Cannot connect Azure DevOps organization to Azure Active Directory - azure

I have created an Azure DevOps organization. I have created it with my outlook account. I want to connect it to Azure Active Directory (AAD), Default Directory, on my Azure portal. I am using the free account on Azure portal which allows me to have one subscription. The AAD directory is shown below:
I want to connect my Azure DevOps organization to Azure Active Directory. I am using the same user in Azure portal and Azure DevOps. I have basically created both by the same account. I am following the instruction at this link to connect Azure DevOps organization to Azure AD. I emphasize that in my case both are created by the same email. However, in Azure DevOps Organization settings, by clicking on "connect directory" under "Azure Active Directory", I get an error that: "User myuser#outlook.com is a guest in the target AAD tenant Default Directory. The current organization policy does not allow guest users to access the organization. Change the policy setting to allow external guest access and try again."
This is what I see at organization settings in DevOps:
This is the error when I try to connect it to AAD:
When I check my user in Azure Active Directory I can see it has global admin role, and is a member, not guest! It is after all the user by which I have created this account and all the resources: (It is the user on the second row:)
As mentioned earlier, this user has global administrator role:
I also tried changing my policies at AAD side to be able to connect my DevOps project to AAD, but again it fails. This is how the policies are:
I basically don't know what else I should do to connect DevOps to AAD. Any help is appreciated.

When you log in to Azure DevOps, it logs in with Microsoft Directory.
You need to switch the tenant to your default directory
Then you would be able to link your Azure AD tenant to your Azure DevOps Organization

Related

I am getting an error while connecting AAD in azure devops

I am getting an error while connecting with AAD
User bhavyaaggarwal1993#outlook.com is a guest in the target AAD tenant Default Directory. The current organization policy does not allow guest users to access the organization. Change the policy setting to allow external guest access and try again.
Make sure your Azure DevOps Directory is connected to the same Default directory as your Azure AD tenant. refer to below:-
When I try to connect my Azure DevOps organization connected to Microsoft account Tenant like below, I get the same error code as yours:-
Log in to your Azure DevOps account click on your profile at right > My profile and check if your Microsoft Account is selected like below:-
When I visit the Azure DevOps organization part of this Microsoft account directory and try connecting my Azure AD tenant to this Azure DevOps organization, I get the same error code as yours like below:-
Make sure you change your Azure DevOps account directory to your Azure AD default directory like the below:-
Click on My profile
Change the Directory to your Azure AD Default Directory like the below:-
If there’s no Organization > Create one and Check your Organization settings > Azure Active Directory
Your Azure DevOps account will be connected to your Azure AD tenant like the below:-
By default, your bsaf-sgi-germany organization might be created inside Microsoft Account or another Directory than your Azure AD, change the Directory to Default like above.

