Unable to grant VSTS project access using Azure AD Groups

0
votes

I have our VSTS set up so that people log in using our Azure AD credentials and this works fine.

What I can't get working is the ability to grant access to projects using an Azure AD group.

Here's what I have done:

  • I have created the group (called Developers) and added all the team members.
  • I have added the Developers group (called [TEAM FOUNDATION]\Developers in the autocomplete pick list) to the default project team.
  • The team members card shows that I have 10 team members and shows 9 of them.
  • If I click View all link on this card, the only entry is shows is the Developers group which has the Username Or Scope listed as the name of our Azure AD. If I click on this group and view the members of the group it shows the 10 people I want to add to the project.

As far as I can see from the above it should work but it doesn't. The users are not able to see the project in Visual Studio Team Explorer or in the Visual Studio Team Services web application.

Is there anything that I have missed?

2
azureactive-directoryazure-devops
You are using mixed terms. Did you create a VSTS group Called "Teamfoindation\developers" or an AAD group? They are not the same.MrHinsh - Martin Hinshelwood
Every use of the term "group" in my question is an AAD group. I created an AAD group called Developers and that showed up in VSTS as [TEAM FOUNDATION]\Developers in some places and as just Developers in others.Steve Kaye
[TEAM FOUNDATION]\Developers is not an AAD group, it is a VSTS local group.MrHinsh - Martin Hinshelwood

2 Answers

0
votes

You also need to add users to team project(s) in order to they can see corresponding team projects.

  1. Go to a team project admin page (Click Settings Icon) > Security
  2. Add that group to a group (e.g. readers)

Regarding Team Services with Azure AD groups, you can refer to this article: Team Services: Access with Azure Active Directory (Azure AD) groups

0
votes

It seems to be an issue of timing:

On one day I created the AD group and then added the AD group to the relevant VSTS groups and this half worked (i.e. it added the names to the team project but didn't allow the team to access the project)

On the next day, what I'd set up on the previous day worked fully. Also, if I removed the AD group from the VSTS groups then access was revoked and re-adding it in granted access immediately.