We went through the process of setting up our organization in Azure AD and connecting it to VSTS today.
Connect VSTS account to Azure Active Directory (Azure AD)
Everything seemed to be working correctly initially:
- Our VSTS account was listed in Azure
- We could log in to VSTS successfully both from the web portal and Visual Studio Team Explorer Connection Manager
- Had rights to everything we needed
- All our user data had migrated correctly
- We could add AD groups in VSTS
- Our organizational Azure subscriptions were listed as expected
UNTIL the first developer tried to check-in to a git repo in VSTS. We were prompted for Microsoft account credentials:
The problem was that our Microsoft Account (MSA) no longer had rights to VSTS. After we followed the tutorial above, VSTS had been migrated to authenticate users with our new Azure AD accounts (AAD). Typically, this login prompt either identifies the email as an org account (notice the badge in the top right):
Or, if you have both an org and MSA account with that email address it asks which you would like to use:
In this case, it would only take an MSA, which wouldn’t work. Not sure, but I expect this is a limitation of Visual Studio today.
Solution
Eventually I figured out that we had previously been connecting to the git repo(s) using a stored Windows Credential for our VSTS address:
Checking our VSTS profile, we found all our personal access tokens were gone after the migration, which makes sense. So we had to create a new token and update the Windows Credential, and everything worked again.
Hope this helps others!
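The credential swap described above can also be scripted. This is an added example, not part of the original post: the account name and repository are placeholders, and the `git:https://` target prefix and the `PersonalAccessToken` user name are assumptions about how Git stored the entry on your machine, so compare them against what step 1 prints.

```powershell
# Added example: replace a stale VSTS Git credential in Windows Credential Manager
# with a newly created personal access token (PAT).
$Account = 'youraccount'    # placeholder: your VSTS account name
$Repo    = 'YourRepo'       # placeholder: any repo you can read, used to verify
$Target  = 'git:https://{0}.visualstudio.com' -f $Account   # assumed target name

# 1. List what Credential Manager currently holds for VSTS.
$stored = @(cmdkey /list |
    Select-String -Pattern 'target=(.+)$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() } |
    Where-Object { $_ -like '*visualstudio.com*' })
$stored | ForEach-Object { Write-Host "Stored credential: $_" }

# 2. Remove the stale entry (it still holds the PAT that the migration revoked).
if ($stored -contains $Target) {
    cmdkey "/delete:$Target" | Out-Null
}

# 3. Read the new PAT without echoing it or leaving it in shell history.
$secure = Read-Host -Prompt 'New VSTS personal access token' -AsSecureString
$pat    = [System.Net.NetworkCredential]::new('', $secure).Password
if ([string]::IsNullOrWhiteSpace($pat)) { throw 'No token entered.' }

# 4. Store it as a generic credential under the same target name.
#    The user name is an assumption; the PAT goes in the password field.
cmdkey "/generic:$Target" /user:PersonalAccessToken "/pass:$pat" | Out-Null
Remove-Variable pat, secure

# 5. Verify that Git can authenticate with the stored PAT.
git ls-remote ('https://{0}.visualstudio.com/_git/{1}' -f $Account, $Repo) | Out-Null
if ($LASTEXITCODE -eq 0) {
    Write-Host 'Git authenticated with the new token.'
} else {
    Write-Warning 'Git still cannot authenticate; check the target name and token.'
}
```

`cmdkey` receives the token as a command-line argument, so on hosts with process command-line auditing the PAT will appear in those logs; entering it through the Credential Manager UI avoids that. Give the new token only the scopes Git needs and an expiry date.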
Hey Robb, it’s been a long time. Nice blog! I stumbled upon a post of yours on Reddit which led me to here. It’s super cool y’all have moved to VSTS. I built our TFS 2017 stack here and a recent re-org has delayed our 2018 rollout. But the plan was to go from 2018 to VSTS. Hopefully we keep the plan. I’d love to chat sometime about your VSTS architecture. For instance, did you guys keep your agents on-prem? Is everyone in one giant team project? Email me sometime @ wes.goodwin@gmail.com
Hey Wes, great to hear from you. Yes, we use on-prem agents and one team project. I moved to a smaller company early this year where there are only 6 developers so we only have one team. You should come out to the .NET meetup sometime. https://www.meetup.com/Birmingham-NET-Meetup/events/
Certainly will! Thanks for the invite!