we have created a project and a team on visualstudio.com with one admin and two basic users. Now admin has left the team and we are not able to managing users, because all of us are only basic users. Is there any way to restore his account or change privileges to one of the existing accounts?
The only way to even try to accomplish this is through Support. If the VSTS is AAD managed, they can fix this for you. If the account is Microsoft Account backed, then it is owned by the user and support will likely tell you to create a new account instead. They can't "steal" an account for you.
See:
https://visualstudio.microsoft.com/team-services/support/
Related
Currently my organization in Azure DevOps contains two users: myname#mycompany.com (Personal Account) and myname#mycompany.com (Work Account).
myname#mycompany.com (Work Account) is the organization owner. When I log into devops with this account, I cannot do anything without avoid the user being switched to the Personal Account automatically.
The personal account does not have permission to manage users nor change and organization settings. So I am kind of stuck.
My end goal is to link this organization to our Azure Ad tennant, that my Work Account is member of.
How can I fix that?
If you want to use the AAD identity of the same email address to access the organization, you first need to check whether the organization is connected to AAD like this in the Azure Active Directory of the organization settings.
Secondly, when you log in, please select Work or school account. This happens when you sign in with an email address that's shared by your personal Microsoft account and by your work account or school account.
Select Work or school account if you used this identity to create
your organization, or if you previously signed in with this identity.
Your identity is authenticated by your organization's directory in
Azure AD, which controls access to your organization.
Select Personal account if you used your Microsoft account with Azure
DevOps. Your identity is authenticated by the global directory for
Microsoft accounts.
In addition, you can open a private or incognito browsing session and sign in, which can avoid the influence of the identity cached by the browser.
Here is the document about troubleshooting access via Azure AD you can refer to.
I'am recently installed Azure DevOps Server 2019 in on-premises server.
However, i'am so confused : How i can set the security and the user permission in the server, such as : Deny user to view author project in the same collection , create custom group not in the azure devops default groups ...
I ask for idea to implement that
Thank you
According to Azure DevOps permission setting, most groups and almost all permissions, Deny trumps Allow. If a user belongs to two groups, and one of them has a specific permission set to Deny, that user will not be able to perform tasks that require that permission even if they belong to a group that has that permission set to Allow.
Deny user to view author project in the same collection.
Assume you were talking about team project. In your scenario, the simplest way is not add that user to your team project. People without team project collection admin permission will not be able to see those projects which they are not added in.
If you already add users in the team project and want the user not be able to see some info such as repo/build/work items in the project .
You need to evidently deny those users for viewing some project repositories/builds/ work items.
As how to create group, you could directly click New Group in the right top corner of the page from Project Settings-- Permission
More details about how are permissions and groups defined, suggest you go through our official doc here-- About permissions and groups
Besides, you could also manage user permission with the help of command line. The tfssecurity command line tool allows us to manage permissions for Azure DevOps groups and users. We could use it in a PowerShell script to grant access to projects that already exists.
I try to use alternative credentials.
I write the name and password, then I press "Save", Azure DevOps shows me the message that the user was saved.
I navigate to other pages, if I return to the page, alternative credentials do not appear.
I have collection administrator permissions.
Another partner with the same permissions creates the alternative credential and Azure DevOps keeps the account.
The difference between the two users is that, I have a hotmail account associated with my Visual Studio license and the partner has the organization account.
I appreciate any support.
Alternate credentials has not been saved
As we know, the alternate credentials are created based on each user's account. To resolve this issue, make sure your account in current Organization.
However, what i want to say is that the security level of the alternate credentials is Least secure:
MS don't recommend using alternate credentials and Azure DevOps will no longer support Alternate Credentials authentication.
Deprecation Timeline
Beginning December 9, 2019 we will disable and hide Alternate Credentials settings for organizations that don’t have Alternate
Credentials set. This change will be in effect for all these
organizations by December 20, 2019.
In the coming months we will work with our customers that are still using the feature, to help them switch to another, more secure
authentication method.
March 2, 2020 – Start gradually disabling Alternate Credentials for all Azure DevOps organizations.
Check the dev blogs for some more details.
Hope this helps.
I want to get details of Azure Subscription of my client. But I do not want to ask for special permission from client.
