Azure DevOps organization became inaccessible immediately after connecting the organization to Microsoft Entra ID.

Nilesh Thakur 6 Reputation points
2026-07-03T10:24:46.03+00:00

Azure DevOps organization became inaccessible immediately after connecting the organization to Microsoft Entra ID.

Organization exists and repositories exist, but sole organization owner receives 401/403 on all org/project/repo URLs.

Verified:

  • Correct Entra tenant connected
  • User exists in Entra
  • Azure DevOps enterprise application exists and is active
  • User assigned to enterprise application
  • Azure DevOps profile API works successfully
  • Organization APIs fail with unauthorized

This indicates Azure DevOps organization entitlement / owner mapping failure (MSA to Entra identity mismatch).

Need backend org ownership recovery or Entra disconnect.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Kenyatta Meads 0 Reputation points
    2026-07-03T11:55:14.95+00:00

    You connected your DevOps org to Microsoft Entra ID. That basically told DevOps: “Only let people from this company Entra ID in.”

    Problem: Your account isn’t actually in that company Entra ID, so DevOps now says “I don’t know you” → 401/403 error.

    How to fix it in 3 steps:

    1. Use the emergency door

    Go to https://aex.dev.azure.com/me and log in with your original owner account. This page ignores the Entra lockout.

    2. Unplug Entra ID

    Find your org → click ... → Disconnect from Microsoft Entra ID. Now you’re back in with your old login.

    3. Reconnect the right way

    Before you reconnect:

    • Add yourself to that Entra ID as a real user first
    • Or add your old outlook.com email as a “guest” in Entra ID
    • Make someone who IS in Entra ID the org owner before connecting

    If step 1 doesn’t work: You’ll have to contact Microsoft Support and prove you own the org. They can unhook it from their side.

    TL;DR: DevOps is now carding everyone at the door, and your ID isn’t on the guest list yet. Use the back door, take the bouncer off duty, add your name to the list, then put the bouncer back.


  2. AI answer

    2026-07-03T10:25:18.37+00:00

    Azure DevOps organizations connected to Microsoft Entra ID require that the signed-in identity:

    1. Exists in the Azure DevOps organization’s Users list.
    2. Matches the Microsoft Entra UPN exactly (no alias, no different account type).
    3. Has sufficient access level and project permissions.

    A 401/403 on all org/project/repo URLs while the profile API still works is consistent with an identity/entitlement mismatch after Entra connection.

    Use the following checks and recovery steps:

    1. Verify the identity in the organization
      • Have another Azure DevOps organization administrator (if any still has access) go to:
        • Organization settings → Users.
      • Confirm that the affected user is present and that the identity exactly matches the Microsoft Entra UPN used to sign in (no alias). Azure DevOps does not support sign-in aliases; the exact UPN must be used.
      • If the identity is missing, it must be added back from Microsoft Entra ID.
    2. Check for UPN vs alias or account-type issues
      • Ensure sign-in is done with the exact UPN, not an alias (for example, ******@contoso.com instead of ******@contoso.com).
      • If the organization was previously using a different account type (personal Microsoft account vs Microsoft Entra account), the first account type used is what Azure DevOps bound to. If a change is needed, an administrator must remove and re-add the user so the correct account type is established.
    3. Confirm permissions at org and project level
      • In Organization settings → Users, verify the user’s access level is at least Basic (not Stakeholder) so that Azure Repos access is allowed.
      • In each project, under Project settings → Repos → Security, ensure the user (or a group containing the user) has at least Read and Contribute permissions on the required repositories.
    4. Resolve disconnected identities after Entra connection
      • If some users became disconnected during the Entra connection, use the built-in resolution flow:
        1. In Organization settings, select Microsoft Entra ID.
        2. Select Resolve.
        3. Match the existing Azure DevOps identities to the correct Microsoft Entra identities and complete the wizard.
      • This remaps old identities (for example, from personal email) to the new Entra IDs so that references and ownership are preserved.
    5. If ownership or mapping cannot be fixed via UI
      • When the sole owner is locked out and no other admin can correct the mapping, or when the Entra connection caused an unrecoverable mismatch, backend assistance is required.
      • Use the documented support channels for Azure DevOps to request:
        • Organization ownership recovery, or
        • Assistance with Microsoft Entra connection issues (including cases where users are disconnected or mappings cannot be resolved via the portal).

    These steps align with the documented behavior that:

    • Organizations connected to Microsoft Entra ID require Entra authentication.
    • 401 errors commonly result from the identity not being in the organization, UPN/alias mismatch, or insufficient permissions.
    • After connecting to Entra, identities can be remapped using the Resolve flow, and support can assist when that is not sufficient.


    Was this answer helpful?
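As an added example that is not part of either answer or of any Microsoft tooling: a pre-connection audit in Python that applies the rule both answers rely on, namely that the owner and every member must resolve to a tenant identity under the exact sign-in name, not an alias. The records are constructed, shaped after the `principalName` field of Azure DevOps user entries and the `userPrincipalName`, `userType`, `mail`, `otherMails` and `proxyAddresses` fields of Entra users; treating a guest's `mail` as its sign-in name is an assumption.

```python
# Constructed sample data: current Azure DevOps members and Entra tenant users.
ADO_MEMBERS = [{"principalName": "owner@outlook.com"},
               {"principalName": "dev.one@contoso.com"},
               {"principalName": "d.two@contoso.com"}]
ENTRA_USERS = [
    {"userPrincipalName": "Dev.One@contoso.com", "userType": "Member",
     "mail": "dev.one@contoso.com", "proxyAddresses": ["SMTP:dev.one@contoso.com"]},
    {"userPrincipalName": "dev.two@contoso.com", "userType": "Member",
     "mail": "dev.two@contoso.com",
     "proxyAddresses": ["SMTP:dev.two@contoso.com", "smtp:d.two@contoso.com"]},
]
# Constructed guest record for the owner's personal address.
GUEST_OWNER = {"userPrincipalName": "owner_outlook.com#EXT#@contoso.onmicrosoft.com",
               "userType": "Guest", "mail": "owner@outlook.com"}

def sign_in_name(user):
    # Assumption: a guest signs in with its invited address (mail), because its
    # UPN is a tenant-generated "#EXT#" name; members sign in with their UPN.
    if user.get("userType") == "Guest":
        return (user.get("mail") or "").lower()
    return user["userPrincipalName"].lower()

def aliases(user):
    # Every other address the tenant knows for this person.
    names = [user.get("mail") or ""] + list(user.get("otherMails", []))
    names += [p.split(":", 1)[1] for p in user.get("proxyAddresses", []) if ":" in p]
    return {n.lower() for n in names if n}

def classify(member, entra_users):
    name = member["principalName"].lower()
    if any(sign_in_name(u) == name for u in entra_users):
        return "match"          # exact sign-in name exists in the tenant
    if any(name in aliases(u) for u in entra_users):
        return "alias-only"     # person is in the tenant, but under another name
    return "not-in-tenant"      # must be added as member or guest first

def audit(owner, members, entra_users):
    report = {m["principalName"]: classify(m, entra_users) for m in members}
    return {"owner_status": report.get(owner, "not-a-member"),
            # Connecting is only safe when the owner itself resolves exactly.
            "safe_to_connect": report.get(owner) == "match",
            "would_disconnect": sorted(n for n, s in report.items() if s != "match")}

if __name__ == "__main__":
    print(audit("owner@outlook.com", ADO_MEMBERS, ENTRA_USERS))
    print(audit("owner@outlook.com", ADO_MEMBERS, ENTRA_USERS + [GUEST_OWNER]))
```

The first call reproduces the lockout condition from the question (owner not in the tenant); the second shows the owner clearing the check once a guest record exists, while the alias-only member is still reported.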
