Troubleshoot permissions and access with Azure Active Directory

Azure DevOps Services

General

Q: I made changes to Azure Active Directory (Azure AD), but they didn't seem to take effect

A: Changes made in Azure AD can take up to 24 hours to be visible in Azure DevOps.

Q: Can I use Office 365 and Azure AD with Azure DevOps?

A: Yes.

Q: Why do I have to choose between a "work or school account" and my "personal account"?

A: This happens when you sign in with an email address (for example, jamalhartnett@fabrikam.com) that's shared by your personal Microsoft account and by your work account or school account. Although both identities use the same sign-in address, they're still separate identities. The two identities have different profiles, security settings, and permissions. When you sign in, you see a page that looks like the following example:

Choose work or school account, or personal Microsoft account

  • Select Work or school account if you used this identity to create your organization, or if you previously signed in with this identity. For example, select this option if you previously signed in to Azure DevOps by using this UI:

    Old sign-in for work or school accounts

    Your identity is authenticated by your organization's directory in Azure AD, which controls access to your organization.

  • Select Personal account if you used your Microsoft account with Azure DevOps. For example, select this option if you previously signed in to Azure DevOps by using this UI:

    Old sign-in for Microsoft account

    Your identity is authenticated by the global directory for Microsoft accounts.

Q: My organization uses Microsoft accounts only. Can I switch to Azure AD?

A: Yes, but before you switch, make sure that Azure AD meets your needs for sharing work items, code, resources, and other assets with your team and partners.

Learn more about the differences in how you control access with Microsoft accounts or with Azure AD, and how to switch when you're ready.

Q: How do I find the organization owner?

A: If you have at least Basic access, you can find the current owner in your organization settings.

  1. Go to your Organization settings.

    Open Organization settings

  2. Find the current owner.

    Find the current owner in organization information

Q: Why don't I see the organizations that I own after I sign in to my Visual Studio profile on visualstudio.com?

A: Your list of organizations is associated with the identity that you use to sign in to Azure DevOps.

If you're asked to choose between your personal Microsoft account or your work or school account when you sign in, you might have selected the wrong identity.

Choose work or school account, or personal Microsoft account

Try to sign out completely from Azure DevOps, then sign in again and select your other identity.

Closing your browser doesn't always sign you out completely. Here's how you can sign out completely:

  1. Close all browsers, including browsers that aren't running Azure DevOps.

  2. Open a private or incognito browsing session.

  3. Go to this URL: https://aka.ms/vssignout.

    You see the message "Sign out in progress." After you sign out, you're redirected to the Visual Studio page at visualstudio.microsoft.com.

    Tip

    If the sign-out page takes more than a minute to sign you out, close the browser and continue.

  4. Sign in to Azure DevOps again. Select your other identity.

Q: Why can't I sign in after I select "personal Microsoft account" or "work or school account"?

A: When your sign-in address is shared by your personal Microsoft account and by your work account or school account, but your selected identity doesn't have access, you can't sign in. Although both identities use the same sign-in address, they're separate: they have different profiles, security settings, and permissions.

Sign out completely from Azure DevOps by completing the following steps. Closing your browser might not sign you out completely. Sign in again and select your other identity:

  1. Close all browsers, including browsers that aren't running Azure DevOps.

  2. Open a private or incognito browsing session.

  3. Go to this URL: https://aka.ms/vssignout.

    You see the message "Sign out in progress." After you sign out, you're redirected to the Azure DevOps webpage at dev.azure.microsoft.com.

    Tip

    If the sign-out page takes more than a minute to sign you out, close the browser and continue.

  4. Sign in to Azure DevOps again. Select your other identity.

Understand Azure AD groups

Q: Why can't I assign Azure DevOps permissions directly to an Azure AD group?

A: Because these groups are created and managed in Azure, you can't assign Azure DevOps permissions directly to them or use them to secure version control paths. You'll get an error if you try to assign permissions directly.

Instead, add the Azure AD group to the Azure DevOps group that has the permissions you want, or assign the permissions to that Azure DevOps group and then add the Azure AD group to it. Azure AD group members inherit permissions from the Azure DevOps group where you add them.

Q: Can I manage Azure AD groups in Azure DevOps?

A: No, because these groups are created and managed in Azure. Azure DevOps doesn't store or sync member status for Azure AD groups. To manage Azure AD groups, use the Azure portal, Microsoft Identity Manager (MIM), or the group management tools that your organization supports.

Q: How do I tell the difference between an Azure DevOps group and an Azure AD group?

A: On the group's identity card, check the group's source.

Screenshot of group identity card

Q: Why doesn't Users show all Azure AD group members?

A: These users have to sign in to your organization before they appear in Users.

Q: How do I assign organization access to Azure AD group members?

A: When these group members sign in to your organization for the first time, Azure DevOps assigns an access level to them automatically. If they have Visual Studio subscriptions, Azure DevOps assigns the respective access level to them. Otherwise, Azure DevOps assigns them the next "best available" access level, in this order: Basic, Stakeholder.

If you don't have enough access levels for all Azure AD group members, the members who sign in after the available levels are used up get Stakeholder access.

Q: Why doesn't the Security tab show all members when I select an Azure AD group?

A: The Security tab shows Azure AD group members only after they sign in to your organization, and have an access level assigned to them.

To see all Azure AD group members, use the Azure portal, MIM, or the group management tools that your organization supports.

Q: Why doesn't the team members widget show all Azure AD group members?

A: The team members widget shows only users who previously signed in to your organization.

Q: Why doesn't the team capacity pane show all Azure AD group members?

A: The team capacity pane shows only users who previously signed in to your organization. To set capacity, manually add users to your team.

Q: Why doesn't the team room show offline users?

A: The team room shows Azure AD group members, but only when they're online.

Q: Why doesn't Azure DevOps reclaim access levels from users who aren't Azure AD group members anymore?

A: Azure DevOps doesn't automatically reclaim access levels from these users. To remove their access manually, go to Users.
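Because access levels aren't reclaimed automatically, and because a user can hold access both individually and through an Azure AD group, a periodic reconciliation is worth running. The script below is an added example, not part of this page or of Azure DevOps: it compares a constructed export of the organization's Users list with the current membership of the Azure AD groups that were added, and flags users who still hold an access level without a group or individual assignment behind it. The JSON field names and input shapes are assumptions for the example; a real run would feed it exports from your own tooling.

```python
import json

# Constructed sample of an organization Users export. The field names are an
# assumption for this example, not a documented Azure DevOps export format.
ORG_USERS_JSON = """[
  {"principalName": "jamalhartnett@fabrikam.com", "accessLevel": "Basic",
   "lastAccessed": "2023-05-02T10:15:00Z"},
  {"principalName": "raisa@fabrikam.com", "accessLevel": "Basic",
   "lastAccessed": "2022-11-20T08:00:00Z"},
  {"principalName": "christie@fabrikam.com", "accessLevel": "Stakeholder",
   "lastAccessed": "2023-04-30T16:45:00Z"},
  {"principalName": "contractor@example.com", "accessLevel": "Basic",
   "lastAccessed": "2023-01-05T09:30:00Z"}
]"""

# Constructed sample: current membership of the Azure AD groups that were
# added to Azure DevOps groups, keyed by group name (also an assumed shape).
AAD_GROUP_MEMBERS_JSON = """{
  "Fabrikam-Developers": ["jamalhartnett@fabrikam.com", "christie@fabrikam.com"],
  "Fabrikam-Contractors": []
}"""


def find_stale_access(org_users, aad_groups, directly_added=()):
    """Return users who still hold an access level but are no longer a member
    of any Azure AD group that grants access and were not added individually.
    Comparison is case-insensitive because sign-in addresses are."""
    current = {m.lower() for members in aad_groups.values() for m in members}
    individual = {u.lower() for u in directly_added}
    stale = []
    for user in org_users:
        name = user["principalName"].lower()
        if name not in current and name not in individual:
            stale.append({
                "principalName": user["principalName"],
                "accessLevel": user["accessLevel"],
                "lastAccessed": user["lastAccessed"],
            })
    return stale


def stale_principal_names(org_json=ORG_USERS_JSON, aad_json=AAD_GROUP_MEMBERS_JSON,
                          directly_added=()):
    """Convenience wrapper: sorted principal names that need a manual review."""
    users = json.loads(org_json)
    groups = json.loads(aad_json)
    return sorted(u["principalName"] for u in find_stale_access(users, groups, directly_added))


if __name__ == "__main__":
    for u in find_stale_access(json.loads(ORG_USERS_JSON), json.loads(AAD_GROUP_MEMBERS_JSON)):
        print(f"review: {u['principalName']} still has {u['accessLevel']} access, "
              f"last seen {u['lastAccessed']}")
```

Users the script flags are candidates for removal on the Users page; pass the individually added accounts in `directly_added` so they aren't reported.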

Q: Can I assign work items to Azure AD group members who haven't signed in?

A: You can assign work items to any Azure AD member who has permissions for your organization. This also adds that member to your organization. When you add users this way, they'll automatically appear in Users, with the best available access level. They'll also appear in the security settings.

Q: Can I use Azure AD groups to query work items by using the "In Group" clause?

A: No, querying on Azure AD groups is unsupported.

Q: Can I use Azure AD groups to set up field rules in my work item templates?

A: No, but you might be interested in our process customization plans.

Add users to directory

Add organization users to your Azure Active Directory.

Q: Can I switch current users from Microsoft accounts to work accounts in Azure DevOps?

A: No. Although you can add new work accounts to your organization, they're treated as new users. If you want to access all your work, including its history, you must use the same sign-in addresses that you used before your organization was connected to your Azure AD. You can do this by adding your Microsoft account as a member to your Azure AD.

Q: Why can't I add users from other directories to my Azure AD?

A: You must be a member or have read access in those directories. Otherwise, you can add them using B2B collaboration through your Azure AD administrator. You can also add them by using their Microsoft accounts, or by creating new work accounts for them in your directory.

Q: How do I use my work or school account with my Visual Studio with MSDN subscription?

A: If you used a Microsoft account to activate a Visual Studio with MSDN subscription that includes Azure DevOps as a benefit, you can add a work or school account. The account must be managed by Azure AD. Learn how to link work or school accounts to Visual Studio with MSDN subscriptions.

Q: Can I control access to my organization for external users in the connected directory?

A: Yes, but only for external users who are added as guests through Office 365 or added using B2B collaboration by your Azure AD administrator. These external users are managed outside the connected directory. To learn more, contact your Azure AD administrator. The following setting doesn't affect users who are added directly to your organization's directory.

Before you start, make sure you have at least Basic access, not Stakeholder.

Complete the following steps to control organization access for external users added through Office 365 or Azure AD B2B collaboration.

  1. Go to Organization settings.

    Screenshot of project with gear icon highlighted

  2. Select Policy and choose to allow or deny organization access for external users added as guests.

    Screenshot of organization settings

Remove users or groups

Q: How do I remove an Azure AD group from Azure DevOps?

A: Go to your project collection or project. In the bar at the top, select the gear icon, and then select Security.

Find the Azure AD group, and delete it from your organization.

Screenshot of project, with Delete option highlighted

Q: Why am I asked to remove a user from an Azure AD group when I delete that user from my organization?

A: Users can belong to your organization, both as individuals and as members of Azure AD groups that were added to Azure DevOps groups. These users can still access your organization while they're members of these Azure AD groups.

To block all access for these users, remove them from Azure AD groups in your organization, or remove these groups from your organization. Although we'd like to make it possible to block access completely or make exceptions for such users, Azure DevOps doesn't currently have this capability.

When users are disabled or removed from your directory, they can no longer access your organization by any mechanism, including personal access tokens (PATs), SSH keys, or any other alternate credentials.

Connect, disconnect, or change Azure AD

Q: Can I connect my organization to an Azure AD created from Office 365?

A: Yes. If you can't find the Azure AD created from Office 365, see "Why don't I see the directory that I want to connect to?"

Q: Why don't I see the directory that I want to connect to? What should I do?

A: This can happen for either of the following reasons:

  • You don't have organization Owner permissions, which are required to manage directory connections.

  • You aren't a member of the Azure AD organization. Ask your Azure AD administrator to make you a member.

Q: Why is my organization already connected to a directory? Can I change that directory?

A: Your organization was connected to a directory when the organization owner created the organization, or sometime after that. When you create an organization with a work or school account, your organization is automatically connected to the directory that manages that work or school account. You can disconnect your organization from this directory, and reconnect to another directory. You might have to migrate some users.

Q: My alternate credentials don't work anymore. What do I do?

A: This happens after you connect your organization to a directory. Set up your credentials again for the organization that you connected.

Q: Some users are disconnected, but they have matching identities in Azure AD. What should I do?

A:

  • In your Azure DevOps Organization settings, select Azure Active Directory, and then select Resolve.

    Select Azure AD and then Resolve

  • Match the identities. Select Next when you're done.

    Resolve disconnected users

Q: I got an error message when I was resolving disconnections. What should I do?

A:

  • Try again.
  • You might be a guest in Azure AD. Request that an organization administrator, who is a member of Azure AD, do the mapping. Or, request that an admin of the Azure AD convert you to a member.


  • If the error message includes a user in your domain, but you don't see them active in your directory, the user likely left your company. Go to the organization user settings to remove the user from your organization.

Q: When I was trying to invite a new user to my Azure AD, I got a 403 forbidden exception. What do I do?

A: You might be a guest in Azure AD and not have the permission required to invite users. Go to External collaboration settings in Azure AD and set the "Guests can invite" toggle to Yes. Refresh Azure AD and try again.

Q: Will my users keep their existing Visual Studio subscriptions?

A: Visual Studio subscription administrators ordinarily assign subscriptions to users' corporate email addresses, so that users can receive welcome email and notifications. If the identity and subscription email addresses match, users can access the benefits of the subscription. As you transition from Microsoft to Azure AD identities, users' benefits still work with their new Azure AD identity. But, the email addresses must match. If the email addresses don't match, your subscription administrator must reassign the subscription. Otherwise, users must add an alternate identity to their Visual Studio subscription.

Q: What if I'm required to sign in when I use the people picker?

A: Clear your browser cache and delete any cookies for the session. Close your browser, and then reopen.

Q: What if my email account isn't found in Azure AD?

A:

  • In your Azure DevOps Organization settings, select Azure Active Directory, and then select Resolve.

    Select Azure AD and then Resolve

  • Match the identities. Select Next when you're done.

    Resolve disconnected users

Q: What if my work items are indicating that the users aren't valid?

A: Clear your browser cache and delete any cookies for the session. Close your browser, and then reopen.

Q: Once my organization is connected to Azure AD, will it update Azure Boards work items, pull requests, and other pieces where I'm referenced in the system with my new ID?

A: Yes, all pieces in the system are updated with the new ID when a user’s ID is mapped from their personal email to their work email.

Q: What if I get a warning about members who will lose access to the organization?

A: You can still connect to Azure AD, but try to resolve the mapping issue after you've connected. If you still need help, contact support.


Select the bolded text to see which users are affected.

Show disconnected users

Q: What if I have over 100 users and want to connect to Azure AD?

A: If you have more than 100 users, contact support.

Q: I have more than 100 members in my Azure DevOps organization, how can I connect to an Azure AD?

A: Currently, the in-app feature doesn't support connections for organizations with over 100 members. Please contact support.

Q: How do I get help or support for Azure DevOps?

A: You have the following options for support: