This week at the VS Live conference in Chicago I sat down with one of the attendees and we went over some of the interesting new nuggets of TFS administration: the administration log files, which can now be accessed from the TFS web access website by appending `_oi` to the TFS URL. So going to the server at http://yourtfsserver:8080/tfs/_oi takes you to the new admin pages, where you can see the activity logs and job logs to check how your server is doing. You can read more about this feature on the following blog page:

While we were chatting, one of the most asked questions came up: how should I license users who only occasionally need access to the TFS server?

Now in TFS there are ways to restrict a user's access by putting the user or a group in the restricted access group, so they have access to only their own work items and can view the status of those work items over time. But unfortunately you are then not allowed to query the work items, for example to see whether an issue has already been reported.

I come across many organizations that nowadays want to use agile methodologies and, with that, provide transparency to their customers by simply giving them access to the web access portal. While this enables the business to look at all the work that is being done, probably not all business users will be interested enough to go to the portal each and every day.

Now for that group of users you might want to provide access, but how would you license them?

So apparently the TFS server now has an additional page in the administration console that can help you with this problem. If you go to the admin pages of your TFS server by clicking the settings icon at the top right of the screen (see screenshot), you will see the administration portal.


On the admin portal you can click the tab called Access levels, where you can administer what rights certain people or groups have (limited, standard, or full). Here you can also find a link called “Export Audit Log” that I had never seen before, but apparently has been there for a while 🙂 (see screenshot below)


Now if you click that link, it will export a CSV file that contains all the information about who accessed the Team Foundation Server and when they did so. It also shows what level of access that user or group has. I verified with Microsoft, and you can use this audit log to see who actually accessed the server; you only need a valid CAL license for people who actually use the server. So that means you can grant all your business users access to the Team Foundation Server and you only have to get licenses for those users actually using it.

This is especially handy if your company has an enterprise agreement with what they call true-up moments, where you tell Microsoft the actual usage of software so you can adjust the license count for the next year.

So in the example below I set the default access permission to standard, so I would need only premium licenses for all my users, and I added two people to the Full category.


Now if I export the audit log and filter the columns on the people who actually accessed the server, you can see the following:


So here you can see that for this server configuration, while there is a whole list of users who can potentially access the server, I only need licenses for the list above. I now know that I only need 4 standard CAL licenses and 2 additional premium licenses, which can be obtained by getting Test Professional or Visual Studio Premium.

Hope this explanation will help you sort out how to be compliant as well 🙂