VSTS Authentication: AAD or MSA?

July 26th, 2017 | Visual Studio ALM, Visual Studio Team System

Visual Studio Team Services (VSTS) allows you to authenticate via two primary methods:

  • Microsoft Account (MSA) – formerly Live ID
  • Azure Active Directory (AAD)

There are other authentication mechanisms, such as SSH and Personal Access Tokens (PATs), but you must first authenticate via AAD or MSA before you can use these alternative mechanisms.

Which One Should I Use?

If you’re using VSTS for small or personal projects and want to invite arbitrary users to interact on your account, you should use MSA authentication. This is the default when you create a VSTS account, so you don’t need to do anything special.

However, if you’re using VSTS in an enterprise, you’ll probably want to use AAD. AAD has a number of advantages for enterprise scenarios:

  • Membership and users can be controlled by IT rather than TFS administrators
  • You can use AAD groups for security in VSTS
  • When a user is added to an AAD group, they inherit that group’s permissions in VSTS
  • When a user leaves the org, their VSTS access disappears when their AAD account is removed

If you want to enable AAD authentication with your VSTS account, you’ll need to be an account owner in VSTS as well as a subscription co-administrator in Azure. You can get more information about how to do this here.

Buying Extra VSTS Stuff

Whether you use MSA or AAD to authenticate with VSTS, if you’re going to purchase any “extras” (listed below) you’ll need to tie your VSTS account to an Azure subscription. The billing hangs off the Azure subscription.

  • Extra Basic licenses (beyond the 5 free licenses you get when you create an account)
  • Extra hosted build minutes (beyond the free 240 minutes)
  • Extra Load Test Minutes (beyond the free 20,000 virtual user minutes)
  • Extra build/release pipelines (beyond the single free pipeline)
  • Extra hosted build agents (beyond the free 240 minute agent)

MSDN Licenses

Even if you tie your VSTS account to AAD for authentication, you’ll have to consider how to manage MSDN subscriptions. When a user is added to a VSTS account, the administrator needs to assign an access level to that user. Stakeholders get a small subset of functionality for free. MSDN subscribers get access to virtually everything in VSTS on unlimited accounts. Basic users can get access to most functionality in a single account.

When a user is assigned MSDN access, they don’t actually get that functionality until the first sign in to the account. At that point, VSTS will validate the MSDN license. If there is no license for that user, the user is bumped to Basic (if available) or Stakeholder access.

The “trick” is that MSDN licenses are assigned to MSA accounts. That means users who log in with AAD accounts need to tie their MSDN subscription to their AAD account. There are two scenarios:

  • AAD account has the same email address as the MSA MSDN account
  • AAD account has a different email address from the MSA MSDN account

When the AAD account email and MSA account email address are the same, the user doesn’t have to explicitly tie their MSDN to their AAD account. When they log in with their AAD credentials, VSTS will try to find an MSA with the same email address that has an MSDN license. If one is found, the user gets MSDN access.

However, if the AAD account email and MSA account email are different, then the user should log in to my.visualstudio.com and add an alternate account to their MSDN subscription. The alternate account should be their AAD account email address. Subsequently, when they log in to a VSTS account with their AAD credentials, VSTS will pick up the MSDN subscription via the association.
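The license lookup described above can be modelled offline to predict, before users sign in, who will lose the MSDN access they were assigned. This is an added example, not VSTS code or a VSTS API: the class and function names, the case-insensitive email comparison, the sign-in order and the sample accounts are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class MsdnSubscription:
    msa_email: str                                # MSA the MSDN license is assigned to
    alternates: set = field(default_factory=set)  # alternate accounts added at my.visualstudio.com

def _norm(email):
    # Assumption: addresses are compared case-insensitively.
    return email.strip().lower()

def find_license(aad_email, subscriptions):
    """Return how an AAD sign-in would reach an MSDN license, or None."""
    target = _norm(aad_email)
    for sub in subscriptions:
        if _norm(sub.msa_email) == target:
            return "same-email"
        if target in {_norm(a) for a in sub.alternates}:
            return "alternate-account"
    return None

def predict_access(msdn_assigned, subscriptions, basic_seats_free):
    """Predict the access level of each user assigned MSDN access, in sign-in order."""
    outcome = {}
    for email in msdn_assigned:
        how = find_license(email, subscriptions)
        if how:
            outcome[email] = ("MSDN", how)
        elif basic_seats_free > 0:
            basic_seats_free -= 1                 # bumped to Basic while seats remain
            outcome[email] = ("Basic", "no license found")
        else:
            outcome[email] = ("Stakeholder", "no license found")
    return outcome

def needs_action(outcome):
    """Users who will not get the MSDN access they were assigned."""
    return sorted(u for u, (level, _) in outcome.items() if level != "MSDN")

# Constructed sample data (not real accounts).
SUBSCRIPTIONS = [
    MsdnSubscription("alice@contoso.example"),
    MsdnSubscription("bob.home@outlook.example", {"Bob@contoso.example"}),
    MsdnSubscription("carol.home@outlook.example"),
]
ROSTER = ["alice@contoso.example", "bob@contoso.example",
          "carol@contoso.example", "dave@contoso.example"]

if __name__ == "__main__":
    for user, (level, why) in predict_access(ROSTER, SUBSCRIPTIONS, 1).items():
        print(f"{user:28} {level:12} {why}")
```

In the sample, carol has an MSDN subscription but no alternate account pointing at her AAD address, so she takes the last free Basic seat and dave falls through to Stakeholder.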

AAD and MSA Same Email Address

If your MSA and AAD accounts have the same email address, you’re in for some fun. Every time you log in to VSTS, you’ll be prompted to let VSTS know if you’re logging in with an MSA account or an AAD account. At least you won’t have to explicitly assign an alternate email address to your MSDN license!

Guest Access

Let’s say you want to invite someone outside your organization to your VSTS account (like a contractor) – to push code or participate in Backlogs or whatever. In this case, you’ll need some sort of guest access.

When you have an MSA-backed VSTS account, you can invite anyone with an MSA to your account. Of course, you only get 5 Basic licenses; otherwise the user will come in with free Stakeholder access or be validated against an MSDN license if they have one.

AAD guest access is a bit trickier. You’ll need to either create an account for the user on your AAD or you can add them as a guest to your AAD.



If you’re an enterprise, you really should be using AAD to authenticate your users. MSA should only be used for personal or very small projects. Don’t forget to link your AAD account to your MSDN license, and you should be good to go.
