AAD guest users are not allowed to be account owners

Question

I have custom AAD and I added my company account to the AAD. I made the company account owner of the subscription and administrator of the AAD.

When I want to create new Team Project, the deployment fails with message:

VS850006: AAD guest users are not allowed to be account owners. Please use a non-guest AAD user. AAD guest user sign-in address: [email protected] (Code: OrganizationBadRequestException)

It was working yesterday before I made myself AAD administrator. WTF?

Answer 1

You are probably a guest in the AAD that backs VSTS. By default AAD guests cannot search the AAD.

You could check your user type on Azure Portal.Azure Active Directory-->All Users--><your user>-->profile

f the UserType is GUEST, you can make this user a MEMBER by executing

Set-Msoluser -UserPrincipalName <your ID> -usertype member

More information about this please refer to this [blog]

Update:

If your account is a Microsoft account, you could use Azure AD Power Shell 2.0 to change user type.

Connect-Azuread -TenantID "****************"
Get-azureaduser -ObjectID "99f1721e-42ae-4056-9c14-30976aa1608b"|Set-AzureADUser -UserType "member"

(https://blogs.msdn.microsoft.com/dstfs/2015/12/23/issues-with-azure-active-directory-guest-users-in-aad-backed-visual-studio-team-services-accounts/).

Answer 2

I had the same issues and these were the powershell commands that helped:

Install-Module AzureAD Install-Module MSOnline Import-Module AzureAD Import-Module MSOnline $AzureAdCred = Get-Credential Connect-AzureAD -Credential $AzureAdCred Connect-MSolService -Credential $AzureAdCred Set-MsolUser -ObjectId <your-account-id> -UserType Member

I could not connect immediately but after waiting for a few hours (8 in my case) connecting the account worked.

If you want to make sure that the object-id you are using is the correct user you want to alter you can use the following command: Get-MsolUser -ObjectId <your-account-id>