Using AzureAD identities in Azure DevOps organizations backed by Microsoft Accounts

Justin Marks

Azure DevOps now supports AzureAD (AAD) users accessing organizations that are backed by Microsoft accounts (MSA). For administrators, this means that if your organization uses MSAs for corporate users, new employees can use their AAD credentials for access instead of creating a new MSA identity.

Using this feature doesn’t require any special configuration.  Just like today, new users are invited to an Azure DevOps organization by entering an email address.  When the new user signs in for the first time, they will have the freedom to sign in with either an existing MSA or AAD identity.

The benefit of this feature to end users is that AAD users will no longer have to create an MSA, with their corporate email address, simply because of the way their organization configured Azure DevOps; they can use a single identity for all services across Microsoft.  We hope this is a big step forward in reducing instances of the identity disambiguation screen that often confuses end users.

For organizations that already use AAD identities with Azure DevOps, this feature does not apply. For organizations that currently use MSA identities, please note that all existing users can continue to sign in with their MSA identities as they do today. This only applies for users added in the future (who potentially can’t create an MSA with their corporate email address).  Creating new MSAs for custom domains backed by AzureAD will be blocked in October.

We still believe that the best experience is for corporate users to connect Azure DevOps to AAD, but we learned earlier this year that organization administrators wanted the freedom to make that connection on their own time frame.

I know identity can be a complex topic so here’s an example scenario to help drive the point of the feature home…

     Dorothy is the Azure DevOps organization owner for her company, Fabrikam. She and her team of 10 team members all sign into Azure DevOps with MSA identities that use their corporate email address, e.g. Sam is a new team member who joined the company today. Dorothy invites him to Azure DevOps by using his email, When he clicks on the “join now” link on the Azure DevOps invitation email, he can sign into Azure DevOps with the same AAD identity he was given to access his O365 email. This allows Sam to collaborate with his 11 colleagues and gives Dorothy the freedom to connect her Azure DevOps organization to AAD at a time of her own choosing.

NOTE: This feature is rolling out as part of the Sprint 141 deployment so it may take a couple days until it’s available for your organization.

Thank you,

Justin Marks, Principal PM, Azure DevOps Identity


Discussion is closed.

Feedback usabilla icon