| title | titleSuffix | ms.custom | description | ms.prod | ms.technology | ms.assetid | ms.topic | ms.manager | ms.author | author | ms.date | monikerRange |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
Troubleshoot adding, removing users in an organization |
Azure DevOps Services |
seodec18 |
Learn the answers to frequently asked questions (FAQs), like the permissions that are required to manage users and user access, find the organization owner, manage Visual Studio subscriptions, and more. |
devops |
devops-accounts |
7107fb6c-c132-45c2-a0d1-d44e9270e907 |
conceptual |
jillfra |
chcomley |
chcomley |
04/24/2019 |
azure-devops |
[!INCLUDE version-vsts-only]
A: To access and manage users, you must have Azure DevOps project collection administrator or organization owner permissions.
[!INCLUDE find-project-collection-administrator]
[!INCLUDE find-organization-owner]
[!INCLUDE user-delay]
A: Assign this access level to users who have active, valid Visual Studio subscriptions. Azure DevOps automatically recognizes and validates Visual Studio subscribers who have Azure DevOps as a benefit. You need the email address that's associated with the subscription.
For example, if a user selects Visual Studio/MSDN Subscriber but the user doesn't have a valid, active Visual Studio subscription, the user can work only as a Stakeholder.
A: See Azure DevOps benefits for Visual Studio subscribers.
A: See Why won't Azure DevOps recognize my Visual Studio subscription?
A: Azure DevOps recognizes Visual Studio subscribers. Azure DevOps automatically assigns a user access that's based on the user's subscription and not on the current access level that's assigned to the user.
A: If no other access levels are available, users can work as Stakeholders. To restore access, a user must renew their subscription.
A: On December 1, 2015, we replaced Visual Studio Online Professional with the Visual Studio Professional monthly subscription.
Although a Visual Studio Online Professional purchase now appears on your monthly invoice as a Visual Studio Professional monthly subscription, you need to transition manually to get the new offering. The transition provides an upgrade by offering access to unlimited organizations (not just one organization) like Visual Studio Online Professional.
The rest stays the same. You get monthly access to the Visual Studio Professional IDE. Pricing remains the same at $45 per user, per month. Learn more about Visual Studio subscriptions.
If you're purchasing user access to Visual Studio Professional for a specific organization (possible only if you purchased before November 2015) and want to upgrade, do the following:
-
Before the last day of the calendar month, sign in to your organization (
https://dev.azure.com/{yourorganization}). -
Select
Organization settings.
-
Select Billing.
-
Reduce the number of paid Visual Studio Online Professional users to 0.
This change takes effect on the first day of the next month. For the rest of the current calendar month, you aren't billed for any Visual Studio Online Professional users.
-
On the first day of the next calendar month, go to Visual Studio Marketplace Subscriptions > Visual Studio Professional - monthly subscription, and buy Visual Studio Professional monthly subscriptions for the same users. Learn how to buy Visual Studio subscriptions.
The value in Last Access is the last date a user accessed any resources or services. Accessing Azure DevOps includes using organizationname.visualstudio.com directly and using resources or services indirectly. For example, you might use the Azure Artifacts extension, or you might access the service by pushing code to Azure DevOps from a Git command line or IDE.
[!INCLUDE can-paid-Basic-users-join-other-organizations]
[!INCLUDE no-access-existing-features]
A: This might happen for different reasons (although the user can continue to work as a Stakeholder):
-
The user's Visual Studio subscription has expired. Meanwhile, the user can work as a Stakeholder, or you can give the user Basic access until the user renews their subscription. After the user signs in, Azure DevOps restores access automatically.
-
The Azure subscription used for billing is no longer active. This affects all purchases made with this subscription, including Visual Studio subscriptions. To fix this issue, visit the Azure account portal.
-
The Azure subscription used for billing was unlinked from your organization. Learn more about linking your organization.
-
Your organization has more users with Basic access than the number of users that you're paying for in Azure. Your organization includes five free users with Basic access. If you need to add more users with Basic access, you can pay for these users.
