VS Subscriptions and linking your VSTS account to AzureAD

A few weeks ago, I posted about a change coming to organizations managing their identities with Microsoft Accounts (MSAs); as of March 30th, you will no longer able to create new MSAs with a custom domain name that is linked to an Azure Active Directory tenant.  Many customers have reached out asking how this change affects their Visual Studio subscriptions (formerly known as MSDN subscriptions) so this post is aimed at answering that question. 

In general, VS subscription administrators assign subscriptions to a user’s corporate email (e.g. justin@fabrikam.com) so that they can get the welcome email and notifications about the subscription.  As long as the email of the identity and the subscription match, the user will be able to access the benefits of that subscription.  As your organization transitions from MSA to AAD identities and the emails match (both of the form justin@fabrikam.com), your user’s benefits will continue to work with their new AAD identity. 

While the previous scenario is by far the most common for organizations, there are a couple other scenarios that we’ve seen customers hit… 

Subscription is assigned to justin@outlook.com (MSA) but the end user wants to use his VS subscription with an AAD identity (justin@fabrikam.com).  

If you access VSTS or Microsoft Azure with an AAD identity, but access your VS subscription with a different identity (such as your personal Microsoft account), you can link your AAD identity to your VS subscription by adding an “Alternate account” to your subscription.  Once the linking is complete, you’ll be able to access your subscription with both the MSA and the AAD identities. 

Subscription is assigned to justin@fabrikam.com but the organization isn’t using AAD for VSTS.  They have created a new MSA for the user with the sign in address justin@outlook.com 

This scenario is going to become more prevalent given the lockdown of MSA account creation.  We have just released the ability for a user to add an MSA “Alternate account” when they’re signed into VSTS with an AAD identity (the reverse of the previous scenario).  

Subscription is assigned to justin@fabrikam.com but the organization’s AAD has a different email, justin@contoso.com, that doesn’t match the email where the subscription is assigned. 

This is similar to the above scenario and supported in the same way.  We’ve gotten feedback from VS subscription administrators that some do not want to allow use of a subscription by AAD identities outside their organization so we are planning additional work to allow for these administrative controls at a later time. Alternatively, the subscription administrator can reassign the subscription to the users’s organization email address.

Hopefully this helps bring some clarity and I’m eager to hear your feedback as your organization begins their transition away from MSA to AAD linked VSTS accounts.  Please don’t hesitate to reach out if you have any further questions. 

Thank you,
Justin Marks, Principal PM, VSTS Identity 

Author: Justin Marks (MSFT)

Justin Marks is a principal program manager at Microsoft working on identity management for Azure DevOps. For the previous 7 years, Justin was part of the agile tooling space where he worked on all aspects of the work tracking system including process customization, the reporting stack, REST APIs, and collaboration experiences including team room, agile tooling and lightweight requirements management. Justin previously worked on the Visual Studio Debugger, the Windows Shell (as both a software design engineer in test and a program manager) and on MSN.com (as a systems engineer).

19