“No identities found” adding users from Azure Active Directory to Azure DevOps


[Updated Feb 28, 2019]

Scenario

  • Your Azure DevOps org is backed by Azure Active Directory (AAD)
  • You are a member of the Project Collection Administrators group inside Azure DevOps
  • You are trying to add users to Azure DevOps either on the Users Hub or in Security
  • You type in the name of a user who you know is in the AAD but you are told No identities found


Cause

You are probably a guest in the AAD that backs the Azure DevOps org, rather than a member. By default, AAD guests cannot search the directory in the way Azure DevOps requires, so the lookup returns nothing.


Resolution

First, check to see if you are an AAD guest:

    1. Go to the Settings section of your Azure DevOps org (Dev.Azure.com/<org>/_settings) and look at the Azure Active Directory section. Make a note of the tenant that backs your Azure DevOps org.
    2. Log into portal.azure.com and check your user profile in the tenant from step 1. Check the User type value as seen below.


If you are an AAD guest you have a few options:

  1. Have another Azure DevOps org admin - someone who is not an AAD guest - manage the users in Azure DevOps for you. Members of the Project Collection Administrators group inside Azure DevOps can administer users, as can the owner.
  2. Have the AAD admin(s) remove you from the AAD and re-add you, making you an AAD member rather than a guest when they do. See "Can Azure AD B2B users be added as members instead of guests?" on https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-user-properties.
  3. Change the User Type of the AAD guest using Azure AD PowerShell. This is an advanced topic and is not advised, frankly, but it does work and allows the user to query AAD from the Azure DevOps org thereafter:

Convert AAD UserType from Guest to Member using AAD PowerShell

Prerequisites for the user making the UserType change:

  1. *Must* use a Work\School Account (WSA): a native user in AAD. You cannot do this with a Microsoft Account.
  2. *Must* be Global Admin in the AAD

I recommend you create a brand new (native) AAD user who is a Global Admin in the AAD then perform the steps below with that user. From experience helping people through this I know you run a high risk of problems, usually caused by connecting to the wrong AAD, if you don't. Save yourself the headache and just make a new user. You can delete it when you're done, after all.

  • Once the installation of the AzureAD PowerShell module completes, execute Connect-AzureAD. You will be prompted to log in to the Azure AD. Be sure to use an ID that meets the criteria above.
  • Execute Get-AzureADUser -SearchString "<display_name>" (where <display_name> is part of or the entire display name for the user as seen inside the Azure portal). The command returns four columns for the user found - ObjectId, DisplayName, UserPrincipalName, UserType - and UserType should say "Guest".
  • Execute Set-AzureADUser -ObjectId <string> -UserType Member, where <string> is the value of ObjectId returned by the previous command. This sets the user to Member status.
  • Execute Get-AzureADUser -SearchString "<display_name>" again to verify the UserType has changed. You can also verify this in the Azure Active Directory section of the Azure portal.
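
The four steps above, as an added example script (not the post's own code) that adds the two checks the warnings in this post point at: it pins the session to the tenant you noted in Azure DevOps settings so you cannot change a user in the wrong AAD, and it refuses to act unless the search string matches exactly one user. The tenant ID and display name are parameters you supply; everything else uses the AzureAD module cmdlets named in the steps.

```powershell
# Added example: convert one Azure AD guest to a member with the AzureAD module.
# Not the post's own script. $TenantId and $DisplayName are caller-supplied.
param(
    [Parameter(Mandatory)] [string] $TenantId,     # tenant noted in Azure DevOps org settings
    [Parameter(Mandatory)] [string] $DisplayName   # user to convert, as shown in the Azure portal
)

# Install-Module AzureAD   # run once if the module is not installed yet
Connect-AzureAD -TenantId $TenantId | Out-Null

# Guard against the "connected to the wrong AAD" mistake: the tenant the
# session landed in must be the one that backs the Azure DevOps org.
$tenant = Get-AzureADTenantDetail
if ($tenant.ObjectId -ne $TenantId) {
    throw "Connected to '$($tenant.DisplayName)' ($($tenant.ObjectId)), expected $TenantId"
}
Write-Host "Connected to tenant: $($tenant.DisplayName)"

# -SearchString is a prefix match, so it can return several users.
# Insist on exactly one hit before changing anything.
$hits = @(Get-AzureADUser -SearchString $DisplayName)
if ($hits.Count -ne 1) {
    $hits | Format-Table ObjectId, DisplayName, UserPrincipalName, UserType
    throw "Expected one user matching '$DisplayName', found $($hits.Count); refine the search string."
}
$user = $hits[0]

if ($user.UserType -eq 'Member') {
    Write-Host "$($user.UserPrincipalName) is already a Member; nothing to do."
    return
}

Write-Host "Converting $($user.UserPrincipalName) ($($user.ObjectId)) from $($user.UserType) to Member"
Set-AzureADUser -ObjectId $user.ObjectId -UserType Member

# Re-read by ObjectId rather than by search string to confirm the change stuck.
$after = Get-AzureADUser -ObjectId $user.ObjectId
if ($after.UserType -ne 'Member') {
    throw "UserType is still '$($after.UserType)' for $($after.UserPrincipalName)"
}
$after | Format-Table ObjectId, DisplayName, UserPrincipalName, UserType
```

Run it as the dedicated native Global Admin account recommended above; the change is visible immediately in AAD, while Azure DevOps may lag as the post describes.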

While not the norm, we have seen it take several hours or even days before this change is reflected inside Azure DevOps. You may expedite it by signing into Visual Studio Profile (aka.ms/VsProfile) using the UPN that was just changed in AAD (when in profile, be sure to select the AAD in which the changes were made). If it doesn't fix your Azure DevOps issue immediately, give it some time and keep trying.

HTH,
Trev


Please see these posts for additional info:

Comments (7)

  1. Matt says:

    This blog post helped me immensely! I had tried to change the role of a user in the new Azure Portal Active Directory page (currently in Preview). However, I was getting the message “Directory roles cannot be assigned to users that are guests”. Similarly, when adding a user that already exists in another directory, I see the message “xxx@xxx.com will be added as a guest”, and was then unable to assign them to a role. After running set-msoluser, I was able to assign them to a role.

    Here are a few important details that were missed in the article above:
    – I had to install the “Microsoft Azure Active Directory Module for Windows PowerShell Preview” from the following link:
    http://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=59185
    – You can run “get-msoluser” with no arguments to list all users in your organization.
    – You need to make the PowerShell buffer wider to see the complete UserPrincipalName column. This can be done using the icon in the corner of the window, selecting Properties, selecting the Layout tab, and entering 300 for the Screen Buffer Width.
    – I had to follow the directions in the Appendix to use the classic portal to create an AAD-Admin account because our main Global Admin account was not a work or school account. This meant that I was unable to use that account for the “connect-msolservice” step.
    – After logging into manage.windowsazure.net with aad-admin and changing the password, I get a message “No subscriptions found.” However, everything appears to have worked properly.

  2. Simon Hetzel says:

    Unfortunately my experience has been that if you set external users to “Member” then Office 365 external collaboration features (e.g. files shared with external users, Office Groups etc.) stop working for that user.

  3. Marilou Caro says:

    Really, this is an important internet site.

  4. Virginia Luther says:

    Thanks

  5. Great blog! I am loving it!! Will be back later to read some more. I am bookmarking your feeds also.

  6. Anonymous says:
    (The content was deleted per user request)