Team Services: Access with Azure Active Directory (Azure AD) groups

Last Update: 12/15/2016


Do you want an easier way to control who can access your team's critical resources and key business assets in Team Services? If you already use Microsoft services like Office 365 or Azure Active Directory (Azure AD), you can use the same identities with your Team Services account. Azure AD works with your Team Services account to control access and authenticate users through your organization's directory.

When you organize directory members with Azure AD groups, you can reuse those groups to manage permissions in bulk for your Team Services account. Just add those groups to the Team Services group that you want. For example, add them to built-in groups like Project Collection Administrators or Contributors, or manually-created groups like your project management team. Azure AD group members will inherit permissions from the Team Services group, so you don't have to manage group members one at a time.

Not familiar with Azure AD, but want to check it out? Learn more about Azure AD benefits and differences in how you control Team Services account access with Microsoft accounts or with Azure AD.

Before you start

  • Your Team Services account must be connected to your organization's directory (tenant) in Azure AD. If your account uses Microsoft accounts only, see "My account uses Microsoft accounts only. Can I switch to Azure AD?" in the Q&A.

  • You must be a Team Services project administrator, project collection administrator, or account owner. You must also have at least Basic access, not Stakeholder.

  • To create and manage Azure AD groups, you must have tenant administrator permissions or have the tenant administrator delegate those permissions to you in the Azure classic portal or Azure portal.

Add an Azure AD group to a Team Services group

  1. Sign in to your Visual Studio Team Services account (https://{youraccount}.visualstudio.com).

    See the Q&A: Why am I asked to choose between my work or school account and my personal account?

  2. Go to your team project collection or team project, depending on the Team Services group that you want to work on.

  3. Go to the control panel.

    Go to team project's control panel, security settings

  4. Go to the security settings. Select the Team Services group where you want to add your Azure AD group.

    Select a Team Services group. Go to Members, Add

  5. Find the Azure AD group that you want to add. Just start typing the group's name, alias, or display name. Then select the group to add it.

    To get more details about a group and its members, review the group's contact card.

    Browse directory for groups

  6. Add more groups, or save your changes if you're done.


  7. Check that your group appears in the Team Services group that you want.


Q&A

Q: My account uses Microsoft accounts only. Can I switch to Azure AD?

A: Yes, but before you switch, make sure that Azure AD meets your needs for sharing work items, code, resources, and other assets with your team and partners.

Learn more about the differences in how you control access with Microsoft accounts or with Azure AD, and how to switch when you're ready.

Q: Why can't I assign Team Services permissions directly to an Azure AD group?

A: Because these groups are created and managed in Azure, you can't assign Team Services permissions directly to these groups or secure version control paths with them. You'll get an error if you try to assign permissions directly.

But, you can add an Azure AD group to the Team Services group that has the permissions you want. Or, you can assign these permissions to the Team Services group instead. Azure AD group members will inherit permissions from the Team Services group where you add them.

Q: Can I manage Azure AD groups in Team Services?

A: No, because these groups are created and managed in Azure. Team Services doesn't store or sync member status for Azure AD groups. So, to manage Azure AD groups, use the Azure classic portal or Azure portal, Microsoft Identity Manager (MIM), or the group management tools that your organization supports.

Q: How do I tell the difference between a Team Services group and an Azure AD group?

A: On the group's identity card, check the group's source:

To find the group's source, check the group's identity card

Q: Why doesn't the Users hub show all Azure AD group members?

A: These users have to sign in to your Team Services account before they appear in the Users hub.

Q: How do I assign account access to Azure AD group members?

A: When these group members sign in to your Team Services account for the first time, Team Services assigns an access level to them automatically. If they have Visual Studio subscriptions, Team Services assigns the respective access level to them. Otherwise, Team Services assigns them the next "best available" access level in this order: Basic, Stakeholder.

If you don't have enough access levels for all Azure AD group members, those members who sign in will get Stakeholder access.

Q: Why doesn't the Security tab show all members when I select an Azure AD group?

A: The Security tab shows Azure AD group members only after they sign in to your Team Services account and have an access level assigned to them.

To see all Azure AD group members, use the Azure classic portal, Azure portal, Microsoft Identity Manager (MIM), or the group management tools that your organization supports.

Q: Why doesn't the team members widget show all Azure AD group members?

A: The team members widget shows only users who previously signed in to your Team Services account.

Q: Why doesn't the team capacity pane show all Azure AD group members?

A: The team capacity pane shows only users who previously signed in to your Team Services account. To set capacity, manually add users to your team.

Q: Why doesn't the team room show offline users?

A: The team room shows Azure AD group members, but only when they're online.

Q: Why doesn't Team Services reclaim access levels from users who aren't Azure AD group members anymore?

A: Team Services doesn't automatically reclaim access levels from these users. To manually remove their access, go to the Users hub.

Q: Can I assign work items to Azure AD group members who haven't signed in?

A: You can assign work items to any Azure AD member who has permissions for your Team Services account. This also adds that member to your Team Services account. When you add users this way, they'll automatically appear in the Users hub with the best available access level and in the security settings, too.

Q: Can I use Azure AD groups to query work items using the "In Group" clause?

A: No, querying on Azure AD groups is unsupported.

Q: Can I use Azure AD groups to set up field rules in my work item templates?

A: No, but read more here about our process customization plans.

Q: Why am I asked to remove a user from an Azure AD group when I delete that user from my Team Services account?

A: Users can belong to your Team Services account, both as individuals and as members of Azure AD groups that were added to Team Services groups in your Team Services account. These users can still access your Team Services account while they're members of these Azure AD groups.

To block all access for these users, please remove them from Azure AD groups in your Team Services account, or remove these groups from your Team Services account. Although we'd like to make it possible to block access completely or make exceptions for such users, Team Services doesn't currently have this capability.
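The two answers above describe access that outlives an administrator's change: access levels are not reclaimed when someone leaves an Azure AD group, and deleting a user individually does not remove access granted through a group. The following is an added example, not Microsoft's code and not a Team Services API; it audits both cases over exported membership lists, and all group names, users, and data structures in it are constructed for illustration. It assumes Azure AD groups are expanded one level only.

```python
# Constructed sample data; names are hypothetical, not from a real tenant.
# Azure AD group -> current members (as exported from the directory).
AAD_GROUPS = {
    "Fabrikam Developers": {"ana@fabrikam.com", "raj@fabrikam.com"},
    "Fabrikam Release Managers": {"raj@fabrikam.com"},
}
# Team Services group -> members added directly (users or Azure AD groups).
TS_GROUPS = {
    "Contributors": {"Fabrikam Developers", "lee@fabrikam.com"},
    "Project Collection Administrators": {"Fabrikam Release Managers"},
}
# Users hub export: user -> access level currently held.
USERS_HUB = {
    "ana@fabrikam.com": "Basic",
    "raj@fabrikam.com": "Basic",
    "lee@fabrikam.com": "Basic",
    "kim@fabrikam.com": "Basic",  # no longer in any Azure AD group above
}

def effective_membership(ts_groups, aad_groups):
    """Map each user to the (Team Services group, path) pairs that grant access."""
    paths = {}
    for ts_group, members in ts_groups.items():
        for member in members:
            if member in aad_groups:  # Azure AD group: expand one level
                for user in aad_groups[member]:
                    paths.setdefault(user, set()).add((ts_group, member))
            else:  # user added directly to the Team Services group
                paths.setdefault(member, set()).add((ts_group, "direct"))
    return paths

def stale_access_levels(users_hub, paths):
    """Users who still hold an access level but reach no Team Services group."""
    return sorted(u for u in users_hub if u not in paths)

def residual_access(user, paths):
    """Group-based paths that remain after the user's individual entry is deleted."""
    return sorted(p for p in paths.get(user, ()) if p[1] != "direct")

if __name__ == "__main__":
    paths = effective_membership(TS_GROUPS, AAD_GROUPS)
    print("Reclaim manually in the Users hub:", stale_access_levels(USERS_HUB, paths))
    print("Still reachable via groups:", residual_access("raj@fabrikam.com", paths))
```

Users reported by `stale_access_levels` are candidates for manual removal in the Users hub; a non-empty `residual_access` result means the user must also be removed from the listed Azure AD groups before access is fully blocked.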

Q: How do I remove an Azure AD group from Team Services?

A: Go to your team project collection or team project. Then, go to the control panel.

Team project's control panel, security settings

Go to the security settings. Find the Azure AD group, then delete that group from your Team Services account.


Q: Why must I choose between a "work or school account" and my "personal account"?

A: This happens when you sign in with an email address, like jamalhartnett@fabrikam.com, that's shared by your personal Microsoft account and by your work account or school account. Although both identities use the same sign-in address, they're still separate identities with different profiles, security settings, and permissions, so you see this screen when you sign in:

Choose work or school account, or personal Microsoft account

  • Choose Work or school account if you used this identity to create your Team Services account or signed in with this identity before. For example, choose this option if you used to sign in to Team Services here:

    Old signin for work or school accounts

    Your identity is authenticated by your organization's directory in Azure Active Directory (Azure AD), which controls access to your Team Services account.

  • Choose Personal account if you used your Microsoft account with Team Services. For example, choose this option if you used to sign in to Team Services here:

    Old signin for Microsoft account

    Your identity is authenticated by the global directory for Microsoft accounts.

Q: Why can't I sign in after I choose either "personal Microsoft account" or "work or school account"?

A: This happens when your sign-in address is shared by your personal Microsoft account and by your work account or school account, but your selected identity doesn't have access. Although both identities have the same sign-in address, they're still separate identities with different profiles, security settings, and permissions.

Just closing your browser might not sign you out completely from Team Services, so try signing out completely by following the steps below. Then sign in again to Team Services, and select your other identity:

  1. Close all browsers, including those that aren't running Team Services.

  2. Open a private or incognito browsing session.

  3. Go to this URL: http://aka.ms/vssignout

    You'll get a message that says "Sign out in progress". After you're signed out, you're redirected to the Visual Studio page at www.visualstudio.com.

    Tip: If the sign-out page takes more than a minute, close the browser, and continue.

  4. Sign in to Team Services again. Select your other identity.

Q: Where can I ask more questions or send suggestions?

A: We'd love to hear from you. For help from the Microsoft Developer Community, visit the Visual Studio Team Services forum. For suggestions, visit Visual Studio UserVoice.