Access VSTS with Azure Active Directory (Azure AD)


Want to authenticate users and control access to your VSTS account the same way that you can with Microsoft services like Office 365 and Azure? If your VSTS account was created with a Microsoft account, you can connect your VSTS account to your organization's directory (tenant) in Azure Active Directory (Azure AD). You can then sign in to VSTS with the same username and password that you use with these Microsoft services. You can also enforce policies for accessing your team's critical resources and key assets.

To use existing on-premises identities with VSTS, you can integrate on-premises directories with Azure AD by using Azure AD Connect. To switch your VSTS account to another directory, learn how to change your directory in Azure AD.

How does Azure AD control access to VSTS?

Your VSTS account authenticates users through your organization's directory so that only users who are members or guests in that directory can get access to your VSTS account. When users are removed from your directory, for example, because they've moved elsewhere, they can't access your account anymore. Only specific Azure AD administrators can manage users in your directory, so they control who can get access to your VSTS account.

Without Azure AD, you're solely responsible for controlling VSTS account access. And all users must sign in with Microsoft accounts.

What do I need to set up an existing VSTS with Azure AD?

You'll need the following:

Otherwise, work with your directory's global administrator to add users. Learn more about Azure AD administrators.

To check your permissions, Sign in to the Azure classic portal with your work or school account. Go to your target directory.

Check that you're a global administrator

  • You must add your Microsoft account to your Azure AD.

Although directory membership isn't required to connect your VSTS account to Azure AD, this will make sure that you can sign in and access your VSTS account after connecting to Azure AD. Otherwise, your Microsoft account will not have access to your VSTS account.

What happens to current users?

Your work in VSTS is associated with your sign-in address. After your VSTS account is connected to your directory, users will continue working seamlessly if their sign-in addresses appear in the connected directory. If they don't, you'll have to add those users to your directory. Your organization might have policies about adding users to the directory, so find out more first.

What if we can't use the same sign-in addresses? You'll have to add these users to the directory with new work or school accounts, or if they have existing work or school accounts, they can use those instead. Their work in VSTS won't be lost and will stay with their current VSTS sign-in addresses. You must add them as new users to VSTS, reassign access levels, and readd them to any team projects. Users can migrate work that they want to keep, except for their work history. Learn how to manage VSTS account users.

What happens to tools that use my credentials, like alternate credentials? Alternate credentials won't work anymore for tools that run outside a web browser, like the Git command line tool. You'll have to set up your credentials again for the VSTS account that you connected.

What if I accidentally delete a user in Azure AD?

You should restore the user, rather than create a new one. If you create a new user, even with the same email address, this user would not be associated with the previous identity.

Manage organization access with Azure AD