Anyone who has built an application in Visual Studio that uses several services (e.g. roaming Visual Studio settings, accessing Azure services in Server Explorer, or using Windows Store) has probably experienced what we’ve come to call “sign-in Whack-A-Mole,” with prompts popping up when you least expect them to. In Visual Studio 2015 we introduced an account manager to reduce how often Visual Studio needs to prompt for credentials and to make it easier for you to switch among different user accounts within the IDE.
You’ll see the account manager utilized in various places inside the Visual Studio 2015 user interface, but the central place of account management resides In File -> Account Settings.
Let’s take a deeper look at how the account manager works.
Many Services, Many User Accounts
There were two general types of authentication workflows we saw in Visual Studio 2013 and earlier:
Multiple Services. Online services such as Azure, Office 365, and Visual Studio Online managed their users’ authentication tokens separately. Additionally, re-entering your credentials only refreshed the token for that one feature, leaving other features unauthenticated. This meant that the number of times you had to sign in grew with the number of different services you used, even if you were signing in with the same account.
Multiple Accounts. If you used multiple user accounts (e.g. separate accounts for work and home, or for development and testing), it could be even more complex, and switching between these user accounts required signing out and signing back in.
Visual Studio 2015 helps with both.
First, it unifies the sign-in experience so that authenticating with an account once enables access to all services you use with that user account. For example, if you signed into the IDE with your Microsoft account, which is also an admin for an Azure subscription, Visual Studio will simultaneously authenticate you to use the Azure services inside Server Explorer. Additionally, if you recently refreshed your credentials for one service (e.g. your Azure subscription), they’re refreshed for all. This statement applies to adding Application Insights from the New Project dialog, or to adding Mobile Services or Storage from the new Connected Services dialog. What’s even better is that this single sign-on feature works across the Visual Studio family of applications including Blend. Visual Studio manages the access tokens across applications, so once you authenticate an account in one app, the tokens across apps refresh in unison.
Second, we added a system for managing your accounts centrally in Visual Studio so that you have one place to view, add, or remove the multiple accounts the IDE knows about. You can view the managed accounts in the Account Settings dialog, under the File menu. All the account-related features in Visual Studio use this same account manager, even if they are showing it in different places in the UI. Using the new UI, you can easily switch between different accounts or add new accounts in situ, as you use online services such as Application Insights or Azure Mobile Services.
It’s important to note: Visual Studio isn’t storing your raw credentials. This quick intro to AAD is a good reference on how Azure Active Directory and the Active Directory Authentication Library (ADAL) works which make up the building blocks for Visual Studio’s new account manager. In short, what’s happening looks like this: when you sign in to an account inside Visual Studio, you are authenticating against a web-based identity provider (probably Azure Active Directory or the Microsoft Account provider). If the authentication is successful, the identity provider passes down delegated authentication tokens. The Visual Studio 2015 account management system simply facilitates secure handling and storing of these delegated tokens.
Improvements Still to Come
We’re not done yet. For example, you’ll see in some cases that Visual Studio will ask you to re-authenticate your Microsoft accounts after as little as 12 hours. We want to improve this, but in the meantime, there are some workarounds. If, for example, you create a “Work or School account” (formerly known as Organizational account) and make that account an administrator of your Azure subscription to access Azure resources, you’ll get a better single sign-on experience in Visual Studio. Unfortunately, you can’t sign in to the IDE (for example, to roam settings and to personalize the IDE) with an organizational ID yet. We’re working on addressing this issue, too.
Beyond Preview, more features such as Team Explorer, Office 365, and ASP.NET project creation will use the new shared account storage and management services.
We also plan to roam the list of user accounts (but not passwords or authentication tokens) with your personalization account to help you get started quickly on new devices. We’ll also touch up the account picker and make it behave more consistently across the product.
As always, we’re grateful for your feedback, suggestions, and any ideas you share on UserVoice and through the in-product Send-a-Smile UI. We’ll monitor comments on this post for a couple weeks but if you find a bug its best to log it directly on the Connect site or try out the new Send-a-Frown UI John mentioned to log a bug directly from the IDE.
Ji Eun Kwon
|Ji Eun Kwon, Program Manager, Visual Studio Platform
Ji Eun Kwon is a Program Manager on the Visual Studio Platform IDE team. She joined Microsoft a year ago, and since then has focused on identity and licensing experiences in Visual Studio.