What I need is the bare minimum things from my client so that I can login from powershell or rest api and read status of runbook jobs.
If i login from admin account of the subscription than I can easily get those details. But you understand it is not possible to have admin account credential of my client.
Please suggest some workaround.
What you need to do is create a user in Azure Active Directory and grant that user specific rights using either the Azure Portal or PowerShell\Cli\SDK.
Say read all, or read properties of desired automation account. If you would want like a super minumim, you would need to create a custom role first.
https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-custom-roles/
If your client placed specific resources within a Resource Group, they may grant you permissions on just that Resource Group (including read-only permissions). This would allow you to have access to needed resources, without having access to other areas of their subscription.
There are good instructions available here on changing the VSTS connection from one Azure AD to another: Change VSTS AD.
But what if you just want to remove the Azure AD integration, and just revert to using Microsoft Accounts?
I successfully performed all the steps in the instruction, up to the point of attaching a new target Azure AD. You'd think when the VSTS account was unlinked in Azure, it would no longer show up in VSTS.
But going to https://[AccountName].visualstudio.com/_admin/_home/settings still shows account being backed by the source directory.
Attempting to add a Microsoft Account based user at https://[AccountName].visualstudio.com/_user fails to find the account, presumably because it is looking the the Source Azure AD.
This is an important capability when transferring ownership of an account. Thanks for taking a look!
You can follow the steps here: Disconnect your Team Services account from Azure AD.
To stop using Azure AD and revert to using Microsoft accounts, you can
disconnect your Team Services account from its directory.
Here's what you'll need:
Microsoft accounts added to your Team Services account for all users.
Team Services account owner permissions for your Microsoft account.
Directory membership for your Microsoft account as an external user
and global administrator permissions. Azure AD members can't
disconnect Team Services accounts from directories.
With the help of Microsoft Premium Support, we did manage to get this worked out.
The problem was the Team Services was not disconnected from the associated Azure AD before it was unlinked. Then once it was unlinked, it appeared gone from Azure, leaving no way to disassociate Azure AD.
The documentation does show to first disconnect the VSTS account from Azure AD, and then “unlink” the account. Where I got into trouble was by using the new portal. It's pretty hard to even find the old portal anymore BTW).
The new portal has this nice handy unlink button, which is practically irresistible. If clicking it, then it declares success. There is nothing in the UI that prevents you from unlinking while still leaving the AD association. There is no option at all in the new UI portal, as far as I could find, to disconnect Team Services from Azure AD.
Once unlinked, the only fix is to relink, and then redo it all in the old portal as is indicated by the documentation.
This is much more difficult than it should be because it seems like something that should be simple to achieve through the web UI. These posts helped me, but I wanted to add my 2 cents:
In order to disconnect VSTS from AAD you need to be able to use the disconnect button on the configure tab in the old portal seen here. However, you can only use that button if you're the VSTS account owner and if your account is not sourced from the currently linked active directory (i.e. - a MS Account). But you can't make the VSTS account owner a MS account if you've used the portal's interface to add the MS Account to your AAD as an external user. This is because external users are added as Guest account type by default (rather than Member type). If you try to set the MS account as VSTS owner you get the "AAD guest users are not allowed to be collection owners" message seen here.
It's a chicken/egg thing which is made more difficult by the fact that the official documents for this process make no mention of the conflict you'll face. They read as if this should just work.
The answer is that (as of today) you can't do this without using Powershell or an AAD API to convert the MS Account from a "Guest" to a "Member" user type. There are a number or articles out there which walk through the older APIs to do this. Here is what I did with the latest PS:
First, log in to the directory you wish to unlink with an account which has permissions to modify members. Ideally an admin or owner.
Connect-AzureAD
Next, find the account you want to modify using this command:
Get-AzureADUser
Find the ObjectID of the user you want to convert from Guest to Member and then run this command:
Set-AzureADUser -ObjectId [ObjectID GUID Here] -UserType Member
This will convert the MS Account in the AAD you want to unlink to a 'member' type. In my situation I found that I had to remove the MS Account from VSTS and re-add it in order to trigger a refresh which allowed me to set it as account owner.
Now you just follow the documented steps:
set MS account as project owner. Save.
log in to old portal, go to configure tab, and disconnect
log back in everywhere to see the changes