Reducing the latency of permissions inherited through AAD Group memberships

Rajesh Ramamurthy (MSFT)

Ever since we introduced support for Azure AD groups in VSTS, our customers' use of Azure AD groups for managing permissions has grown significantly. That growth also highlighted a gap: VSTS took anywhere between 24-48 hours to catch up with membership changes made upstream in Azure AD. This meant that a user who was added to an Azure AD group, and who inherits permission to a resource via that group membership, had to wait anywhere between 24-48 hours to see a change in their permissions. BTW, this delay does not apply to a new user who is logging in; it applies to users who are already in the account and expect an update to their permissions.

We released a feature as part of sprint 130 that brings the current latency of 24-48 hours down to a maximum of 1 hour. VSTS will now catch up with any membership change in an Azure AD group within an hour of that change happening in Azure AD, and refresh any permissions inherited via membership in that group. In addition, a user can trigger a refresh of their Azure AD membership, along with the inherited permissions in VSTS, by simply signing out and signing back in. We will continue to invest in this area to improve it further.

 
