Today we began deployment of our sprint 68 work. There’s a bunch of really good stuff there. I say “began” because deployment is a multi-day event now as we roll it out across instances. Everyone should have the updates by tomorrow (Tue) afternoon. You can read the release notes to get details.
You’ll see that one part of the licensing changes I described a couple of weeks ago is now live – addition of Test Hub access to the Visual Studio Online Advanced license. The remaining stakeholder licensing changes are still tracking to go live in mid-August. Stay tuned for more.
Azure Active Directory support
The biggest thing in the announcement is the next step in our rollout of Azure Active Directory (AAD) support in VS Online. We started this journey back in April with the very first flicker of AAD support at the Build conference. We added more support at TechEd but I’ve stayed pretty quiet about it because, until this week, there was no way to convert an existing account to AAD. With this deployment we’ve enabled it. Officially it’s in preview and you have to ask to get access to do it but we’re accepting all requests so it’s nothing more than a speed bump to keep too big a rush from happening all at once. With this last set of changes, you can:
- Associate your OrgID (AAD/AD credentials) with your MSDN subscription, if you have one, and use that to grant your VSO license
- Create a new account connected to an AAD tenant
- Connect an existing account to an AAD tenant
- Disconnect an account from an AAD tenant
- Log in with either a Microsoft Account or an OrgID (AAD only or synchronized from your on-prem Active Directory) giving you single sign-on with your corporate credentials, Office 365, etc.
- I’m probably forgetting something but you get the point
I encourage you to read the docs and more docs for details. One thing I’ve asked to be included in the docs, and I’m still not satisfied with the clarity, is one detail about binding an existing account to AAD. If you have an existing account not connected to AAD then, by definition, you are using Microsoft Accounts. When you connect your VS Online account to AAD, your identities have to be recognized by AAD to authenticate. You have 3 options for each existing user of your account:
1. Add the Microsoft Account as an “external identity” in your AAD. All your data and in-progress work carries forward. The drawback is that external Microsoft accounts won’t fully honor your AAD policies – like Two Factor Auth, Password policies, etc. It’s still a Microsoft Account that’s been associated with your AAD, giving your AAD admin central control over access.
2. If you created your Microsoft Account using the same email address as your AD/AAD identity (for instance, for me it’s firstname.lastname@example.org) then, when you connect your VSO account to AAD, your Microsoft Account will be seamlessly rebound to your corporate identity. All your data and in-progress work carries forward and your login gets the full set of AAD governance. This is the “best” of the 3 options but requires that you created your Microsoft Account a certain way.
3. If you can’t do #2 and you don’t want to do #1, then you can just add your AAD identity as a “new” VS Online user and remove your old Microsoft Account identity from the VS Online account. To VS Online this is just like adding a new user and deleting an old user. VS Online has no idea they are the same person. This has the advantage of getting full AAD administration but the downside that in-progress work (checkouts, work items assigned to you, …) and other places where your old MS Account identity was associated need to either be deleted or reassigned to your new identity. Work items can be reassigned. Workspaces, shelvesets and stuff like that can be deleted. History will always be associated with your “old” Microsoft Account identity.
So that’s a good segue to what’s left for us to do to really complete AAD support…
- Add the ability to migrate one identity to any other identity, thereby having all references in VSO changed to the new user (to get around the issue in #3). This is on the backlog but is going to take a while.
- Add support for using AAD groups (to assign permissions, query work items, etc) in VS Online. Today you can use AAD users, but you can’t yet use AAD groups. This feature is coming fairly soon (within the next few sprints).
I’m sure I’m missing something else we haven’t done yet but I don’t think anything big. AAD support is ready for prime time for most user scenarios.
And I have to say something about account deletion. Until this week, VS Online account deletions could only be done by contacting support – and we had to do a delicate dance to ensure that the person requesting a deletion had the rights to. For the past few months, account deletion has been the #1 support request, with dozens of requests a month. There are all kinds of reasons –
- Merging multiple accounts into one
- Moving from VS Online back to on-premises TFS
- Wanting to just wipe everything out and start over (for instance after an evaluation)
With this week’s deployment, account deletion is self service (assuming you are an account administrator). However, it’s important to understand that all account deletes are “soft” deletes only. Meaning the account is “marked for deletion” and no one can access it any more but it is *not* actually deleted. It will be physically deleted, I believe, 90 days after you delete it in the UI. This gives you a window to have your “Oh sh%t!” moment. If you realize that you deleted something you did not intend to, you can contact support and they can “undelete” your account. This is indicative of a general direction we are headed where all deletes are “soft” and you always have a time window to go back and recover it. It will take us quite a while to get there on everything that can be deleted but we’ll make progress every chance we get. Of course, if there’s some reason you *REALLY* need a VS Online account permanently deleted immediately, you can contact support to help you.
Oh, and lest I manage to avoid mentioning any feature in this deployment, check out the new trend reports. They are very cool and make the VS Online charting experience even more useful. And, because I know several people will ask, yes, these charting enhancements will be added to Team Foundation Server (our on-premises product). If everything goes according to plan, they will be in TFS 2013.4 (Update 4) later this fall.
It’s a bunch of stuff. Maybe you have to be a bit of a geek to appreciate all of it. We’ve been working on some of this for a good while and I’m really happy to see it all available. Check it out and let us know what you think.