Alternate credentials has not been saved - azure-devops

I try to use alternative credentials.
I write the name and password, then I press "Save", Azure DevOps shows me the message that the user was saved.
I navigate to other pages, if I return to the page, alternative credentials do not appear.
I have collection administrator permissions.
Another partner with the same permissions creates the alternative credential and Azure DevOps keeps the account.
The difference between the two users is that, I have a hotmail account associated with my Visual Studio license and the partner has the organization account.
I appreciate any support.

Alternate credentials has not been saved
As we know, the alternate credentials are created based on each user's account. To resolve this issue, make sure your account is in the current Organization.
However, what I want to say is that the security level of the alternate credentials is Least secure:
MS doesn't recommend using alternate credentials and Azure DevOps will no longer support Alternate Credentials authentication.
Deprecation Timeline
Beginning December 9, 2019 we will disable and hide Alternate Credentials settings for organizations that don’t have Alternate Credentials set. This change will be in effect for all these organizations by December 20, 2019.
In the coming months we will work with our customers that are still using the feature, to help them switch to another, more secure authentication method.
March 2, 2020 – Start gradually disabling Alternate Credentials for all Azure DevOps organizations.
Check the dev blogs for some more details.
Hope this helps.

Related

How to activate "Alternate credentials" on Azure DevOps?

I just created a new organization for my team on Azure DevOps. I wanted to activate git access through username/password to begin with (for multiple reasons: we use HTTPS, so no SSH certificate, and I've no idea how to use a PAT with our current git client (Sourcetree)).
Currently, when I go in my settings on "Alternate credentials", I get this:
But I've been into the organization page and I cannot find this setting. How can I enable it?
But I've been into the organization page and I cannot find this setting. How can I enable it?
You can't enable that, the Alternate authentication credentials setting has been removed from Organization settings=>Policies for newly created organizations. Check the blog shared above in Michael's answer.
I've no idea how to use PAT with our current git client.
It's recommended to use PAT instead since you have no SSH certificate. Here're samples about how to use git+pat without pop-up window for credentials (Useful when you're running the commands in pipeline, since you can't enter credentials if there's pop-up window):
1. You can generate Git credentials to get a temporary username and password, and then use the format:
git clone https://UserName:Password@dev.azure.com/OrgName/ProjectName/_git/RepoName
2. You can create a limited PAT (more secure than Full access) and use the command:
git clone https://anything:{yourPAT}@dev.azure.com/OrgName/ProjectName/_git/RepoName
Same format when using git push...
Also you can clone the repo with git clone + URL from this button. Per my experience, it will prompt for credentials and save the credentials in local machine.
For Source Tree:
Url: https://OrganizationName.visualstudio.com
userName: The email address of your azure devops account
password: PAT
Enter correct URL format, click the refresh PAT button and enter the email as username, PAT as password. The authentication succeeds in my source tree for windows.
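Added example (not part of the original answers): the two clone commands above put the secret in the URL, and git stores that URL as the remote in .git/config. The sketch below sends the PAT in a host-scoped Authorization header instead and strips credentials from an existing remote; AZDO_PAT and the function names are assumptions, and the GIT_CONFIG_* variables need Git 2.31 or later.

```bash
#!/usr/bin/env bash
# Added example, not from the original thread. AZDO_PAT and all function
# names are assumptions; GIT_CONFIG_COUNT/KEY/VALUE need Git 2.31+.

# Basic auth header for a PAT: empty user name, PAT as the password.
ado_auth_header() {
  printf 'Authorization: Basic %s' "$(printf ':%s' "$1" | base64 | tr -d '\n')"
}

# Succeeds when an http(s) URL embeds userinfo (user:secret@host).
url_has_creds() {
  printf '%s' "$1" | grep -Eq '^https?://[^/@]+@'
}

# Drop the userinfo part so the URL is safe to store in .git/config.
strip_url_creds() {
  printf '%s' "$1" | sed -E 's#^(https?://)[^/@]+@#\1#'
}

# scheme://host/ prefix, used to scope the header to that server only.
url_origin() {
  strip_url_creds "$1" | sed -E 's#^(https?://[^/]+)/.*#\1/#'
}

# Clone with the PAT taken from $AZDO_PAT; nothing secret reaches the
# URL, git's argv, or the new repository's config.
ado_clone() {
  local url
  url="$(strip_url_creds "$1")"; shift
  : "${AZDO_PAT:?export AZDO_PAT with a limited-scope PAT first}"
  GIT_CONFIG_COUNT=1 \
  GIT_CONFIG_KEY_0="http.$(url_origin "$url").extraHeader" \
  GIT_CONFIG_VALUE_0="$(ado_auth_header "$AZDO_PAT")" \
    git clone "$url" "$@"
}

# Repair a checkout that was cloned with user:PAT@ in the URL.
scrub_origin() {
  local repo="${1:-.}" cur
  cur="$(git -C "$repo" remote get-url origin)" || return 1
  if url_has_creds "$cur"; then
    git -C "$repo" remote set-url origin "$(strip_url_creds "$cur")"
  fi
}
```

A PAT that has already been typed into a clone URL may also sit in shell history, so revoking it and issuing a new limited-scope one is the safer follow-up to scrub_origin.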
Looks like effective March 2, 2020 Alternate Credentials are no longer supported. Organizations created before then can use them for a short time to transition to PATs. New organizations do not have that option. Source
From Microsoft DevBlog:
Deprecation Timeline
Beginning December 9, 2019 we will disable and hide Alternate Credentials settings for organizations that don’t have Alternate Credentials set. This change will be in effect for all these organizations by December 20, 2019.
In the coming months we will work with our customers that are still using the feature, to help them switch to another, more secure authentication method.
March 2, 2020 – Start gradually disabling Alternate Credentials for all Azure DevOps organizations.
Legacy Organizations
If you have a legacy organization, the option would appear under Organization Settings, Policies (under the Security subheading). The toggle is called "Alternate authentication credentials"

Invited user Azure Devops project but they are unable to access it

I added a user to my Azure Devops project but when they click on the link in the invitation email they get the "401 - Uh-oh, you do not have access." error. What am I doing wrong?
What I did that seems to have worked, was I made the project public, and the other user was able to access it. After they had accessed one time successfully I made it private again. They are still able to get to it.
First, check if your Azure DevOps organization is AAD based or not. Then that invited user should use corresponding account, work/school account for AAD based, personal account for the other. For example:
A highly specific 401 error case. In this case, both a personal Microsoft account and a work or school account (Azure AD) that have the same sign-in address exist. You've signed in with your work or school account, but your personal account is the identity with access to the organization.
For a more detailed explanation, you could take a look at our official documentation here:
Why can't I sign in after I select "personal Microsoft account" or "work or school account"?
Although both identities use the same sign-in address, they're separate: they have different profiles, security settings, and permissions. Sign out completely from Azure DevOps by completing the following steps. Closing your browser might not sign you out completely. Sign in again and select your other identity:
Close all browsers, including browsers that aren't running Azure DevOps.
Open a private or incognito browsing session.
Go to this URL: https://aka.ms/vssignout.
You see a message that says, "Sign out in progress." After you sign out, you're redirected to the Azure DevOps @dev.azure.microsoft.com webpage.
If the sign-out page takes more than a minute to sign you out, close the browser and continue.
Sign in to Azure DevOps again. Select your other identity.
I suggest you use an InPrivate mode browser to log in, then use your Microsoft Account to authenticate, and also select personal account if you need to choose between a "work or school account" and my "personal account".

How to get access to an Azure DevOps Organization

I cannot create a new organization named ''OnLineO'', as this name already exists.
I'm almost sure it was me who created it some time ago, but none of my logins work.
Must I send an email to Visual Studio Marketplace (VSMarketplace@microsoft.com) as stated in this post: Recovering access to an organization?
Through the query, I found that your organization:"OnLineO" has been backed up to AAD:"OnLineO".
Please go to the Azure DevOps profile page, switch to the OnLineO domain and try to log in. Please do this in a new incognito window of the browser. Note that your login account also needs to be backed up to AAD.
If you still cannot log in, please provide vsid as shown below. Pay attention to the processing of personal privacy information.
Sorry for the delay. If organization OnLineO is backed up to AAD "OnLineO", this is a great info, but I don't understand what it means... ?
On my DevOps profile page in an Invited session in Chrome (more isolated than incognito in other browsers), I am switched to OnLineO
DevOps profile page
It's when I try to create OnLineO as a New Organization that I get this message :
New Organization

Alternate credentials - how to generate list

I'm looking on a way to list alternate credentials created by users in my Azure DevOps organization as we are thinking about shutting this feature down.
I'm looking on a way to list alternate credentials created by users in my Azure DevOps organization
Sorry for any inconvenience.
I am afraid there is no such way to list all the alternate credentials created by users in your Azure DevOps organization. This behavior is by design.
That's because the alternate credentials are created based on each user's account. And as we know the security level of the alternate credentials is Least secure:
MS doesn't recommend using alternate credentials. So, MS does not provide a method to collect alternate credentials. You can notify all users in your Azure DevOps organization that you are thinking about shutting this feature down.
Hope this helps.

How to detach, unlink, clear, remove, or rollback VSTS connection to Azure AD

There are good instructions available here on changing the VSTS connection from one Azure AD to another: Change VSTS AD.
But what if you just want to remove the Azure AD integration, and just revert to using Microsoft Accounts?
I successfully performed all the steps in the instruction, up to the point of attaching a new target Azure AD. You'd think when the VSTS account was unlinked in Azure, it would no longer show up in VSTS.
But going to https://[AccountName].visualstudio.com/_admin/_home/settings still shows account being backed by the source directory.
Attempting to add a Microsoft Account based user at https://[AccountName].visualstudio.com/_user fails to find the account, presumably because it is looking in the Source Azure AD.
This is an important capability when transferring ownership of an account. Thanks for taking a look!
You can follow the steps here: Disconnect your Team Services account from Azure AD.
To stop using Azure AD and revert to using Microsoft accounts, you can disconnect your Team Services account from its directory.
Here's what you'll need:
Microsoft accounts added to your Team Services account for all users.
Team Services account owner permissions for your Microsoft account.
Directory membership for your Microsoft account as an external user and global administrator permissions. Azure AD members can't disconnect Team Services accounts from directories.
With the help of Microsoft Premium Support, we did manage to get this worked out.
The problem was the Team Services was not disconnected from the associated Azure AD before it was unlinked. Then once it was unlinked, it appeared gone from Azure, leaving no way to disassociate Azure AD.
The documentation does show to first disconnect the VSTS account from Azure AD, and then “unlink” the account. Where I got into trouble was by using the new portal. (It's pretty hard to even find the old portal anymore, BTW.)
The new portal has this nice handy unlink button, which is practically irresistible. If clicking it, then it declares success. There is nothing in the UI that prevents you from unlinking while still leaving the AD association. There is no option at all in the new UI portal, as far as I could find, to disconnect Team Services from Azure AD.
Once unlinked, the only fix is to relink, and then redo it all in the old portal as is indicated by the documentation.
This is much more difficult than it should be because it seems like something that should be simple to achieve through the web UI. These posts helped me, but I wanted to add my 2 cents:
In order to disconnect VSTS from AAD you need to be able to use the disconnect button on the configure tab in the old portal seen here. However, you can only use that button if you're the VSTS account owner and if your account is not sourced from the currently linked active directory (i.e. - a MS Account). But you can't make the VSTS account owner a MS account if you've used the portal's interface to add the MS Account to your AAD as an external user. This is because external users are added as Guest account type by default (rather than Member type). If you try to set the MS account as VSTS owner you get the "AAD guest users are not allowed to be collection owners" message seen here.
It's a chicken/egg thing which is made more difficult by the fact that the official documents for this process make no mention of the conflict you'll face. They read as if this should just work.
The answer is that (as of today) you can't do this without using PowerShell or an AAD API to convert the MS Account from a "Guest" to a "Member" user type. There are a number of articles out there which walk through the older APIs to do this. Here is what I did with the latest PS:
First, log in to the directory you wish to unlink with an account which has permissions to modify members. Ideally an admin or owner.
Connect-AzureAD
Next, find the account you want to modify using this command:
Get-AzureADUser
Find the ObjectID of the user you want to convert from Guest to Member and then run this command:
Set-AzureADUser -ObjectId [ObjectID GUID Here] -UserType Member
This will convert the MS Account in the AAD you want to unlink to a 'member' type. In my situation I found that I had to remove the MS Account from VSTS and re-add it in order to trigger a refresh which allowed me to set it as account owner.
Now you just follow the documented steps:
set MS account as project owner. Save.
log in to old portal, go to configure tab, and disconnect
log back in everywhere to see the changes