Otherwise, on the first day of the calendar month, users who haven't signed in to your organization for the longest time lose access first. If your organization has users who don't need access anymore, remove them from your organization.
-
The user no longer has access to features that are available only as extensions. This might happen for different reasons:
-
The user's access level no longer meets the extension's requirements. Most extensions require at least Basic access, not Stakeholder access. For more information, see the extension's description in the Marketplace.
-
The extension was uninstalled. Users can reinstall the extension by visiting the extension page in the Marketplace.
-
If the extension is a paid extension, the Azure subscription used for billing might be unlinked from your organization or might no longer be active. Learn more about linking your organization or visit the Azure portal to check payment details.
-
A: Your organization authenticates users and controls access through Azure Active Directory (Azure AD). All users must be directory members to get access.
If you're a directory administrator, you can add users to the directory. If you're not an administrator, work with your directory administrator to add users. Learn more about how to control access by using a directory.
[!INCLUDE does-organization-use-azuread]
Q: My organization controls access by using Azure Active Directory. Can I just delete users from the directory?
A: Yes, but deleting a user from the directory removes the user's access to all organizations and other assets associated with that directory. You must have Azure AD global administrator permissions to delete a user from your Azure AD directory.
Q: Why are "no identities found" when I try to add users from Azure AD to my Azure DevOps organization?
A: You're probably a guest in the Azure AD that backs your Azure DevOps organization, rather than a member. By default, Azure AD guests can't search the Azure AD in the manner required by Azure DevOps. Learn how to convert an Azure AD guest into a member.
A: Select from the following two options:
- Have the Azure AD administrator(s) remove you from the Azure AD and re-add you, making you an Azure AD member rather than a guest when they do. For more information, see Can Azure AD B2B users be added as members instead of guests.
- Change the UserType of the Azure AD guest using Azure AD PowerShell. This is an advanced process and is not advised, but it allows the user to query Azure AD from the Azure DevOps organization thereafter.
Warning
This is an advanced process and is not advised, but it allows the user to query Azure AD from the Azure DevOps organization thereafter.
Prerequisites
The user making the UserType change must have the following:
- A work/school account (WSA)/native user in Azure AD. You can't do this with a Microsoft Account.
- Global administrator permissions
Important
We recommend that you create a brand new (native) Azure AD user who is a global admin in the Azure AD, and then complete the following steps with that user. This new user should eliminate the possibility of connecting to the wrong Azure AD. You can delete the new user when you're done.
Process
-
Sign in to the Azure portal as global administrator for your organization's directory.
-
Go to the tenant that backs your Azure DevOps organization.
-
Check the UserType. Confirm that the user is a guest.
-
Open an Administrative Windows PowerShell prompt.
-
Execute
Install-Module -Name AzureAD. The Azure Active Directory PowerShell for Graph downloads from the PowerShell Gallery. You may see prompts about installing NuGet and untrusted repository, as pictured below. If you run into issues please review the system requirements and information at the Azure Active Directory PowerShell for Graph page.
-
Once the installation completes, execute
Connect-AzureAD. You're prompted to sign in to the Azure AD. Be sure to use an ID that meets the criteria above. -
Execute
Get-AzureADuser -SearchString "<display_name>", where <display_name> is part of the entire display name for the user, as seen inside the Azure portal). The command returns four columns for the user found - ObjectId, DisplayName, UserPrincipalName, UserType - and the UserType should say guest. -
Execute
Set-AzureADUser -ObjectID <string> -UserType Member, where is the value of ObjectId returned by the previous command. This should set the user to member status. -
Execute
Get-AzureADuser -SearchString "<display_name>"again to verify the UserType has changed. You can also verify this in the Azure Active Directory section of the Azure portal. While not the norm, we have seen it take several hours or even days before this change is reflected inside Azure DevOps. If it doesn't fix your Azure DevOps issue immediately, give it some time and keep trying.
[!INCLUDE choose-msa-azuread-account]
[!INCLUDE choose-msa-azuread-account2]
[!INCLUDE why-cant-sign-in-msa-azuread-account]
[!INCLUDE get-team-services-support]