Trying to disconnect VSTS Account from one AD Tenant to Another using https://learn.microsoft.com/en-us/vsts/accounts/disconnect-account-from-aad?view=vsts
Performed the following:
Added Microsoft Account to VSTS
Added Microsoft Account as Owner
Gave this guest account in AzureAD Global Admin Rights and Owner Role on Subscription
Logged in to VSTS and Azure Successfully
Attempted to Disconnect and received the following error:
AAD Tenant disconnection failed: AAD Tenant disconnection failed due to the error : Account entitlement not found in the dictionary for source identity 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'.
Repeated with 3 different Microsoft Accounts - same issue. Cannot find any information on this error.
Help!
Patience is the answer! Waited for 12 hours and the issue disappeared.
I'm trying to connect my Azure DevOps Organization to my Azure AD Tenant. I'm the only user in both. I connect to both using my personal Microsoft (@outlook.com) account. However, when I'm trying to link my DevOps orga to my Azure AD Tenant, Azure DevOps doesn't see me as a member of the Azure AD Tenant that I'm trying to connect to, even though I'm connected in Azure with the same Microsoft account that I use on Azure DevOps... I'm following the steps mentioned here.
Below pic shows the error message I'm getting while trying to connect my Azure DevOps orga to my Default Azure AD Tenant:
Here, you can see that I'm connected in my Azure AD Tenant with the same Microsoft account as in the previous picture:
Tried to do the same where only one member, who is the only admin, is present in the Azure AD tenant. But could successfully connect to Azure DevOps.
Please make sure you are connecting to an already existing AAD tenant and then creating the connection. Check if admin permissions are given.
I had these roles assigned.
I had guest user access same as member access
Could smoothly connect without any warnings to the same domain as that of Azure AD.
I tried to reproduce the issue, so I tried to connect with the other tenant/directory and got an error similar to yours, which is not your case, as you mentioned you have the same directory domain.
So in your case, please close all other tabs and sign in to only the required tenant, both in Azure AD and in Azure DevOps.
Please check the access permissions for this organization, if the organization is denied access for external access.
See Access via Azure AD FAQs | Microsoft Docs which can guide to troubleshoot your error cause and it says to have co-admin or service admin permissions.
Also, please take the points by @jessehouwing in the comments into consideration if the issue is still there: create a new Global Admin user account in AAD; add this user to the DevOps organisation, set it as owner and give it Project Collection Administrators permission; remove that domain from the DevOps org, re-add it to the org and re-assign as the owner.
Else it might be some issue with the default directory permissions. You may contact and report a problem in https://developercommunity.
So I am trying to build a Machine Learning pipeline on Azure DevOps. I followed this tutorial: https://www.azuredevopslabs.com/labs/vstsextend/aml/#author-praneet-singh-solanki
However, in Exercise 1- Step 3: Create or get workspace, I'm facing an error while authorising my Azure Subscription.
"Error: Insufficient privileges to complete the operation. Ensure that the user has permissions to create an Azure Active Directory Application."
Here is a snapshot of the problem. Also, my subscription is free tier as of now. Could that be a reason?
My subscription is free tier as of now. Could that be a reason?
No, you don't need to worry about this. For free credit, we offered $200 free quota, and also the use will not be limited (just limit use depth only).
"Error: Insufficient privileges to complete the operation. Ensure that the user has permissions to create an Azure Active Directory Application."
This issue should be caused by your incorrect role setting. Even if you are owner of AAD or application, if you did not assign the role of Application administrator, you will still receive the error of permission not enough.
Please assign the role of your AD application to an Administrator permission. Go to Azure Portal -> Azure Active Directory -> Users, then search for your account which you will use in the Azure DevOps pipeline, and then follow the below setting to assign the role.
Then go back to Azure DevOps, refresh the Azure Subscription and authorize again.
I am trying to connect an existing MS-based DevOps organisation to our AAD (O365). I have a user account nnn@outlook.com in DevOps that is both Organization Owner and a Collection Administrator.
The same outlook.com account is a Member of the target Tenant directory. I can login to portal.azure.com using that account and see all the details of the AAD. I have made the account a Global Administrator.
When I click Connect Directory, I get a list of the tenants that account has access to. My target is there and I have confirmed that the Tenant ID matches.
When trying to connect I get the error message:
"User: nnnn@outlook.com is not allowed to link organization: xxxx to AAD tenant: zzzzz. Only active members of the AAD tenant are allowed to perform the link."
I tried creating a clean guest account, PS'd it to become a Member, but get the same result.
Any suggestions greatly appreciated.
When trying to migrate from TFS to Azure DevOps I run into an error during the import phase:
[Error] VS4032856: The identity Rémi Benoit belongs to a different Azure Active Directory (AAD) tenant than the identity used during the prepare step. Please sign in with an identity in the same AAD tenant or re-run the prepare step using this identity.
The user I used for the prepare step is registered on the AAD tenant. I can login to Azure portal with it and read user details on the AAD page of the portal.
A possible problem: my user was created on a different tenant. I was then invited as a guest to the tenant domain used in the import. I can list all the users on the AAD from the Azure portal. I also changed my default Azure directory to the tenant of the import.
Should I use an account created specifically on the AAD to execute the import? Or am I just missing some rights?
Fixed my problem by using another account.
Switched from using a guest account to a member account on the AAD.
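The two questions above both depend on how the signing-in identity is represented in the target tenant (guest or member). The following is an added example, not code from any of the posters, that reads that state with the Microsoft Graph PowerShell SDK before a link or import is attempted; the parameter names are hypothetical, and it assumes the Microsoft.Graph.Users module and permission to read users in the tenant.

```powershell
# Added example: report how a sign-in address is represented in a tenant.
# Assumes the Microsoft.Graph.Users module and rights to read users.
param(
    [Parameter(Mandatory)] [string] $TenantId,    # hypothetical parameter: target tenant ID
    [Parameter(Mandatory)] [string] $SignInName   # hypothetical parameter: address used to sign in
)

Connect-MgGraph -TenantId $TenantId -Scopes 'User.Read.All' | Out-Null

# An invited Microsoft account gets a UPN of the form name_outlook.com#EXT#@<tenant>,
# so match on mail and otherMails as well as on userPrincipalName.
$e       = $SignInName.Replace("'", "''")   # escape single quotes for the OData filter
$filters = "userPrincipalName eq '$e'", "mail eq '$e'", "otherMails/any(m:m eq '$e')"
$props   = 'id', 'userPrincipalName', 'mail', 'userType',
           'externalUserState', 'creationType', 'accountEnabled'

$found = foreach ($f in $filters) { Get-MgUser -Filter $f -Property $props -All }
$found = @($found | Sort-Object -Property Id -Unique)

if ($found.Count -eq 0) {
    Write-Warning "No user object matches '$SignInName' in tenant $TenantId."
    return
}
if ($found.Count -gt 1) {
    Write-Warning "$($found.Count) user objects match '$SignInName'; review each one."
}

foreach ($u in $found) {
    [pscustomobject]@{
        ObjectId          = $u.Id
        UserPrincipalName = $u.UserPrincipalName
        UserType          = $u.UserType
        ExternalUserState = $u.ExternalUserState
        CreationType      = $u.CreationType
        AccountEnabled    = $u.AccountEnabled
    }
    if ($u.UserType -ne 'Member') {
        Write-Warning "$($u.UserPrincipalName) has userType '$($u.UserType)', not 'Member'."
    }
    if ($u.ExternalUserState -eq 'PendingAcceptance') {
        Write-Warning "$($u.UserPrincipalName) has not redeemed its invitation yet."
    }
    if ($u.AccountEnabled -eq $false) {
        Write-Warning "$($u.UserPrincipalName) is disabled in this tenant."
    }
}
```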
We are trying to connect our existing VSTS account to AAD following the instructions at: https://learn.microsoft.com/en-us/vsts/accounts/connect-account-to-aad?view=vsts
When we try to perform the step at: 'Connect your VSTS account to your organization directory' #6, we receive the following error:
Account ****** connection to an AAD Tenant failed due to the error : Account entitlement not found in the dictionary for source identity 'dffde1b5-5781-4c53-bbb2-5ff5792383dc'.
We have tried this with 2 separate MSA accounts; one was existing, one we created from scratch. The MSA accounts are added as a guest to AAD. We have made it owner on the subscription. Is there a permission that I am missing?
One answer said they just had to wait 12 hours, we have waited 24 with no change.
Any help would be appreciated.
Edit
Hopefully this helps:
Request is to:
PATCH https://peprodscussu2.portalext.visualstudio.com/_apis/AzureTfs/Account/b7615ac7-c2f6-466c-9f73-b8ed37258259?tenantId=f1295c9e-6264-403f-a42b-5be8fd3266fa HTTP/1.1
Response shows 500 Internal Server Error:
{"$id":"1","innerException":null,"message":"Account entitlement not found in the dictionary for source identity 'dffde1b5-5781-4c53-bbb2-5ff5792383dc'.","typeName":"Microsoft.VisualStudio.Services.Licensing.TransferUserLicenseException, Microsoft.VisualStudio.Services.WebApi","typeKey":"TransferUserLicenseException","errorCode":0,"eventId":3000}
Let me know if there is additional information from Fiddler that you need.
The issue was on Microsoft's end. Apparently there were duplicate orphaned user entries for a user that had been deleted 3 years ago from the VSTS account. They had to manually correct it. Thanks for your help.