Problem adding external AAD user to a directory backed VSTS instance

Background

I recently decided to change one of my VSTS instances to be directory backed. What this means is that in the past users logged in using LiveIDs (MSAs by their new name); once the VSTS instance was linked to an Azure Active Directory (AAD), via the Azure portal, they could log in only if

  • they were using an account in the AAD
  • their MSA was listed as a guest in the AAD
  • they used a work ID in another AAD that is listed as a guest in my AAD

This gives me centralised user management.

So I made the changes required, and the first two types of user were fine, but I had a problem with the third case. I did the following:

  • Added an external Work ID to my AAD directory (via the old management portal https://manage.windowsazure.com)
  • Added the user in my VSTS instance as a user
  • Granted the new user rights to access team projects.

All seemed to go OK, but when I tried to log in as the user I got the error

TF400813: The user 'db0990ce-80ce-44fc-bac9-ff2cce4720affez_blackmarble.com#EXT#@richardblackmarbleco.onmicrosoft.com' is not authorized to access this resource.


Solution

With some help from Microsoft I got this fixed; it seems to be an issue with Azure AD. The fix was to do the following:

  1. Remove the user from VSTS account
  2. Go to the new Azure Portal (https://portal.azure.com/) and remove this user from the AAD
  3. Then re-add them as an external user back into the AAD (an invite email is sent)
  4. Add the user again to VSTS (another invite email is sent)
  5. Grant the user rights to the required team projects

and this fixed the access problems for me. The key item for me I think was to use the new Azure portal.
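The same remove / re-invite / re-add sequence, scripted so it can be repeated for several guests. This is an added example and not part of the original post; it uses the current Microsoft Graph PowerShell module and the Azure DevOps CLI extension in place of the two portals the post describes. The e-mail address, organisation URL and tenant are placeholders, and the `az devops security group membership add` step is mentioned as an assumption rather than shown.

```powershell
# Added example (not from the original post): remove a stale AAD guest, re-invite it,
# verify the new guest object, then re-add it to the VSTS / Azure DevOps organisation.
# Requires: Install-Module Microsoft.Graph.Users, Microsoft.Graph.Identity.SignIns
#           az extension add --name azure-devops
#           directory admin rights in the AAD tenant.
$guestEmail = 'fez@blackmarble.com'                        # placeholder external work ID
$org        = 'https://dev.azure.com/richardblackmarble'   # placeholder VSTS / Azure DevOps org

# Decode the mangled UPN that appears in TF400813 back into the invited address.
# AAD stores guests as <localpart>_<domain>#EXT#@<tenant>.onmicrosoft.com: the original
# '@' is replaced by '_' and the home tenant is appended after '#EXT#@'.
function Get-GuestEmailFromUpn {
    param([Parameter(Mandatory)][string] $Upn)
    if ($Upn -notmatch '^(?<local>.+)_(?<domain>[^_#]+)#EXT#@') {
        throw "Not a guest UPN: $Upn"
    }
    return "$($Matches.local)@$($Matches.domain)"
}

Connect-MgGraph -Scopes 'User.ReadWrite.All'

# Steps 1 and 2 of the post: remove the stale guest object from the directory.
# Get-MgUser returns only a default property set, so ask for UserType explicitly.
$stale = Get-MgUser -Filter "mail eq '$guestEmail'" -Property Id,UserPrincipalName,UserType,Mail
foreach ($u in $stale) {
    if ($u.UserType -ne 'Guest') { continue }   # never delete a member account by accident
    Write-Host "Removing guest $($u.UserPrincipalName) ($($u.Id))"
    Remove-MgUser -UserId $u.Id
}

# Step 3: re-invite. This sends the AAD invitation e-mail the post mentions.
$invite = New-MgInvitation -InvitedUserEmailAddress $guestEmail `
                           -InviteRedirectUrl $org `
                           -SendInvitationMessage

# Check before touching VSTS: the new object must be a Guest whose #EXT# UPN
# decodes back to the address we invited.
$new = Get-MgUser -UserId $invite.InvitedUser.Id -Property Id,UserPrincipalName,UserType
if ($new.UserType -ne 'Guest' -or (Get-GuestEmailFromUpn $new.UserPrincipalName) -ne $guestEmail) {
    throw "Unexpected guest state: $($new.UserPrincipalName) / $($new.UserType)"
}
Write-Host "Guest re-created as $($new.UserPrincipalName)"

# Step 4: add the guest to the organisation (this sends the second invitation e-mail).
az devops user add --email-id $guestEmail --license-type express --org $org

# Step 5 (team project rights) is granted in the project's security settings; per project
# it can be scripted with 'az devops security group membership add' (assumed, not shown here).
```

Run it with the guest's own address in `$guestEmail` after the user has been removed from VSTS (step 1 of the post); the `Get-GuestEmailFromUpn` check is also handy on its own for working out which external identity a TF400813 message is actually complaining about.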

Hope it saves you some time