Error Connecting VSTS to AAD - azure-devops

We are trying to connect our existing VSTS account to AAD following the instructions at: https://learn.microsoft.com/en-us/vsts/accounts/connect-account-to-aad?view=vsts
When we try to perform the step at: 'Connect your VSTS account to your organization directory' #6, we receive the following error:
Account ****** connection to an AAD Tenant failed due to the error : Account entitlement not found in the dictionary for source identity 'dffde1b5-5781-4c53-bbb2-5ff5792383dc'.
We have tried this with 2 separate MSA accounts; one was existing, one we created from scratch. The MSA accounts are added as a guest to AAD. We have made it owner on the subscription; is there a permission that I am missing?
One answer said they just had to wait 12 hours, we have waited 24 with no change.
Any help would be appreciated.
Edit:
Hopefully this helps:
Request is to:
PATCH https://peprodscussu2.portalext.visualstudio.com/_apis/AzureTfs/Account/b7615ac7-c2f6-466c-9f73-b8ed37258259?tenantId=f1295c9e-6264-403f-a42b-5be8fd3266fa HTTP/1.1
Response shows 500 Internal Server Error:
{"$id":"1","innerException":null,"message":"Account entitlement not found in the dictionary for source identity 'dffde1b5-5781-4c53-bbb2-5ff5792383dc'.","typeName":"Microsoft.VisualStudio.Services.Licensing.TransferUserLicenseException, Microsoft.VisualStudio.Services.WebApi","typeKey":"TransferUserLicenseException","errorCode":0,"eventId":3000}
Let me know if there is additional information from Fiddler that you need.

The issue was on Microsoft's end. Apparently there were duplicate orphaned user entries for a user that had been deleted 3 years ago from the VSTS account. They had to manually correct it. Thanks for your help.

Related

Azure DevOps Release Pipeline Managed Identity App Service Error On Deployment

I am just new to Azure Cloud and DevOps, so forgive me if I may forget some critical info here.
So during creation of tasks for the release and selecting subscriptions, I get an error when trying to authorize the subscription (which I suspect is because of insufficient permissions associated with my account), so I go to advanced options to select the managed identity authentication.
After which no error shows now. So I set all remaining items and assign Deploy Azure App Service task. However during the running of the agent I get an error during Deploy Azure App Service step.
Error: Failed to get resource ID for resource type 'Microsoft.Web/Sites' and resource name 'sample-vue'. Error: Could not fetch access token for Managed Service Principal. Please configure Managed Service Identity (MSI) for virtual machine 'https://aka.ms/azure-msi-docs'. Status code: 400, status message: Bad Request
I have already set my Azure App Service to have a system-assigned managed identity, but still this error occurs. I can't find any answer online with regard to the error above, so I am hoping that someone could help explain to me the problem and how to possibly fix it. My hunch now is that I may have some insufficient permissions, but I don't know what it may be.
Please try the following items:
Remove and re-add the service connection in DevOps.
Check the rights of the account on Azure subscription. Please verify if the account has at least contributor access on Azure subscriptions. Check https://learn.microsoft.com/en-us/azure/billing/billing-add-change-azure-subscription-administrator

What and where are the required permissions to republish existing VS Code extension?

A year ago I published a Visual Studio Code extension with vsce. I wish to publish an update, but lost the old token. I created a new one, but have not been able to find the right combination of permissions to republish.
Without supplying a new token, I get:
> vsce publish
ERROR Failed request: (401)
Using the new token with Full access scope on All accessible organizations or with the documented Marketplace scopes, I get:
> vsce publish -p newtoken
ERROR Access Denied: xxx needs the following permission(s) on the resource /aaa/bbb to perform this action: Make changes to, share, or view certificate of an existing extension
What have I missed in setting up permissions to republish?
Arg. I should have known once I took the time to post a question I'd figure out the problem. Back story: After adopting Azure AD, there was great confusion among developers here between Office 365 accounts and Microsoft accounts--because we had been advised to use the same email address for both.
Long story short, the problem was I was attempting to publish using a token from my Office 365 account, when the extension was originally published under my Microsoft account. It was long enough ago that I didn't remember that. I also gave my O365 account access to the organization owned by my Microsoft account, so I could conveniently access various resources with either one.
I created a new token under my Microsoft account, and boom, publish succeeded.

Error: The access token is from the wrong issuer 'https://sts.windows.net/***/'

I recently changed Azure subscription and need to add the same in Azure DevOps as a service connection. When trying to create a new service connection for the changed subscription I am getting the error below:
Failed to query service connection API: 'https://management.azure.com/subscriptions/{id}/resourcegroups?api-version=2016-02-01'. Status Code: 'Unauthorized', Response from server:
'{"error":{"code":"InvalidAuthenticationTokenTenant","message":"The access token is from the wrong issuer 'https://sts.windows.net/{id}/'. It must match the tenant 'https://sts.windows.net/{id}/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/{id}' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later."}}'
With the subscription, the Azure Active Directory is also changed. Do I need to change the AD in Azure DevOps? Or how do I resolve this error?
Thanks.
If your subscription is in another tenant, you may need to change it.
See : https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/change-azure-ad-connection?view=azure-devops
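The InvalidAuthenticationTokenTenant error above comes down to one claim in the access token: its issuer (`iss`) names the tenant that minted the token, and Azure Resource Manager requires that tenant to be the one the subscription belongs to. The script below is an added diagnostic example, not code from the question or from Microsoft: it builds a constructed, unsigned sample token, decodes the payload without verifying the signature (so it is for diagnosis only, never for authorization), and reports whether the issuer matches the subscription's tenant and which authority URL the error message says to use instead. The tenant IDs and the `check_token_tenant` / `build_sample_token` names are assumptions for illustration.

```python
import base64
import json


def _b64url(segment: bytes) -> str:
    # JWT segments use base64url without trailing padding.
    return base64.urlsafe_b64encode(segment).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding JWTs strip before decoding (edge case: length % 4 != 0).
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def build_sample_token(tenant_id: str) -> str:
    """Constructed, unsigned sample token (alg=none) for illustration only.

    Real AAD tokens are signed; their claims must not be trusted until the
    signature is verified. Here we only need the claims for diagnosis."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {
        "iss": f"https://sts.windows.net/{tenant_id}/",
        "tid": tenant_id,
        "aud": "https://management.azure.com/",
        "sub": "00000000-0000-0000-0000-000000000000",  # placeholder subject
    }
    parts = [
        _b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    ]
    return ".".join(parts) + "."  # empty signature segment


def token_claims(token: str) -> dict:
    """Decode the payload segment of a JWT WITHOUT verifying its signature."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(segments[1]))


def check_token_tenant(token: str, subscription_tenant_id: str) -> dict:
    """Compare the token's issuer with the tenant that owns the subscription.

    Mirrors the check behind InvalidAuthenticationTokenTenant: the issuer must
    equal https://sts.windows.net/<subscription tenant>/."""
    claims = token_claims(token)
    expected_issuer = f"https://sts.windows.net/{subscription_tenant_id}/"
    actual_issuer = claims.get("iss", "")
    return {
        "token_tenant": claims.get("tid"),
        "expected_issuer": expected_issuer,
        "actual_issuer": actual_issuer,
        "matches": actual_issuer == expected_issuer,
        # The authority the error message tells you to acquire the token from.
        "authority_to_use": f"https://login.windows.net/{subscription_tenant_id}",
    }


if __name__ == "__main__":
    # Constructed tenant IDs: the subscription now lives in NEW_TENANT, but the
    # service connection still holds a token issued by OLD_TENANT.
    NEW_TENANT = "11111111-1111-1111-1111-111111111111"
    OLD_TENANT = "22222222-2222-2222-2222-222222222222"
    stale = check_token_tenant(build_sample_token(OLD_TENANT), NEW_TENANT)
    fresh = check_token_tenant(build_sample_token(NEW_TENANT), NEW_TENANT)
    print("stale token:", stale)
    print("fresh token:", fresh)
```

When `matches` is False the fix is not a permission change but re-acquiring the token from the authority URL for the subscription's current tenant, which in Azure DevOps means recreating the service connection (or changing the organization's Azure AD connection, as the answer links) so it authenticates against that tenant.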

Connecting Azure Active Directory to VSTS fails

I have followed the steps on https://learn.microsoft.com/en-us/vsts/accounts/connect-account-to-aad?view=vsts to get my VSTS instance to use Azure Active Directory. When I click "Connect" I get the error:
Account [VSTS instance name] connection to an AAD Tenant failed due to the error : Aad guest user cannot be made an owner of the account. Owner identity: (id: [id]; mid: [id]; cuid: [id])
Looking through the list of users I can see that I am logged in as a user that is present on both VSTS and AAD, and that the AAD user has a User Type = Member.
Originally the user was set up as Guest, and using PowerShell I changed them to Member. This seemed to change the user type immediately, but I still get the error above, even after waiting approx. 36 hours so far.
Is there something else I need to do here?
As per my comment above:
I have managed to fix this by dropping the user completely and creating a brand new MSA account and starting again. I don't know what I did wrong the first time round, but it is working now with the brand new user.

VSTS Error - AAD Tenant disconnection failed

Trying to disconnect VSTS Account from one AD Tenant to Another using https://learn.microsoft.com/en-us/vsts/accounts/disconnect-account-from-aad?view=vsts
Performed the following:
Added Microsoft Account to VSTS
Added Microsoft Account as Owner
Gave this guest account in AzureAD Global Admin Rights and Owner Role on Subscription
Logged in to VSTS and Azure Successfully
Attempted to Disconnect and received the following error:
AAD Tenant disconnection failed: AAD Tenant disconnection failed due to the error : Account entitlement not found in the dictionary for source identity 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'.
Repeated with 3 different Microsoft Accounts, same issue. Cannot find any information on this error.
Help!
Patience is the answer! Waited for 12 hours and the issue disappeared.