Forum Discussion

JamesSeton's avatar
JamesSeton
Copper Contributor
Oct 28, 2024

Azure Devops External Users can't access project after being added

We have a private free repo that we have added external contractors to. They show up as guest in our Entra tenant and have accepted the invite. However, upon trying to reach the DevOps organisation, they get the following error. 

 

You don't have access to this
Your sign-in was successful but you don't have permission to access this resource.
Error Code: 53003
Request Id: 4a68d5ad-a410-4477-8588-0057f58e2a00
Correlation Id: f8469115-08b5-4238-849f-50010672613d
Timestamp: 2024-10-28T03:31:47.557Z
App name: Azure DevOps
App id: 499b84ac-1321-427f-aa17-267ca6975798
Device identifier: Not available
Device platform: Windows 10
Device state: Unregistered
 
They are added as Visual Studio Subscribers to the organisation and are B2B users in the Entra Tenant.
Everyone from within our company that have been added to the DevOps organisation can access the repo as expected. External access is also toggled on in the DevOps org. Is there anything I perhaps have missed?

2 Replies

Sort By
  • balasubramanim's avatar
    balasubramanim
    Iron Contributor
    Apr 01, 2025

    JamesSeton 

    The error you are encountering (53003 – "You don't have access to this") often indicates an Azure AD Conditional Access policy or tenant-level restriction is blocking the external B2B users, even though they have accepted the invite and appear in Entra ID.

     

    1. Check Conditional Access Policies

    - Go to Entra ID > Security > Conditional Access

    - Ensure guests aren’t blocked or required to use compliant devices.

    2. Update External Collaboration Settings

    - Entra ID > External Identities

    - Make sure guest users can access Microsoft 365 and Azure AD services.

    3. Enable Guest Access in Azure DevOps

    - Org Settings > Policies > Allow external guest access.

    4. Assign Correct License

    - Org Settings > Users > Assign Basic/Stakeholder license.

    5. Use Sign-in Logs

    - Entra ID > Monitoring > Sign-in logs

    - See which Conditional Access policy is blocking access.

  • Kidd_Ip's avatar
    Kidd_Ip
    MVP
    Mar 31, 2025

    Please try to fix bye following:

     

    1. Review Conditional Access Policies
    • Go to the Azure Active Directory Admin Center.
    • Navigate to Security > Conditional Access and review the policies applied to external users.
    • Check if there are policies restricting access based on:
      • Device compliance (e.g., requiring domain-joined devices).
      • Location (e.g., only allowing access from specific IP ranges or regions).
      • Application restrictions (e.g., blocking access to Azure DevOps for certain users).
    1. Sign-In Logs
    • In the Azure AD Admin Center, go to Users > Sign-in logs.
    • Look for the failed sign-in attempt for the external user and review the Conditional Access tab to identify which policy is blocking access.
    1. Adjust Conditional Access Policies
    • If a policy is blocking access, you can:
      • Add an exception for the external users or their organization.
      • Temporarily relax the policy to allow their access.
    • Ensure that the policy allows guest users to access Azure DevOps.
    1. Verify External Access Settings in Azure DevOps
    • In Azure DevOps, go to Organization Settings > Policies.
    • Confirm that External guest access is enabled.
    1. Check B2B User Configuration
    • Ensure that the external users are properly added as B2B guest users in your Entra tenant.
    • Verify that they have accepted the invitation and their accounts are active.
    1. Device State
    • The error mentions that the device state is "Unregistered." If your Conditional Access policy requires registered or compliant devices, this could be the issue. You may need to adjust the policy to allow unregistered devices for external users.

     

Resources