to it by September 30, 2019:
Sign in to your organization (
Select Organization settings.
Select Users and filter by access level to show only Professional users.
Assign your Professional users to the subscription in the Visual Studio subscriptions administration portal.
If you don’t complete these steps by September 30, 2019, and your users are downgraded to Basic or Stakeholder access, you may restore their Professional access at any time by following the instructions above.
Q: What does "Last Access" mean in the All Users view?
The value in Last Access is the last date a user accessed any resources or services. Accessing Azure DevOps includes using organizationname.visualstudio.com directly and using resources or services indirectly. For example, you might use the Azure Artifacts extension, or you can push code to Azure DevOps from a Git command line or IDE.
Q: Can a user who has paid for Basic access join other organizations?
A: No, a user can join only the organization for which the user has paid for Basic access. But a user can join any organization where free users with Basic access are still available. The user can also join as a user with Stakeholder access for free.
Q: Why can't users access some features?
A: Make sure that users have the correct access level assigned to them.
Some features are available only as extensions. You need to install these extensions. Most extensions require you to have at least Basic access, not Stakeholder access. Check the extension's description in the Visual Studio Marketplace, Azure DevOps tab.
For example, to search your code, you can install the free Code Search extension, but you need at least Basic access to use the extension.
To help your team improve app quality, you can install the free Test & Feedback extension, but you get different capabilities based on your access level and whether you work offline or connected to Azure DevOps Services or Team Foundation Server (TFS).
Some Visual Studio subscribers can use this feature for free, but Basic users need to upgrade to Basic + Test Plans access before they can create test plans.
- Learn how to get extensions for Azure DevOps.
- Learn how to get extensions for TFS.
- Learn how to buy access to TFS Test.
Q: Why does a user lose access to some features?
A: A user can lose access for the following reasons (although the user can continue to work as a Stakeholder):
The user's Visual Studio subscription has expired. Meanwhile, the user can work as a Stakeholder, or you can give the user Basic access until the user renews their subscription. After the user signs in, Azure DevOps restores access automatically.
The Azure subscription used for billing is no longer active. All purchases made with this subscription are affected, including Visual Studio subscriptions. To fix this issue, visit the Azure account portal.
The Azure subscription used for billing was removed from your organization. Learn more about linking your organization.
Your organization has more users with Basic access than the number of users that you're paying for in Azure. Your organization includes five free users with Basic access. If you need to add more users with Basic access, you can pay for these users.
Otherwise, on the first day of the calendar month, users who haven't signed in to your organization for the longest time lose access first. If your organization has users who don't need access anymore, remove them from your organization.
Azure Active Directory and your organization
Q: Why do I have to add users to a directory?
A: Your organization authenticates users and controls access through Azure Active Directory (Azure AD). All users must be directory members to get access.
If you're a directory administrator, you can add users to the directory. If you're not an administrator, work with your directory administrator to add users. Learn more about how to control access by using a directory.
Q: How do I find out whether my organization uses Azure AD to control access?
A: If you have at least Basic access, here's how to find out:
Go your Organization settings, and then select the Azure Active Directory tab. See the following examples of an organization that is not connected, and then an organization that is connected to Azure AD.
If your organization is connected to your organization's directory, only users from your organization's directory can join your organization. Learn how to control organization access by using Azure AD.
Q: My organization controls access by using Azure Active Directory. Can I just delete users from the directory?
A: Yes, but deleting a user from the directory removes the user's access to all organizations and other assets associated with that directory. You must have Azure AD global administrator permissions to delete a user from your Azure AD directory.
Q: Why are "no identities found" when I try to add users from Azure AD to my Azure DevOps organization?
A: You're probably a guest in the Azure AD that backs your Azure DevOps organization, rather than a member. By default, Azure AD guests can't search the Azure AD in the manner required by Azure DevOps. Learn how to convert an Azure AD guest into a member.
Q: How can I convert an Azure AD guest into a member?
