I disconnected my organization from Azure Active Directory and now it's missing from both my Microsoft account and this AAD.
It also didn't appear in recently deleted organizations.
It is still existing somewhere because I cannot create organization with the same name.
Before disconnecting it I double-checked that I am the owner of organization and it should remain on my account.
Lost organization after disconnecting it from Azure Active Directory
I had the same issue once, that was because I did not meet the prerequisites for disconnecting from AAD.
You could check if you meet the prerequisites for disconnecting from AAD based on this document:
Disconnect your organization from Azure Active Directory
Before you disconnect your organization from your directory, make
sure to change the organization Owner to a Microsoft account and not
to a school or work account. You can't sign in to your organization
unless your work or school account has the same email address as your
Microsoft account.
Add your Microsoft account to the Project Collection Administrator
group in Organization Settings and confirm that you have Global
Administrator Permissions in your Azure AD for your Microsoft
account. You need both because Azure AD users can't disconnect
organizations from directories. You can add Microsoft accounts to a
directory as external users.
As workaround, please try to access https://aex.dev.azure.com/ and change domain to see if your organization lists here:
Hope this helps.
Related
I have one Azure DevOps Organization tight with Active Directory name ABC(AD name). I have a user from another active directory(AD name - CDE) need access to the Azure devops organization but I can't find it's username in the user list. How I can add the CDE active directory into the organization so in future the user from this 2 AD can access to the Azure DevOps organization.
Thank you.
I am afraid that an Azure DevOps Organization is not supported to connect to 2 AAD directory at a time.
When your organization links AAD, it can only choose one AAD to link.
How I can add the CDE active directory into the organization so in future the user from this 2 AD can access to the Azure DevOps organization.
You can add the required users from CDE active directory to ABC AAD directory as Guest Role.
Then you can find the user name and add the user to Organization.
Or you can directly search the user via user email in Organization Settings -> Users.
Even if you can't see the corresponding user name in the drop down list, the invited mailbox can still accept the invitation and join the organization
Then the user will be added to current AAD as a Guest Role by default.
Note: In order for the AAD Guest user to access the organization, you need to make sure the option: External guest access is turned on in Organization Settings -> Policies.
For more detailed info, you can refer to the docs: Add external users to your organization and Quickstart: Add a guest user and send an invitation
Update:
To grant the Guest Inviter Role in Azure AD, you can navigate to Azure Portal -> Azure Active Directory -> Roles and administrators -> Search Guest Inviter Role and grant the role to your account.
Currently my organization in Azure DevOps contains two users: myname#mycompany.com (Personal Account) and myname#mycompany.com (Work Account).
myname#mycompany.com (Work Account) is the organization owner. When I log into devops with this account, I cannot do anything without avoid the user being switched to the Personal Account automatically.
The personal account does not have permission to manage users nor change and organization settings. So I am kind of stuck.
My end goal is to link this organization to our Azure Ad tennant, that my Work Account is member of.
How can I fix that?
If you want to use the AAD identity of the same email address to access the organization, you first need to check whether the organization is connected to AAD like this in the Azure Active Directory of the organization settings.
Secondly, when you log in, please select Work or school account. This happens when you sign in with an email address that's shared by your personal Microsoft account and by your work account or school account.
Select Work or school account if you used this identity to create
your organization, or if you previously signed in with this identity.
Your identity is authenticated by your organization's directory in
Azure AD, which controls access to your organization.
Select Personal account if you used your Microsoft account with Azure
DevOps. Your identity is authenticated by the global directory for
Microsoft accounts.
In addition, you can open a private or incognito browsing session and sign in, which can avoid the influence of the identity cached by the browser.
Here is the document about troubleshooting access via Azure AD you can refer to.
I'm trying to connect Azure DevOps to Azure Active Directory (which is being synced to an on premise AD server) and I keep getting the following error:
Connection Failed Your organization #### failed to connect to the ####
Azure Active Directory.
User: ##AADGUID##\##USER#####DOMAIN## of 1 total users has multiple
active identities with the same UPN. Please either remove the
duplicates or change the UPNs to be unique.
I've looked at the user's account and don't see anything obviously misconfigured compared to any other user's account but that might not be saying much. Any help would be greatly appreciated.
Turns out when our Azure DevOps instance was first set up, all our users set up Microsoft accounts with their company emails. Later when we finally stood up Azure AD but before we connected it to DevOps we added a new project and set the permissions for a few existing employees. For some reason the user permissions on the new DevOps project were listed as "aaduser" type instead of the standard "user" type (ms account) that all the users in other projects in DevOps had. In other words duplicate UPNs but different accounts (but sort of the same). What's weird is that DevOps managed to find the Azure AD user account before we even connected the two together services together.
We removed the offending users with the standard "user" type and re-added them so they were now all listed as "aaduser." We were then able to connect Azure AD. To be clear, this was all done on the DevOps side and had nothing to do with AD.
Not sure why it was finding Azure AD users when we weren't even connected to it yet.
It sounds like you have multiple users in your azure ad tenant with the same UPN.
maybe you created a cloud account with the same UPN before sync'ing the on premise with azure ad connect? or something else of that nature.
try to go to graph explorer https://developer.microsoft.com/en-us/graph/graph-explorer
log in with a azure ad admin account
and type in a query like this
https://graph.microsoft.com/v1.0/users?$filter=startswith(UserPrincipalName,'##UPNHavingIssues##')
That should get you users with a UPN of whatever it having problems. There should only be entry, but if there are multiple, then that's where the problem is.
