Issues with Azure Active Directory GUEST users in AAD-backed Visual Studio Team Services accounts


01/17/2017 Update

There have been two changes to this problem recently: the error message has changed, and there is now a way to see whether a user is a Guest without PowerShell.

The obvious error message that AAD Guests used to get when adding users has changed, from “AAD Guest users are not allowed to search in AAD.” to the much less informative “No identities found.” Note that “No identities found” is also what you see when the user you tried to add really doesn’t exist, so the message alone no longer tells you which case you are in.

(screenshot: the “No identities found” message)

Guests can’t search the AAD, but the search box will still return users who have already been added to the VSTS account. So if you can’t find a user you know is in the AAD (use single-letter searches to be sure) while users who are already added do show up, you are probably signed in with a Guest account.

(screenshot: the search box listing only users already added to the account)

In the new Azure portal (http://portal.azure.com) a user’s profile shows whether they are a Guest or a Member, as seen below.

(screenshot: a user profile in the Azure portal showing the user type)

The PowerShell commands in the next section are still the only way to change a user from a guest to a member.

/Jeff



When a Visual Studio Team Services (VSTS) account is backed by Azure Active Directory (AAD), you may run into issues inside VSTS managing users who are GUESTS in the AAD. For example:

1. Changing the owner of a VSTS account to an AAD GUEST is not allowed.

2. If you are trying to add users to your VSTS account and see the message “AAD Guest users are not allowed to search in AAD.” (since the 01/17/2017 change, this shows as “No identities found.” for a user you know exists), then *YOU* are a GUEST in the AAD.

When you’re a GUEST in the AAD you don’t have permissions to fully search it or call its APIs (the ones VSTS uses). One way you can become an AAD GUEST is when you are made a co-admin on an Azure subscription before being added to the AAD associated with it. See http://blogs.technet.com/b/ad/archive/2014/08/15/prepping-for-new-management-features.aspx. You can actually be a Global Admin of an AAD and still be a GUEST in it. For example:

So how do you tell if someone is an AAD GUEST? Unfortunately, this is not displayed in any Azure UI (that I know of). The only way I know to check this is via the Azure AD PowerShell Module. Steps for that follow. When you do this, you *must* use a Work/School Account (WSA) to connect to your AAD, and that user *must* be a Global Admin in the AAD in order to change the user type of the person having trouble. Refer to the appendix at the bottom of this post for guidance on how to create a new AAD Global Admin.

  • Install the x64 Microsoft Online Services Sign-In Assistant 7.250.4556.0 for IT Professionals RTW from http://www.microsoft.com/en-us/download/details.aspx?id=41950
  • Install the Azure AD PowerShell Module
  • Start the Windows Azure Active Directory Module for Windows PowerShell tool
  • Execute Connect-MsolService. This connects you to your AAD. When prompted, enter the credentials of the WSA / AAD Global Admin referenced earlier.
  • Execute Get-MsolUser -SearchString "<display_name>" (where <display_name> is the display name of the user as seen in AAD user management inside the Azure portal; -SearchString matches the start of the display name or e-mail address, so part of the name is enough, and it can return more than one user). For example:


  • Locate your ID in the UserPrincipalName column and copy it. You will need it for the next steps.
  • Execute Get-MsolUser -UserPrincipalName <your ID> | fl (this lists the details of the account). Look at the UserType property.


If the UserType is Guest, you can make this user a Member by executing Set-MsolUser -UserPrincipalName <your ID> -UserType Member
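The steps above as one script, added here as an example and not code from the original post. It uses the same MSOnline (Azure AD v1) cmdlets as the steps, adds the check that the post says is required (the account you connect with is a Work/School Account that is a Global Admin) before changing anything, handles the case where the search string matches several users, and supports -WhatIf for a dry run. The credential prompt, the display name "Trevor" and the placeholder comments are assumptions for illustration; the module must already be installed.

```powershell
# Added example (not from the original post): check for, and fix, AAD Guest
# users with the MSOnline (Azure AD v1) PowerShell module.
# Assumptions: the MSOnline module is installed, and the credential you enter
# belongs to a Work/School Account (not a Microsoft Account) that is a Global
# Admin in the AAD backing the VSTS account. "Trevor" is a placeholder name.

Import-Module MSOnline

# Sign in as the WSA Global Admin. (-Credential does not work for accounts that
# require MFA; in that case call Connect-MsolService with no arguments.)
$cred = Get-Credential -Message "WSA Global Admin for the VSTS-backing AAD"
Connect-MsolService -Credential $cred

# The post requires the connecting account to be a WSA Global Admin. Verify the
# Global Admin half (MSOnline's name for the role is "Company Administrator")
# and flag a Guest account before touching any user.
function Test-ConnectedGlobalAdmin {
    param([Parameter(Mandatory)] [string] $Upn)
    $me = Get-MsolUser -UserPrincipalName $Upn
    if ($me.UserType -eq "Guest") {
        throw "$Upn is itself a Guest in this AAD; use a native Member account (see the appendix)."
    }
    $role = Get-MsolRole -RoleName "Company Administrator"
    $isGA = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
            Where-Object { $_.EmailAddress -eq $Upn }
    if (-not $isGA) {
        throw "$Upn is not a Global Admin; Set-MsolUser -UserType will be refused."
    }
}

# Find users whose display name starts with $DisplayName, report their
# UserType, and convert Guests to Members. -WhatIf shows what would change.
function Convert-AadGuestToMember {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $DisplayName)

    # -SearchString is a prefix match on display name / e-mail and may return
    # several users, so inspect every hit instead of assuming a single one.
    $found = Get-MsolUser -SearchString $DisplayName
    if (-not $found) {
        Write-Warning "No AAD users match '$DisplayName'"
        return
    }
    foreach ($u in $found) {
        $upn = $u.UserPrincipalName
        if ($u.UserType -ne "Guest") {
            Write-Host "$upn : UserType is $($u.UserType), nothing to do"
            continue
        }
        if ($PSCmdlet.ShouldProcess($upn, "Change UserType Guest -> Member")) {
            Set-MsolUser -UserPrincipalName $upn -UserType Member
            # Re-read the object rather than trusting a silent success.
            $after = (Get-MsolUser -UserPrincipalName $upn).UserType
            Write-Host "$upn : UserType is now $after"
        }
    }
}

Test-ConnectedGlobalAdmin -Upn $cred.UserName
Convert-AadGuestToMember -DisplayName "Trevor" -WhatIf   # dry run: lists the Guests it would change
Convert-AadGuestToMember -DisplayName "Trevor"           # apply
```

Run the -WhatIf line first: because -SearchString is a prefix match, a short string like "Tre" can pull in several accounts, and you want to see the list before any UserType changes.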

HTH,
Trev


Please see these posts for additional info:


APPENDIX: Creating a new AAD Global Admin


NOTE: References to <VSTS-AAD>.ONMICROSOFT.COM below are to the AAD backing your VSTS. Replace <VSTS-AAD> with the name of the AAD backing your VSTS. You can see the FQDN of the AAD backing your VSTS inside manage.windowsazure.com. For example, here we see two VSTS accounts, both backed by VSTSSupport.onmicrosoft.com:


1. Log into Manage.WindowsAzure.com and choose the subscription where you can access <VSTS-AAD>.ONMICROSOFT.COM (or the FQDN of the public VSTS-backing AAD)
2. Locate the Active Directory item in the left-hand vertical menu and click it.

3. Click the VSTS-backing AAD in the list
4. Click USERS in the horizontal menu along the top
5. Click ADD USER at the bottom of the screen


6. Fill in the details for the user, making sure the user’s role is set to Global Admin. We’ll name him “AAD-ADMIN”:

7. Finish the wizard, making sure you copy the temporary password. You have now created a new native user in your domain who is a Global Admin and who can change the troubled VSTS user from GUEST to MEMBER in the VSTS-backing AAD.

8. Our AAD-ADMIN@<VSTS-AAD>.ONMICROSOFT.COM user has a temporary password. He must log into Azure *once* in order to set a new password. If he doesn’t, the PowerShell commands will not work.

a. Go to Manage.WindowsAzure.com using an InPrivate IE session.
b. Log in as AAD-ADMIN@<VSTS-AAD>.ONMICROSOFT.COM using the temp password and change the password when prompted.

Then run the PowerShell steps above, entering AAD-ADMIN@<VSTS-AAD>.ONMICROSOFT.COM when prompted to connect to your AAD.