“No identities found” adding users from Azure Active Directory to Visual Studio Team Services


[Updated May 15, 2018]

Scenario

  • Your Visual Studio Team Services (VSTS) account is backed by Azure Active Directory (AAD)
  • You are the a member of the Project Collection Administrators group inside VSTS
  • You are trying to add users to VSTS either on the Users Hub or in Security
  • You type in the name of a user who you know is in the AAD but you are told No identities found

addusernoidentfound

 

  • You also may see this error when trying to make yourself the owner of the VSTS account:aadguestcannotbevstsowner

 

 

Cause

You are probably a guest in the AAD that backs VSTS. By default AAD guests cannot search the AAD.

 

Resolution

First, check to see if you are an AAD guest:

    1. Go to the Settings section of your VSTS account (<account>.visualstudio.com/_admin/_home/settings) and look at the Azure Active Directory section at the bottom. Make a note of the tenant that backs your VSTS account.
    2. Log in to the new Azure portal (portal.azure.com) and check your user profile in the tenant from step 1. Check the User type value as seen below.

 

aad-guest

 

If you are an AAD guest you have a few options:

  1. Have another VSTS admin - someone who is not an AAD guest - manage the users in VSTS for you. Members of the Project Collection Administrators group inside VSTS can administer users.
  2. Have the AAD admin(s) remove you from the AAD and re-add you, making you an AAD member rather than a guest when they do. See "Can Azure AD B2B users be added as members instead of guests?" on https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-user-properties.
  3. Change the User Type of the AAD guest using Azure AD PowerShell. This is an advanced topic and is not advised, frankly, but it does work and allows the user to query AAD from VSTS thereafter:

Convert AAD UserType from Member to Guest using AAD PowerShell

Prerequisites for the user making the User Type change:

  1. *Must* use a Work\School Account (WSA): a native user in AAD. You cannot do this with a Microsoft Account
  2. *Must* be Global Admin in the AAD

I recommend you create a brand new (native) AAD user who is a Global Admin in the AAD then perform the steps below with that user. From experience helping people through this I know you run a high risk of problems, usually caused by connecting to the wrong AAD. Save yourself the headache and just make a new user. You can delete it when you're done.

  • Once the installation completes, execute Connect-AzureAD. You will be prompted to log in to the Azure AD. Be sure to use an ID that meets the criteria above.
  • Execute Get-AzureADuser -SearchString "<display_name>" (where <display_name> is part of or the entire display name for the user as seen inside the Azure portal). The command will return four columns for the user found - ObjectId, DisplayName, UserPrincipalName, UserType - and UserType should say "Guest".
  • Execute Set-AzureADUser -ObjectID <string> -UserType Member, where <string> is the value of ObjectId returned by the previous command. This should set the user to Member status.
  • Execute Get-AzureADuser -SearchString "<display_name>" again to verify the UserType has changed. You can also verify this in the Azure Active Directory section of the Azure Portal.

While not the norm, we have seen it take several hours or even days before this change is reflected inside VSTS. You may expedite it by signing into Visual Studio Profile (aka.ms/VsProfile) using the UPN that was just changed in AAD (when in profile, be sure to select the AAD in which the changes were made). If it doesn't fix your VSTS issue immediately, give it some time and keep trying.

HTH,
Trev


Please see these posts for additional info:

Comments (6)

  1. Matt says:

    This blog post helped me immensely! I had tried to change the role of a user in the new Azure Portal Active Directory page (currently in Preview). However, I was getting the message “Directory roles cannot be assigned to users that are guests”. Similarly, when adding a user that already exists in another directory, I see the message “xxx@xxx.com will be added as a guest”, and was then unable to assign them to a role. After running set-msoluser, I was able to assign them to a role.

    Here are a few important details that were missed in the article above:
    – I had to install the “Microsoft Azure Active Directory Module for Windows PowerShell Preview” from the following link:
    http://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=59185
    – You can run “get-msoluser” with no arguments to list all users in your organization.
    – You need to make the PowerShell buffer wider to see the complete UserPrincipalName column. This can be done using the icon in the corner of the window, selecting Properties, selecting the Layout tab, and entering 300 for the Screen Buffer Width.
    – I had to follow the directions in the Appendix to use the classic portal to create a AAD-Admin account because our main Global Admin account was not a work or school account. This meant that I was unable to use that account for the “connect-msolservice” step.
    – After logging into manage.windowsazure.net with aad-admin and changing the password, I get a message “No subscriptions found.” However, everything appears to have worked properly.

  2. Simon Hetzel says:

    Unfortunately my experience has been that if you set external users to “Member” then Office 365 external collaboration features (e.g. files shared with external users, Office Groups etc.) stop working for that user.

  3. Marilou Caro says:

    Really, this is a important internet site.

  4. Daniel says:

    great.

  5. Virginia Luther says:

    Thanks

  6. Great blog! I am loving it!! Will be back later to read some more. I am bookmarking your feeds also.

Skip to main content