-
Notifications
You must be signed in to change notification settings - Fork 2.5k
/
Copy pathfaq-azure-access.yml
481 lines (358 loc) · 32.1 KB
/
faq-azure-access.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
### YamlMime:FAQ
metadata:
title: Access via Azure AD FAQs
ms.custom: seodec18, fasttrack-edit, engagement-fy23
description: Learn the answers to frequently asked questions (FAQs), like how to understand Azure AD groups, add users, connect to, disconnect from, or switch your directory.
ms.subservice: azure-devops-organizations
ms.assetid: d51de748-c53e-4468-ad9b-275d6bf1a4dd
ms.topic: faq
ms.author: chcomley
author: chcomley
ms.date: 03/02/2023
monikerRange: 'azure-devops'
title: Access via Azure AD FAQs
summary: |
[!INCLUDE [version-eq-azure-devops](../../includes/version-eq-azure-devops.md)]
[!INCLUDE [alt-creds-deprecation-notice](../../includes/alt-creds-deprecation-notice.md)]
Learn the answers to the following frequently asked questions (FAQs) about access to your Azure DevOps organization via Azure Active Directory (AD). We grouped the FAQs by the following subjects:
- [General](#general)
- [Azure AD users and permissions](#azure-ad-users-and-permissions)
- [Azure AD groups](#azure-ad-groups)
- [Add users to directory](#add-users-to-directory)
- [Remove users or groups](#remove-users-or-groups)
- [Connect to, disconnect from, or switch connection with Azure AD](#faq-connect)
<a name="general"></a>
sections:
- name: General access with Azure AD
questions:
- question: |
Why don't I see my organization in the Azure portal?
answer: |
In both applications, you must have
[Azure Service Administrator or Co-administrator](/azure/billing-add-change-azure-subscription-administrator)
permissions for the Azure subscription that's linked to your organization in Azure DevOps.
Also, in the [Azure portal](https://portal.azure.com), you must have Project Collection Administrator or organization owner permissions.
- question: |
What do I need to set up an existing Azure DevOps instance with Azure AD?
answer: |
Ensure you meet the prerequisites in the following article, [Connect your organization to Azure AD](connect-organization-to-azure-ad.md).
- question: |
I made changes to Azure Active Directory (Azure AD), but they didn't seem to take effect, why?
answer: |
Changes made in Azure AD can take up to 1 hour to be visible in Azure DevOps.
<a name="o365aad"></a>
- question: |
Can I use Microsoft 365 and Azure AD with Azure DevOps?
answer: |
**Yes**.
- Don't have an organization yet? [Create an organization in Azure DevOps](https://aka.ms/SignupAzureDevOps).
- Already have an organization? [Connect your organization to Azure AD](connect-organization-to-azure-ad.md).
<a name="ChooseOrgAcctMSAcct"></a>
[!INCLUDE [choose-msa-azuread-account](../../includes/qa-choose-msa-azuread-account.md)]
[!INCLUDE [choose-msa-azuread-account2](../../includes/qa-choose-msa-azuread-account2.md)]
<a name="ChangeMSA"></a>
- question: |
My organization uses Microsoft accounts only. Can I switch to Azure AD?
answer: |
**Yes**, but before you switch, make sure that Azure AD meets your needs for sharing the following items:
- work items
- code
- resources
- other assets with your team and partners
Learn more about
controlling access with Microsoft accounts versus Azure AD, and [how to switch when you're ready](access-with-azure-ad.md).
[!INCLUDE [why-cant-sign-in-msa-azuread-account](../../includes/qa-why-cant-sign-in-msa-azuread-account.md)]
- question: |
What happens if my Azure subscription is disabled?
answer: |
If you're the organization owner or
[Azure subscription Account Administrator](/azure/billing/billing-add-change-azure-subscription-administrator),
check your subscription status in the [Account Center](https://account.windowsazure.com/),
then try to [fix your subscription](/azure/billing-subscription-become-disable).
Your paid settings are restored.
Or you can link your organization to another Azure subscription by
[unlinking your organization from the disabled subscription](../billing/change-azure-subscription.md).
