1
votes

In VSTS (Visual Studio Team Services), when we invite a user he is made a Guest in the backing AzureAD. This means that the user cannot perform tasks that involve AzureAD. Even though he is an administrator of the VSTS projects, he cannot invite new members to the project because he doesn't have permission to invite anyone to the backing AzureAD.

Can we create e.g. a policy that would give the "Guest inviter" role to all users that have the email domain of our company? That would allow all people from our company to add new users to their project, but if they have invited a customer, the customer won't be able to invite more people.

An even better way would be to change all users from Guest users to Members.

1
Why don't you link the VSTS with your company AAD? - Martin Brandl
@MartinBrandl I don't know how and additionally our company has over 100 000 people working here so you can imagine the bureaucracy. Additionally the VSTS is already linked and a lot of projects have invited a lot of customers so I'm not sure what would happen if we change the backing user store. - Mathias Rönnlund
No way to do it in VSTS. - starian chen-MSFT

1 Answers

0
votes

For me this sounds like a workaround because the VSTS should be linked to your organization's Active Directory. However, I understand your concerns about the existing projects and users (even though there is a migration guide).

You could use attribute-based rules for dynamic groups to add all users with a specific domain / mail to a certain group. Then you could assign the necessary rights on VSTS (VSTS project collection administrator or account owner permissions) and AAD (I don't know the least required privileges here) to the group.

Note: If you need to add users who are external to your Azure AD, you have to add them to your Azure AD first.

See: Create attribute-based rules for dynamic group membership in Azure Active Directory
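
A sketch of the dynamic-group step described in the answer, added here as an example and not part of the original post. It assumes the AzureAD PowerShell module; `contoso.com`, the group name and the mail nickname are placeholders, and the backslash-escaped regex in the rule is an assumption to confirm against the group's resulting membership before granting it any permissions.

```powershell
# Added example: dynamic group keyed on the company mail domain.
# contoso.com, the display name and the mail nickname are placeholders.
Connect-AzureAD

# Preview locally which accounts an anchored domain match would select,
# and whether they are currently Guest or Member objects.
$domainPattern = '@contoso\.com$'
Get-AzureADUser -All $true |
    Where-Object { $_.Mail -match $domainPattern } |
    Select-Object UserPrincipalName, Mail, UserType |
    Sort-Object UserType, Mail |
    Format-Table -AutoSize

# Anchor the match at the end of the address. A plain
#   user.mail -contains "@contoso.com"
# would also select look-alike addresses such as
# someone@contoso.com.example.org.
$rule = '(user.mail -match ".*@contoso\.com$")'

# Create the group with rule processing paused so that membership can be
# reviewed before any rights are attached to the group.
$group = New-AzureADMSGroup `
    -DisplayName 'Company domain users (dynamic)' `
    -Description 'Users whose mail attribute is in the company domain' `
    -MailEnabled $false `
    -MailNickName 'company-domain-users' `
    -SecurityEnabled $true `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule `
    -MembershipRuleProcessingState 'Paused'

# Turn processing on once the rule has been reviewed.
Set-AzureADMSGroup -Id $group.Id -MembershipRuleProcessingState 'On'

# After the rule has been evaluated, list the members and compare them
# with the local preview above.
Get-AzureADGroupMember -ObjectId $group.Id -All $true |
    Select-Object UserPrincipalName, UserType
```

Because a guest's `mail` attribute holds the address they were invited with, the group's membership is only as trustworthy as that attribute, so compare the final member list with the preview before assigning rights to the group.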