I am trying to add a user into our VSTS. This user is a domain account on the company's Azure AD, which is connected to VSTS. The user does not show up in the directory. I imagine they no longer are with the company. However, I am trying to add them so that I can use git-tf to import a repository in TFVC format and use the --keep-author argument.
How can I add this user to VSTS and if I cannot, how should I proceed? I suppose I could create a nondomain email and map this user in the git-tf USERMAP file, but I'm not sure of the best course of action here.
Update: the git-tf mapping is not always working for me. I have added many users from the source repository but only some of them moved to the [mapped] section. Several are still in [unmapped] and one user I cannot add to VSTS because I believe it is a deactivated/deleted Azure AD account, so the add user process fails, saying "Aad guest invitation failed".
Thanks for your help!
You can add guest user to AD in azure portal.
Add guest users to a group
Related
I add external AD groups to my Organization/Project level just fine. That is, to share my Projects with them.
But, users belonging to the AD groups don't see anything from me on their Azure DevOps home page.
Only when I add them individually as Organization 'Users', they see my projects.
Wondering if I need to do something extra to make AD Groups fully work.
Permissions are Ok. I added the groups even as 'Project Administrators'.
Thank you.
First,you need to check if the organization is properly connected to AAD in the following article, Connect your organization to Azure AD .
Confirm that the connection process is complete. Sign out, and then open your browser in a private session and sign in to your organization with your Azure AD or work credentials.
You can let users to go to azure DevOps profile page to check if they switch to the corresponding domain.
I created a number of organizations in Azure DevOps to experiment with.
They were all visible under existing Microsoft accounts (subscription accounts).
Then I created an Active Directory and linked one of the organizations to the newly-created directory.
After signoff and signon, the organization can no longer be found.
When I select the new directory in DevOps, there is only a default organization without my test project.
When I tried the same with another organization, this one also disappeared.
Where did my DevOps organization go?
And how can I get them back?
You can try the following two ways to see if the organizations can be displayed.
1.Please try to access https://aex.dev.azure.com/ and change domain to see if your organization lists here.
2.Sign out completely from Azure DevOps by completing the following steps. Closing your browser might not sign you out completely. Sign in again and select your other identity:
Close all browsers, including browsers that aren't running Azure
DevOps.
Open a private or incognito browsing session.
Go to this URL: https://aka.ms/vssignout.
You see a message that says, "Sign out in progress." After you sign
out, you're redirected to the Azure DevOps #dev.azure.microsoft.com
webpage. If the sign-out page takes more than a minute to sign you out, close the browser and continue.
Sign in to Azure DevOps again. Select your other identity.
I had a similar issue when I previously logged in using "Personal" account, created organisation, and when logged out and logged in again selected "Work or Department" account, so I wasn't able to see my organisations because they were created and visible only on "Personal" account 'plan'.
I'am recently installed Azure DevOps Server 2019 in on-premises server.
However, i'am so confused : How i can set the security and the user permission in the server, such as : Deny user to view author project in the same collection , create custom group not in the azure devops default groups ...
I ask for idea to implement that
Thank you
According to Azure DevOps permission setting, most groups and almost all permissions, Deny trumps Allow. If a user belongs to two groups, and one of them has a specific permission set to Deny, that user will not be able to perform tasks that require that permission even if they belong to a group that has that permission set to Allow.
Deny user to view author project in the same collection.
Assume you were talking about team project. In your scenario, the simplest way is not add that user to your team project. People without team project collection admin permission will not be able to see those projects which they are not added in.
If you already add users in the team project and want the user not be able to see some info such as repo/build/work items in the project .
You need to evidently deny those users for viewing some project repositories/builds/ work items.
As how to create group, you could directly click New Group in the right top corner of the page from Project Settings-- Permission
More details about how are permissions and groups defined, suggest you go through our official doc here-- About permissions and groups
Besides, you could also manage user permission with the help of command line. The tfssecurity command line tool allows us to manage permissions for Azure DevOps groups and users. We could use it in a PowerShell script to grant access to projects that already exists.
I have created an organization on Azure DevOps with my email id ( created by me) which is the same as my email id associated with my azure subscription.
I want to create an organization with the name and URL what I created with my personal account in Microsoft associated account.
I deleted one which I created and tried creating by login as a Work Account, however, I get an error organization already exits.
How can I get it resolved?
