January 5th, 2018

VSTS will no longer allow creation of new MSA users with custom domain names backed by AzureAD

Justin Marks
Principal Program Manager

3-28-2018 UPDATE : The deadline listed below has been extended to the end of September.  Read my latest blog post for more information.

On September 15, 2016, the Azure Active Directory (Azure AD) team blocked the ability to create new Microsoft accounts using email addresses in domains that are configured in Azure AD. Many VSTS customers expressed concern when this change happened. As a result, we worked with the Azure AD team to get a temporary exception for our service to be excluded from this limitation. Over the past year, we have improved our experience for connecting accounts to Azure AD and we are now ready to end this exception. This means that, as of March 30th, 2018, a new user in your organization will not be able to create a new MSA sign-in with a custom domain name if that domain name is already used by an Azure AD tenant. This may affect the way you bring new users into your VSTS account, so we wanted to give you advance warning of the change as well as give you guidance on how to move forward.

Personal Microsoft accounts are designed for self-management and are not centrally governable. For instance, when employees use personal accounts to access business applications, the enterprise IT department has zero ownership of, or control over, these personal accounts. As such, they are not appropriate to be used in an organizational context. Instead, we recommend that organizations use Azure AD.

Moving from using MSA sign-ins to using Azure AD accounts will allow your enterprise to regain control of the user login experience, corporate data accessed by that account, and eliminate the disambiguation experience seen by end users who have two accounts with the same email address (one in Azure AD & one Microsoft account). For example, they are often confronted with this message:

To address this issue, you will need to take one of the following actions:

We recognize that a transition like this can be disruptive to you and your teams which is why we’re communicating with you well in advance of the deadline. We also want to provide you with the information and tools necessary to make this transition as painless as possible. Here are some good starting points:

Please let me know if you have any other questions or concerns. Thank you for your continued use and support of VSTS.

Thank you, Justin Marks, Principal PM, VSTS Identity

UPDATE: Many users have reached out asking how this change affects their VS Subscriptions.  I’ve published a new blog focused on this topic.

Author

Justin Marks
Principal Program Manager

Justin Marks is a principal program manager at Microsoft working on identity management for Azure DevOps. For the previous 7 years, Justin was part of the agile tooling space where he worked on all aspects of the work tracking system including process customization, the reporting stack, REST APIs, and collaboration experiences including team room, agile tooling and lightweight requirements management. Justin previously worked on the Visual Studio Debugger, the Windows Shell (as both a ...

More about author

0 comments

Discussion are closed.