No longer able to see existing projects in Azure Devops after connecting AAD

I was logged in to my AzureDevops account using my hotmail account.I then went to Organization Settings and then connected my Org to Azure AD.
After i logged out and logged in back again with the same account, i don't see anymore my projects which i was working on. I have disconnected my Azure AD and also tried switching directories but i am no longer able to see that particular organization anymore.
Any idea how to fix this or why this happened
Please check below points :
Try logging on to https://.visualstudio.com to see you can see the organization and projects, as stated in this.
Check Troubleshoot connecting to a project
You may not able to signin or access your organization unless your work or school account has the same email address as your Microsoft account.
Although you can add new work accounts to your organization, they're
treated as new users.
If you want to access all your work, including its history, you must
use the same sign-in addresses that you used before your organization
was connected to your Azure AD.
For that Add your Microsoft account as a member to your Azure AD Or
ask the owner of the organization who has proper permissions to map
any disconnected members to their Azure AD identities Or invite them
as guests into the Azure AD.
Invited user should use corresponding account, work/school account
for AAD based, personal account for the other.
So basically the user who makes the connection must confirm the following statements are true.
User exists in Azure AD as a member. If the user is an Azure AD guest, rather than member
User must have project collection administrator or owner of the organization
User must also have Azure Service Administrator or Coadministrator permissions for the Azure subscription that's linked to your organization in Azure DevOps.
User isn't using the Microsoft account identity that matches the Azure AD identity. For example, if the Microsoft account that users are currently using is jamalhartnett#fabrikam.com, the Azure AD identity they'll use after connecting is also jamalhartnett#fabrikam.com. Use a single identity that spans both applications, rather than two separate identities using the same email.
Add your work account as an administrator in your Azure DevOps organization
The AAD tenant should be same as the DevOps tenant to connect & Transfer the ownership of the organization to your work account.
Please see if you have followed the Prerequisites to Connect organization to Azure Active Directory
FAQ: to be refered
why dont i see my organization in the azure portal
why do i have to choose between a work or school account and my personal account
what if we cant use the same sign in addresses
Note: No other user than the owner of the organization will be able to see the organization under the “Azure DevOps organizations”
service in the Azure portal. Also, Azure DevOps does not support
multiple owners, like Azure services that support Role Based Access
Control (RBAC) do. An Azure DevOps organization will only have a
single owner at a time :reference
Please try to access https://aex.dev.azure.com/ and change domain to see if your organization is present in the list.
Or
You may need to open a support case on the Developer Community to help you out or raise a support request through azure portal.
References:
Lost organization after disconnecting it from Azure Active Directory-Stack Overflow
What not to do when Connecting Azure DevOps to
AzureAD |Josh Corrick |
Restore project - Azure DevOps Services | Microsoft Docs

Is it possible to use DevOps to deploy to an Azure App Service if I don't have access to Azure Active Directory?

I have a Azure For Student subscription through my university and I'm trying to work out how to deploy an Angular app to an Azure App Service using Azure Pipelines.
In my Release pipelines, in the step to deploy to an Azure App Service, I have to select a subscription. When I click Authorize I get the below error.
Seems I can't create a service connection because it requires access to Active Directory. I'm on my university's tenant so I don't have access to it.
Is there a way around this I can use Azure Pipelines if I don't have access to create accounts in Active Directory?
As the error explicityly says, There's no way to deploy this without being a Global Admin or Owner on the Azure Active Directory tenant.
Insufficient privileges to complete the operation.Ensure that the user
has permission to create an Azure Active Directory application.
This typically occurs when the system attempts to create an application in Azure AD on your behalf and this is a permission issue that may be due to the following causes:
The user has only guest permission in the directory
The user is not authorized to add applications in the directory
(1) If you only have guest permission in AAD ,please contact the admin to grant the minimum additional permissions to you. Let the admin to set Guest user permissions are limited to No.
(2) If you are the member of AAD, and just not be authorized to add applications in the directory. Go User settings, then change Users can register applications to Yes under App registrations section.
For details ,please refer to this troubleshoot document and similar ticket.

Using Managed Identity in Azure Pipelines: GetUserAccessToken: Failed to obtain an access token of identity. AAD returned silent failure

