Microsoft Power Automate and Azure Devops with guest users - azure-devops

In our ADO organization, all the users are registered in AD as guest users.
My user is set as the organization owner.
I'm trying to create a flow in Power Automate, but this organization does not appear in the list of organizations.
I tried to type its name manually as a custom value. This works for configuring the trigger, and also a step of "Get Work Item Details", but when configuring a step of "Update Work Item Details" I get an authentication error:
The dynamic operation request to API 'visualstudioteamservices'
operation 'GetWorkItemSchemaForUpdate' failed with status code
'Unauthorized'. This may indicate invalid input parameters

Related

Create a release pipeline in Azure DevOps which uploads a file to LCS, with a non admin user that doesn't have MFA

I'm trying to create a release pipeline in DevOps, that releases packages to LCS. The normal Dynamics 365 FO way of working. The issue is, I don't have an admin account without MFA that can be used to do this. Which roles or general setup, should I set on the AAD user, to be able to create the release? Currently I'm getting the AADSTS7000218 error.
I created a user that doesn't have MFA and I expect to add certain roles to be able to use this user for creating releases in DevOps.
In Azure DevOps, to create a release pipeline you need the "Edit release pipeline" permission set to Allow, and you need to be at least a Basic user.
And as per the document, AADSTS7000218 means "The request body must contain the following parameter: 'client_assertion' or 'client_secret'". When authenticating to Azure AD to get an access token, the client application is not providing its "password" (in the form of either a client secret or a client assertion) as expected by Azure AD's token endpoint.
You could try navigating to Azure Active Directory -> App Registration and find Authentication in your application, then set "Allow public client flows" to "Yes" in the Azure portal.
Here's another ticket that has a similar issue; hope it can help.

Error when creating a pipeline. "You don’t appear to have an active Azure subscription."

I'm getting an error when I try to create a pipeline in our Azure DevOps. I've created a service connection for Azure US Gov to Azure Resource Manager that seems to have verified and saved successfully. Tried different browsers / incognito mode with no luck.
Error Message...
"You don’t appear to have an active Azure subscription."
Running version 18.181.31626.1 (Azure DevOps Server 2020 Update 1.1)
I've configured the service principal with contributor access. The connection appears to verify okay in DevOps when creating the service connection. In this example I'm selecting the option for Docker, though it appears to replicate against any of the options in the list. When selecting any of the options I see the pop out window on the side state "You don’t appear to have an active Azure subscription."
Please follow these steps to troubleshoot the error "You don't appear to have an active Azure subscription".
1. Go to https://ms.portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade to check if your subscription status is active.
2. Go to https://ms.portal.azure.com/#blade/Microsoft_AAD_IAM/TenantPropertiesBlade to check whether Security defaults is disabled.
Note
Remember to switch to your subscription's AAD in the steps above.
In addition, when the user is assigned the subscription (access level above Contributor) for the first time, it takes time to sync the changes when logging in to Azure DevOps.

Unable to automate AD user creation in Azure SQL database

I'm trying to set up an automated pipeline for database creation and need to open access for all users of some AD group. The last part is done through CREATE USER [Group Name] FROM EXTERNAL PROVIDER;
In order to execute this command, one needs to be logged in with AAD, and the only Azure DevOps task used to execute SQL scripts (SqlAzureDacpacDeployment#1) has limited options to sign in with AD. Currently it supports sign-in with AD username/password and AD Integrated. The user/password option is not possible as we use two-factor authentication, and the latter requires a self-hosted agent for the pipeline, which we do not have.
Additionally, there is one more sign-in option that looks promising (Service Principal: Uses the Authentication data from Azure Subscription), but after trying it, it failed miserably with the error:
##[error]Principal 'web-API' could not be created. Only connections established with Active Directory accounts can create other Active Directory users.
Are there any other options we could use to create AD users in an Azure SQL database? Any help would be appreciated.
How do I solve the above error?
Please follow below steps:
Step 1: Go to the Azure portal and find your SQL server resource; you will find Active Directory on the left side under Settings. Please click Set Admin. Now your Active Directory user account becomes Admin of the SQL server.
Step 2: Now log in with SSMS using Active Directory authentication if Multi-factor Authentication (MFA) is enabled. Otherwise, you can choose either 'Active Directory - Integrated' or 'Active Directory - Password'.
Step 3: Create new logins, which you can see in the code below:
-- The principal name is the Azure AD user principal name (UPN); no password is stored in SQL.
CREATE USER [User1@Domain.com]
FROM EXTERNAL PROVIDER
WITH DEFAULT_SCHEMA = dbo;
add user to roles for the particular database
-- dbmanager and loginmanager are special roles of the master database on Azure SQL.
ALTER ROLE dbmanager ADD MEMBER [User1@Domain.com];
ALTER ROLE loginmanager ADD MEMBER [User1@Domain.com];
Note: If you add a domain user who is configured for MFA, then to log on using SSMS that user should select the SSMS authentication option 'Azure Active Directory - Universal with MFA'.
Regarding SqlAzureDacpacDeployment#1, follow this Link.
For more detailed information, refer to these:
https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-overview?view=azuresq
https://learn.microsoft.com/en-us/sql/t-sql/statements/create-user-transact-sql?view=sql-server-ver15
https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-mfa-ssms-overview?view=azuresql
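As an added example (not from the answer above), here is how the same CREATE USER ... FROM EXTERNAL PROVIDER step can be run from a pipeline without an AAD password or a self-hosted agent: an AzurePowerShell task (or a local Connect-AzAccount session) obtains an Azure AD token for Azure SQL and passes it to Invoke-Sqlcmd. It assumes the Az.Accounts and SqlServer modules, that the signed-in identity is the server's Azure AD admin (or an existing AAD user with ALTER ANY USER), and the server, database, group and role names are placeholders.

```powershell
# Added example: idempotent creation of an Azure AD group user in an Azure SQL
# database using an AAD access token (Az.Accounts + SqlServer modules assumed).
param(
    [string]$ServerInstance = 'yourserver.database.windows.net',  # placeholder
    [string]$Database       = 'yourdatabase',                     # placeholder
    [string]$GroupName      = 'Your AD Group',                    # placeholder
    [string]$Role           = 'db_datareader'
)

# Whitelist the names before they are spliced into T-SQL (assumed naming policy).
if ($GroupName -notmatch '^[\w .@\-]{1,128}$') { throw "Unexpected principal name: $GroupName" }
if ($Role -notmatch '^\w+$') { throw "Unexpected role name: $Role" }

# Get-AzAccessToken returns .Token as a string (older Az.Accounts) or a SecureString
# (Az.Accounts 4.x); Invoke-Sqlcmd -AccessToken needs the plain string.
$token = (Get-AzAccessToken -ResourceUrl 'https://database.windows.net/').Token
if ($token -is [System.Security.SecureString]) {
    $token = [System.Net.NetworkCredential]::new('', $token).Password
}

# Quote the name for each context it appears in: bracketed identifier and N'' literal.
$ident   = '[' + $GroupName.Replace(']', ']]') + ']'
$literal = "N'" + $GroupName.Replace("'", "''") + "'"
$roleId  = '[' + $Role.Replace(']', ']]') + ']'

$sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = $literal)
    CREATE USER $ident FROM EXTERNAL PROVIDER;
IF ISNULL(IS_ROLEMEMBER('$Role', $literal), 0) = 0
    ALTER ROLE $roleId ADD MEMBER $ident;
-- Verify: an Azure AD principal must show authentication_type_desc = EXTERNAL.
SELECT name, type_desc, authentication_type_desc
FROM sys.database_principals WHERE name = $literal;
"@

$result = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database `
    -AccessToken $token -Query $sql -ErrorAction Stop
$result | Format-Table -AutoSize
if ($result.authentication_type_desc -ne 'EXTERNAL') {
    throw "Principal $GroupName was not created as an external (Azure AD) user."
}
```

The token is scoped to the https://database.windows.net/ audience only, so the pipeline identity never handles an AAD password; the final SELECT is the check that the principal was created as an external (EXTERNAL) rather than a SQL-authenticated user.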

Azure DevOps user present in AAD but user disconnected

I manage an Azure DevOps org. There is a user who is no longer an active employee. Their account is still in Azure Active Directory, but now, DevOps is reporting that "organization can't sign in because they're not in the ... Azure Active Directory. Delete any unwanted users in Organization settings, and then Resolve for remaining members." I confirmed the user still exists in Azure AD, though "Block sign-in" is set to "Yes." I do not have any "Group Rules" configured in DevOps.
When I click Resolve and search for the user in the "Matched Identity in Directory" box, I find the user and click on it. When I then click on Next, I get the error message "1 organization member(s) failed to get mapped. Continue resolving disconnected members by inviting them to the Azure Active Directory or retry failed mappings later." I click on the details link, and the message states "Cannot transfer identity to itself." I would prefer not to delete this user since there is work item and check-in history. Does anyone have any recommendations for resolving this issue?
It is the default behavior that users who are removed from AAD or have sign-in blocked will fail to get mapped in Azure DevOps.
To get rid of the warning, you can remove the blocked user from the Azure DevOps organization (or from AAD). There is no need to worry about losing history, as the document describes:
After you remove a user from Azure AD, you can't assign artifacts to that user anymore. Examples are work items and pull requests. However, we preserve the history of artifacts that were already assigned to the user.
However, you can also just ignore the warning message and keep the user in your Azure DevOps organization.

How to detach, unlink, clear, remove, or rollback VSTS connection to Azure AD

There are good instructions available here on changing the VSTS connection from one Azure AD to another: Change VSTS AD.
But what if you just want to remove the Azure AD integration, and just revert to using Microsoft Accounts?
I successfully performed all the steps in the instructions, up to the point of attaching a new target Azure AD. You'd think when the VSTS account was unlinked in Azure, it would no longer show up in VSTS.
But going to https://[AccountName].visualstudio.com/_admin/_home/settings still shows account being backed by the source directory.
Attempting to add a Microsoft Account based user at https://[AccountName].visualstudio.com/_user fails to find the account, presumably because it is looking at the source Azure AD.
This is an important capability when transferring ownership of an account. Thanks for taking a look!
You can follow the steps here: Disconnect your Team Services account from Azure AD.
To stop using Azure AD and revert to using Microsoft accounts, you can disconnect your Team Services account from its directory.
Here's what you'll need:
- Microsoft accounts added to your Team Services account for all users.
- Team Services account owner permissions for your Microsoft account.
- Directory membership for your Microsoft account as an external user and global administrator permissions. Azure AD members can't disconnect Team Services accounts from directories.
With the help of Microsoft Premium Support, we did manage to get this worked out.
The problem was that Team Services was not disconnected from the associated Azure AD before it was unlinked. Then once it was unlinked, it appeared gone from Azure, leaving no way to disassociate Azure AD.
The documentation does show to first disconnect the VSTS account from Azure AD, and then "unlink" the account. Where I got into trouble was by using the new portal. (It's pretty hard to even find the old portal anymore, BTW.)
The new portal has this nice handy unlink button, which is practically irresistible. If you click it, it declares success. There is nothing in the UI that prevents you from unlinking while still leaving the AD association. There is no option at all in the new UI portal, as far as I could find, to disconnect Team Services from Azure AD.
Once unlinked, the only fix is to relink, and then redo it all in the old portal as indicated by the documentation.
This is much more difficult than it should be because it seems like something that should be simple to achieve through the web UI. These posts helped me, but I wanted to add my 2 cents:
In order to disconnect VSTS from AAD you need to be able to use the disconnect button on the configure tab in the old portal seen here. However, you can only use that button if you're the VSTS account owner and if your account is not sourced from the currently linked active directory (i.e., a MS Account). But you can't make the VSTS account owner a MS account if you've used the portal's interface to add the MS Account to your AAD as an external user. This is because external users are added as the Guest account type by default (rather than the Member type). If you try to set the MS account as VSTS owner you get the "AAD guest users are not allowed to be collection owners" message seen here.
It's a chicken/egg thing which is made more difficult by the fact that the official documents for this process make no mention of the conflict you'll face. They read as if this should just work.
The answer is that (as of today) you can't do this without using PowerShell or an AAD API to convert the MS Account from a "Guest" to a "Member" user type. There are a number of articles out there which walk through the older APIs to do this. Here is what I did with the latest PS:
First, log in to the directory you wish to unlink with an account which has permissions to modify members, ideally an admin or owner:
Connect-AzureAD
Next, find the account you want to modify using this command:
Get-AzureADUser
Find the ObjectID of the user you want to convert from Guest to Member and then run this command:
Set-AzureADUser -ObjectId [ObjectID GUID Here] -UserType Member
This will convert the MS Account in the AAD you want to unlink to the 'Member' type. In my situation I found that I had to remove the MS Account from VSTS and re-add it in order to trigger a refresh which allowed me to set it as account owner.
Now you just follow the documented steps:
1. Set the MS account as project owner. Save.
2. Log in to the old portal, go to the configure tab, and disconnect.
3. Log back in everywhere to see the changes.
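As an added example (not the answer's own script), the Guest-to-Member conversion described above with the object located by e-mail address, a pre-check, and a read-back after the change, so that the wrong directory object is not modified. It uses the same AzureAD module cmdlets as the answer (that module has since been deprecated in favour of Microsoft Graph PowerShell, where Get-MgUser and Update-MgUser -UserType are the equivalents); the address is a placeholder.

```powershell
# Added example: convert one guest Microsoft Account to a Member with checks.
param(
    [string]$MsAccountEmail = 'owner@outlook.example'   # placeholder
)

# The address is interpolated into an OData filter; refuse anything that could alter it.
if ($MsAccountEmail -notmatch '^[\w.+\-]+@[\w.\-]+$') { throw "Unexpected address: $MsAccountEmail" }

Connect-AzureAD | Out-Null

# Guest MS accounts get a synthetic UPN (name_domain#EXT#@tenant.onmicrosoft.com),
# so match on the mail attribute rather than typing the UPN by hand.
$users = @(Get-AzureADUser -Filter "mail eq '$MsAccountEmail'")
if ($users.Count -ne 1) {
    throw "Expected exactly one directory object for $MsAccountEmail, found $($users.Count)."
}
$user = $users[0]

if ($user.UserType -eq 'Member') {
    Write-Host "$($user.UserPrincipalName) is already a Member; nothing to do."
    return
}

# Convert, then re-read the object instead of trusting the cmdlet's silent success.
Set-AzureADUser -ObjectId $user.ObjectId -UserType Member
$after = Get-AzureADUser -ObjectId $user.ObjectId
if ($after.UserType -ne 'Member') {
    throw "Conversion of $($after.UserPrincipalName) did not take effect."
}
Write-Host "Converted $($after.UserPrincipalName) (ObjectId $($after.ObjectId)) to Member."
```

Changing UserType makes the external account a full directory member, so it is worth reverting it to Guest once the VSTS ownership change and disconnect are done.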