We are using Visual Studio Team Services (was TFS Online) for our development and have added all the users from my company with a valid MSDN license. (username#company.com)
Now I have few developers from our client who also have a valid MSDN license from their company. When i'm trying to add my client developers in our TFS online, its not recognizing their names( maybe active directory ?).
Is there a way to add two different companies user in one team project?
If you are using Azure Active Directory (AAD) you need to add any users as a foreign principal to that directory.
You can add either an MSA or another AAD account to give them access. Works pretty good, and i have people from more than 6 different companies on mine.
To add users to a team project in Team Services, your team must sign in with Microsoft accounts unless your Team Services account uses a directory to control access. If it does, users must be directory members to get access. If you have directory administrator access, you can add usrs to the directory. If not, work with the directory administrator to add users. Check: https://www.visualstudio.com/en-us/get-started/setup/add-team-members-vs
Related
We have an issue. User is in the Contributors group of the VSTS project. Able to view dashboard and work items. Unable to view Repos. Need help. Any suggestions?
User needed an MSDN license to use Visual Studio in addition to being in the correct group of the VSTS project. Trial license was not good enough.
According to your description, highly doubt those users only have Stakeholder access level.
People with Stakeholder access level could not commit their work on branch and unable to view repos.
Assign Stakeholder access to those users who need to enter bugs,
view backlogs, boards, charts, and dashboards, but who don't buy basic access. Stakeholders can also view releases and manage release
approvals. Stakeholder access is free.
Source Link: About access levels
See Stakeholder access for details of features available to stakeholders.
The user should have either Basic access or Visual Studio subscription which include code feature.
Moreover, if it's still not able to see any other projects after giving them those access. There is another concept called Permissions in Azure DevOps. Double check the permission for Contributor group.
Also make sure you have not add them to any other project team group expect the contribute group.
Once deny the Read permission for repos level, user will not be able to see the repos.
Read
Can read the contents of a file or folder. If a user has Read
permissions for a folder, the user can see the contents of the folder
and the properties of the files in it, even if the user does not have
permission to open the files.
I have created visual studio online site using azure and backed by our company active directory.
And when going to user management site (example image, not my screenshot) in the search box I can see all the users from the active directory which means that I'm properly connected (I guess).
And here is the problem which I wasn't able to solve.
I would like to know if it is possible to automatically give read permissions to users from active directory that try to access the site.
Currently they can login, but when they access the site it says that they don't have permissions and I have to manually add them one by one and I don't want to do that.
Do I maybe need some special active directory group that I add there as a user or what? I'm not active directory admin so I don't have access to its settings.
Thank you for the help.
Currently VSO does not support AD groups. In addition, just because you assign a licence, does not mean that they should have permission to everything. You my be a special case, but the choice of access should be left to the Team Project owners.
We are a start-up software company with around 15 developers. We are almost entirely using Microsoft's technology stack.
A problem that we have at this point is the confusion between signing into Microsoft's online services.
Each developer has two accounts: an Office 365 account and a Windows Live account. The Live account is created from the Office 365 account's email address. So, essentially, we have one email address but two accounts (and thus two passwords).
When logging into an online service, we are often greeted with the following:
For many, this becomes a hit and miss with their various passwords until access is granted. From what I understand:
Work or school account: An Office 365 account OR an account set up in Active Directory?
Microsoft account: A Windows Live account?
Next, can Azure Active Directory help us in any way here?
Are we able to somehow unify our accounts so to have a "single sign-in" for Microsoft's online services?
EDIT:
Further comments on Dushyant Gill answer below.
If we don't need to register our Office365 accounts as Live accounts, then how would I typically add a user to the Azure Active Directory?
When creating a new user, I only have three options:
I guess the last option would be the correct approach if we wanted to move away from Live accounts. I want to add a user to my Azure AD from my Office365 AD?
When I try to do this, I get the following error:
Do I have to link the directories somehow?
davenewza, yes you can take action to improve the experience here (it won't be simple - but given the number of users in you company - it shouldn't be that difficult)
First, your company already has an Azure Active Directory - it is the directory behind your Office 365 subscription. Azure AD authenticates your company's users when they sign in to Office 365 services.
Second, you should use your Azure AD accounts (work or school account) to signup and access other Microsoft services that are meant for businesses: Microsoft Azure, Visual Studio Online, Microsoft Dynamics etc. The disambiguation screen that you see (pasted in your question) only shows up when you're signing in to a service that supports both Azure AD as well as Live accounts. So, move your Azure and other business services subscriptions to use Azure AD accounts and as a thumb rule - your companies users will always select the 'work or school account' option (if ever they see that screen).
