BM-Bloggers

The blogs of Black Marble staff

Deleting unwanted orphan XAML Build Controllers on a migrated VSTS instance

Whilst working with the VSTS Data Import Service I ended up migrating a TFS TPC up to VSTS that had an old XAML Build Controller defined. I did not need this XAML build controller, in fact I needed to remove it because it was using my free private build controller slot. Problem was I could not find a way to remove it via the VSTS (or Visual Studio Team Explorer) UI, and the VM that had been running the build controller was long gone.

The way I got rid of it in the end was the TFS C# API and a quick command line tool as shown below.

Note that you will need to delete any queued builds on the controller before you can delete it. You can do this via the VSTS browser interface.

Problem adding external AAD user to a directory backed VSTS instance

Background

I recently decided to change one of my VSTS instance to be directory backed. What this means is that in the past users logged in using LiveIDs (MSAs by their new name); once the VSTS instance was linked to an Azure Active Directory (AAD), via the Azure portal, they could login only if

  • they were using an account in the AAD
  • their MSA was listed as a guest in the AAD
  • they used a work ID in another AAD that is listed as a guest in my AAD
  • Thus giving me centralised user management.

    So I made the changes required, and the first two types of user were fine, but I had a problem with the third case. When I did the following

  • Added and external Work ID to my AAD directory (via the old management portal https://manage.windowsazure.com)
  • Added the user in my VSTS instance as a user
  • Granted the new user rights to access team projects.
  • All seemed to go OK, but when I tried to login as the user I got the error

    TF400813: The user 'db0990ce-80ce-44fc-bac9-ff2cce4720af\fez_blackmarble.com#EXT#@richardblackmarbleco.onmicrosoft.com' is not authorized to access this resource.

    clip_image002

    Solution

    With some help from Microsoft I got this fixed, seem to be an issue with Azure AD. The fix was to do the following

    1. Remove the user from VSTS account
    2. Go to the new Azure Portal (https://portal.azure.com/) and remove this user from the AAD
    3. Then re-add them as an external user back into the AAD (an invite email is sent)
    4. Add the user again to VSTS (another invite email is sent)
    5. Grant the user rights to the required team projects

    and this fixed the access problems for me. The key item for me I think was to use the new Azure portal.

    Hope it saves you some time

    You can now manage complex ARM based environments in Azure DevTest Labs

    Azure DevTest Labs has been available for a while and I have found it a good way to make sure I control costs of VMs i.e. making sure they are shutdown outside office hours. However, in the past, have had a major limitation for me that they only allowed templates that contained a single VM. You could group these together but it was bit awkward.

    Well at Connect() it was announced that there is now complex ARM template support. So you can now build multi-VM environment that simulate the environments you need to work on as a single unit.

    Why not give it a try?

    There are now no excuses for not using Continuous Delivery from VSTS for Azure Web Apps

    One type of feature I hate people demoing in any IDE, especially Visual Studio, is the ‘just click here to publish to live from the developers PC’. This is just not good practice, we want to encourage a good DevOps process with

    • Source Control
    • Automated build
    • Automated release with approvals

    The problem is, this can all be a bit much for people, it takes work and knowledge, and that right click is just too tempting.

    So I was really pleased to see the new ‘Continuous Delivery (Preview)’ feature on Azure Web Apps announced at Connect().

    image

    This provides that one click simplicity, but creates a reasonably good DevOps pipeline using the features of VSTS using VSTS itself or GitHub as the source repository.

    For details of the exact features and how to use it see the ALM Blog post, I am sure it will provide you with a good starting point for your ongoing development if you don’t want to build it from scratch; but remember this will not be your end game, you are probably still going to need to think how you are going to manage the further config settings, tests and approvals a full process will require. It is just a much better place to start than a right click in Visual Studio.

    As announced at Connect() there is now a tool to fully migrate an on-premises TFS to VSTS

    I am often asked asked ‘How can I move my TFS installation to VSTS?’

    In the past the only real answer I  had was the consultant’s answer ‘it depends’. There were options, but they all ended up losing fidelity i.e. that the history of past changes got removed or altered in some manner. For many companies the implication of such changes meant they stayed on-premises; with all the regular backups, updates and patch running the use of any on-premises service entails.

    This has all changed with the announcement of the public preview of the TFS to VSTS Migrator from Microsoft at the Connect() conference.

    image

    In essence this allows a TFS Team Project Collection to be imported into VSTS as new VSTS instance. This makes it sound simple, but this can be a complex process depending upon your adoption of Azure Active Directory, the levels of customisation that have been made to your on-premises TFS instance and may require the upgrading your TFS server to the current version. Hence, the process is Microsoft ALM/DevOps partner led, and I am pleased to say that Black Marble is one of those Gold Partners.

    So if you have an on-premise TFS and…

    • your company strategy is cloud first and you want to migrate, with full history
    • or you don’t want to patch your TFS server any more (or you stopped doing it a while ago)
    • or you just want to move to VSTS because it where all the cool new bits are

    why not get in touch with us at Black Marble or myself to help you investigate the options.

