How do I fix a mismatched user SID in TFS 2013? - tfs

TFSConfig Identities listed all TFS accounts and all but one matched Windows.
How do I fix the lone user account where the Match is False?
While this may not be relevant, I add it to the post in case it provides any additional clues. I tried to reapply the user in the Application Tier Console Users list and it failed. The log stated the account is also an orphaned SQL Server Login. I assume that makes sense if the SID is mismatched, though.

Since you have reapplied the user in the Application Tier Console Users list, note that changes you make to local or Active Directory groups are not reflected in TFS immediately.
It may be an identity synchronization issue. You must wait for the next identity synchronization with Windows before the properties of the accounts that you changed are updated. This requirement includes changes from group to user, user to group, and domain account to local account.
You could also force TFS to sync; for details, please refer to this blog. After this, run TFSConfig Identities again.

Related

Why is one user able to assign a code review, but another cannot?

Having upgraded to Plastic SCM version 8.0.16.3533, one user can assign code reviews, another can't.
The users each have two domain accounts using the same user ID, i.e. domain1\userID and domain2\userID. I've ensured the users' old domain accounts have been deactivated. They both have active licences and are in a group assigned to the repository permissions.
No code
All users are able to assign code reviews.

Error when attempting to upgrade access level of VSTS user

I have a team set up in VSTS and I am trying to upgrade certain team members who need access to the test suite functionality. I have procured several paid enterprise level accounts that show as available. However, when I attempt to change someone's access level from basic to enterprise I get the following error:
vs1720077: Subscription could not be validated.
I have the top level account so I am not sure why I am not able to upgrade these users.
Just as Daniel commented, you must link your work ID. For troubleshooting:
Make sure in the https://msdn.microsoft.com portal you have actually linked your work ID. You still need to explicitly do this even if your MSA and Work ID use the same email address e.g. user#domain.com. Using the same email address for both IDs can get confusing, so I would recommend considering you set up your MSA email addresses to not clash with your work ID.
When you login to VSO MAKE SURE YOU USE THE WORK ID LOGIN LINK (LHS OF DIALOG UNDER VSO LOGO) TO LOGIN WITH A WORK ID AND NOT THE MAIN LIVEID FIELDS. I can’t stress this enough, especially if you use the same email address for both the MSA and work account.
If you still get issues with picking up the MSDN subscription:
- In VSO the admin should set the user to be a basic user.
- In https://msdn.microsoft.com the user should make sure they did not make any typos when linking the work account ID.
- The user should sign out of VSO and back in using their work ID, MAKE SURE THEY USE THE CORRECT WORK ID LOGIN DIALOG. They should see the features available to a basic user.
- The VSO admin should change the role assignment in VSO to be MSDN eligible and it should flip over without a problem. There seems to be no need to logout and back in again.
Source Link: Why can’t I assign a VSO user as having ‘eligible MSDN’ using an AAD work account?
Also take a look at this similar issue: Lost capability when msdn.microsoft.com was forced to my.visualstudio.com link and VSTS Validation

Azure Active Directory B2C - Query Graph - Insufficient Privileges

So I'm trying to connect an MVC app to AAD B2C, and retrieve the current user's groups, so I can add them to their roles. Unfortunately, I am unable to successfully query the graph.
Insufficient privileges error when trying to access Azure Graph APIs
The link above is essentially the situation I'm in, save that I'm connecting to a B2C directory. As near as I can tell, I don't have a way to specify privileges as that question's answer suggested. There is a section for 'Keys' but the keys it generates are really quite different than the keys that regular AD apps generate.
When I do try to use the key, I just get the insufficient privileges error.
I also tried locating my app in the main, regular AD, and adding keys and ALL permissions, but I also got the same error (and there doesn't appear to be any way that I can see to determine if I even got closer)
To add to the confusion, there are different ways to get to the registered "applications" in the Azure portal. I can go in through the B2C settings, or through the regular AD settings. In the B2C side of things, I can generate keys (but as I said, they're quite different from the keys generated on the AD side), but I cannot do anything with Privileges... no option exists. On the AD side, I actually see two apps for my 1 B2C app... it looks like there's one which has the same ID as the B2C app (but using that key and privileges does nothing), and there's another, which also doesn't appear to have any useful qualities that I've figured out.
I'm out of ideas. What else can I try?
edit
I've done some more experimenting, and found that if I use an incorrect ID or Secret, I get appropriate error messages. So, by this I assume that I am "Authenticating" correctly. The problem seems to be that, as the error message indicates, my Key does not have sufficient permissions.
To that end, I've added every single available permission under both "Windows Azure Active Directory" and "Microsoft Graph" ... No improvement, I still fail to have the required privileges. I guess I'll add ALL the available permissions, and see if that seems to help any.
-- Nope, there are NO remaining privileges to add, but I still get the insufficient Privileges error message.
Additionally, making the login-user an AD administrator, doesn't make any difference.
You're likely missing a so-called admin consent in your flow. Basically, it's not enough to grant permissions (those which are marked "Requires admin") using the portal, but also a user with admin rights should consent to that grant. The tricky thing is that this consent isn't shown automatically when an admin user signs in (like it happens with regular user consent). You have to add a prompt=admin_consent parameter to the URL of the page where you enter credentials, press enter, and then log in. In this case you will see the admin consent, asking if you want to grant the permissions.
You can read more about admin consent here: https://learn.microsoft.com/en-us/azure/active-directory/active-directory-devhowto-multi-tenant-overview#understanding-user-and-admin-consent.
I also discuss this problem here: https://github.com/Azure-Samples/active-directory-dotnet-graphapi-console/issues/38#issuecomment-264664883
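The prompt=admin_consent step described in the answer above, shown as an added example that is not part of the original answer. It also reads the permission claims of an access token (Azure AD puts application permissions in `roles` and delegated permissions in `scp`) to show whether consent actually took effect; the tenant name, client ID and both tokens are constructed placeholders.

```python
import base64
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def with_admin_consent(authorize_url):
    """Return the sign-in URL with prompt=admin_consent, replacing any other prompt."""
    parts = urlsplit(authorize_url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "prompt"]
    query.append(("prompt", "admin_consent"))
    return urlunsplit(parts._replace(query=urlencode(query)))


def granted_permissions(access_token):
    """Read permission claims from a JWT payload (diagnostic only, no signature check)."""
    try:
        payload = access_token.split(".")[1]
        padded = payload + "=" * (-len(payload) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except (IndexError, ValueError):
        raise ValueError("not a JWT access token")
    roles = claims.get("roles", [])         # application permissions
    scopes = claims.get("scp", "").split()  # delegated permissions
    return set(roles) | set(scopes)


def _constructed_token(claims):
    """Build an unsigned sample token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), ""])


# Constructed sample input: placeholder tenant, client ID and token claims.
SAMPLE_URL = ("https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/authorize"
              "?client_id=00000000-0000-0000-0000-000000000000"
              "&response_type=code&prompt=login")
BEFORE_CONSENT = _constructed_token({"aud": "https://graph.windows.net"})
AFTER_CONSENT = _constructed_token({"aud": "https://graph.windows.net",
                                    "roles": ["Directory.Read.All"]})

if __name__ == "__main__":
    print(with_admin_consent(SAMPLE_URL))
    print("before consent:", granted_permissions(BEFORE_CONSENT))
    print("after consent: ", granted_permissions(AFTER_CONSENT))
```

A token with no `roles` or `scp` entries is what the directory query rejects with the insufficient privileges error, however many permissions are ticked in the portal.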

TFS 2012 - Build Service Account always loses password

I have a build service set up within TFS and I have a special AD user set as the user to run the service. When I enter the credentials for that user within the TFS Admin Console, everything works fine. For some reason, after so long (not sure how long yet) the Build Service stops running. When I look into the issue, it is because the password is blank. Any ideas why this would be getting cleared out? If I put the password back in, everything will work fine until it clears out again.
Is the account a member of the local administrators group? There could be a group policy within AD that removes Log on as Service rights from such accounts on restart. See this for an example

Change logged in user

When I set up TFS for the first time, I usually use the TFSSetup account, and log in with this account for the first time.
How do I log in as a different user?
How do I check who the current user is?
Check out a file in Source Control Explorer and the user column will show the username with which you are connected to TFS.
If you want to connect to TFS using other credentials, then add the address of your TFS server and the credentials in Credential Manager (Control Panel -> User Accounts -> Credential Manager). The next time you try to access TFS, these credentials will be used.
Clear the user's credentials in the Credential Manager. This will then bring back the Authentication Window when trying to connect to TFS.
Another approach you can take that worked for me, was to log into the web interface for TFS, then use that to log in as another user. So, navigate to:
http://yourtfshost:8080/collection/web/ (or whatever your web address is)..
Then, click on your name in the corner and select "sign in as a different user."
Essentially, this does the same thing as the above suggestions. It simply replaces your credentials in credential manager with the correct ones.
