Share via


User and permissions management FAQs

TFS 2018

Learn the answers to the following frequently asked questions (FAQs) about user and permissions management in Azure DevOps. FAQs are grouped by the following subjects:

General permissions

Q: What happens if I forget my password?

A: You can recover your Microsoft account password or recover your work or school account password if your organization turned on this feature. Otherwise, contact your Microsoft Entra administrator to recover your work or school account.

Q: Why can't I manage users?

A: You must be a member of the Project Collection Administrators group or organization Owner to manage users at the organization level. To get added, see Change permissions at the organization or collection-level.

Q: How do I find the organization owner?

A: If you have at least Basic access, you can find the current owner in your organization settings.

  1. Go to your Organization settings.

    Screenshot showing highlighted Organization settings button.

  2. Find the current owner.

    Find the current owner in organization information

Q: How do I find a Project Collection Administrator?

A: If you have at least Basic access, you can find a member of the Project Collection Administrators group in your organization's or collection's settings.

For more information, see Look up a project administrator.

Visual Studio subscriptions

Q: When do I select "Visual Studio/MSDN Subscriber"?

A: Assign this access level to users who have active, valid Visual Studio subscriptions. Azure DevOps automatically recognizes and validates Visual Studio subscribers who have Azure DevOps as a benefit. You need the email address that's associated with the subscription.

If the user doesn't have a valid, active Visual Studio subscription, they can work only as a Stakeholder.

Q: Which Visual Studio subscriptions can I use with Azure DevOps?

Q: Why won't my Visual Studio subscription validate?

Q: Why do Visual Studio subscriber access levels change after a subscriber signs in?

A: Azure DevOps recognizes Visual Studio subscribers. Users automatically have access, based on their subscription, not on the current access level assigned to the user.

Q: What happens if a user's subscription expires?

A: If no other access levels are available, users can work as Stakeholders. To restore access, a user must renew their subscription.

User access

Q: What does "Last Access" mean in the All Users view?

A: The value in Last Access is the last date a user accessed any resources or services. Accessing Azure DevOps includes using organizationname.visualstudio.com directly and using resources or services indirectly. For example, you might use the Azure Artifacts extension, or you can push code to Azure DevOps from a Git command line or IDE.

Q: Can a user who has paid for Basic access join other organizations?

A: No, a user can join only the organization for which the user has paid for Basic access. But a user can join any organization where free users with Basic access are still available. The user can also join as a user with Stakeholder access for free.

Q: Why can't users access some features?

A: Make sure that users have the correct access level assigned to them.

Some features are available only as extensions. You need to install these extensions. Most extensions require you to have at least Basic access, not Stakeholder access. Check the extension's description in the Visual Studio Marketplace, Azure DevOps tab.

For example, to search your code, you can install the free Code Search extension, but you need at least Basic access to use the extension.

To help your team improve app quality, you can install the free Test & Feedback extension, but you get different capabilities based on your access level and whether you work offline or connected to Azure DevOps Services.

Some Visual Studio subscribers can use this feature for free, but Basic users need to upgrade to Basic + Test Plans access before they can create test plans.

Q: Why does a user lose access to some features?

A: A user can lose access for the following reasons (although the user can continue to work as a Stakeholder):

  • The user's Visual Studio subscription has expired. Meanwhile, the user can work as a Stakeholder, or you can give the user Basic access until the user renews their subscription. After the user signs in, Azure DevOps restores access automatically.

  • The Azure subscription used for billing is no longer active. All purchases made with this subscription are affected, including Visual Studio subscriptions. To fix this issue, visit the Azure account portal.

  • The Azure subscription used for billing was removed from your organization. Learn more about linking your organization.

  • Your organization has more users with Basic access than the number of users that you're paying for in Azure. Your organization includes five free users with Basic access. If you need to add more users with Basic access, you can pay for these users.

Otherwise, on the first day of the calendar month, users who haven't signed in to your organization for the longest time lose access first. If your organization has users who don't need access anymore, remove them from your organization.

Q: How does my user account inherit permissions from other Microsoft Entra groups?

