To setup a VSTS (Visual Studio Team Services) account initially is very easy. The default user directory that is behind VSTS is a directory based on Microsoft Accounts (MSA). Quite some companies start by using MSA’s to access their VSTS instance and then decide to make the move to Azure Active Directory (AAD) once relevant data is already stored, but then face some issues.
Microsoft provides extensive documentation on this process: https://www.visualstudio.com/en-us/docs/setup-admin/team-services/manage-organization-access-for-your-account-vs, but doesn’t provide a solution for my issue;
- Users that have an MSA where the email address is equal to the email address of their AAD account are OK, nothing needs to be changed
- Users that have an MSA where the email address differs from the email address configured for them in AAD need to be migrated
Migration of these accounts at least involves the following steps:
- Copy direct group membership from the MSA to the AAD account
- Re-assign Work Items from the MSA to the AAD account
- Copy specific object permissions (e.g. permission directly to a user to a Source Control folder or to a Build Definition)
- Personal Access Tokens (PAT) and Alternate Access Credentials will need to be recreated with the new user account in order to keep working (unless the user they are linked to is kept in the list of VSTS users and is added as an external user to AAD)
For steps 1 and 2 I have create a tool that is available on Github, that will automate this process. I created it as an MVP (Minimum Viable Product) in order to support these kind of migrations. Don’t expect a flawless shiny tool, but rather a simple command-line executable that will do the job. Feel free to contribute to the Repo by doing a pull request or by providing feedback (improvements, issues etc).
Note: I don’t recommend using the tool in production environments before testing it on a separate test environment!