Microsoft has introduced the option to invite AAD users into MSA backed Azure DevOps accounts. This is great for companies that are transitioning accounts over from "unmanaged" to "managed", starting with transferring account ownership to an AAD user and then fixing the user and licensing mess in a slower approach.
However, when I try to clone a repository using Visual Studio 2017 or 2019, I'm greeted with an error message:
Git failed with a fatal error. Authentication failed for: {remote-url}.
or, depending on which version of the Git credential manager you have:
error: cannot spawn askpass: No such file or directory
fatal: could not read Username for '{remote-url}': terminal prompts disabled`
When cloning from the command line, there are no issues and afterward, Visual Studio can also use the resulting git repository.
Update
The latest version os Visual Studio 2017 (15.9.10+) now contains version 1.18.4 of the Git Credential Manager and should solve many of the issues that were caused by the older versions. Should you need a more recent version of the GCMfW, the same trick should work for newer versions too.
After chatting with Chad Boles (who maintains Team Explorer in Visual Studio), we worked out another option. This is preferred over overwriting the files in the Visual Studio installation as this may break future updates and can cause hard to debug issues in the future.
- Install the latest GCMW-1.xx.xx.exe in your system and/or update to the latest version of Git for Windows which should include GCM.
Update your global git config to point to a specific implementation of the Git credential Manager:
c:\>git config --global --edit
Update the [credential]
section to read:
[credential]
helper = C:\\\\Program\\ Files\\\\Git\\\\mingw64\\\\libexec\\\\git-core\\\\git-credential-manager.exe
Ensure the path points to where the latest Git Credential Manager can be found on your system. Mind all of the escapes needed to make paths work in the global git config.
It turns out that Visual Studio 2017 (as of 15.9.7) and 2019 (preview 3) still ship with version 1.17 of the Git Credential Manager and they don't use a globally installed version when available.
You can check whether you have an "old" version in the following locations:
C:\Program Files (x86)\Microsoft Visual Studio\2017\{EDITION}\Common7\IDE\CommonExtensions\Microsoft\TeamFoundation\Team Explorer\Git\mingw32\libexec\git-core
C:\Program Files (x86)\Microsoft Visual Studio\2019\Preview\Common7\IDE\CommonExtensions\Microsoft\TeamFoundation\Team Explorer\Git\mingw32\libexec\git-core
If they're not on version 1.18.4, then they don't have the required fix for AAD authentication in MSA backed accounts.
If you have the correct version you should see:
Fix
This is officially unsupported and can have unwanted side-effects. But it worked for me ;).
To fix Visual Studio you can overwrite the binaries in the above locations with the files in the latest release zip of the Git Credential Manager:
You'll need to re-apply these files each time you upgrade to a newer update/preview until Microsoft decides to ship the latest version as part of Visual Studio, unfortunately. The Visual Studio Installer will stubbornly overwrite it with the 1.17 version.