A: If a user is in more than one Microsoft Entra group, a DENY permission set in one group applies to the user in all groups the user is in. Because the permission is set to DENY for the user at the lowest possible level, the user's usage of the resource is affected in all groups they are in because denial always takes precedence.

For example, if a user is in the Contributor group and in the Project Administrator group and DENY is set for a specific permission in the Contributor group, that permission is denied for the user in the Project Administrator group, too. In this scenario, you can use the Not set option.

For more information about permissions states, see Permission states.

Change app access policies for your organization

Q: How do personal access tokens differ from alternate authentication credentials?

A: Personal access tokens are a more convenient and secure replacement for alternate authentication credentials. You can limit a token's use to a specific lifetime, to an organization, and to scopes of activities that the token authorizes. Learn more about personal access tokens.

Q: If I deny access to one authentication method in one organization, does that affect all the organizations that I own?

A: No, you can still use that method in all the other organizations that you own. Personal access tokens apply to specific organizations or to all organizations, based on your selection when you created the token.

Q: If I deny access to an authentication method, then allow access again, will the apps that need access continue to work?

A: Yes, those apps continue to work.

Leave your organization

Q: How do I remove myself from an organization when the owner isn't available to remove me?

A: To remove yourself from an organization, do the following steps:

  1. Go to aex.dev.azure.com.

  2. Select the organization, and then choose Leave.

    Member removing their self from the organization

  3. Confirm that you want to Leave the organization.

    Screenshot showing confirmation for leaving the organization.

Group-based licensing

Q: Will my users lose their access level and project membership if I remove a group rule?

A: Users in the group TestGroup lose access to group resources if the users haven't been explicitly assigned to the resources or assigned via a different group rule.

remove-test-group-group-rule-managing_group-based-licensing

Q: Will my Azure DevOps or Microsoft Entra group be deleted if I remove its group rule?

A: No. Your groups won't be deleted.

Q: What does the option "Remove <group> from all project level groups" do?

A: This option removes the Azure DevOps or Microsoft Entra group from any project-level default groups, such as Project Readers or Project Contributors.

Q: What determines the final access level if a user is in more than one group?

A: Group rule types are ranked in the following order: Subscriber > Basic + Test Plans > Basic > Stakeholder. Users always get the best access level between all the group rules, including Visual Studio subscription.

See the following examples, showing how the subscriber detection factors into group rules.

Example 1: group rule gives me more access

If I have a Visual Studio Pro subscription and I'm in a group rule that gives me Basic + Test Plans – what happens?

Expected: I get Basic + Test Plans because what the group rule gives me is greater than my subscription.

Example 2: group rule gives me the same access

I have a Visual Studio Test Pro subscription and I'm in a group rule that gives me Basic + Test Plans what happens?

Expected: I get detected as a Visual Studio Test Pro subscriber, because the access is the same as the group rule, and I'm already paying for the Visual Studio Test Pro, so I wouldn't want to pay again.

Add members to projects

Q: Why can't I add any more members to my project?

A: Your organization is free for the first five users with Basic access. You can add unlimited Stakeholders and Visual Studio subscribers for no extra charge. After you assign all five free users with Basic access, you can continue adding Stakeholders and Visual Studio subscribers.

To add six or more users with Basic access, you need to set up billing in Azure. Then, you can pay for more users who need Basic access, return to your organization, add these users, and assign them Basic access. When billing is set up, you pay monthly for the extra users' access. And can cancel at any time.

If you need more Visual Studio subscriptions, learn how to buy subscriptions.

Q: Why can't some users sign in?

A: This problem might happen because users must sign in with Microsoft accounts unless your organization controls access with Microsoft Entra ID. If your organization is connected to Microsoft Entra ID, users must be directory members to get access.

If you're a Microsoft Entra Administrator, you can add users to the directory. If you're not a Microsoft Entra Administrator, work with the directory administrator to add them. Learn about controlling organization access with Microsoft Entra ID.

Q: Why did some users lose access to certain features?

A: Loss of access might happen for different reasons.

Q: How do I remove users from my organization?

