{"id":40345,"date":"2018-01-29T18:22:11","date_gmt":"2018-01-29T18:22:11","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/devops\/?p=40345"},"modified":"2019-02-14T15:50:19","modified_gmt":"2019-02-14T23:50:19","slug":"vs-subscriptions-and-linking-your-vsts-account-to-azuread","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/devops\/vs-subscriptions-and-linking-your-vsts-account-to-azuread\/","title":{"rendered":"VS Subscriptions and linking your VSTS account to AzureAD"},"content":{"rendered":"

A few weeks ago,\u00a0<\/span>I posted about a change coming to organizations managing their identities with Microsoft Accounts (MSAs)<\/span><\/a>; as of March 30<\/span>th<\/span>, you will no longer able to create new MSAs with a custom domain name that is linked to an Azure Active Directory tenant.\u00a0 Many customers have reached out asking how this change affects their V<\/span>isual Studio<\/span>\u00a0subscriptions\u00a0<\/span>(formerly known as MSDN subscriptions)\u00a0<\/span>so this post is aimed at answering that question.<\/span>\u00a0<\/span><\/p>\n

In general, VS subscription administrators assign subscriptions to a user\u2019s corporate email (e.g.\u00a0<\/span>justin@fabrikam.com<\/span><\/a>) so that they can get the welcome email and notifications about the subscription.<\/span>\u00a0\u00a0<\/span>As long as the email of the identity<\/span>\u00a0and the subscription match, the user will be able to access the benefits of that subscription.\u00a0\u00a0<\/span>As your organization transitions from MSA to AAD identities and the emails match (both of the form\u00a0<\/span>justin@fabrikam.com<\/span><\/a>), your user\u2019s benefits will continue to work with their new AAD identity.<\/span>\u00a0<\/span><\/p>\n

While the previous scenario is by far the most common for organizations, t<\/span>here are a couple other scenarios that\u00a0<\/span>we\u2019ve seen customers hit\u2026<\/span>\u00a0<\/span><\/p>\n

Subscription is assigned to\u00a0<\/span><\/b>justin@outlook.com<\/span><\/b><\/a>\u00a0<\/span><\/b>(MSA)\u00a0<\/span><\/b>but the end user wants to use his VS subscription with an AAD identity (<\/span><\/b>justin@fabrikam.com<\/span><\/b><\/a>).\u00a0<\/span><\/b>\u00a0<\/span><\/p>\n

If you access\u00a0<\/span>VSTS<\/span>\u00a0or Microsoft Azure with\u00a0<\/span>an AAD identity,\u00a0<\/span>but access your\u00a0<\/span>VS subscription<\/span>\u00a0with a different identity (such as your personal Microsoft account), you can\u00a0<\/span>link your AAD identity to your VS subscription<\/span>\u00a0by\u00a0<\/span>adding an \u201cAlternate account\u201d to your subscription<\/span><\/a>.\u00a0\u00a0<\/span>Once the linking is complete, you\u2019ll be able to access\u00a0<\/span>your subscription with both the MSA and the AAD identities.<\/span>\u00a0<\/span><\/p>\n

Subscription is assigned to\u00a0<\/span><\/b>justin@fabrikam.com<\/span><\/b><\/a>\u00a0but the\u00a0<\/span><\/b>organization isn\u2019t using AAD for VSTS<\/span><\/b>.\u00a0 They have created\u00a0<\/span><\/b>a<\/span><\/b>\u00a0new MSA\u00a0<\/span><\/b>for the user\u00a0<\/span><\/b>with the sign in address\u00a0<\/span><\/b>justin@outlook.com<\/span><\/b><\/a>.\u00a0<\/span><\/b>\u00a0<\/span><\/p>\n

This\u00a0<\/span>scenario is going to become more prevalent given the lockdown of MSA account creation.\u00a0 We have just released the ability for a user to add an MSA \u201cAlternate account\u201d when they\u2019re\u00a0<\/span>signed in<\/span>to VSTS<\/span>\u00a0with an AAD identity\u00a0<\/span>(the reverse of the previous scenario).\u00a0\u00a0<\/span><\/p>\n

Subscription is assigned to\u00a0<\/span><\/b>justin@fabrikam.com<\/span><\/b><\/a>\u00a0but the<\/span><\/b>\u00a0organization\u2019s AAD\u00a0<\/span><\/b>has a different email,\u00a0<\/span><\/b>justin@contoso.com<\/span><\/b><\/a>, that doesn\u2019t match the email where the subscription is assigned.<\/span><\/b>\u00a0<\/span><\/p>\n

This is\u00a0<\/span>similar to<\/span>\u00a0the above scenario and <\/span>supported in the same way.\u00a0\u00a0<\/span>W<\/span>e\u2019ve gotten feedback from VS subscription administrators that\u00a0<\/span>some do not\u00a0<\/span>want to allow use of a subscription by AAD identities outside their\u00a0<\/span>organization<\/span>\u00a0so we are planning additional work to allow for these administrative controls at a later time.<\/span>\u00a0Alternatively, the subscription administrator can reassign the subscription to the users’s organization email address.<\/span><\/p>\n

Hopefully this helps bring some clarity and I\u2019m eager to hear your feedback as your organization begins their transition away from MSA to AAD linked VSTS accounts.\u00a0 Please don\u2019t hesitate to reach out if you have any further questions.<\/span>\u00a0<\/span><\/p>\n

Thank you,<\/span>\n<\/span>Justin Marks, Principal PM, VSTS Identity<\/span>\u00a0<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

A few weeks ago,\u00a0I posted about a change coming to organizations managing their identities with Microsoft Accounts (MSAs); as of March 30th, you will no longer able to create new MSAs with a custom domain name that is linked to an Azure Active Directory tenant.\u00a0 Many customers have reached out asking how this change affects […]<\/p>\n","protected":false},"author":174,"featured_media":45953,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[228,1,251],"tags":[],"class_list":["post-40345","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-admin-licensing","category-devops","category-security"],"acf":[],"blog_post_summary":"

A few weeks ago,\u00a0I posted about a change coming to organizations managing their identities with Microsoft Accounts (MSAs); as of March 30th, you will no longer able to create new MSAs with a custom domain name that is linked to an Azure Active Directory tenant.\u00a0 Many customers have reached out asking how this change affects […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/40345","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/users\/174"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/comments?post=40345"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/40345\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media\/45953"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media?parent=40345"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/categories?post=40345"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/tags?post=40345"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}