    Changes to LiveID/MSA and what I have done about it to get around the new domain limitations

    What are the changes in allowed email addresses in MSAs?

    You may or may not have noticed that there has been a recent change in LiveID (or Microsoft Account MSA as they are now called). In the past you could create a MSA using an existing email address e.g. richard@mydomain.co.uk . This is no longer an option. If you try to create a new MSA with a non Microsoft (outlook.com/hotmal.com) email they are blocked saying ‘This email is part of a reserved domain. Please enter a different email address’.

    image

    This limitation is actually a bit more complex than you might initially think, as it is not just your primary corporate work email it checks, it also checks any aliases you have. So in my case it would give the same error for richard@mydomain.com as well as richard@mydomain.co.uk because they are both valid non Microsoft domains even though one is really only used as an email alias for the other.

    So if creating a new MSA you will need to create a user@outlook.com style address. This is something all our new staff need to do as at present you need an MSA to associate with your MSDN subscription.

    In the past we asked them to create this MSA with their email user@mydomain.co.uk alias. This email address is an alias for their primary work email account, not their primary work account address user@mydomain.com itself. We encouraged them to not use their primary email address as it gets confusing as to which type of account (MSA or work account)  is in use at any given login screen if their login name is the same for both (their primary email address). We now we have to ask them to create one in the form bm-user@outlook.com to associate their MSDN subscription with.

    So that is all good, but that about any existing accounts?

    I think the best option is to update any existing to use new user@outlook.com addresses. I have found if you don’t do this you get into a place where the Azure/VSTS/O365 etc. login get confused as to whether your account is MSA or a Work Account. I actually managed to get to the point where I suddenly could not login to an Azure Active Directory (AAD) backed VSTS instance due to this confusion (the fix was to remove my ‘confused’ MSA and re-add my actual corporate AAD work account)

    How do I fix that then?

    To try to forestall this problem on other services I decided to update my old MSA email adress by do the following

    1. Login as my old MSA
    2. Go to https://account.microsoft.com
    3. Select ‘Info’
    4. Select ‘Manage how you sign in to Microsoft’
    5. Select ‘Add a new email address’
    6. Create a new @outlook.com email address (this will create a new email/Outlook inbox, but note that this seems to take a few minutes, or it did for me)
    7. Once the new email alias is created you can choose to make it your primary login address
    8. Finally you can delete your old address from the MSA

    And your are done, you now can login with your new user@outlook.com with your existing password and any 2FA settings  you have to any services you would previously login to e.g MSDN web site, VSTS etc.

    The one extra step I did was to go into https://outlook.live.com , one the new email inbox was created, to access the new Inbox and setup an email forward to my old richard@mydomain.co.uk email address. This was just to make sure any email notifications sent to the MSAs new Inbox end up somewhere I will actually see them, last think I wanted was a new Inbox to monitor

    Summary

    So I have migrated the primary email address for my MSA and all is good. You might not need this today, but I suspect it is something most people with MSAs using a work email as their primary login address are going to have to address at some point in the future.

    Can’t login to OneDrive desktop application on Windows 10

    Whilst I have been on holiday my PC has been switched off and in a laptop bag. This did not seem to stopped me getting problems when I tried to use it again…

    • Outlook could not sync to O365 – turns out there had been some changes in our hybrid Exchange infrastructure, I just need to restart/patch the PC on our company LAN to pick up all the new group policy settings etc.
    • Could not login to OneDrive getting a script error https://auth.gfx.ms/16.000.26657.00/DefaultLogin_Core.js

    image

    This second problem was a bit more complex to fix.

    1. Load Internet Explorer (not Edge)
    2. Go to Settings > Internet Options > Security
    3. Pick Trusted Sites and manually add the URL https://auth.gfx.ms as a trusted site.
    4. Unload the OneDrive desktop client
    5. Reload the OneDrive desktop client and you should get the usual LiveID login and all is good
    6. Interestingly – if you remove the trusted site setting the login still appears to work, but for how long I don’t know. I assume something is being cached.

    So it appears there have been a few changes on security whilst I have been away.

    Devils with Arms and Cats - the new name for DevOps?

    Great day at DDDNorth yesterday, hope everyone enjoyed it. Thanks to all the team who helped during the preparation and on the day.

    The slides from Rik Hepworth and my presentation on ‘Living the dream - Real world DevOps with Azure and VSTS’ are up at Github

    We were a late stand in session  to cover for a presenter who could not attend on the day. So I hope it was not too much of let down, that we were not the speaker on the agenda, covered a different subject and did not match the title the spell checker converted out session title too. Though ‘Devils with Arms and Cats’  is maybe a good term for DevOps?

    As to the grok talk I did at lunchtime on developing VSTS extension with VS Code, there are no slides; but look at these past posts, building VSTS tasks with Powershell and putting a release process around vsts extension development they are on similar subjects.