A: Learn how to delete users across all projects in your organization. If you paid for more users but don't need their organization access anymore, you must reduce your paid users to avoid charges.

Q: Why can't I find members from my connected Microsoft Entra ID, even though I'm the global admin?

A: You're probably a guest in the Microsoft Entra instance that backs Azure DevOps. By default, Microsoft Entra guests can't search in Microsoft Entra ID. That's why you aren't finding users in your connected Microsoft Entra ID to add to your organization.

First, check to see if you're a Microsoft Entra guest:

  1. Go to the Settings section of your organization. Look at the lower Microsoft Entra ID section. Make a note of the tenant that backs your organization.

  2. Sign in to the new Azure portal, portal.azure.com. Check your user profile in the tenant from step 1. Check the User type value shown as follows:

    Check user type in the Azure portal

If you're a Microsoft Entra guest, do one of the following steps:

  • Have another Azure DevOps admin, who isn't a Microsoft Entra guest, manage the users in Azure DevOps for you. Members of the Project Collection Administrators group inside Azure DevOps can administer users.
  • Have the Microsoft Entra admin remove your account from the connected directory and re-add it. The admin needs to make you a Microsoft Entra member rather than a guest. See Can Microsoft Entra B2B users be added as members instead of guests?
  • Change the User Type of the Microsoft Entra guest by using Microsoft Graph PowerShell. We don't advise using the following process, but it works and allows the user to query Microsoft Entra ID from Azure DevOps thereafter.
  1. Download and install Microsoft Graph PowerShell.

    PS Install-Module -Name Microsoft Graph
    
  2. Open PowerShell and run the following cmdlets.

    a. Connect to Microsoft Entra ID:

    PS Connect-MgGraph -Scopes 'User.Read.All'
    

    b. Find the objectId of the user:

    PS Get-MgUser -Filter "UserPrincipalName eq '<YourUPN>'"
    

    c. Check the usertype attribute for this user to see if they're a guest or member:

    PS Get-MgUser -UserId <Id> -Property DisplayName, ID, UserPrincipalName, UserType | Select DisplayName, ID, UserPrincipalName, UserType 
    

    d. Change the usertype from member to guest:

    PS Update-MgUser -UserID <replace the  ID for the result of the command to search> -UserType Member
    

Q: Why don't users appear or disappear promptly in Azure DevOps after I add or delete them in the Users hub?

A: If you experience delays finding new users or having deleted users promptly removed from Azure DevOps (for example, in drop-down lists and groups) after you add or delete users, file a problem report on Developer Community so we can investigate.

Q: Why do I have to choose between a "work or school account" and my "personal account"?

A: This happens when you sign in with an email address (for example, jamalhartnett@fabrikam.com) that's shared by your personal Microsoft account and by your work account or school account. Although both identities use the same sign-in address, they're still separate identities. The two identities have different profiles, security settings, and permissions.

  • Select Work or school account if you used this identity to create your organization, or if you previously signed in with this identity. Your identity is authenticated by your organization's directory in Microsoft Entra ID, which controls access to your organization.

  • Select Personal account if you used your Microsoft account with Azure DevOps. Your identity is authenticated by the global directory for Microsoft accounts.

Q: Why can't I sign in after I select "personal Microsoft account" or "work or school account"?

A: When your sign-in address is shared by your personal Microsoft account and by your work account or school account, but your selected identity doesn't have access, you can't sign in. Although both identities use the same sign-in address, they're separate: they have different profiles, security settings, and permissions.

Sign out completely from Azure DevOps by completing the following steps. Closing your browser might not sign you out completely. Sign in again and select your other identity:

  1. Close all browsers, including browsers that aren't running Azure DevOps.

  2. Open a private or incognito browsing session.

  3. Go to this URL: https://aka.ms/vssignout.

    You see a message that says, "Sign out in progress." After you sign out, you're redirected to the Azure DevOps @dev.azure.microsoft.com webpage.

    Tip

    If the sign-out page takes more than a minute to sign you out, close the browser and continue.

  4. Sign in to Azure DevOps again. Select your other identity.

Q: How do I get help or support for Azure DevOps?

A: You have the following options for support: