Azure DevOps integration with AAD failing - azure-devops

I am trying to connect an existing MS-based DevOps organisation to our AAD (O365). I have a user account nnn@outlook.com in DevOps that is both Organization Owner and a Collection Administrator.
The same outlook.com account is a Member of the target Tenant directory. I can login to portal.azure.com using that account and see all the details of the AAD. I have made the account a Global Administrator.
When I click Connect Directory, I get a list of the tenants that account has access to. My target is there and I have confirmed that the Tenant ID matches.
When trying to connect I get the error message:
"User: nnnn@outlook.com is not allowed to link organization: xxxx to AAD tenant: zzzzz. Only active members of the AAD tenant are allowed to perform the link."
I tried creating a clean guest account and PS'd it to become a Member, but got the same result.
Any suggestions greatly appreciated.

Related

Multiple Active Directory in one Azure DevOps Organization

I have one Azure DevOps Organization tied to an Active Directory named ABC (AD name). I have a user from another Active Directory (AD name CDE) who needs access to the Azure DevOps organization, but I can't find their username in the user list. How can I add the CDE Active Directory to the organization so that in future users from these 2 ADs can access the Azure DevOps organization?
Thank you.
I am afraid that an Azure DevOps Organization is not supported to connect to 2 AAD directories at a time.
When your organization links AAD, it can only choose one AAD to link.
How can I add the CDE Active Directory to the organization so that in future users from these 2 ADs can access the Azure DevOps organization?
You can add the required users from the CDE Active Directory to the ABC AAD directory in the Guest role.
Then you can find the user name and add the user to the Organization.
Or you can directly search for the user via user email in Organization Settings -> Users.
Even if you can't see the corresponding user name in the drop-down list, the invited mailbox can still accept the invitation and join the organization.
Then the user will be added to the current AAD in the Guest role by default.
Note: In order for the AAD Guest user to access the organization, you need to make sure the option External guest access is turned on in Organization Settings -> Policies.
For more detailed info, you can refer to the docs: Add external users to your organization and Quickstart: Add a guest user and send an invitation
Update:
To grant the Guest Inviter role in Azure AD, you can navigate to Azure Portal -> Azure Active Directory -> Roles and administrators -> search for the Guest Inviter role and grant the role to your account.

Cannot link my Azure DevOps Organization to my AAD tenant

I'm trying to connect my Azure DevOps Organization to my Azure AD Tenant. I'm the only user in both. I connect to both using my personal Microsoft (@outlook.com) account. However, when I'm trying to link my DevOps org to my Azure AD Tenant, Azure DevOps doesn't see me as a member of the Azure AD Tenant that I'm trying to connect to, even though I'm connected in Azure with the same Microsoft account that I use on Azure DevOps... I'm following the steps mentioned here.
The picture below shows the error message I'm getting while trying to connect my Azure DevOps org to my Default Azure AD Tenant:
Here, you can see that I'm connected in my Azure AD Tenant with the same Microsoft account as in the previous picture:
Tried to do the same where only one member, who is the only admin, is present in the Azure AD tenant, but could successfully connect to Azure DevOps.
Please make sure you are connecting an already existing AAD tenant and then creating the connection. Check if admin permissions are given.
I had these roles assigned.
I had guest user access the same as member access.
Could smoothly connect without any warnings to the same domain as that of Azure AD.
I tried to reproduce the issue and so tried to connect with another tenant/directory and got an error similar to yours, which is not your case, as you mentioned you have the same directory domain.
So in your case, please close all other tabs and sign in to only the required tenant, both in Azure AD and also in Azure DevOps.
Please check the access permissions for this organization, i.e. whether the organization is denied external access.
See Access via Azure AD FAQs | Microsoft Docs, which can guide you in troubleshooting the cause of your error; it says to have co-admin or service admin permissions.
Also please take the points by @jessehouwing in the comments into consideration if the issue is still there: create a new Global Admin user account in AAD, add this user to the DevOps organisation, set it as owner and give it Project Collection Administrators permission, remove that domain from the DevOps org, then re-add it to the org and re-assign it as the owner.
Else it might be some issue with the default directory permissions. You may contact and report a problem in https://developercommunity.

Cannot manage Azure DevOps from Work Account, even I am the organization owner

Currently my organization in Azure DevOps contains two users: myname@mycompany.com (Personal Account) and myname@mycompany.com (Work Account).
myname@mycompany.com (Work Account) is the organization owner. When I log into DevOps with this account, I cannot do anything without the user being switched to the Personal Account automatically.
The personal account does not have permission to manage users or change organization settings. So I am kind of stuck.
My end goal is to link this organization to our Azure AD tenant, of which my Work Account is a member.
How can I fix that?
If you want to use the AAD identity of the same email address to access the organization, you first need to check whether the organization is connected to AAD, like this, in the Azure Active Directory section of the organization settings.
Secondly, when you log in, please select Work or school account. This happens when you sign in with an email address that's shared by your personal Microsoft account and by your work account or school account.
Select Work or school account if you used this identity to create your organization, or if you previously signed in with this identity. Your identity is authenticated by your organization's directory in Azure AD, which controls access to your organization.
Select Personal account if you used your Microsoft account with Azure DevOps. Your identity is authenticated by the global directory for Microsoft accounts.
In addition, you can open a private or incognito browsing session and sign in, which can avoid the influence of the identity cached by the browser.
Here is the document about troubleshooting access via Azure AD you can refer to.

Cannot connect Azure Active Directory to Azure DevOps because 1 user has multiple active identities with the same UPN

I'm trying to connect Azure DevOps to Azure Active Directory (which is being synced to an on premise AD server) and I keep getting the following error:
Connection Failed: Your organization #### failed to connect to the #### Azure Active Directory.
User: ##AADGUID##\##USER##@##DOMAIN## of 1 total users has multiple active identities with the same UPN. Please either remove the duplicates or change the UPNs to be unique.
I've looked at the user's account and don't see anything obviously misconfigured compared to any other user's account but that might not be saying much. Any help would be greatly appreciated.
Turns out when our Azure DevOps instance was first set up, all our users set up Microsoft accounts with their company emails. Later, when we finally stood up Azure AD but before we connected it to DevOps, we added a new project and set the permissions for a few existing employees. For some reason the user permissions on the new DevOps project were listed as "aaduser" type instead of the standard "user" type (MS account) that all the users in other projects in DevOps had. In other words, duplicate UPNs but different accounts (but sort of the same). What's weird is that DevOps managed to find the Azure AD user account before we even connected the two services together.
We removed the offending users with the standard "user" type and re-added them so they were now all listed as "aaduser." We were then able to connect Azure AD. To be clear, this was all done on the DevOps side and had nothing to do with AD.
Not sure why it was finding Azure AD users when we weren't even connected to it yet.
It sounds like you have multiple users in your Azure AD tenant with the same UPN.
Maybe you created a cloud account with the same UPN before syncing the on-premises directory with Azure AD Connect? Or something else of that nature.
Try going to Graph Explorer: https://developer.microsoft.com/en-us/graph/graph-explorer
Log in with an Azure AD admin account
and type in a query like this:
https://graph.microsoft.com/v1.0/users?$filter=startswith(UserPrincipalName,'##UPNHavingIssues##')
That should get you the users with whatever UPN is having problems. There should only be one entry, but if there are multiple, then that's where the problem is.
The other option is to remove the user having issues from DevOps completely, then try to connect, then re-add him, because when you try to connect DevOps to an Azure AD domain it will try to match the UPNs of users in your DevOps with users in your tenant.
According to this doc:
During the connect process, we map existing users to members of the Azure AD tenant, based on their UPN, which is often known as sign-in address. If we detect multiple users with the same UPN, we don't know how to map these users.
The cause of this issue is that the target user has the same UPN as another user. A UPN must be unique among all security principal objects within a directory forest.
The UPN consists of a UPN prefix (the user account name) and a UPN suffix (a DNS domain name).
For example: someone@example.com
You can compare the target account with other user accounts. Then you can find the duplicate UPN.
You could try to remove the duplicate one or change the UPN so it is unique.
Hope this helps.
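The three answers above describe the same check from two sides: query the tenant for objects sharing a UPN, and look for one sign-in address present under two identity types ("user" and "aaduser") in the DevOps org. The script below is an added example, not code from the thread or from Microsoft. It runs offline on constructed sample data shaped like the `value` array of a Microsoft Graph `/v1.0/users` response and a constructed Azure DevOps user list; the DevOps-side field names (`principalName`, `type`) are assumptions for illustration, while the `user`/`aaduser` values are the labels the accepted answer uses.

```python
"""Spot UPN collisions that block linking an Azure DevOps org to an Azure AD tenant.

Added example, not from the thread or from Microsoft. Works on in-memory sample
records (constructed); no network access is needed.
"""
from collections import defaultdict
from typing import Dict, List

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"

# Constructed sample of the "value" array returned by
# GET /v1.0/users?$select=id,userPrincipalName,userType,accountEnabled
# jsmith@example.com appears twice, differing only in case (the cloud-only account
# created before Azure AD Connect started syncing, as the answer above guesses).
# adoe@example.com also appears twice, but the second object is disabled.
SAMPLE_AAD_USERS = [
    {"id": "aad-0001", "userPrincipalName": "jsmith@example.com",
     "userType": "Member", "accountEnabled": True},
    {"id": "aad-0002", "userPrincipalName": "JSmith@example.com",
     "userType": "Member", "accountEnabled": True},
    {"id": "aad-0003", "userPrincipalName": "adoe@example.com",
     "userType": "Member", "accountEnabled": True},
    {"id": "aad-0004", "userPrincipalName": "adoe@example.com",
     "userType": "Member", "accountEnabled": False},
    {"id": "aad-0005", "userPrincipalName": "contractor_outlook.com#EXT#@example.onmicrosoft.com",
     "userType": "Guest", "accountEnabled": True},
]

# Constructed Azure DevOps user list (field names are assumptions): jsmith exists
# both as a Microsoft account ("user") and as an Azure AD identity ("aaduser"),
# the duplicate the asker found on the DevOps side.
SAMPLE_DEVOPS_USERS = [
    {"principalName": "jsmith@example.com", "type": "user"},
    {"principalName": "jsmith@example.com", "type": "aaduser"},
    {"principalName": "adoe@example.com", "type": "user"},
]


def graph_upn_query(upn_prefix: str) -> str:
    """Build the Graph Explorer URL from the answer for a given UPN prefix.

    OData string literals escape a single quote by doubling it, so a prefix
    such as o'brien must not break the $filter expression.
    """
    literal = upn_prefix.replace("'", "''")
    return f"{GRAPH_USERS}?$filter=startswith(userPrincipalName,'{literal}')"


def find_duplicate_upns(aad_users: List[dict]) -> Dict[str, List[str]]:
    """Return {upn: [object ids]} for every UPN carried by more than one
    enabled directory object. UPNs are compared case-insensitively, because a
    sign-in address is not case-sensitive."""
    by_upn: Dict[str, List[str]] = defaultdict(list)
    for user in aad_users:
        if not user.get("accountEnabled", True):
            continue  # a disabled object is not an "active identity"
        by_upn[user["userPrincipalName"].casefold()].append(user["id"])
    return {upn: ids for upn, ids in by_upn.items() if len(ids) > 1}


def devops_identity_conflicts(devops_users: List[dict]) -> Dict[str, List[str]]:
    """Azure DevOps side of the same check: one sign-in address present under
    more than one identity type (e.g. both "user" and "aaduser")."""
    by_upn: Dict[str, List[str]] = defaultdict(list)
    for user in devops_users:
        by_upn[user["principalName"].casefold()].append(user["type"])
    return {upn: kinds for upn, kinds in by_upn.items() if len(kinds) > 1}


def link_blockers(aad_users: List[dict], devops_users: List[dict]) -> List[str]:
    """One line per UPN that would make the connect step fail, naming the side
    (tenant or DevOps org) on which the duplicate has to be resolved."""
    lines: List[str] = []
    for upn, ids in sorted(find_duplicate_upns(aad_users).items()):
        lines.append(f"tenant: {upn} has {len(ids)} enabled objects {ids}; "
                     f"verify with {graph_upn_query(upn.split('@')[0])}")
    for upn, kinds in sorted(devops_identity_conflicts(devops_users).items()):
        lines.append(f"devops: {upn} is present as {kinds}; remove one identity, "
                     f"connect, then re-add the user")
    return lines


if __name__ == "__main__":
    for line in link_blockers(SAMPLE_AAD_USERS, SAMPLE_DEVOPS_USERS):
        print(line)
```

Against the sample data this reports `jsmith@example.com` on both sides and stays quiet about `adoe@example.com`, whose second tenant object is disabled. To use it for real, paste the `value` array from the Graph query into `SAMPLE_AAD_USERS` and export the org's user list from Organization Settings -> Users into the same shape as `SAMPLE_DEVOPS_USERS`.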

TfsMigrator: "VS4032856: The identity ** belongs to a different Azure Active Directory (AAD) tenant"

When trying to migrate from TFS to Azure Devops I run in an error during the import phase :
[Error] VS4032856: The identity Rémi Benoit belongs to a different Azure Active Directory (AAD) tenant than the identity used during the prepare step. Please sign in with an identity in the same AAD tenant or re-run the prepare step using this identity.
The user I used for the prepare step is registered on the AAD tenant. I can login to Azure portal with it and read user details on the AAD page of the portal.
A possible problem: my user was created on a different tenant. I was then invited as a guest to the tenant domain used in the import. I can list all the users on the AAD from the Azure portal. I also changed my default Azure directory to the tenant of the import.
Should I use an account created specifically on the AAD to execute the import? Or am I just missing some rights?
Fixed my problem by using another account.
Switched from using a guest account to a member account on the AAD.