User and permissions management FAQs

A: You can recover your Microsoft account password or recover your work or school account password if your organization turned on this feature. Otherwise, contact your Microsoft Entra administrator to recover your work or school account.

A: You must be a member of the Project Collection Administrators group or organization Owner to manage users at the organization level. To get added, see Change permissions at the organization or collection-level.

A: If you have at least Basic access, you can find the current owner in your organization settings.

1. Go to your Organization settings.

   

2. Find the current owner.

   

A: If you have at least Basic access, you can find a member of the Project Collection Administrators group in your organization's or collection's settings.

A: Assign this access level to users who have active, valid Visual Studio subscriptions. Azure DevOps automatically recognizes and validates Visual Studio subscribers who have Azure DevOps as a benefit. You need the email address that's associated with the subscription.

If the user doesn't have a valid, active Visual Studio subscription, they can work only as a Stakeholder.

A: See Azure DevOps benefits for Visual Studio subscribers.

A: See Why won't Azure DevOps recognize my Visual Studio subscription?

A: Azure DevOps recognizes Visual Studio subscribers. Users automatically have access, based on their subscription, not on the current access level assigned to the user.

A: If no other access levels are available, users can work as Stakeholders. To restore access, a user must renew their subscription.

A: The value in Last Access is the last date a user accessed any resources or services. Accessing Azure DevOps includes using organizationname.visualstudio.com directly and using resources or services indirectly. For example, you might use the Azure Artifacts extension, or you can push code to Azure DevOps from a Git command line or IDE.

A: No, a user can join only the organization for which the user has paid for Basic access. But a user can join any organization where free users with Basic access are still available. The user can also join as a user with Stakeholder access for free.

A: Make sure that users have the correct access level assigned to them.

• Learn how to manage users and access levels for Azure DevOps.

• Learn how to change access levels for Azure DevOps Server.

Some features are available only as extensions. You need to install these extensions. Most extensions require you to have at least Basic access, not Stakeholder access. Check the extension's description in the Visual Studio Marketplace, Azure DevOps tab.

For example, to search your code, you can install the free Code Search extension, but you need at least Basic access to use the extension.

To help your team improve app quality, you can install the free Test & Feedback extension, but you get different capabilities based on your access level and whether you work offline or connected to Azure DevOps Services.

Some Visual Studio subscribers can use this feature for free, but Basic users need to upgrade to Basic + Test Plans access before they can create test plans.

• Learn how to get extensions for Azure DevOps.
• Learn how to get extensions for Azure DevOps Server.
• Learn how to buy access to Azure DevOps Server Test.

A: A user can lose access for the following reasons (although the user can continue to work as a Stakeholder):

• The user's Visual Studio subscription has expired. Meanwhile, the user can work as a Stakeholder, or you can give the user Basic access until the user renews their subscription. After the user signs in, Azure DevOps restores access automatically.

• The Azure subscription used for billing is no longer active. All purchases made with this subscription are affected, including Visual Studio subscriptions. To fix this issue, visit the Azure account portal.

• The Azure subscription used for billing was removed from your organization. Learn more about linking your organization.

• Your organization has more users with Basic access than the number of users that you're paying for in Azure. Your organization includes five free users with Basic access. If you need to add more users with Basic access, you can pay for these users.

Otherwise, on the first day of the calendar month, users who haven't signed in to your organization for the longest time lose access first. If your organization has users who don't need access anymore, remove them from your organization.

A: If a user is in more than one Microsoft Entra group, a DENY permission set in one group applies to the user in all groups the user is in. Because the permission is set to DENY for the user at the lowest possible level, the user's usage of the resource is affected in all groups they are in because denial always takes precedence.

For example, if a user is in the Contributor group and in the Project Administrator group and DENY is set for a specific permission in the Contributor group, that permission is denied for the user in the Project Administrator group, too. In this scenario, you can use the Not set option.

For more information about permissions states, see Permission states.

A: Personal access tokens are a more convenient and secure replacement for alternate authentication credentials. You can limit a token's use to a specific lifetime, to an organization, and to scopes of activities that the token authorizes. Learn more about personal access tokens.

A: No, you can still use that method in all the other organizations that you own. Personal access tokens apply to specific organizations or to all organizations, based on your selection when you created the token.

A: Yes, those apps continue to work.

A: To remove yourself from an organization, do the following steps:

1. Go to aex.dev.azure.com.

2. Select the organization, and then choose Leave.

   

3. Confirm that you want to Leave the organization.

   

A: Users in the group TestGroup lose access to group resources if the users haven't been explicitly assigned to the resources or assigned via a different group rule.

A: No. Your groups won't be deleted.

A: This option removes the Azure DevOps or Microsoft Entra group from any project-level default groups, such as Project Readers or Project Contributors.

A: Group rule types are ranked in the following order: Subscriber > Basic + Test Plans > Basic > Stakeholder. Users always get the best access level between all the group rules, including Visual Studio subscription.

See the following examples, showing how the subscriber detection factors into group rules.

Example 1: group rule gives me more access

If I have a Visual Studio Pro subscription and I'm in a group rule that gives me Basic + Test Plans – what happens?

Expected: I get Basic + Test Plans because what the group rule gives me is greater than my subscription.

Example 2: group rule gives me the same access

I have a Visual Studio Test Pro subscription and I'm in a group rule that gives me Basic + Test Plans what happens?