While your subscription is disabled, your organization goes back to the free
monthly limits until your subscription is fixed.
<a name="azure-ad-users-and-permissions"></a>
#### Azure AD users and permissions
If you don't find an answer to your question here, see [User and permissions management FAQs](./faq-user-and-permissions-management.yml?view=azure-devops).
- question: |
Why do I have to add users to a directory?
answer: |
Your organization authenticates users and controls access through Azure Active Directory (Azure AD). All users must be directory members to get access.
As a directory administrator, you can [add users to the directory](/previous-versions/azure/hh967632(v=azure.100)). If you're not an administrator, work with your directory administrator to add users. Learn more about [controlling access to Azure DevOps Services by using a directory](access-with-azure-ad.md).
- question: |
What happens to current users?
answer: |
Your work in Azure DevOps Services is associated with your credentials for Azure AD. After your organization is connected to your directory, users continue working seamlessly if their credential addresses appear in the connected directory. If users' addresses don't appear, you must [add those users to your directory](/azure/active-directory/fundamentals/add-users-azure-active-directory). Your organization might have policies about adding users to the directory, so find out more first.
- question: |
How do I find out whether my organization uses Azure AD to control access?
answer: |
If you have at least Basic access, go to your **Organization settings**, and then select the **Azure Active Directory** tab. You either have an option to **Connect directory**, or **Disconnect directory**.
<a name="DeleteFromDirectory"></a>
- question: |
My organization controls access by using Azure Active Directory. Can I just delete users from the directory?
answer: |
Yes, but deleting a user from the directory removes the user's access to all organizations and other assets associated with that directory. You must have Azure AD global administrator permissions to [delete a user from your Azure AD directory](/azure/active-directory/fundamentals/add-users-azure-active-directory).
<a name="no-identities"></a>
- question: |
Why are "no identities found" when I try to add users from Azure AD to my Azure DevOps organization?
answer: |
You're probably a *guest* in the Azure AD that backs your Azure DevOps organization, rather than a *member*. Azure AD guests can't search the Azure AD in the manner required by Azure DevOps. For example, Azure AD guests can't use the Azure DevOps web portal to search for or select users who haven't already been added to the Azure DevOps organization. Learn how to [convert an Azure AD guest into a member](#how-can-i-convert-an-azure-ad-guest-into-a-member).
- question: |
What if we can't use the same sign-in addresses?
answer: |
Add these users to the directory with new work or school accounts, and reassign access levels and readd them to any projects. If they have existing work or school accounts, those accounts can be used instead. Work isn't lost and stays with their current sign-in addresses. Users can migrate work that they want to keep, except for their work history. For more information, see [how to add organization users](add-organization-users.md).
- question: |
What if I accidentally delete a user in Azure AD?
answer: |
[Restore the user](/azure/active-directory/fundamentals/active-directory-users-restore), rather than create a new one. If you create a new user, even with the same email address, this user isn't associated with the previous identity.
<a name="how-can-i-convert-an-azure-ad-guest-into-a-member"></a>
- question: |
How can I convert an Azure AD guest into a member?
answer: |
Select from the following two options:
* Have the Azure AD administrator(s) remove you from the Azure AD and readd you, making you an Azure AD *member*, rather than a *guest*. For more information, see [Can Azure AD B2B users be added as members instead of guests?](/azure/active-directory/b2b/user-properties#can-azure-ad-b2b-users-be-added-as-members-instead-of-guests).
* [Change the UserType of the Azure AD guest using Azure AD PowerShell](#convert-azure-ad-usertype-from-guest-to-member-using-azure-ad-powershell). [We don't advise](/azure/active-directory/external-identities/user-properties#convert-usertype) using this advanced process, but it allows the user to query Azure AD from the Azure DevOps organization.
#### Convert Azure AD UserType from guest to member using Azure AD PowerShell
> [!WARNING]
> This process is advanced, which [we don't advise](/azure/active-directory/external-identities/user-properties#convert-usertype), but it allows the user to query Azure AD from the Azure DevOps organization.
