1
votes

Problem:

I've created VSTS from Azure portal. I'm now unable to add more team members to VSTS: https://myteamaccount.visualstudio.com/_user

Environment details:

  1. VSTS and Azure subscription both connected to the same AAD. I log in to both, Azure portal and VSTS with my company credentials: [email protected]

  2. The AAD is a custom, project-specific AAD. In the Azure portal, I need to switch to the project subscription that is connected to the project AAD, so in the top right corner I click on:

    [email protected] 
    myproject123hotmail (DEFAULT DIRECTORY)
    

    Then I see the Team Services Account and Team Project Resources

  3. The other users are in the AAD as well: In the Azure portal in the VS-MyTeamAccount-Group -> Access Control (IAM) I can see the other users as contributors, so they must be in the same AAD as well, mustn't they?

    For some weird reason I'm not owner of this Resource Group although I created it.

  4. I've also tried to add the desired team member to the project AAD as a guest user. The invitation was sent.

  5. In the new Azure portal, when I click the Azure Active Directory Tab, I don't have access to see, find or add users.

Question:

How do I add users to my team project?


2 Answers

0
votes

Since you added the account as a guest user in the AAD, the user can be added to your VSTS (and will also be added automatically when that user first accesses your VSTS). You need to grant the permission for that user in VSTS, for example, by adding them to the Team Project Administrators group.

There is a blog about inviting directory guest to AAD-backed VSTS accounts.

A user who is only a guest user of the AAD can't find others in VSTS.

1
votes

For those who come after, this put me on the right track.

Guest users cannot search the Azure Active Directory list, even when they are Global Administrators on Azure AD AND the owner of the DevOps Organization (I was both). Essentially they must be converted to a Member rather than Guest.

This link from the developer community forums helped me sort out the issue. I have quoted the answer at the base of this post in case it disappears.

The solution was to

  • Download the AzureAD PowerShell module
    • Install-Module AzureAD
  • Connect to my AzureAD instance
    • Connect-AzureAD -TenantId [your tenant id]
  • Update the user
    • Set-AzureADUser -ObjectId [User object id] -UserType Member

Once I logged out and in again (clearing my cookies) - tadaa! All my Azure AD groups/users were visible to me in the add screens of my DevOps organization.


Quote from the developer community post:

You can't search into AAD if you are a guest user in the tenant directory. To overcome this problem, change yourself from a guest to a regular member in AAD. This can only be done by PowerShell. You will have to install the Azure AD PowerShell module first from the following location and use the cmdlets given below. https://docs.microsoft.com/en-us/powershell/azure/active-directory/install-adv2?view=azureadps-2.0

connect-AzureAD

Set-AzureADUser

Thanks, Rajesh
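
The steps from the answer above as one PowerShell script, with a before/after check and a review listing; this is an added example, not code from the original posts. The tenant ID and user identifier are placeholders (assumptions), and the final query goes beyond the answer by listing externally sourced accounts (UPN containing `#EXT#`) that hold the Member type, so the conversion can be reviewed later.

```powershell
# Added example: the two values below are placeholders, replace them with your own.
$TenantId = '<your-tenant-id>'
$UserId   = '<user-object-id-or-upn>'

# One-time install of the AzureAD module for the current user.
if (-not (Get-Module -ListAvailable -Name AzureAD)) {
    Install-Module AzureAD -Scope CurrentUser
}
Connect-AzureAD -TenantId $TenantId | Out-Null

# Record the current state before changing anything.
$user = Get-AzureADUser -ObjectId $UserId
"{0} is currently '{1}'" -f $user.UserPrincipalName, $user.UserType

# Only touch accounts that really are guests, then re-read to confirm the change.
if ($user.UserType -eq 'Guest') {
    Set-AzureADUser -ObjectId $user.ObjectId -UserType Member
    $after = Get-AzureADUser -ObjectId $user.ObjectId
    "{0} is now '{1}'" -f $after.UserPrincipalName, $after.UserType
}

# Review list: invited (external) accounts that now have Member-level directory access.
Get-AzureADUser -All $true |
    Where-Object { $_.UserType -eq 'Member' -and $_.UserPrincipalName -like '*#EXT#*' } |
    Sort-Object UserPrincipalName |
    Select-Object DisplayName, UserPrincipalName, ObjectId, UserType |
    Format-Table -AutoSize
```

A Member account gets the default directory read permissions that a Guest lacks, which is why the user search starts working after the change; the review list shows which invited accounts carry that wider access.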