Moving Azure DevOps Sites Between Tenants
Jason Geiger
Technologist/Solution engineer/full stack developer/data architect/Cloud,AWS,Azure Developer.
At some point this article won't be needed. Hopefully in the near future Microsoft will have tools to help users do this themselves.
Assume you have an old tenant (OldT) and you are moving to a new tenant (NewT). You have lots to worry about: Active Directory, Office 365, mazes of SharePoint sites and more. You also have some items like Azure DevOps (formerly Visual Studio's TFS).
DevOps is much more amorphous than the other items. For this walkthrough, say that you have a user on OldT. The username could be [email protected] (U1). You also need a user on NewT. Let's say [email protected] (U2). These users don't need admin privileges. They just need to be able to create "DevOps Organizations" on their respective tenants.
It's worth noting that in DevOps an "organization" can be thought of as a site. https://dev.azure.com/AnOrganizationName is the site. The organization/site isn't linked to the Azure Portal or the Microsoft Admin interface like you might want. Hence the reason for these steps.
To continue, you need to enable guest accounts on OldT if you haven't already.
Step 1. Add U2 as a guest user on OldT.
Step 2. Add U1 to the DevOps org/site. If you have already decommissioned OldT and deleted the users for this site, you are at a surprising advantage. Log in as U1 and go to your DevOps org from your old tenant. If the org is called Org1, the URL should be https://dev.azure.com/Org1. Since the user was deleted, you should get a 401 error but also get the option to claim the site with U1.
If the user was not deleted, you may have to log in as the owner. To do that you will have to change their Azure password, add U1, then accept the permissions from U1's email. Then, as the original Org1 owner, you might have to add U1 to "Project Collection Administrators" under Org1 settings/security/permissions. It is way easier to delete the org owner in Active Directory and claim the site. If you still want the org owner on OldT, you then just restore the user.
Step 3. From https://portal.azure.com you want to go to "Azure Active Directory". If you don't see the link, there is a search bar where you can find it. Then click on "Users" -> "New guest User". If you don't have this link, then your tenant isn't set up for remote users. You have to enable that to proceed.
Lastly you want to add the U2 user from NewT as a guest user.
Step 4. At this point you will want to be logged in as U1 on https://dev.azure.com/Org1. At the bottom left of the page you will see a link for Organization settings. Click that.
You should now see the following settings for the Org.
First thing you want to do is click on "Policies" under the Security heading.
Make sure that "External guest access" is turned on. This is so we can add U2@NewT to this org/site.
Next click on Users then click "Add Users".
Type in the username/email of U2. If you don't see them, then you might not have them set up in AD as a remote user or you might not allow external guests in your Azure org permissions.
Step 5. Click on Permissions on the left-hand side. You will see a list of the groups for Org1. You need to add U2 to "Project Collection Administrators". If you don't see the user, then you missed the "External guest access" step above.
Step 6. You will either want to log out of everything or open a different browser. For example if you were using Internet Explorer you might want to open Chrome. This is optional but logging in/out of Azure might be a headache.
Log into Org1 as U2. Click on Organization settings again. Then click on "Azure Active Directory".
Click the "Switch directory" button.
Lastly you can change the dropdown to connect to NewT's Active Directory.
Most likely you are done. If there are any issues with users losing access, you can click on Settings -> 'Azure Active Directory' and resolve any missed user mappings from OldT to NewT.
Unfortunately if you have multiple Orgs you have to change each and every one. It's a pain but at least you will start out better than most who have to figure this out on their own.
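The missed user mappings mentioned above can be anticipated before you click "Switch directory". The following is an added example, not part of the original article or any Microsoft tooling: it compares a list of Org1 users against the accounts that exist in NewT and reports who would be left without a match. The addresses are constructed, and matching on the local part of the sign-in address plus a hand-maintained override table is an assumption about how accounts were recreated in NewT.

```python
# Added example: pre-flight check for user mappings before switching Org1 to NewT.
# All addresses below are constructed sample data.
ORG1_USERS = ["alice@oldt.example", "bob@oldt.example", "carol@oldt.example",
              "u2@newt.example"]  # u2 is the NewT guest added in Step 4
NEWT_USERS = ["Alice@newt.example", "robert@newt.example", "u2@newt.example"]
# Hand-maintained overrides for people whose name differs between tenants
OVERRIDES = {"bob@oldt.example": "robert@newt.example"}


def plan_mapping(org_users, new_users, overrides=None):
    """Return (mapping, unmapped): OldT address -> NewT address, plus leftovers."""
    overrides = {k.lower(): v.lower() for k, v in (overrides or {}).items()}
    new_set = {u.lower() for u in new_users}
    by_local = {}
    for u in new_set:
        by_local.setdefault(u.split("@", 1)[0], []).append(u)
    mapping, unmapped = {}, []
    for user in (u.lower() for u in org_users):
        local = user.split("@", 1)[0]
        if user in new_set:                      # already a NewT identity
            mapping[user] = user
        elif overrides.get(user) in new_set:     # override must exist in NewT
            mapping[user] = overrides[user]
        elif len(by_local.get(local, [])) == 1:  # unambiguous local-part match
            mapping[user] = by_local[local][0]
        else:                                    # would lose access after the switch
            unmapped.append(user)
    return mapping, sorted(unmapped)


if __name__ == "__main__":
    mapping, unmapped = plan_mapping(ORG1_USERS, NEWT_USERS, OVERRIDES)
    for old, new in sorted(mapping.items()):
        print(f"{old} -> {new}")
    print("needs manual mapping or a guest invite:", unmapped)
```

An override that points at an account missing from NewT is ignored rather than trusted, so a typo in the table shows up as an unmapped user instead of a silent mismatch.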