When I try upload the project to server I receive the error: "this user is not on this server". Although I created tenant.
ss1
ss2(error)
ss3
Tenants have different users.
Check that user exists on tenant.
And check that user has Project Administrator rights on tenant to be able to upload the project.
Related
We are trying to connect our existing VSTS account to AAD following the instructions at: https://learn.microsoft.com/en-us/vsts/accounts/connect-account-to-aad?view=vsts
When we try to perform the step at: 'Connect your VSTS account to your organization directory' #6, we receive the following error:
Account ****** connection to an AAD Tenant failed due to the error : Account entitlement not found in the dictionary for source identity 'dffde1b5-5781-4c53-bbb2-5ff5792383dc'.
We have tried this with 2 separate MSA accounts; one was existing, one we create from scratch. The MSA accounts are added as a guest to AAD. We have made it owner on the subscription, is there a permission that I am missing?
One answer said they just had to wait 12 hours, we have waited 24 with no change.
Any help would be appreciated.
Edit
Hopefully this helps:
Request is to:
PATCH https://peprodscussu2.portalext.visualstudio.com/_apis/AzureTfs/Account/b7615ac7-c2f6-466c-9f73-b8ed37258259?tenantId=f1295c9e-6264-403f-a42b-5be8fd3266fa HTTP/1.1
Response shows 500 Internal Server Error:
{"$id":"1","innerException":null,"message":"Account entitlement not found in the dictionary for source identity 'dffde1b5-5781-4c53-bbb2-5ff5792383dc'.","typeName":"Microsoft.VisualStudio.Services.Licensing.TransferUserLicenseException, Microsoft.VisualStudio.Services.WebApi","typeKey":"TransferUserLicenseException","errorCode":0,"eventId":3000}
Let me know if there is additional information from Fiddler that you need.
The issue was on Microsoft's end. Apparently there was duplicate orphaned user entries for a user that had been deleted 3 years ago from the VSTS account. They had to manually correct it. Thanks for your help.
I am trying to make request to the Graph API using a service with no UI. I downloaded the following sample code and followed the instructions: https://blog.kloud.com.au/2015/12/14/implementing-application-with-o365-graph-api-in-app-only-mode/
I successfully get an Access Token, but when using it to make a request to get organization information (required Read Directory Data access), I get 403 Unauthorized.
I have registered my app in Azure AD (where I am a co-administrator).
I have specified Microsoft Graph in the 'permissions to other applications' section, and given Read Directory Data access.
Interestingly there is a note below saying 'You are authorized to select only delegated permissions which have personal scope'. Even though I clearly did. Why? I suspect this is the source of my problem.
Likewise I have checked my demo app against these instructions: https://graph.microsoft.io/en-us/docs/authorization/app_only, but it makes no mention of what role in Azure you need to have.
in this SO post's answer, there is mention of still needing to Consent. I haven't found any documentation about this.
You are authorized to select only delegated permissions which have personal scope
This issue is caused that the app is created by none admin and when they visit the portal then will see this message.
To grant the app-only permission to the application, we need to be the administrator of the tenant. It is different with the co-administrator. To user the Client Credential flow, I suggest that you contact the admin of the tenant to create an application for you. And if you were just for testing purpose, you can create a free tenant and register the application yourself.
Update
We need the assign the Global administrator director role as figure below to make the application works for the client credential flow:
On the Users tab I'm trying to add a new user but the prompt says "Select user from directory" and when typing an email address to invite it just says "No identities found". This is a newly created account with default settings not linked to any azure subscription.
The settings show Allow External Guest Access which I assume should allow any microsoft account to be invited.
According to the screenshot you provided, your VSTS account is backed by an Azure Active Directory which requires that all users are directory members before they can get access to your Team Services account. So you need to add the user to your AAD first.
"External guest access" is used for external users who are added as guests through Office 365 or added using B2B collaboration by your Azure AD administrator.
Q: Can I control access to my Team Services account for external users in the connected directory?
A: Yes, but only for external users who are added as guests through
Office 365 or added using B2B collaboration by your Azure AD
administrator. These external users are managed outside the connected
directory. To learn more, contact your Azure AD administrator. The
setting below doesn't affect users who are added directly to your
organization's directory.
Refer to this link for more information: Team Services: Access with Azure Active Directory (Azure AD).
There are good instructions available here on changing the VSTS connection from one Azure AD to another: Change VSTS AD.
But what if you just want to remove the Azure AD integration, and just revert to using Microsoft Accounts?
