cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Azure AD and Team Services integration, "the catch and the solution"

Kent Gaardmand
Steel Contributor

‎May 14 2017 02:23 PM - edited ‎May 14 2017 02:32 PM

‎May 14 2017 02:23 PM - edited ‎May 14 2017 02:32 PM

Azure AD and Team Services integration, "the catch and the solution"

Most developers i encounter are still using a Microsoft Account (formerly known as live accounts).

At some point your company will decide to integrate their VSTS (Visual Studio Team Services) with the company Azure Directory.

This is a best practice that should not be over looked and the process to complete this migration is easy, however once you complete the integration there are a few things to be aware of.

 

The scenario:

Custom A just started using VSTS and chose to integrate it with their Azure AD. Customer A now need to start collaborating with customer B. Customer B is still using VSTS with Microsoft accounts. Customer B receives a list of email addresses they need to grant access to their VSTS, they add the addresses and invitations are sent to Customer A.

Customer A attempts to active the invitation using the provided link after selecting work account (Azure AD), here they encounter a login loop.

 

the Catch:

So, what is happening here? When granting access to your VSTS (Not backed by Azure AD) you can invite any email you wish, but there is no validation or error message stating the account attempting access is a work account from an Azure AD and therefor is not able to login.

 

The Solution:

The problem can be solved, unfortunately this requires Customer B to integrate their VSTS with Azure AD as well. The process is simple, they have to identify all the Microsoft accounts that have access to their VSTS and add them as guests to their Azure AD. Once that is completed Customer B can proceed with integrating their team services, keep in mind accepting the AD invitation is a required step for the Microsoft accounts to regain access to Team Services. All previous permissions in Team services granted to the Microsoft account will remain, now Customer B can slowly start to replace their employees Microsoft accounts with corporate Accounts. Side benefit is they can also purchase Visual studio Enterprise licenses through a CSP partner.

Once your VSTS is Azure AD integrated all external guest must first be invited to you Azure AD before you can search for them and grant permissions in Team services. 
I would suggest creating Security Groups and adding them to your projects, this will allow you to maintain your VSTS access through the Azure portal.

 

Hope this saves a few people some troubleshooting.

Labels:
498 Views
1 Like
0 Replies
Reply
0 Replies