Expected: I get detected as a Visual Studio Test Pro subscriber, because the access is the same as the group rule, and I'm already paying for the Visual Studio Test Pro, so I wouldn't want to pay again.

A: Your organization is free for the first five users with Basic access. You can add unlimited Stakeholders and Visual Studio subscribers for no extra charge. After you assign all five free users with Basic access, you can continue adding Stakeholders and Visual Studio subscribers.

To add six or more users with Basic access, you need to set up billing in Azure. Then, you can pay for more users who need Basic access, return to your organization, add these users, and assign them Basic access. When billing is set up, you pay monthly for the extra users' access. And can cancel at any time.

If you need more Visual Studio subscriptions, learn how to buy subscriptions.

A: This problem might happen because users must sign in with Microsoft accounts unless your organization controls access with Microsoft Entra ID. If your organization is connected to Microsoft Entra ID, users must be directory members to get access.

If you're a Microsoft Entra Administrator, you can add users to the directory. If you're not a Microsoft Entra Administrator, work with the directory administrator to add them. Learn about controlling organization access with Microsoft Entra ID.

A: Loss of access might happen for different reasons.

A: Learn how to delete users across all projects in your organization. If you paid for more users but don't need their organization access anymore, you must reduce your paid users to avoid charges.

A: You're probably a guest in the Microsoft Entra instance that backs Azure DevOps. By default, Microsoft Entra guests can't search in Microsoft Entra ID. That's why you aren't finding users in your connected Microsoft Entra ID to add to your organization.

First, check to see if you're a Microsoft Entra guest:

1. Go to the Settings section of your organization. Look at the lower Microsoft Entra ID section. Make a note of the tenant that backs your organization.

2. Sign in to the new Azure portal, portal.azure.com. Check your user profile in the tenant from step 1. Check the User type value shown as follows:

   

If you're a Microsoft Entra guest, do one of the following steps:

• Have another Azure DevOps admin, who isn't a Microsoft Entra guest, manage the users in Azure DevOps for you. Members of the Project Collection Administrators group inside Azure DevOps can administer users.
• Have the Microsoft Entra admin remove your account from the connected directory and re-add it. The admin needs to make you a Microsoft Entra member rather than a guest. See Can Microsoft Entra B2B users be added as members instead of guests?
• Change the User Type of the Microsoft Entra guest by using Microsoft Graph PowerShell. We don't advise using the following process, but it works and allows the user to query Microsoft Entra ID from Azure DevOps thereafter.

1. Download and install Microsoft Graph PowerShell.

   PS Install-Module -Name Microsoft Graph
   

2. Open PowerShell and run the following cmdlets.

   a. Connect to Microsoft Entra ID:

   PS Connect-MgGraph -Scopes 'User.Read.All'
   

   b. Find the objectId of the user:

   PS Get-MgUser -Filter "UserPrincipalName eq '<YourUPN>'"
   

   c. Check the usertype attribute for this user to see if they're a guest or member:

   PS Get-MgUser -UserId <Id> -Property DisplayName, ID, UserPrincipalName, UserType | Select DisplayName, ID, UserPrincipalName, UserType 
   

   d. Change the usertype from member to guest:

   PS Update-MgUser -UserID <replace the  ID for the result of the command to search> -UserType Member
   

A: If you experience delays finding new users or having deleted users promptly removed from Azure DevOps (for example, in drop-down lists and groups) after you add or delete users, file a problem report on Developer Community so we can investigate.

Q: Why do I have to choose between a "work or school account" and my "personal account"?

A: This happens when you sign in with an email address (for example, jamalhartnett@fabrikam.com) that's shared by your personal Microsoft account and by your work account or school account. Although both identities use the same sign-in address, they're still separate identities. The two identities have different profiles, security settings, and permissions.

• Select Work or school account if you used this identity to create your organization, or if you previously signed in with this identity. Your identity is authenticated by your organization's directory in Microsoft Entra ID, which controls access to your organization.

• Select Personal account if you used your Microsoft account with Azure DevOps. Your identity is authenticated by the global directory for Microsoft accounts.

Q: Why can't I sign in after I select "personal Microsoft account" or "work or school account"?

A: When your sign-in address is shared by your personal Microsoft account and by your work account or school account, but your selected identity doesn't have access, you can't sign in. Although both identities use the same sign-in address, they're separate: they have different profiles, security settings, and permissions.

Sign out completely from Azure DevOps by completing the following steps. Closing your browser might not sign you out completely. Sign in again and select your other identity:

1. Close all browsers, including browsers that aren't running Azure DevOps.

2. Open a private or incognito browsing session.

3. Go to this URL: https://aka.ms/vssignout.

   You see a message that says, "Sign out in progress." After you sign out, you're redirected to the Azure DevOps @dev.azure.microsoft.com webpage.

   Tip

   If the sign-out page takes more than a minute to sign you out, close the browser and continue.

4. Sign in to Azure DevOps again. Select your other identity.

Q: How do I get help or support for Azure DevOps?

A: You have the following options for support:

• Report a problem with Azure DevOps on Developer Community.
• Provide a suggestion on Developer Community
• Get advice on Stack Overflow
• View the archives of the Azure DevOps forum on MSDN

Related articles

• Access with Microsoft Entra ID FAQ
• Configure and customize organization FAQ
• Set up Visual Studio FAQ