A: Select from the following two options:
- Have the Azure AD administrator(s) remove you from the Azure AD and readd you, making you an Azure AD member, rather than a guest. For more information, see Can Azure AD B2B users be added as members instead of guests.
- Change the UserType of the Azure AD guest using Azure AD PowerShell. This is an advanced process we don't advise, but it allows the user to query Azure AD from the Azure DevOps organization thereafter.
Convert Azure AD UserType from guest to member using Azure AD PowerShell
This is an advanced process and is not advised, but it allows the user to query Azure AD from the Azure DevOps organization thereafter.
The user making the UserType change must have the following:
- A work/school account (WSA)/native user in Azure AD. You can't change the UserType with a Microsoft Account.
- Global administrator permissions
We recommend that you create a brand new (native) Azure AD user who is a global admin in the Azure AD, and then complete the following steps with that user. This new user should eliminate the possibility of connecting to the wrong Azure AD. You can delete the new user when you're done.
Sign in to the Azure portal as global administrator for your organization's directory.
Go to the tenant that backs your Azure DevOps organization.
Check the UserType. Confirm that the user is a guest.
Open an Administrative Windows PowerShell prompt.
Install-Module -Name AzureAD. The Azure Active Directory PowerShell for Graph downloads from the PowerShell Gallery. You may see prompts about installing NuGet and untrusted repository, as pictured below. If you run into issues, review the system requirements and information at the Azure Active Directory PowerShell for Graph page.
Once the installation completes, execute
Connect-AzureAD. You're prompted to sign in to the Azure AD. Be sure to use an ID that meets the criteria above.
Get-AzureADuser -SearchString "<display_name>", where <display_name> is part of the entire display name for the user, as seen inside the Azure portal). The command returns four columns for the user found - ObjectId, DisplayName, UserPrincipalName, UserType - and the UserType should say guest.
Set-AzureADUser -ObjectID <string> -UserType Member, where
is the value of ObjectId returned by the previous command. The user is set to member status.
Get-AzureADuser -SearchString "<display_name>"again to verify the UserType has changed. You can also verify in the Azure Active Directory section of the Azure portal. While not the norm, we have seen it take several hours or even days before this change is reflected inside Azure DevOps. If it doesn't fix your Azure DevOps issue immediately, give it some time and keep trying.
Q: Why do I have to choose between a "work or school account" and my "personal account"?
A: This happens when you sign in with an email address (for example, firstname.lastname@example.org) that's shared by your personal Microsoft account and by your work account or school account. Although both identities use the same sign-in address, they're still separate identities. The two identities have different profiles, security settings, and permissions. When you sign in, you see a page that looks like the following example:
Select Work or school account if you used this identity to create your organization, or if you previously signed in with this identity. For example, select this option if you previously signed in to Azure DevOps by using this UI:
Your identity is authenticated by your organization's directory in Azure AD, which controls access to your organization.
Select Personal account if you used your Microsoft account with Azure DevOps. For example, select this option if you previously signed in to Azure DevOps by using this UI:
Your identity is authenticated by the global directory for Microsoft accounts.
Q: Why can't I sign in after I select "personal Microsoft account" or "work or school account"?
A: When your sign-in address is shared by your personal Microsoft account and by your work account or school account, but your selected identity doesn't have access, you can't sign in. Although both identities use the same sign-in address, they're separate: they have different profiles, security settings, and permissions.
Sign out completely from Azure DevOps by completing the following steps. Closing your browser might not sign you out completely. Sign in again and select your other identity:
Close all browsers, including browsers that aren't running Azure DevOps.
Open a private or incognito browsing session.
Go to this URL:
You see a message that says, "Sign out in progress." After you sign out, you're redirected to the Azure DevOps @dev.azure.microsoft.com webpage.
If the sign-out page takes more than a minute to sign you out, close the browser and continue.
Sign in to Azure DevOps again. Select your other identity.
Q: How do I get help or support for Azure DevOps?
A: You have the following options for support: