I'm looking for a way to list alternate credentials created by users in my Azure DevOps organization, as we are thinking about shutting this feature down.
Sorry for any inconvenience.
I am afraid there is no such way to list all the alternate credentials created by users in your Azure DevOps organization. This behavior is by design.
That is because the alternate credentials are created based on each user's account. And as we know, the security level of the alternate credentials is Least secure:
MS doesn't recommend using alternate credentials. So, MS does not provide a method to collect alternate credentials. You can notify all users in your Azure DevOps organization that you are thinking about shutting this feature down.
Hope this helps.
I'm trying to create a release pipeline in DevOps that releases packages to LCS, the normal Dynamics 365 FO way of working. The issue is, I don't have an admin account without MFA that can be used to do this. Which roles or general setup should I set on the AAD user to be able to create the release? Currently I'm getting the AADSTS7000218 error.
I created a user that doesn't have MFA and I expect to add certain roles to be able to use this user for creating releases in DevOps.
In Azure DevOps, to create a release pipeline you need the "Edit release pipeline" permission set to Allow. And you need to be at least a Basic user.
And as per the document, AADSTS7000218 means "The request body must contain the following parameter: 'client_assertion' or 'client_secret'." When authenticating to Azure AD to get an access token, the client application is not providing its "password" (in the form of either a client secret or a client assertion) as expected by Azure AD's token endpoint.
You could try navigating to Azure Active Directory->App Registration and find Authentication in your application. And set "Allow public client flows" to "Yes" in Azure portal.
Here's another ticket that has a similar issue; hope it can help.
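The condition behind AADSTS7000218, as an added example that is not part of the answer above: the app registration setting "Allow public client flows" decides whether Azure AD will accept a username/password (ROPC) token request that carries no client secret. The tenant, client ID, scope and account values are placeholders; the endpoint and form field names are the documented v2.0 token endpoint ones.

```python
import json
import re

# Documented Azure AD v2.0 token endpoint; the tenant is a placeholder.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
AADSTS_RE = re.compile(r"AADSTS(\d+)")


def build_ropc_request(tenant, client_id, scope, username, password,
                       *, allow_public_client_flows, client_secret=None):
    """Build (url, form) for a username/password (ROPC) token request.

    allow_public_client_flows mirrors the app registration setting named in the
    answer above.  When it is off, Azure AD treats the app as a confidential
    client and requires client_secret or client_assertion in the body; sending
    the request without one is what produces AADSTS7000218, so we fail early
    with the same message instead of discovering it at the endpoint.
    """
    form = {
        "client_id": client_id,
        "scope": scope,
        "grant_type": "password",
        "username": username,
        "password": password,
    }
    if client_secret:
        form["client_secret"] = client_secret
    elif not allow_public_client_flows:
        raise ValueError(
            "AADSTS7000218: The request body must contain the following "
            "parameter: 'client_assertion' or 'client_secret'"
        )
    return TOKEN_URL.format(tenant=tenant), form


def aadsts_code(error_body):
    """Return the AADSTS code from a token endpoint error response, or None.

    The error_description field carries the code as 'AADSTSnnnnnnn: ...', so
    a pipeline can match on the code rather than on the free-text message.
    """
    try:
        desc = json.loads(error_body).get("error_description", "")
    except ValueError:
        return None
    m = AADSTS_RE.search(desc)
    return m.group(1) if m else None
```

Note that ROPC only works for an account without MFA and with no Conditional Access policy blocking it, which is why the question needs a dedicated service account; if the app is instead kept confidential, the fix is to add a client secret to the pipeline's secure variables rather than flipping the public-client switch.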
We've been told by Microsoft support that Azure DevOps Services supports tenant restrictions. While we have tenant restrictions enabled on a number of other services, it doesn't seem to apply to DevOps. Not only can we still log in to organizations outside of our tenant, we can also log in to our own organization and, if our corp email is added as a user in that org, the organization also shows up. I'd expect that our users would be blocked from logging into or accessing any external orgs.
I'm a little confused about why this isn't just working as expected and despite them saying Azure DevOps Services supports tenant restrictions, I'm not finding much documentation to back that up.
Have you been able to migrate to Azure DevOps Services and ensure that your users are only able to access orgs within your own tenant? How?
Azure DevOps Service supports the Azure Active Directory (Azure AD) tenant policy to restrict users from creating an organization in Azure DevOps. This policy is turned off, by default. You must be an Azure DevOps Administrator in Azure AD to manage this policy.
Check following link for more details:
https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/azure-ad-tenant-policy-restrict-org-creation?view=azure-devops
Notice:
This policy is supported only for company owned (Azure Active Directory) organizations. Users creating an organization using their personal account (MSA or GitHub) have no restrictions.
https://devblogs.microsoft.com/devops/policy-support-to-restrict-creating-new-azure-devops-organizations/
We finally received a more concrete answer to this question from Premier Support. Sounds like this wasn't entirely clear internally either. Azure DevOps Services supports TRv1, which provides tenant restrictions from client to proxy, but does not support TRv2 tenant restrictions, which provide server to server restrictions. TRv1 will prevent you from authenticating against an org outside your tenant directly but does nothing to prevent the background authentication that happens if your account is configured to be able to access a secondary tenant's org. The server to server connection strips off the header information necessary to restrict you from accessing the secondary tenant. While this feature may be on their radar, there is no expectation or firm timeline for its release at this time.
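The TRv1 mechanism the support answer above refers to, reduced to its essential step as an added example (not code from the original thread or from Microsoft): a TRv1 proxy adds two headers to every client request bound for the Azure AD login endpoints, and Azure AD then refuses to issue tokens for tenants not on the list. A server-to-server call made by Azure DevOps on the user's behalf never passes through the proxy, so it carries no headers and is not restricted, which is the gap the answer describes. The tenant names and directory ID below are placeholders.

```python
from urllib.parse import urlparse

# Azure AD sign-in hosts a TRv1 proxy intercepts (TLS-inspected) to inject headers.
LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}

# Placeholders: tenants your users may obtain tokens for, and your directory ID.
ALLOWED_TENANTS = ["contoso.com", "11111111-2222-3333-4444-555555555555"]
CONTEXT_TENANT_ID = "11111111-2222-3333-4444-555555555555"


def apply_trv1(url, headers, *, via_proxy):
    """Return the headers a request will actually carry to Azure AD.

    The proxy only sees traffic routed through it (via_proxy=True) and only
    touches the sign-in hosts.  Background server-to-server authentication
    (via_proxy=False) is untouched, so the Restrict-Access-* headers are absent.
    """
    headers = dict(headers)
    host = (urlparse(url).hostname or "").lower()
    if via_proxy and host in LOGIN_HOSTS:
        headers["Restrict-Access-To-Tenants"] = ",".join(ALLOWED_TENANTS)
        headers["Restrict-Access-Context"] = CONTEXT_TENANT_ID
    return headers


def tenant_allowed(request_headers, tenant):
    """Model of Azure AD's check: with the header present, token issuance is
    permitted only for listed tenants; with no header, every tenant is allowed."""
    allowed = request_headers.get("Restrict-Access-To-Tenants")
    if allowed is None:
        return True
    return tenant.lower() in {t.strip().lower() for t in allowed.split(",")}
```

This is why enabling TRv1 on the corporate proxy blocks a user from signing in interactively to an external org but still leaves the org visible once their account has been invited into the other tenant: the sign-in that matters for that case does not traverse the proxy.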
After a couple companies merge, we had to build up an AZ DevOps solution from scratch for the new business entity. Unfortunately, at that time we added some users from various companies under their original email addresses (reason: reuse of their VS subscriptions).
Now we need to migrate these users in Azure DevOps from their old bill.smith@oldcompany.com to their new bill.smith@newcompany.com without losing their work and settings. Afterwards the users should be able to log in with their new emails and see everything as if they had logged in with their old addresses.
Any ideas how to solve this problem?
You need to open a support case and they can help you out. You get an Excel file to map users between the domains and they can map them over in one go.
jessehouwing is right; if you want to migrate data to new Azure DevOps users, you need to submit a support ticket here.
But there are some things you need to pay attention to and get ready first:
1. Do not add them (bill.smith@newcompany.com) to Azure DevOps Service or let them log on to Azure DevOps Service. At this point Azure DevOps Service support needs to migrate/transfer the users.
2. Provide a mapping list of users (old user > new user) to Azure DevOps Service Support.
3. Azure DevOps Service will transfer identities to the new users. This should add the new account to Azure DevOps Service, assign work items to the new account, assign the Azure DevOps Service license to the new account, and remove the old account from Azure DevOps Service.
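Preparing the mapping list for that support ticket, as an added example that is not part of the answers above: it derives the old > new pairs from the current user list and enforces the precondition in step 1, flagging any new-domain identity that someone has already added to the organization, since support cannot merge onto an account that already exists. The user list is constructed for the example; in practice it would come from an export of the organization's users (for instance `az devops user list`).

```python
import csv
import io

# Constructed sample of an organization's current user list.
ORG_USERS = [
    "bill.smith@oldcompany.com",
    "jane.doe@oldcompany.com",
    "bob.jones@otherco.com",        # different domain: not part of this migration
    "jane.doe@newcompany.com",      # added prematurely: violates step 1 above
]


def build_mapping(org_users, old_domain, new_domain):
    """Return (rows, problems).

    rows: (old_user, new_user) pairs for the support ticket, in org order.
    problems: new identities that already exist in the org and must be
    removed before support can transfer the old identity onto them.
    """
    present = {u.lower() for u in org_users}
    rows, problems = [], []
    for user in org_users:
        local, sep, domain = user.rpartition("@")
        if not sep or domain.lower() != old_domain.lower():
            continue
        new_user = f"{local}@{new_domain}"
        if new_user.lower() in present:
            problems.append(new_user)
        rows.append((user, new_user))
    return rows, problems


def mapping_csv(rows):
    """Render the pairs as the two-column sheet support asks for."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["old_user", "new_user"])
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    rows, problems = build_mapping(ORG_USERS, "oldcompany.com", "newcompany.com")
    print(mapping_csv(rows))
    for p in problems:
        print(f"WARNING: {p} already exists in the org; remove it before filing the ticket")
```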
I try to use alternative credentials.
I write the name and password, then I press "Save", Azure DevOps shows me the message that the user was saved.
I navigate to other pages, if I return to the page, alternative credentials do not appear.
I have collection administrator permissions.
Another partner with the same permissions creates the alternative credential and Azure DevOps keeps the account.
The difference between the two users is that, I have a hotmail account associated with my Visual Studio license and the partner has the organization account.
I appreciate any support.
Alternate credentials have not been saved
As we know, the alternate credentials are created based on each user's account. To resolve this issue, make sure your account is in the current organization.
However, what I want to say is that the security level of the alternate credentials is Least secure:
MS doesn't recommend using alternate credentials, and Azure DevOps will no longer support Alternate Credentials authentication.
Deprecation Timeline
Beginning December 9, 2019 we will disable and hide Alternate Credentials settings for organizations that don't have Alternate Credentials set. This change will be in effect for all these organizations by December 20, 2019.
In the coming months we will work with our customers that are still using the feature, to help them switch to another, more secure authentication method.
March 2, 2020 – Start gradually disabling Alternate Credentials for all Azure DevOps organizations.
Check the dev blogs for some more details.
Hope this helps.
Looking at "Authorize access to REST APIs with OAuth 2.0" at https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/oauth?view=azure-devops
An Azure DevOps organization is connected to an Azure Active Directory tenant
-> let's call it 'devops-ad-tenant'.
A user has an Active Directory Home Tenant
-> let's call it 'user-ad-home-tenant'.
A user can be a guest user within another Active Directory Tenant
-> let's call it 'user-ad-guest-tenant'.
If the 'devops-ad-tenant' is equal to the 'user-ad-home-tenant', everything works out fine.
If the 'devops-ad-tenant' is equal to the 'user-ad-guest-tenant', the OAuth flow succeeds, but the flow happens within the context of the 'user-ad-home-tenant' and this user is, from an Azure DevOps perspective, not the user from 'user-ad-guest-tenant'.
I am having trouble to use something like a "domain_hint" when initiating the OAuth flow.
Any thoughts?
This behavior of getting the token for the home directory is by design, since the customer may be a guest in multiple Azure Active Directories. And as the document you shared for the Azure DevOps OAuth authentication shows, currently there is no such option to choose which directory is used for the token acquired.
If you want Azure DevOps to support this feature, you can submit the feedback from Developer Community - Azure DevOps.
I managed to get along with a workaround...
My application uses an Azure AD multi-tenant appRegistration for authentication.
When the user logs in at my application, the OAuth flow for Azure DevOps is started.
To set the Azure AD tenant for the OAuth flow for the Azure DevOps organization:
1. use a clean browser session, no cookies etc.
2. log into https://aex.dev.azure.com and select the Azure AD tenant 'user-ad-guest-tenant' for the Azure DevOps organization
3. duplicate that tab
4. enter the URL for my application
5. the OAuth flow happens within the context of 'user-ad-guest-tenant'
This is really inconvenient... but a workaround... besides, I am still investigating why this is working...