This week we are deploying our sprint 65 work. You can read the release notes here: http://www.visualstudio.com/news/2014-may-20-vso
The really big news is that we’ve completed the next step in the journey to fully supporting Active Directory integration through Azure Active Directory. You can now create a new VS Online account through any of the paths we offer and connect the new account to Azure Active Directory in the process. The news post has a bunch more detail, tutorials, etc.
This has been one of the top service requests for a while now. In fact, there are two highly voted UserVoice items related to it that we’ve partially addressed.
There’s actually a ton more work that we’ve had to do to get to this point than you might imagine. It’s not just about hooking up another authentication provider. We’ve tried to make the whole scenario work well. For instance:
- MSDN subscriber benefits – Once you can log in to VS Online with your corporate credentials, how are we going to recognize your MSDN subscription and give you credit for the license? We’ve had to add support to MSDN/VSO to enable you to specify a set of AAD credentials associated with your MSDN subscription by which you can get credit.
- Interplay between AAD and Microsoft Accounts – Microsoft Accounts (Live IDs) can be added to AAD as “external identities”, making them kind of virtual members of the directory. That creates all kinds of problems. It means that with the same Microsoft Account, you can be a member of multiple organizations. How do you see all of the VSO accounts in all of those organizations you have access to? We’ve updated the profile page to round them all up and show them. What about the fact that you only have one user profile – display name, picture, etc.? Many organizations want to control things like that with policy in their organization. We’ve added support for organization-specific profiles. So the profile is yours but it has a “personality” specific to each organization you are a member of.
There have been tons of edges like these that we’ve had to deal with. The whole process has given me a renewed appreciation for how much more complicated identity is than you would, at first, imagine.
What you can’t do…
As I said, this is a step on the journey. There’s lots you can’t do yet. By far the biggest and most important one is that you can’t attach an existing VSO account to an AAD directory. You can only do it while creating a new account. Enabling attaching existing accounts is the next scenario on our list and, last I checked, we were estimating about 3 more sprints of work to get that done.
I know what you are thinking… How can I create a new account, move all my stuff over to the new account and keep working? Stop. Don’t go there. It’s complicated. If you just want to sync your source, create a new account and check it in – basically starting over – go ahead. But if you hope to preserve history, work items, tests, etc., don’t. Just wait a few sprints and we’ll enable you to add AAD. Down the other path, you’ll pull out half your hair and probably be done about the time we introduce the feature anyway.
There are other things that still need to get done beyond that. For instance, once you can attach AAD to your VSO account, you will be able to add your Microsoft Accounts as external identities to your AAD and keep working. However, some of you, maybe most of you, would sure like to be able to move all of your work from your Microsoft Account to your linked on-premises AD identity – so for example, change firstname.lastname@example.org to email@example.com. We have yet more work to do to enable that and I don’t have a timeline but likely later this year. You will also want to be able to use your Active Directory groups to manage permissions (and other things) in VSO – also likely to happen later this year.
So, this is not the end but rather it is an important step.
As I said, I’ve found that identity is way more complicated than you’d expect and I’ve found that our current docs are not great at telling you everything you need to know. I’ve asked that we put together a one-stop-shop page that contains a good explanation, links to resources and an FAQ to really help people sort through it all and create a solution that works well for them. I’ll let you know as soon as we have it.
It’s an incredibly exciting step and I think once we get the next step (ability to support pre-existing VSO accounts), we’ll cover the most pressing needs. We’ll finish this out and start ramping up on the next most pressing requirement – process template customization.