**Prerequisites**
The user making the UserType change must have the following items:
* A work/school account (WSA)/native user in Azure AD. You can't change the UserType with a Microsoft Account.
* Global administrator permissions
> [!IMPORTANT]
> We recommend that you create a brand new (native) Azure AD user who's a global admin in the Azure AD. Then, complete the following steps with that user. This new user should eliminate the possibility of connecting to the wrong Azure AD. You can delete the new user when you're done.
**Process**
1. Sign in to the [Azure portal](https://portal.azure.com) as global administrator for your organization's directory.
2. Go to the tenant that backs your Azure DevOps organization.
3. Check the UserType. Confirm that the user is a *Guest*.
4. Open an Administrative Windows PowerShell prompt.
5. Execute `Install-Module -Name AzureAD`. The [Azure Active Directory PowerShell for Graph](/powershell/azure/active-directory/install-adv2?&preserve-view=true&view=azureadps-2.0) downloads from the PowerShell Gallery. You may see prompts about installing NuGet and untrusted repository, pictured as follows. If you run into issues, review the system requirements and information at the [Azure Active Directory PowerShell for Graph](/powershell/azure/active-directory/install-adv2?view=azureadps-2.0&preserve-view=true) page.
6. Once the installation completes, execute `Connect-AzureAD`. You're prompted to sign in to the Azure AD. Be sure to use an ID that meets the previously mentioned criteria.
7. Execute `Get-AzureADuser -SearchString "<display_name>"`, where <display_name> is part of the entire display name for the user, as seen inside the Azure portal). The command returns four columns for the user found - ObjectId, DisplayName, UserPrincipalName, UserType - and the UserType should say *guest*.
8. Execute `Set-AzureADUser -ObjectID string -UserType Member`, where `string` is the value of ObjectId returned by the previous command. The user is set to member status.
9. Execute `Get-AzureADuser -SearchString "<display_name>"` again to verify the UserType has changed. You can also verify in the Azure Active Directory section of the Azure portal.
While not the norm, we've seen it takes several hours, or even days before this change is reflected inside Azure DevOps. If it doesn't fix your Azure DevOps issue immediately, give it some time and keep trying.
<a name="azure-ad-groups"></a>
- name: Azure AD groups
questions:
- question: |
Why can't I assign Azure DevOps permissions directly to an Azure AD group?
answer: |
Because these groups are created and managed in Azure, you can't assign Azure DevOps permissions directly or secure version control paths to these groups. You get an error if you try to assign permissions directly.
You can add an Azure AD group to the Azure DevOps group that has the permissions you want. Or,
you can assign these permissions to the group instead. Azure AD group members inherit permissions from the group where you add them.
- question: |
Can I manage Azure AD groups in Azure DevOps?
answer: |
No, because these groups are created and managed in Azure. Azure DevOps doesn't store or sync member status for Azure AD groups. To manage Azure AD groups, use the [Azure portal](https://portal.azure.com), Microsoft Identity Manager (MIM),
or the group management tools that your organization supports.
- question: |
How do I tell the difference between an Azure DevOps group and an Azure AD group?
answer: |
The Azure DevOps UI indicates membership scope using brackets `[]`. For example, consider this permissions settings page:
| Scope name | Definition |
|:--|:--|
| `[fabrikam-fiber]` | Membership is defined in Organization Settings |
| `[Project Name]` | Membership is defined in Project Settings |
| `[TEAM FOUNDATION]` | Membership is defined _directly_ in Azure AD |
> [!Note]
> If you add an Azure AD group to a custom security group _and_ use a similar name, you may see what appears to be duplicate groups. Examine the scope in `[]` to determine which is a DevOps Group and which is an Azure AD Group.
- question: |
Why doesn't the Users list show all Azure AD group members?
answer: |
These users have to sign in to your organization before they appear in Users.
<a name="AssignLicenses"></a>
- question: |
How do I assign organization access to Azure AD group members?
answer: |
When these group members sign in to your organization for the first time, Azure DevOps assigns an access level to them automatically. If they have
[Visual Studio subscriptions](faq-user-and-permissions-management.yml#EligibleMSDNSubscriptions),
Azure DevOps assigns the respective access level to them. Otherwise, Azure DevOps assigns them the next "best available"
[access level](https://visualstudio.microsoft.com/pricing/visual-studio-online-feature-matrix-vs), in this order: Basic, Stakeholder.