Finally, let's get rid of that screen altogether: do you really need the live accounts to run your business? (what Microsoft services are you using that need live accounts?) If none, great - once you've moved your subscriptions to Azure AD accounts - get rid of the live accounts. If you indeed need them - change their emails (add an _live suffix to them) - you as it is have two password - different user names will reduce confusion.
Note that the second step will require you to call Microsoft support (or file online tickets) to move subscriptions for some services - however the risk of downtime is low because you already have Azure AD accounts - you might need to reconfigure permissions once the subscriptions are migrated.
I am with the Azure AD team - get in touch with me if you're stuck - contact me on http://www.dushyantgill.com
Best of luck.
ps: we are working to improve this experience - such that folks like you don't end up in this position in the first place. Stay tuned.
With the release of Office 365 can someone tell me the support available for custom visual sandboxed web parts created using Visual Studio 2010 SharePoint Power Tools that fetches an Office 365 active directory attribute values for a particular user? E.g. If my company already has existing users in a local Active Directory environment when I subscribe to Microsoft Office 365, there are tools for synchronizing those users to Office 365 directory. Let say I have synchronized my local Active Directory to Office 365 Directory, now is it possible to programmatically or OOTB way to read Office 365 directory attribute’s value for any Office 365 Directory user? I have a custom attributes added to my local Active Directory one of the attribute is “CC Number” and I want to get the value associated with this attribute for some XYZ user.
We have an Office 365 SharePoint application to which we would like to add either (or both) a custom sandboxed web part and a OOTB web part that only reads a data from an Office 365 Directory for respective Office 365 directory user.
Is this type of functionality supported with the first/current release of Office 365?
it's a really common scenario that organizations will move parts of their systems into the Microsoft Cloud by using Office365. In order to get rid of the additional AD management overhead you have to build a federation on AD level.
You need a SecureTokenService which does the authentication for your users. Microsofts implementation of STS is ADFS (ActiveDirectory Foundation Services) which could easily be plugged into an existing AD structure. Your AD has to be 2008 I think.
There is a good ebook from Dominick Baier and some other security guys available. It's called "Guide to claim based identity", you can read it online on http://msdn.microsoft.com/en-us/library/ff423674.aspx or there is anywhere a download it think... can't remember sry.
We're currently investigating what kind of authentication we want to use for a sharepoint portal site : Forms Authentication or Windows Authentication. The latter has my preference.
What suprised me (I'm a sharepoint noob), is the fact that MS didn't provide a component/web-part that handles account management when using Windows Authentication.
Do you now how to do this? Without resorting to buying an additional product. Shouldn't it be very easy to access the Active Directory by code (C#)?
Windows Authentication
I echo Justin's thoughts regarding AD management. Adding users to your domain also doesn't necessarily have anything to do with adding them to SharePoint. However perhaps there is an IIS add-on that does this if you wish to pursue it.
If you don't already know, SharePoint can automatically import user profiles from your Active Directory domain. This makes them available for assigning permissions within the sites.
Some additional info from Justin's comment about changing the AD structure to administer security: With SharePoint 2007 you no longer need to rely on Active Directory to manage groups of users. It's possible to also use SharePoint groups (which can contain AD users or AD groups). This works really well when you need to create a group for a purpose that isn't applicable outside SharePoint and you don't want to bug the infrastructure team. The downside is that without education, end users probably won't manage this well and it can become a mess.
Forms Authentication
It's true there is very little provided by Microsoft for managing this. However the Community Kit for SharePoint provides this functionality. From memory I had to tweak their code a bit but I was generally happy with it.
If you are considering this option also read this MSDN article.
It's much easier to just use the regular AD management tools provided with Windows rather than trying to manage your users' permissions through a web interface (for groups and such).
...of course you'll need access to make changes to your AD structure to administer the security.
Another alternative you may want to consider is using Forms Authentication using the Active Directory provider. It'll allow you to use the Forms Auth user admin tools and still authenticate against an Active Directory environment.
IF this is for users who are not a part of your actual domain (i.e. extranet users), I suggest you take a look at ADAM, Active Directory in Application Mode. It behaves the same as regular AD, can be administered through the windows.
Also, take a look at the following codeplex project, ADSelfService, it allows users to edit their own AD profiles. Perhaps you can extend the code yourself to allow admins to edit all profiles.
AdSelfService Project