Migrating Azure Subscriptions to Organization Accounts (Including Visual Studio Online)

We started creating Azure subscriptions before organization accounts were available, but now when even Visual Studio Online supports organization accounts, we wanted to switch from Microsoft accounts. (Microsoft accounts have the obvious drawbacks: more passwords to remember and access does not go away automatically when people quit.)

The subscription owner (service account) was a Microsoft account – let us call this account1@company.se. The subscriptions were linked to a domain that I refer to here as domain1.onmicrosoft.com, and the new domain, which is synced with our Active Directory, I refer to as company.onmicrosoft.com.

Azure Co-Administrators

So here is what we had to do make the switch with co-administrators:

  1. Change the AD account name of account1@company.se to account2@company.se. Why? Because this account was synced to company.onmicrosoft.com, and there can only be one account with the same name in the same Azure Active Directory (AAD). (The Microsoft account is added in step 4 below.)
  2. Go to manage.windowsazure.com and login as account1@company.se.
  3. Create a new directory. Choose custom create. Select Use existing directory.
  4. Log in as a global administrator of the company.onmicrosoft.com domain. What happens now is that account1@company.se (the Microsoft account) is automatically added as a global administrator in company.onmicrosoft.com.
  5. Log out and log in again as account1@company.se. There should now be a new directory (company.onmicrosoft.com) visible.
  6. Go to settings, select a subscription and click Edit Directory at the bottom of the page. Change to company.onmicrosoft.com. You get a warning saying all co-administrators will be deleted. That is OK, because that is what we wish to accomplish.
  7. Add organization accounts as co-administrators as appropriate.

Azure Service Administrators

Now, we also wanted to change the service administrator from account1@company.se (Microsoft account) to account2@company.se (organization account). That is accomplished in the account portal.

  1. Go to account.windowsazure.com and log in.
  2. Select a subscription.
  3. Click Edit subscription details.
  4. Change the service administrator.

Account Administrator

I don’t know how to change the account administrator. Maybe it requires a support ticket.

Visual Studio Online

Visual Studio Online was the most difficult service. You can administer some aspects in the Azure managment portal (manage.windowsazure.com). But when you connect it to the new domain (company.onmicrosoft.com in my case), users not in that domain will loose access. Because the Microsoft accounts probably do not exist in that domain, you will have to create new users in Visual Studio Online, and because the probably have the same names as the corresponding Microsoft accounts, you must first delete these.

But beware! Before you start deleting users and switch domain, you must make sure no user has anything checked out. You might also want to delete all workspaces, because when the “new” users start Visual Studio and log in, they must create new workspaces, because the old workspaces are owned by different users. And you cannot have work folder mappings in two workspaces to the same local folder on the same computer (error: The working folder is already in use by the workspace…)

Use the following command to list all workspaces:

tf workspaces /server:<instance>.visualstudio.com\DefaultCollection /owner:*

or the following to see details on a specific computer:

tf workspaces /server:instance.visualstudio.com\DefaultCollection /computer:<computer>/owner:* /format:detailed

You can delete a workspace with the following command:

tf workspace /delete /collection:<instance>.visualstudio.com\DefaultCollection "<computer>;<user>"

Or simpler, use Team Foundation Sidekicks. In fact, I did not delete my work space before making the switch, and the only way I could delete it afterwards was to use Sidekicks.

  1. Ensure no user has anything checked out.
  2. Delete workspaces for Microsoft accounts that you plan to abandon in favour of organization account.
  3. Delete accounts in VisualStudio Online using User Management (https://<instance&gt;.visualstudio.com/_user).
  4. Go to manage.windowsazure.com and login as an administrator. Select your Visual Studio Online service and click Configure. Click the Connect button and connect to the company.onmicrosoft.com domain.
  5. MSDN subscribers must connect their Microsoft accounts with their organization accounts in the My Account section of MSDN (https://msdn.microsoft.com/subscriptions/manage/hh442900). Under Visual Studio Online they can create this link.
  6. In Visual Studio Online using User Management, add users again. This time, their organization accounts will be added. If they have MSDN, you should choose Eligible MSDN Subscriber as license.
  7. Click the cog wheel in the upper right corner in Visual Studio Online to go to the control panel. Select a project, click on your team and add team members and administrators.
  8. In Visual Studio, users must switch user by clicking Connect to Team Projects in Team Explorer and then Select Team Projects… In the bottom of the Connect to Team Foundation Server dialog, click Switch User. Enter the organization account credentials.
  9. If a user doesn’t see any code, just work items, he or she has probably a stakeholder license, not an MSDN license. They can check this by logging in to <instance>.visualstudio.com. See step 5 above. If it still doesn’t work, try changing license to basic and then back to MSDN.

Before Cancelling an Azure Subscription, Remove All Virtual Networks

I recently cancelled an Azure Subscription, and then went on to delete all of its resources (virtual machines, databases, etc.). This went fairly well with a couple of exceptions.

Problem #1: I wasn’t possible to delete my virtual network. I got an error message saying it wasn’t possible because the subscription wasn’t active. I had to submit a support request, and a helpful technician re-enabled my subscription.

Lesson: Delete all resources before you cancel a subscription.

Problem #2: I still cannot delete the associated Active Directory. I get an error message saying

The following issue(s) prevent deletion of this directory:
· Directory has one or more Azure subscriptions.

But that is not true – I changed the subscription to be associated with a different directory. I hope Microsoft Support has a solution for this issue as well…

UPDATE: I discovered there was another subscription, owned by another user, associated with the domain. After changing that, I could delete the domain.

Microsoft Azure Automation

Microsoft recently added a very useful feature to automate things in Azure. It is in preview at the time of writing, but I decided to try it for starting and stopping our virtual machines used for testing, and it works really well. Here is a link to a step-to-step guide: http://blogs.technet.com/b/keithmayer/archive/2014/04/06/step-by-step-getting-started-with-windows-azure-automation.aspx

Here is my “workflow” for starting:

workflow Start-nnn
{
    # Specify Azure Subscription Name
    $subName = 'nnn'
    # Connect to Azure Subscription
    Connect-Azure -AzureConnectionName $subName
    Select-AzureSubscription -SubscriptionName $subName

    # Start VMs
    $vmList = ('vm1','vm2')
    For ( $vmCount = 0; $vmCount -lt $vmList.Count; $vmCount++) {
        Write-Output ("Getting virtual machine status for {0}..." -f $vmList[$vmCount])
        $vm = Get-AzureVM -ServiceName $vmList[$vmCount] -Name $vmList[$vmCount]
        if ( $vm.InstanceStatus -eq 'StoppedDeallocated' ) {
            Write-Output ("Starting {0}..." -f $vm.Name)
            Start-AzureVM -ServiceName $vm.ServiceName -Name $vm.Name
        }
    }
}

And for stopping:

workflow Stop-nnn
{
    # Specify Azure Subscription Name
    $subName = 'nnn'
    # Connect to Azure Subscription
    Connect-Azure -AzureConnectionName $subName
    Select-AzureSubscription -SubscriptionName $subName

    # Shutdown VMs
    $vmList = ('vm1','vm2')
    For ( $vmCount = 0; $vmCount -lt $vmList.Count; $vmCount++) {
        Write-Output ("Getting status for {0}..." -f $vmList[$vmCount])
        $vm = Get-AzureVM -ServiceName $vmList[$vmCount] -Name $vmList[$vmCount]
        if ( $vm.InstanceStatus -eq 'ReadyRole' ) {
            Write-Output ("Stopping {0}..." -f $vm.Name)
            Stop-AzureVM -ServiceName $vm.ServiceName -Name $vm.Name -Force
        }
    }
}