I successfully performed all the steps in the instruction, up to the point of attaching a new target Azure AD. You'd think when the VSTS account was unlinked in Azure, it would no longer show up in VSTS.
But going to https://[AccountName].visualstudio.com/_admin/_home/settings still shows account being backed by the source directory.
Attempting to add a Microsoft Account based user at https://[AccountName].visualstudio.com/_user fails to find the account, presumably because it is looking the the Source Azure AD.
This is an important capability when transferring ownership of an account. Thanks for taking a look!
You can follow the steps here: Disconnect your Team Services account from Azure AD.
To stop using Azure AD and revert to using Microsoft accounts, you can
disconnect your Team Services account from its directory.
Here's what you'll need:
Microsoft accounts added to your Team Services account for all users.
Team Services account owner permissions for your Microsoft account.
Directory membership for your Microsoft account as an external user
and global administrator permissions. Azure AD members can't
disconnect Team Services accounts from directories.
With the help of Microsoft Premium Support, we did manage to get this worked out.
The problem was the Team Services was not disconnected from the associated Azure AD before it was unlinked. Then once it was unlinked, it appeared gone from Azure, leaving no way to disassociate Azure AD.
The documentation does show to first disconnect the VSTS account from Azure AD, and then “unlink” the account. Where I got into trouble was by using the new portal. It's pretty hard to even find the old portal anymore BTW).
The new portal has this nice handy unlink button, which is practically irresistible. If clicking it, then it declares success. There is nothing in the UI that prevents you from unlinking while still leaving the AD association. There is no option at all in the new UI portal, as far as I could find, to disconnect Team Services from Azure AD.
Once unlinked, the only fix is to relink, and then redo it all in the old portal as is indicated by the documentation.
This is much more difficult than it should be because it seems like something that should be simple to achieve through the web UI. These posts helped me, but I wanted to add my 2 cents:
In order to disconnect VSTS from AAD you need to be able to use the disconnect button on the configure tab in the old portal seen here. However, you can only use that button if you're the VSTS account owner and if your account is not sourced from the currently linked active directory (i.e. - a MS Account). But you can't make the VSTS account owner a MS account if you've used the portal's interface to add the MS Account to your AAD as an external user. This is because external users are added as Guest account type by default (rather than Member type). If you try to set the MS account as VSTS owner you get the "AAD guest users are not allowed to be collection owners" message seen here.
It's a chicken/egg thing which is made more difficult by the fact that the official documents for this process make no mention of the conflict you'll face. They read as if this should just work.
The answer is that (as of today) you can't do this without using Powershell or an AAD API to convert the MS Account from a "Guest" to a "Member" user type. There are a number or articles out there which walk through the older APIs to do this. Here is what I did with the latest PS:
First, log in to the directory you wish to unlink with an account which has permissions to modify members. Ideally an admin or owner.
Connect-AzureAD
Next, find the account you want to modify using this command:
Get-AzureADUser
Find the ObjectID of the user you want to convert from Guest to Member and then run this command:
Set-AzureADUser -ObjectId [ObjectID GUID Here] -UserType Member
This will convert the MS Account in the AAD you want to unlink to a 'member' type. In my situation I found that I had to remove the MS Account from VSTS and re-add it in order to trigger a refresh which allowed me to set it as account owner.
Now you just follow the documented steps:
set MS account as project owner. Save.
log in to old portal, go to configure tab, and disconnect
log back in everywhere to see the changes
I have a application .net that search a folder on report server and reads the reports inside that folder and display on asp.net page. The permissions for the asp.net user are working fine to deploy and execute on website.
Now, I want to users to deploy on "My reports" folder, so they only see theirs reports.(The users have access to report server and use report builder).
I search and I could not find a solution for this:
I want to give permissions to an a user (the same that is running on asp.net server), to access all "My reports" folder of all users(Users Folder), so I can execute the reports inside users folder on website.
I put the asp.net server user as local administrator of the report server, but with that permission te user can only see the content of the folder, this user can not execute the report. Any idea what is the problem?
I finally found a solution, and does not involve add users to local administrator of the machine.
I used the IAuthorizationExtension.
I found this example that enable anonymous access for all users witch was a start.
On my implementation I used WindowsAuthorization, because I want to keep the existing authorization and give access to one specific user. On all CheckAccess methods I check if the user is the one I want to give access and return true otherwise return the WindowsAuthorization.CheckAccess(...). On all others methods of the interface I also used the WindowsAuthorization.
With this solution the user running website can access all content of reporting services.