[Updated Dec 5, 2017]
- Your Visual Studio Team Services (VSTS) account is backed by Azure Active Directory (AAD)
- You are the a member of the Project Collection Administrators group inside VSTS
- You are trying to add users to VSTS either on the Users Hub or in Security
- You type in the name of a user who you know is in the AAD but you are told No identities found
You are probably a guest in the AAD that backs VSTS. By default AAD guests cannot search the AAD.
First, check to see if you are an AAD guest:
- Go to the Settings section of your VSTS account (<account>.visualstudio.com/_admin/_home/settings) and look at the Azure Active Directory section at the bottom. Make a note of the tenant that backs your VSTS account.
- Log in to the new Azure portal (portal.azure.com) and check your user profile in the tenant from step 1. Check the User type value as seen below.
If you are an AAD guest you have a few options:
- Have another VSTS admin - someone who is not an AAD guest - manage the users in VSTS for you. Members of the Project Collection Administrators group inside VSTS can administer users.
- Have the AAD admin(s) remove you from the AAD and re-add you, making you an AAD member rather than a guest when they do. See "Can Azure AD B2B users be added as members instead of guests?" on https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-user-properties.
- Change the User Type of the AAD guest using Azure AD PowerShell. This is an advanced topic and is not advised, frankly, but it does work and allows the user to query AAD from VSTS thereafter:
Convert AAD UserType from Member to Guest using AAD PowerShell
Prerequisites for the user making the User Type change:
- *Must* use a Work\School Account (WSA)
- *Must* be Global Admin in the AAD
I recommend you create a brand new (native) AAD user who is a Global Admin in the AAD then perform the steps below with that user. From experience helping people through this I know you run a high risk of problems, usually caused by connecting to the wrong AAD. Save yourself the headache and just make a new user. You can delete it when you're done.
- Install the x64 Microsoft Online Services Sign-In Assistant 7.250.4556.0 for IT Professionals RTW from http://www.microsoft.com/en-us/download/details.aspx?id=41950
- Install the Azure AD PowerShell Module
- Start the Windows Azure Active Directory Module for Windows PowerShell tool
- Execute Connect-msolservice. This will connect you to your AAD. When prompted, enter the WSA \ AAD Global Admin referenced earlier.
- Execute get-msoluser -SearchString "<display_name>" (where <display_name> is in the display name of the user as seen in AAD user management inside the Azure portal). For example:
- Locate your ID in UserPrincipalName column and copy it. You will need this for the next steps.
- Execute Get-msoluser -UserPrincipalName <your ID> | fl (this will list details of your ID). Look at the UserType property.
If the UserType is GUEST, you can make this user a MEMBER by executing set-msoluser -UserPrincipalName <your ID> -usertype member
While not the norm, we have seen it take several days before this change to the user in AAD is reflected inside VSTS. If it doesn't fix your VSTS issue immediately, give it some time and keep trying.
Please see these posts for additional info:
- See https://docs.microsoft.com/en-us/azure/active-directory/active-directory-users-assign-role-azure-portal for guidance on how to add someone to the AAD Global Admin role.