Create Azure organization outside of organizational account - azure

I have a couple open source projects hosted on GitHub where I would like to use Azure pipelines for automated testing, building, and deploying. These projects typically involve collaborating with others outside my institution. My Azure account is an Organizational account for the University where I work. If I create an organization on Azure it ends up being "owned" by my University which means that collaborators have to go through some extra hoops to get access to the Azure organization (become a user or project admin). We've also considered having my collaborator create the organization, but their account is also tied to their institution and has even more restrictions.
Apart from making a separate Azure account on a separate email, is there any way that I can make an organization that isn't "owned" by my University?

You could create a new DevOps organization, and disconnect the AAD from Organization Settings -- Azure Active Directory, then you could add the external users in this organization. In this way, external users won't be added in the azure.

Related

Is't possible to merge two DevOps accounts?

I wish move from Microsoft personal DevOps Account to my O365 Account Tenant where I run Azure, too.
Is't possible to mantein the benefits, too?
What you can do is that transfer Transfer Azure DevOps to New Azure Account
Add a AAD member which is a Microsoft account to your Azure DevOps organization.
Add this AAD member to Project collection Administrators group.
Log into the Azure portal and connect the organization to AAD.
Then you could login to your Azure DevOps organization with AAD member
To merge two Azure DevOps account, there is no such kind of feature at the moment.
A related user voice here:
make it possible to move a Team Project between Team Project Collections
https://developercommunity.visualstudio.com/content/idea/365365/make-it-possible-to-move-a-team-project-between-te-1.html
Any other 3rd party extension or tool will not keep history info. Suggest you use two organization separately to keep history. Or manually merge it without history.

How can I add an Azure DevOps Organization user if the organization owner is just a guest of the linked Azure AD and not a domain member?

I have an Azure Devops organization that is linked to an Azure Active Directory. This organization has projects and pipelines for deploying applications to App Services in the linked Azure AD.
Recently, one of my user account (the one with the Visual Studio Enterprise Subscription) was made the organization owner and all other project users were deleted. However, my account that is now the only user in the Azure DevOps organization is just a guest account type of the linked Azure Ad, and not an actual member of the Azure AD.
I need to add new users back to the organization but since my user account is just a guest of the linked Azure AD, when I try to add users, I get an info dialog that states that since I am only a Guest of the Azure AD domain, I can't see the domain members I want to add and so the add user process fails.
As I stated earlier, my account is the Organization Owner. I also assigned my guest user account to the Global Administrators role in the linked Azure AD, but I still cannot add domain users to the Azure DevOps organization.
This organization has production code in the repo as well as build and deployment pipelines that I do not want to lose access to or lose the ability to deploy to the App Services in the linked Azure AD, so I am concerned about taking any action until I know exactly what I need to do to be able to add users from the linked Azure AD into the organization.
Any advice as to how I can add users from the linked Azure AD back to this organization would be greatly appreciated.
This is just a guess, but DevOps could be looking at your userType and show the message based on that.
Global admin would definitely allow you to list the users.
You could try using PowerShell to change your userType from Guest to Member.
E.g. with AAD PowerShell v2:
Set-AzureADUser -ObjectId 'your-user-object-id-in-tenant' -UserType 'Member'
It's actually something that isn't super-well-known.
Guest/member and local/external user are two different things.
External users just become Guests by default, which restricts what they can do.
Add the guest users to Azure AD directly, before you try to give them access in DevOps. After adding a new guest user, that new guest can be given access to DevOps by your subscription admin.
Or create yourself a domain user in your Azure AD with the proper privileges too.
e.g. If your Azure AD domains is "MyMsdnAzureADDomain.onmicrosoft.com" (or a Custom Doamin like "mycompany.com" if you have such domain registered in Azure).
A) Create new domain user in MyMsdnAzureADDomain.onmicrosoft.com
The new user is would be MyNewUser#MyMsdnAzureADDomain.onmicrosoft.com
B) Give that new user full admin in Azure AD and your DevOps (or tailor your permissions to your needs).
C) Login into Azure using that new user to manage your DevOps.

How to move an Azure application created under a personal account to a directory?

I have an application in Azure that's listed under 'App registrations' -> 'Applications from personal account' that I would like to move to a directory so other users in the company can manage it.
There's an info message that has this to say about personal account applications:
These applications are associated with the account xxxxxxxxxxxxx but
are not contained within any directory. They are shown here so you
can manage them, but will not be available to other users or admins in
this directory.
Is there any way to move it? I haven't been able to find any info on this, and seeing as it's in use in the wild by thousands of users I would prefer not to create a new one and have them re-authorize.
I have confirmed this with Azure support engineer. The answer is no. Here is the reply. Hope it helps.
Your applications were created in converged app portal by your
Microsoft account. After lab tested, the Apps owner cannot be changed
to a work account because the MSA account is not contained within any
AAD. The workaround would be re-create it in the new tenant for your
application.

Move team service account from personal to work subscription

I have an account in VSTS, which have both personal and work account. I have a project named abc.visualstudio.com under my work account. I would like to change this project to my personal account.
Changing ownership to a different person is quiet easy in VSTS. Changing a project from one directory to another of the same person is a bit tricky and I am struggling to get this done.
Make sure that "xyz#hotmail.com" is the current owner of the VSTS account and then disconnect the VSTS account from the linked Azure AD, the owner will switch to the Microsoft Account with "xyz#hotmail.com".
One important thing you need to know is that disconnecting VSTS from AAD will cause the other users who use the work account cannot sign in. So you need to make sure that all the other users also switch to microsoft account.

Can I give someone limited access to an Azure account?

I want to outsource the development of a WordPress website that will be hosted in Azure. Is there a way to create a Cloud Service that I can give someone access to, but at the same time not giving them my Azure subscription credentials?
From an Azure subscription perspective, you can only grant co-admin privilege; a co-admin gets full access to a subscription. This leaves you with a few options (I'm sure you can think of others):
Set up a separate subscription solely for the outsourced WordPress work. At completion of project, you can choose to remove the co-admin rights of the subscription
Grant admin access to the WordPress site, along with specific Azure resource keys (e.g. storage account namespace+key; service bus, MySQL credentials, etc.) for your developer to do the work. You can always change access keys once the project is completed
Have your developer set up WordPress in their own subscription, and then transfer the contents to your subscription when the project is complete.
EDIT - I slightly misunderstood the question, and was thinking the outsourced dev needed certain subscription-level resources. As Mike pointed out, source control is a good solution for Web Sites. You'd still need to set up resources such as Storage accounts if you don't want to set them up as co-admin.
If you are using Cloud Services then you could set up continuous integration between TFS and your cloud service. This would allow you to give the other person their own accounts to your TFS source code. Thus they check in and trigger the build, and it deploys. They don't have access.
If you don't have to have Cloud Service then you also have the same option with Windows Azure Web Sites (it's under development so this should be fine to run in even under the free, and bump up if you want to load test, etc.). With that you can give ftp access only, or also set up TFS or GIT source control integration.

Resources