VSTS will no longer allow creation of new MSA users with custom domain names backed by AzureAD
3-28-2018 UPDATE: The deadline listed below has been extended to the end of September. Read my latest blog post for more information.
On September 15, 2016, the Azure Active Directory (Azure AD) team blocked the ability to create new Microsoft accounts using email addresses in domains that are configured in Azure AD. Many VSTS customers expressed concern when this change happened. As a result, we worked with the Azure AD team to get a temporary exception for our service to be excluded from this limitation. Over the past year, we have improved our experience for connecting accounts to Azure AD and we are now ready to end this exception. This means that, as of March 30th, 2018, a new user in your organization will not be able to create a new MSA sign-in with a custom domain name if that domain name is already used by an Azure AD tenant. This may affect the way you bring new users into your VSTS account, so we wanted to give you advance warning of the change as well as give you guidance on how to move forward.
Personal Microsoft accounts are designed for self-management and are not centrally governable. For instance, when employees use personal accounts to access business applications, the enterprise IT department has zero ownership of, or control over, these personal accounts. As such, they are not appropriate to be used in an organizational context. Instead, we recommend that organizations use Azure AD.
Moving from MSA sign-ins to Azure AD accounts will allow your enterprise to regain control of the user login experience and of the corporate data accessed by that account, and will eliminate the disambiguation experience seen by end users who have two accounts with the same email address (one in Azure AD and one Microsoft account). For example, they are often confronted with this message:
To address this issue, you will need to take one of the following actions:
- Connect your VSTS account to an Azure AD tenant and ensure all users of your accounts are members or guests of that tenant [SUGGESTED SOLUTION]
- Continue to have your VSTS account backed by MSA and add all future users without custom domains (e.g. firstname.lastname@example.org)
We recognize that a transition like this can be disruptive to you and your teams, which is why we’re communicating with you well in advance of the deadline. We also want to provide you with the information and tools necessary to make this transition as painless as possible. Here are some good starting points:
- Read about cleaning up the Azure AD and Microsoft account overlap
- Learn about connecting your VSTS account to an Azure AD tenant
- Learn how to bring guest users, either MSA sign-ins or members of external Azure AD tenants, into your Azure AD tenant
- Guidance on how users can rename their personal accounts
Please let me know if you have any other questions or concerns. Thank you for your continued use and support of VSTS.
Thank you, Justin Marks, Principal PM, VSTS Identity
UPDATE: Many users have reached out asking how this change affects their VS Subscriptions. I’ve published a new blog focused on this topic.