| title | titleSuffix | ms.custom | description | ms.prod | ms.technology | ms.assetid | ms.topic | ms.manager | ms.author | author | ms.date | monikerRange |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
Troubleshoot adding, removing users in an organization |
Azure DevOps Services |
seodec18 |
Learn the answers to frequently asked questions (FAQs), like the permissions that are required to manage users and user access, find the organization Owner, manage Visual Studio subscriptions, and more. |
devops |
devops-accounts |
7107fb6c-c132-45c2-a0d1-d44e9270e907 |
conceptual |
jillfra |
chcomley |
chcomley |
08/12/2019 |
>= tfs-2013 |
[!INCLUDE temp]
A: To access and manage users, you must have Azure DevOps Project Collection Administrator or organization Owner permissions.
[!INCLUDE find-project-collection-administrator]
[!INCLUDE find-organization-owner]
[!INCLUDE user-delay]
A: Assign this access level to users who have active, valid Visual Studio subscriptions. Azure DevOps automatically recognizes and validates Visual Studio subscribers who have Azure DevOps as a benefit. You need the email address that's associated with the subscription.
For example, if a user selects Visual Studio/MSDN Subscriber, but the user doesn't have a valid, active Visual Studio subscription, they can work only as a Stakeholder.
A: See Azure DevOps benefits for Visual Studio subscribers.
A: See Why won't Azure DevOps recognize my Visual Studio subscription?
A: Azure DevOps recognizes Visual Studio subscribers. Azure DevOps automatically assigns a user access that's based on the user's subscription and not on the current access level that's assigned to the user.
A: If no other access levels are available, users can work as Stakeholders. To restore access, a user must renew their subscription.
A: In 2016, we replaced Visual Studio Online Professional with the Visual Studio Professional monthly subscription. Customers who'd been purchasing Visual Studio Online Professional were able to continue purchasing it after that point, but it wasn't available to new customers. On September 30, 2019, we'll officially retire Visual Studio Online Professional. As a courtesy, billing for it stopped after August 1, 2019.
When Visual Studio Online Professional is retired, any users that are still assigned to it are assigned to the best Azure DevOps access level available to your organization. As a result, your Professional users’ access may be downgraded to Basic or Stakeholder. To avoid being downgraded, buy a Visual Studio Professional monthly subscription and assign your Professional users to it. The monthly subscription has the same monthly cost as Visual Studio Online Professional.
Follow these instructions to identify if you have Professional users, buy a monthly subscription, and assign them to it by September 30, 2019:
-
Sign in to your organization (
https://dev.azure.com/{yourorganization}). -
Select
Organization settings.
-
Select Users and filter by access level to show only Professional users.
-
Assign your Professional users to the subscription in the Visual Studio subscriptions administration portal.
If you don’t complete these steps by September 30, 2019, and your users are downgraded to Basic or Stakeholder access, you may restore their Professional access at any time by following the instructions above.
The value in Last Access is the last date a user accessed any resources or services. Accessing Azure DevOps includes using organizationname.visualstudio.com directly and using resources or services indirectly. For example, you might use the Azure Artifacts extension, or you can push code to Azure DevOps from a Git command line or IDE.
[!INCLUDE can-paid-Basic-users-join-other-organizations]
[!INCLUDE no-access-existing-features]
A: A user can lose access for the following reasons (although the user can continue to work as a Stakeholder):
-
The user's Visual Studio subscription has expired. Meanwhile, the user can work as a Stakeholder, or you can give the user Basic access until the user renews their subscription. After the user signs in, Azure DevOps restores access automatically.
-
The Azure subscription used for billing is no longer active. All purchases made with this subscription are affected, including Visual Studio subscriptions. To fix this issue, visit the Azure account portal.
-
The Azure subscription used for billing was unlinked from your organization. Learn more about linking your organization.
-
Your organization has more users with Basic access than the number of users that you're paying for in Azure. Your organization includes five free users with Basic access. If you need to add more users with Basic access, you can pay for these users.
Otherwise, on the first day of the calendar month, users who haven't signed in to your organization for the longest time lose access first. If your organization has users who don't need access anymore, remove them from your organization.
-
The user no longer has access to features that are available only as extensions. This lack of access might happen for one of the following reasons:
-
The user's access level no longer meets the extension's requirements. Most extensions require at least Basic access, not Stakeholder access. For more information, see the extension's description in the Marketplace.
-
The extension was uninstalled. Users can reinstall the extension.
-
If the extension is a paid extension, the Azure subscription used for billing might be unlinked from your organization or might no longer be active. Learn more about linking your organization or visit the Azure portal to check payment details.
-
A: Your organization authenticates users and controls access through Azure Active Directory (Azure AD). All users must be directory members to get access.
If you're a directory administrator, you can add users to the directory. If you're not an administrator, work with your directory administrator to add users. Learn more about how to control access by using a directory.
[!INCLUDE does-organization-use-azuread]
Q: My organization controls access by using Azure Active Directory. Can I just delete users from the directory?
A: Yes, but deleting a user from the directory removes the user's access to all organizations and other assets associated with that directory. You must have Azure AD global administrator permissions to delete a user from your Azure AD directory.
Q: Why are "no identities found" when I try to add users from Azure AD to my Azure DevOps organization?
A: You're probably a guest in the Azure AD that backs your Azure DevOps organization, rather than a member. By default, Azure AD guests can't search the Azure AD in the manner required by Azure DevOps. Learn how to convert an Azure AD guest into a member.
A: Select from the following two options:
- Have the Azure AD administrator(s) remove you from the Azure AD and readd you, making you an Azure AD member, rather than a guest. For more information, see Can Azure AD B2B users be added as members instead of guests.
- Change the UserType of the Azure AD guest using Azure AD PowerShell. This is an advanced process we don't advise, but it allows the user to query Azure AD from the Azure DevOps organization thereafter.
Warning
This is an advanced process and is not advised, but it allows the user to query Azure AD from the Azure DevOps organization thereafter.
Prerequisites
The user making the UserType change must have the following:
- A work/school account (WSA)/native user in Azure AD. You can't change the UserType with a Microsoft Account.
- Global administrator permissions
Important
We recommend that you create a brand new (native) Azure AD user who is a global admin in the Azure AD, and then complete the following steps with that user. This new user should eliminate the possibility of connecting to the wrong Azure AD. You can delete the new user when you're done.
Process
-
Sign in to the Azure portal as global administrator for your organization's directory.
-
Go to the tenant that backs your Azure DevOps organization.
-
Check the UserType. Confirm that the user is a guest.
-
Open an Administrative Windows PowerShell prompt.
-
Execute
Install-Module -Name AzureAD. The Azure Active Directory PowerShell for Graph downloads from the PowerShell Gallery. You may see prompts about installing NuGet and untrusted repository, as pictured below. If you run into issues, review the system requirements and information at the Azure Active Directory PowerShell for Graph page.
-
Once the installation completes, execute
Connect-AzureAD. You're prompted to sign in to the Azure AD. Be sure to use an ID that meets the criteria above. -
Execute
Get-AzureADuser -SearchString "<display_name>", where <display_name> is part of the entire display name for the user, as seen inside the Azure portal). The command returns four columns for the user found - ObjectId, DisplayName, UserPrincipalName, UserType - and the UserType should say guest. -
Execute
Set-AzureADUser -ObjectID <string> -UserType Member, where is the value of ObjectId returned by the previous command. The user is set to member status. -
Execute
Get-AzureADuser -SearchString "<display_name>"again to verify the UserType has changed. You can also verify in the Azure Active Directory section of the Azure portal. While not the norm, we have seen it take several hours or even days before this change is reflected inside Azure DevOps. If it doesn't fix your Azure DevOps issue immediately, give it some time and keep trying.
[!INCLUDE choose-msa-azuread-account]
[!INCLUDE choose-msa-azuread-account2]
[!INCLUDE why-cant-sign-in-msa-azuread-account]
[!INCLUDE get-team-services-support]