Azure DevOps can be linked to an Azure Active Directory. In your situation, I strongly suggest you do the following steps to link it and transfer the ownership to your work account:
Make sure you can fully control both your work account and your personal Microsoft account.
Link your existing Azure DevOps organization to your Azure Active Directory.
Add your work account as an administrator in your Azure DevOps organization.
Transfer the ownership of the organization to your work account.
Kick your personal account out.
Here are some tips:
You can link existing Azure Active Directory like this:
You can change the ownership of your Azure DevOps organization like this:
Backup solution
Of course, you can delete the entire Azure DevOps organization and recreate it. To delete it, make sure all your data is safe. And press the Delete button in the Overview settings.
After deleting it and you can re-create a new organization with the same name using your work account.
There are good instructions available here on changing the VSTS connection from one Azure AD to another: Change VSTS AD.
But what if you just want to remove the Azure AD integration, and just revert to using Microsoft Accounts?
I successfully performed all the steps in the instruction, up to the point of attaching a new target Azure AD. You'd think when the VSTS account was unlinked in Azure, it would no longer show up in VSTS.
But going to https://[AccountName].visualstudio.com/_admin/_home/settings still shows account being backed by the source directory.
Attempting to add a Microsoft Account based user at https://[AccountName].visualstudio.com/_user fails to find the account, presumably because it is looking the the Source Azure AD.
This is an important capability when transferring ownership of an account. Thanks for taking a look!
You can follow the steps here: Disconnect your Team Services account from Azure AD.
To stop using Azure AD and revert to using Microsoft accounts, you can
disconnect your Team Services account from its directory.
Here's what you'll need:
Microsoft accounts added to your Team Services account for all users.
Team Services account owner permissions for your Microsoft account.
Directory membership for your Microsoft account as an external user
and global administrator permissions. Azure AD members can't
disconnect Team Services accounts from directories.
With the help of Microsoft Premium Support, we did manage to get this worked out.
The problem was the Team Services was not disconnected from the associated Azure AD before it was unlinked. Then once it was unlinked, it appeared gone from Azure, leaving no way to disassociate Azure AD.
The documentation does show to first disconnect the VSTS account from Azure AD, and then “unlink” the account. Where I got into trouble was by using the new portal. It's pretty hard to even find the old portal anymore BTW).
The new portal has this nice handy unlink button, which is practically irresistible. If clicking it, then it declares success. There is nothing in the UI that prevents you from unlinking while still leaving the AD association. There is no option at all in the new UI portal, as far as I could find, to disconnect Team Services from Azure AD.
Once unlinked, the only fix is to relink, and then redo it all in the old portal as is indicated by the documentation.
This is much more difficult than it should be because it seems like something that should be simple to achieve through the web UI. These posts helped me, but I wanted to add my 2 cents:
In order to disconnect VSTS from AAD you need to be able to use the disconnect button on the configure tab in the old portal seen here. However, you can only use that button if you're the VSTS account owner and if your account is not sourced from the currently linked active directory (i.e. - a MS Account). But you can't make the VSTS account owner a MS account if you've used the portal's interface to add the MS Account to your AAD as an external user. This is because external users are added as Guest account type by default (rather than Member type). If you try to set the MS account as VSTS owner you get the "AAD guest users are not allowed to be collection owners" message seen here.
It's a chicken/egg thing which is made more difficult by the fact that the official documents for this process make no mention of the conflict you'll face. They read as if this should just work.
The answer is that (as of today) you can't do this without using Powershell or an AAD API to convert the MS Account from a "Guest" to a "Member" user type. There are a number or articles out there which walk through the older APIs to do this. Here is what I did with the latest PS:
First, log in to the directory you wish to unlink with an account which has permissions to modify members. Ideally an admin or owner.
Connect-AzureAD
Next, find the account you want to modify using this command:
Get-AzureADUser
Find the ObjectID of the user you want to convert from Guest to Member and then run this command:
Set-AzureADUser -ObjectId [ObjectID GUID Here] -UserType Member
This will convert the MS Account in the AAD you want to unlink to a 'member' type. In my situation I found that I had to remove the MS Account from VSTS and re-add it in order to trigger a refresh which allowed me to set it as account owner.
Now you just follow the documented steps:
set MS account as project owner. Save.
log in to old portal, go to configure tab, and disconnect
log back in everywhere to see the changes