I am trying to run an Azure Resource Group Deployment task in Azure Pipelines. I have deployed an Azure Pipelines self-hosted agent on an Azure VM running Windows, and in my Azure DevOps organization I have set up an Azure Resource Manager service connection to a VM with a managed service identity.
However, I get the following error when trying to configure my Azure Resource Group Deployment task with my service connection with managed identity:
GetUserAccessToken: Failed to obtain an access token of identity . AAD returned silent failure.
Screenshot:
I have already verified that I granted access (Contributor) to the VM's managed identity to the target resource group:
The service connection is also scoped to the Azure subscription:
Any help on diagnosing this issue is appreciated. Thanks!
Failed to obtain an access token typically occur when your session has expired.
To resolve these issues:
Sign out of Azure Pipelines or TFS.
Open an InPrivate or incognito browser window and navigate to https://visualstudio.microsoft.com/team-services/.
If you are prompted to sign out, do so.
Sign in using the appropriate credentials.
Choose the organization you want to use from the list.
Select the project you want to add the service connection to.
Create the service connection you need by opening the Settings page. Then, select Services > New service connection > Azure Resource Manager.
Refer to:
https://learn.microsoft.com/en-us/azure/devops/pipelines/release/azure-rm-endpoint?view=azure-devops#sessionexpired
In case this is useful to anyone else, I had a similar issue when modifying service connections through Azure DevOps. The solution provided by Charlie Brown pointed me in the right direction: The user in AAD isn't automatically added to the Azure DevOps Enterprise Application, so if you run into this it may mean that you need to add the user or group that's trying to access it through DevOps.
In my case I just added myself as and owner and user through the Azure Portal -> Azure Active Directory -> Enterprise Applications -> Azure DevOps.
I didn't have to create another user, nor modify anything with MFA.
It appears that the issue comes about because it is the user account authenticated to Azure DevOps that is retrieving subscription information. Azure DevOps is not using the managed identity to retrieve the subscription information.
In particular, my original Azure DevOps user account had MFA turned on to authenticate to an Azure subscription (e.g. portal.azure.com), but did not have MFA turned on to authenticate to Azure DevOps (e.g. dev.azure.com/). I think that this was causing the issue when failing to get an access token:
I created a different user account in my Azure AD, gave it access to my Azure DevOps organization, and made sure that this new user account had Reader permissions over the target subscription and did not have MFA turned on. This resolved the issue of getting subscription info when using managed identity:
My scenario getting this error was adding a Service Connection to a Management Group in Azure DevOps
GetUserAccessToken: Failed to obtain an access token of identity
{{GUID}}. AAD returned silent failure.
Fix for me was adding my account as a Project Collection Admin in DevOps... details below:
Tried every permission possible ... GA, ROOT Mgmt Group Owner (via AAD setting), target Mgmt Group Owner, Subscription Owner, App Administrator... In devops i am a project admin and i have Admin security role in service connections.
Interesting diff i have here, my Azure AD home tenant is different from my Azure Subscription AD tenant (i am a B2B Guest).
I actually tried to use a different DevOps tenant that has an AAD tied to the Azure Subscription tenant and it WORKED :( This lead me to diving further into what is different. Aside from the DevOps->AAD link, I am also COLLECTION admin on the working one, and only a project admin on the failing one. I made sure I had Management Group Owner rights and then added my account as a Project Collection Admin - WORKED!
Ref: https://developercommunity.visualstudio.com/solutions/1246044/view.html

Azure DevOps and Azure Active Directory

I have the Azure DevOps organization called "Pay4it", which i want to connect to Azure Active Directory - I have treid to click "Connect directory", and a new window open and a error comes op:
We cannot find your account(jt#rc-pay4it.dk) in any Azure Active Directory. Please talk to the administrator of your company's Azure Active Directory to get your user account(jt#rc-pay4it.dk) added to that directory.
If i try to login into portal.azure.com with the username jt#rc-pay4it.dk it works fine, but still i have no Azure Active Directories in the dropdown.
I can't figure out what i'm missing, hopefully someone knows what i'm doing wrong.
I have attached a picture that shows the setup, the user created in Azure AD and that the user is owner of the organization in DevOps
The user who makes the connection must confirm the following statements are true.
User exists in Azure AD as a member. If the user is an Azure AD
guest, rather than member
User is a project collection administrator or owner of the
organization
User isn't using the Microsoft account identity that matches the
Azure AD identity. For example, if the Microsoft account that users
are currently using is jamalhartnett#fabrikam.com, the Azure AD
identity they'll use after connecting is also
jamalhartnett#fabrikam.com. Use a single identity that spans both
applications, rather than two separate identities using the same
email.
https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/connect-organization-to-azure-ad?view=azure-devops#prerequisites

Resources