If you don't have enough access levels for all Azure AD group members, those members who sign in get a Stakeholder access.
- question: |
Why doesn't the Security tab show all members when I select an Azure AD group?
answer: |
The Security tab shows Azure AD group members only after they sign in to your organization, and have an access level assigned to them.
To see all Azure AD group members, use the [Azure portal](https://portal.azure.com), MIM, or the group management tools that your organization supports.
- question: |
Why doesn't the team members widget show all Azure AD group members?
answer: |
The team members widget shows only users who previously signed in to your organization.
- question: |
Why doesn't the team capacity pane show all Azure AD group members?
answer: |
The team capacity pane shows only users who previously signed in to your organization.
To set capacity, manually add users to your team.
- question: |
Why doesn't Azure DevOps reclaim access levels from users who aren't Azure AD group members anymore?
answer: |
Azure DevOps doesn't automatically reclaim access levels from these users. To manually remove their access, go to **Users**.
- question: |
Can I assign work items to Azure AD group members who haven't signed in?
answer: |
You can assign work items to any Azure AD member who has permissions for your organization. This action also adds that member to your organization. When you add users this way, they automatically appear as Users, with the best available
access level. The user also appears in the security settings.
- question: |
Can I use Azure AD groups to query work items by using the "In Group" clause?
answer: |
No, we don't support querying on Azure AD groups.
- question: |
Can I use Azure AD groups to set up field rules in my work item templates?
answer: |
No, but you might be interested in our [process customization plans](https://devblogs.microsoft.com/devops/visual-studio-online-process-customization-update/).
<a name="add-users-to-directory"></a>
#### Add users to directory
[Add organization users to your Azure Active Directory](/azure/active-directory/fundamentals/add-users-azure-active-directory).
- question: |
Why did I get an error stating that my organization has multiple active identities with the same UPN?
answer: |
During the connect process, we map existing users to members of the Azure AD tenant, based on their UPN, which is often known as sign-in address. If we detect multiple users with the same UPN, we don't know how to map these users. This scenario occurs if a user changes their UPN to match one already existing in the organization.
- question: |
Can I switch current users from Microsoft accounts to work accounts in Azure DevOps?
answer: |
No. Although you can add new work accounts to your organization, they're treated as new users. If you want to access all your work, including its history, you must use the same sign-in addresses that you used before your organization was connected to your Azure AD.
Add your Microsoft account as a member to your Azure AD.
- question: |
Why can't I add users from other directories to my Azure AD?
answer: |
You must be a member or have read access in those directories. Otherwise, you can add them
[using B2B collaboration through your Azure AD administrator](/azure/active-directory/external-identities/what-is-b2b). You can also add them by using their Microsoft accounts, or by creating new work accounts for them in your directory.
- question: |
What if I get an error trying to map a user to an existing member of my organization?
answer: |
You can map the user onto a different identity that isn't yet an active member of the organization or add the existing user to your Azure AD. If you still need to map to the existing Azure DevOps organization member, [contact support.](https://developercommunity.visualstudio.com/spaces/21/index.html)
- question: |
How do I use my work or school account with my Visual Studio with MSDN subscription?
answer: |
If you used a Microsoft account to activate a [Visual Studio with MSDN subscription](https://visualstudio.microsoft.com/vs/pricing/) containing Azure DevOps as a benefit, you can add a work or school account. Azure AD must manage the account. Learn [how to link work or school accounts to Visual Studio with MSDN subscriptions](/visualstudio/subscriptions/vs-alternate-identity).
<a name="guest-access"></a>
- question: |
Can I control access to my organization for external users in the connected directory?
answer: |
Yes, but only for external users who are [added as guests through Microsoft 365](https://support.office.com/article/Share-sites-or-documents-with-people-outside-your-organization-80E49744-E30F-44DB-8D51-16661B1D4232)
or [added using B2B collaboration by your Azure AD administrator](/azure/active-directory/external-identities/what-is-b2b). These external users are managed outside the connected directory. To learn more, contact your Azure AD administrator. The following setting doesn't affect [users who are added directly to your organization's directory](/azure/active-directory/fundamentals/add-users-azure-active-directory).
Before you start, make sure you have at least Basic access, not Stakeholder.
Complete the [prerequisites for adding external users](add-external-user.md#prerequisites), turning External guest access to **On**.
<a name="remove-users-or-groups"></a>
- name: Remove users or groups
questions:
- question: |
How do I remove an Azure AD group from Azure DevOps?
answer: |
Go to your project collection or project. In the upper bar, select :::image type="icon" source="../../media/icons/gear_icon.png" border="false"::: **Settings**, and then select **Security**.
Find the Azure AD group, and delete it from your organization.
- question: |
Why am I asked to remove a user from an Azure AD group when I delete that user from my organization?
answer: |
Users can belong to your organization, both as individuals and as members of Azure AD groups in Azure DevOps groups. These users can still access your organization while they're members of these Azure AD groups.
To block all access for users, remove them from Azure AD groups in your organization, or remove these groups from your organization. We currently can't block access completely or make exceptions for such users.
- question: |
If an Azure AD user is removed, are all their related PATs revoked as well?
answer: |
Users who are disabled or removed from your directory, can no longer access your organization by any mechanism, including via PATs or SSH.
<a name="faq-connect"></a>
#### Connect to, disconnect from, or change Azure AD connection
- [Connect your organization to Azure AD](./connect-organization-to-azure-ad.md)
- [Disconnect your organization from your directory](./disconnect-organization-from-azure-ad.md)
- [Change the directory that's connected to Azure DevOps](change-azure-ad-connection.md)
- [Get a list of organizations backed by Azure AD](get-list-of-organizations-connected-to-azure-active-directory.md)
- [Restrict organization creation with tenant policy](azure-ad-tenant-policy-restrict-org-creation.md)
- question: |
How can I manage multiple organizations that are connected to Azure AD?
answer: |
You can download a complete list of organizations backed by an Azure Active Directory tenant. For more information, see [Get a list of organizations backed by Azure AD](get-list-of-organizations-connected-to-azure-active-directory.md).
<a name="connect-o365-azure-ad"></a>
- question: |
Can I connect my organization to an Azure AD created from Microsoft 365?
answer: |
**Yes**. If you can't find your Azure AD created from Microsoft 365, see
[Why don't I see the directory that I want to connect?](#why-not-my-directory).
<a name="why-not-my-directory"></a>
- question: |
Why don't I see the directory that I want to connect to? What should I do?
answer: |
You might not see the directory for any of the following circumstances:
* You aren't recognized as the [**organization Owner**](../security/look-up-organization-owner.md) to manage directory connections.
* Talk to your Azure AD organization administrator and ask them to make you a member of the organization. It's possible that you're not part of the organization.
<a name="AlreadyConnected"></a>
- question: |
Why is my organization already connected to a directory? Can I change that directory?
answer: |
Your organization was connected to a directory when the organization owner created the organization, or sometime afterward. When you create an organization with a work or school account, your organization is automatically connected to the directory that manages that work or school account. Yes, you can [switch directories](#switch-directory). You might have to migrate some users.
<a name="switch-directory"></a>
- question: |
Can I switch to a different directory?
answer: |
**Yes**. For more information, see [Switch to another Azure AD](change-azure-ad-connection.md).
[!INCLUDE [note-azure-ad-tenant-switch](includes/note-azure-ad-tenant-switch.md)]
<a name="AlternateCredentials"></a>
- question: |
Why and when should I request Support to manually clear my SSH keys?
answer: |
When you switch from one Azure AD tenant to another, the underlying identity also changes and any PAT tokens or SSH keys that the user had with their old identity stop working. Any active SSH keys uploaded to the organization aren't deleted as part of the tenant switch process, which may block the user from uploading new keys after the switch. We recommend that users delete all their SSH keys **before** they switch their active directory tenant. We have work in our backlog for automatic deletion of the SSH keys as part of the tenant switch process and in the interim if you're blocked from uploading new keys after tenant switch, we recommend you to contact Support to delete those old SSH keys.
- question: |
My alternate credentials don't work anymore. What do I do?
answer: |
Azure DevOps no longer supports Alternate Credentials authentication since the beginning of March 2, 2020. If you're still using Alternate Credentials, we strongly encourage you to switch to a more secure authentication method (for example, personal access tokens or SSH). [Learn more](https://devblogs.microsoft.com/devops/azure-devops-will-no-longer-support-alternate-credentials-authentication/).
- question: |
Some users are disconnected, but they have matching identities in Azure AD. What should I do?
answer: |
- In your Azure DevOps **Organization settings**, select **Azure Active Directory**, and then select **Resolve**.
- Match the identities. Select **Next** when you're done.
- question: |
I got an error message when I was resolving disconnections. What should I do?
answer: |
* Try again.
* You might be a guest in Azure AD. Request that an organization administrator, who is a member of Azure AD, do the mapping. Or, request that an admin of the Azure AD converts you to a member.
* If the error message includes a user in your domain, but you don't see them active in your directory, the user likely left your company. Go to the organization user settings to remove the user from your organization.
- question: |
When I was trying to invite a new user to my Azure AD, I got a 403 exception. What do I do?
answer: |
You may be a guest in Azure AD and don't have the right permission to invite users. Go to **External collaboration settings** in Azure AD and move the "Guests can invite" toggle to **Yes**. Refresh Azure AD and try again.
- question: |
Will my users keep their existing Visual Studio subscriptions?
answer: |
Visual Studio subscription administrators ordinarily assign subscriptions to users' corporate email addresses, so that users can receive welcome email and notifications. If the identity and subscription email addresses match, users can access the benefits of the subscription. As you transition from Microsoft to Azure AD identities, users' benefits still work with their new Azure AD identity. But, the email addresses must match. If the email addresses don't match, your subscription administrator must [reassign the subscription](../billing/csp/buy-vs-app-center.md). Otherwise, users must [add an alternate identity to their Visual Studio subscription](/visualstudio/subscriptions/vs-alternate-identity).
- question: |
What if I'm required to sign in when I use the people picker?
answer: |
Clear your browser cache and delete any cookies for the session. Close your browser, and then reopen.
- question: |
What if my work items are indicating that the users aren't valid?
answer: |
Clear your browser cache and delete any cookies for the session. Close your browser, and then reopen.
- question: |
Once my organization is connected to Azure AD, will it update Azure Boards work items, pull requests, and other pieces where I'm referenced in the system with my new ID?
answer: |
**Yes**, all pieces in the system are updated with the new ID when a user's ID gets mapped from their personal email to their work email.
- question: |
What if I get a warning about members who will lose access to the organization?
answer: |
You can still connect to Azure AD, but try to resolve the mapping issue after you've connected. If you still need help, [contact support](https://developercommunity.visualstudio.com/spaces/21/index.html).
Select the bolded text to see which users are affected.
- question: |
With more than 100 members in my Azure DevOps organization, how can I connect to an Azure AD?
answer: |
Currently, you can still connect, but the mapping and invite features that help resolve disconnected users post-connection doesn't work beyond 100. [Contact Support](https://azure.microsoft.com/support/devops/).
- question: |
Why is git.exe/Visual Studio failing to authenticate after linking/unlinking from Azure Active Directory?
answer: |
The tenant cache must be cleared if you're using a GCM version before v1.15.0. Clearing the tenant cache is as easy as deleting the `%LocalAppData%\GitCredentialManager\tenant.cache` file on each machine returning a sign-in error. The GCM automatically recreates and populates the cache file, as needed, on subsequent sign-in attempts.
[!INCLUDE [get-team-services-support](../../includes/qa-get-vsts-support.md)]
additionalContent: |
## Related articles
- [Configure and customize organization FAQs](faq-configure-customize-organization.yml)
- [User and permissions management FAQs](faq-user-and-permissions-management.yml)
- [Set up Visual Studio FAQs](faq-set-up-vs.yml)