
MSDN Blogs: Visual Studio Team Services and Microsoft Accounts (VSTS and MSAs)

Jeff here from the Windows SDK team. I am on temporary assignment to the VSTS group, so this blog post is something a little different.

There are two kinds of Microsoft accounts: MSA accounts (Microsoft Accounts, LiveID, Outlook, Hotmail, etc.) and WSA accounts (Work or School Accounts, Azure Active Directory, Office 365).

WSA accounts are used for business purposes (workstation logons, email) and are usually @CompanyName.com. MSA accounts are typically used for personal purposes and are usually @Hotmail.com or @Outlook.com. However, you could also create an MSA account that duplicated a WSA account, so you could have two accounts with the same UPN. When logging on with one of these “Doppelgangers” you may see this dialog:
[Image: MSAWSA]

Starting on 9/15/2016, Microsoft blocked the creation of duplicate MSA and WSA accounts. Several problems arise when you have duplicate MSA/WSA accounts: it is always confusing which account you need or are using, and in some situations it is not possible to choose the correct account. To address these problems, Microsoft no longer lets you create accounts that overlap. This is explained in this blog. Previously created accounts will continue to work, though.

Trying to create a duplicate account produces the error: “You can’t sign up here with a work or school email address.”
[Image: Error]

Impact to Visual Studio Team Services

VSTS has been greatly impacted by this change. Many VSTS accounts are “MSA backed,” which means that you can only log on to VSTS using an MSA account. Many businesses have been adding users to MSA-backed VSTS accounts by inviting User@company.com. VSTS allows you to invite any user, whether or not the account already exists. In this scenario, the VSTS admin invites a new corporate user, User@company.com, who receives the email in their corporate inbox. When they try to access VSTS after receiving the invite, they are prompted to create an MSA account if needed. Many VSTS administrators assume users will be able to create the new MSA account, but since 9/15/2016 this has been blocked. Previously, invitees to VSTS successfully created MSA accounts with their @company.com address; new invitees, however, may not create an MSA account matching their WSA.

Now that new duplicate MSA accounts are blocked, the only ways for new users to access VSTS are:

1) Invite users using a real MSA email account (@Hotmail, @Outlook).

2) Invite users using an email account NOT associated with Azure/O365 (@Gmail, @Yahoo). These users will still need to create an MSA account, if they haven’t already.

3) Create a link between your Azure/O365 AAD and VSTS.

To use options 1 and 2 you need to be OK with @Hotmail, @Gmail, etc. accounts in your VSTS account list. Options 1 and 2 are the easiest; no planning is needed.

If you need your VSTS users to use only their corporate email accounts, then you need option 3. Option 3 is more difficult and requires some thought and planning. Information on linking an AAD and VSTS can be found here.

Some things to watch out for if you link your AAD and VSTS:

1) External accounts. When you link VSTS and an AAD, only users in the AAD can access VSTS. Corporate users will be fine, but if your VSTS account had any @Hotmail, etc. accounts you will need to add them to your AAD. (When adding a user, choose ‘User with an existing Microsoft Account’.)

2) Guest accounts. When a VSTS account is MSA backed there is no concept of guest users; it only shows up when you link an AAD to your VSTS account. Corporate users in the AAD will be members, so they are OK, but there are several gotchas with using external Microsoft Accounts (MSAs) with an AAD. You can see their member status in the new Azure portal (www.azure.com).

[Image: Guest]

  1. Guests can’t search the AAD to add new users to VSTS. See this blog for more information and how to use PowerShell to change Guests to Members. Please note: the error message has changed recently; instead of one about AAD guests searching the directory, you will receive the error “No identities found.”
  2. A guest can’t be assigned ownership of a VSTS account. A guest can still own it if they owned it before the AAD was linked and you then added their account to the AAD. You could also use PowerShell to switch them to a guest in the AAD (but shouldn’t).
  3. Guests can be denied all access. There is an option on the settings tab for a VSTS account, External Guest Access. It is set to Allow by default; if you set it to Deny, no guests can access VSTS. It is possible to have an AAD with only guests in it, and in this case no one will be able to access VSTS. You would need to use PowerShell to flip the VSTS owner to be a member, then log on to VSTS and set guest access back to Allow.
    [Image: External]
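As an added example (not from the original post or the blog it links to), the following PowerShell lists the guests currently in the AAD and converts one account from Guest to Member, so the VSTS owner cannot be locked out by the External Guest Access setting described in item 3. It assumes the MSOnline module (Connect-MsolService, Get-MsolUser, Set-MsolUser) is installed and you are a directory admin; the UPN is a placeholder.

```powershell
# Added example, not code from the original post.
# Assumes the MSOnline module is installed and the caller is an AAD admin.
# Placeholder UPN: guests added from an MSA usually appear in the directory
# with a "#EXT#" style UPN, so copy the value exactly as listed below.
$Upn = 'vsts-owner_outlook.com#EXT#@contoso.onmicrosoft.com'   # placeholder

Connect-MsolService   # prompts for AAD admin credentials

# Step 1: report every guest before changing anything, so the lockout
# scenario (an AAD containing only guests) is visible up front.
$guests = Get-MsolUser -All | Where-Object { $_.UserType -eq 'Guest' }
Write-Host ("Guests in the directory: {0}" -f $guests.Count)
$guests | Select-Object UserPrincipalName, DisplayName, UserType | Format-Table -AutoSize

# Step 2: only the account that must own VSTS is flipped, and only Guest -> Member.
$user = Get-MsolUser -UserPrincipalName $Upn -ErrorAction Stop
if ($user.UserType -eq 'Member') {
    Write-Host "$Upn is already a Member; nothing to do."
}
else {
    Set-MsolUser -UserPrincipalName $Upn -UserType Member

    # Step 3: verify the change before relying on it (e.g. before setting
    # External Guest Access to Deny in VSTS).
    $after = Get-MsolUser -UserPrincipalName $Upn
    if ($after.UserType -ne 'Member') {
        throw "Conversion of $Upn to Member did not take effect"
    }
    Write-Host "$Upn is now a Member and can own the VSTS account with guest access set to Deny."
}
```

Run the listing step alone first; if every account it prints is a guest, convert the intended owner before touching the External Guest Access setting.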

/Jeff