“No identities found” adding users from Azure Active Directory to Visual Studio Team Services

[Updated Dec 5, 2017]


  • Your Visual Studio Team Services (VSTS) account is backed by Azure Active Directory (AAD)
  • You are the a member of the Project Collection Administrators group inside VSTS
  • You are trying to add users to VSTS either on the Users Hub or in Security
  • You type in the name of a user who you know is in the AAD but you are told No identities found



  • You also may see this error when trying to make yourself the owner of the VSTS account:aadguestcannotbevstsowner




You are probably a guest in the AAD that backs VSTS. By default AAD guests cannot search the AAD.



First, check to see if you are an AAD guest:

    1. Go to the Settings section of your VSTS account (<account>.visualstudio.com/_admin/_home/settings) and look at the Azure Active Directory section at the bottom. Make a note of the tenant that backs your VSTS account.
    2. Log in to the new Azure portal (portal.azure.com) and check your user profile in the tenant from step 1. Check the User type value as seen below.




If you are an AAD guest you have a few options:

  1. Have another VSTS admin - someone who is not an AAD guest - manage the users in VSTS for you. Members of the Project Collection Administrators group inside VSTS can administer users.
  2. Have the AAD admin(s) remove you from the AAD and re-add you, making you an AAD member rather than a guest when they do. See "Can Azure AD B2B users be added as members instead of guests?" on https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-user-properties.
  3. Change the User Type of the AAD guest using Azure AD PowerShell. This is an advanced topic and is not advised, frankly, but it does work and allows the user to query AAD from VSTS thereafter:

Convert AAD UserType from Member to Guest using AAD PowerShell

Prerequisites for the user making the User Type change:

  1. *Must* use a Work\School Account (WSA)
  2. *Must* be Global Admin in the AAD

I recommend you create a brand new (native) AAD user who is a Global Admin in the AAD then perform the steps below with that user. From experience helping people through this I know you run a high risk of problems, usually caused by connecting to the wrong AAD. Save yourself the headache and just make a new user. You can delete it when you're done.


  • Install the x64 Microsoft Online Services Sign-In Assistant 7.250.4556.0 for IT Professionals RTW from http://www.microsoft.com/en-us/download/details.aspx?id=41950
  • Install the Azure AD PowerShell Module
  • Start the Windows Azure Active Directory Module for Windows PowerShell tool
  • Execute Connect-msolservice. This will connect you to your AAD. When prompted, enter the WSA \ AAD Global Admin referenced earlier.
  • Execute  get-msoluser -SearchString "<display_name>" (where <display_name> is in the display name of the user as seen in AAD user management inside the Azure portal). For example:


  • Locate your ID in UserPrincipalName column and copy it. You will need this for the next steps.
  • Execute Get-msoluser -UserPrincipalName <your ID> | fl (this will list details of your ID). Look at the UserType property.

If the UserType is GUEST, you can make this user a MEMBER by executing set-msoluser -UserPrincipalName <your ID> -usertype member


While not the norm, we have seen it take several days before this change to the user in AAD is reflected inside VSTS. If it doesn't fix your VSTS issue immediately, give it some time and keep trying.



Please see these posts for additional info:

Comments (5)

  1. Matt says:

    This blog post helped me immensely! I had tried to change the role of a user in the new Azure Portal Active Directory page (currently in Preview). However, I was getting the message “Directory roles cannot be assigned to users that are guests”. Similarly, when adding a user that already exists in another directory, I see the message “xxx@xxx.com will be added as a guest”, and was then unable to assign them to a role. After running set-msoluser, I was able to assign them to a role.

    Here are a few important details that were missed in the article above:
    – I had to install the “Microsoft Azure Active Directory Module for Windows PowerShell Preview” from the following link:
    – You can run “get-msoluser” with no arguments to list all users in your organization.
    – You need to make the PowerShell buffer wider to see the complete UserPrincipalName column. This can be done using the icon in the corner of the window, selecting Properties, selecting the Layout tab, and entering 300 for the Screen Buffer Width.
    – I had to follow the directions in the Appendix to use the classic portal to create a AAD-Admin account because our main Global Admin account was not a work or school account. This meant that I was unable to use that account for the “connect-msolservice” step.
    – After logging into manage.windowsazure.net with aad-admin and changing the password, I get a message “No subscriptions found.” However, everything appears to have worked properly.

  2. Simon Hetzel says:

    Unfortunately my experience has been that if you set external users to “Member” then Office 365 external collaboration features (e.g. files shared with external users, Office Groups etc.) stop working for that user.

  3. Marilou Caro says:

    Really, this is a important internet site.

  4. Daniel says:


  5. Virginia Luther says:


Skip to main content