The other option is to remove the user having issues from devops completely, then try to connect, then re-add him. because when you try to connect devops to an azure ad domain it will try to match the UPNs of users in your devops with users in your tenant.
According to this doc:
During the connect process, we map existing users to members of the Azure AD tenant, based on their UPN, which is often known as sign-in address. If we detect multiple users with the same UPN, we don't know how to map these users.
The cause of this issue is that the target user has the same UPN as other user. A UPN must be unique among all security principal objects within a directory forest.
The UPN contains UPN prefix (the user account name) and a UPN suffix (a DNS domain name).
For example:someone#example.com
You can compare the target account with other user accounts. Then you could find the duplicate UPN.
You could try to remove the duplicate one or change the UPN as unique.
Hope this helps.
On the Users tab I'm trying to add a new user but the prompt says "Select user from directory" and when typing an email address to invite it just says "No identities found". This is a newly created account with default settings not linked to any azure subscription.
The settings show Allow External Guest Access which I assume should allow any microsoft account to be invited.
According to the screenshot you provided, your VSTS account is backed by an Azure Active Directory which requires that all users are directory members before they can get access to your Team Services account. So you need to add the user to your AAD first.
"External guest access" is used for external users who are added as guests through Office 365 or added using B2B collaboration by your Azure AD administrator.
Q: Can I control access to my Team Services account for external users in the connected directory?
A: Yes, but only for external users who are added as guests through
Office 365 or added using B2B collaboration by your Azure AD
administrator. These external users are managed outside the connected
directory. To learn more, contact your Azure AD administrator. The
setting below doesn't affect users who are added directly to your
organization's directory.
Refer to this link for more information: Team Services: Access with Azure Active Directory (Azure AD).
There are good instructions available here on changing the VSTS connection from one Azure AD to another: Change VSTS AD.
But what if you just want to remove the Azure AD integration, and just revert to using Microsoft Accounts?
I successfully performed all the steps in the instruction, up to the point of attaching a new target Azure AD. You'd think when the VSTS account was unlinked in Azure, it would no longer show up in VSTS.
But going to https://[AccountName].visualstudio.com/_admin/_home/settings still shows account being backed by the source directory.
Attempting to add a Microsoft Account based user at https://[AccountName].visualstudio.com/_user fails to find the account, presumably because it is looking the the Source Azure AD.
This is an important capability when transferring ownership of an account. Thanks for taking a look!
You can follow the steps here: Disconnect your Team Services account from Azure AD.
To stop using Azure AD and revert to using Microsoft accounts, you can
disconnect your Team Services account from its directory.
Here's what you'll need:
Microsoft accounts added to your Team Services account for all users.
Team Services account owner permissions for your Microsoft account.
Directory membership for your Microsoft account as an external user
and global administrator permissions. Azure AD members can't
disconnect Team Services accounts from directories.
With the help of Microsoft Premium Support, we did manage to get this worked out.
The problem was the Team Services was not disconnected from the associated Azure AD before it was unlinked. Then once it was unlinked, it appeared gone from Azure, leaving no way to disassociate Azure AD.
The documentation does show to first disconnect the VSTS account from Azure AD, and then “unlink” the account. Where I got into trouble was by using the new portal. It's pretty hard to even find the old portal anymore BTW).
The new portal has this nice handy unlink button, which is practically irresistible. If clicking it, then it declares success. There is nothing in the UI that prevents you from unlinking while still leaving the AD association. There is no option at all in the new UI portal, as far as I could find, to disconnect Team Services from Azure AD.
Once unlinked, the only fix is to relink, and then redo it all in the old portal as is indicated by the documentation.
This is much more difficult than it should be because it seems like something that should be simple to achieve through the web UI. These posts helped me, but I wanted to add my 2 cents:
In order to disconnect VSTS from AAD you need to be able to use the disconnect button on the configure tab in the old portal seen here. However, you can only use that button if you're the VSTS account owner and if your account is not sourced from the currently linked active directory (i.e. - a MS Account). But you can't make the VSTS account owner a MS account if you've used the portal's interface to add the MS Account to your AAD as an external user. This is because external users are added as Guest account type by default (rather than Member type). If you try to set the MS account as VSTS owner you get the "AAD guest users are not allowed to be collection owners" message seen here.
It's a chicken/egg thing which is made more difficult by the fact that the official documents for this process make no mention of the conflict you'll face. They read as if this should just work.
The answer is that (as of today) you can't do this without using Powershell or an AAD API to convert the MS Account from a "Guest" to a "Member" user type. There are a number or articles out there which walk through the older APIs to do this. Here is what I did with the latest PS:
First, log in to the directory you wish to unlink with an account which has permissions to modify members. Ideally an admin or owner.
Connect-AzureAD
Next, find the account you want to modify using this command:
Get-AzureADUser
Find the ObjectID of the user you want to convert from Guest to Member and then run this command:
Set-AzureADUser -ObjectId [ObjectID GUID Here] -UserType Member
This will convert the MS Account in the AAD you want to unlink to a 'member' type. In my situation I found that I had to remove the MS Account from VSTS and re-add it in order to trigger a refresh which allowed me to set it as account owner.
Now you just follow the documented steps:
set MS account as project owner. Save.
log in to old portal, go to configure tab, and disconnect
log back in everywhere to see the changes